Follow the steps below to authenticate with OpenID Connect:

- Assign the Trusted Signing Certificate Profile Signer role to your service principal.
  - Open your Trusted Signing Account in the Azure portal.
  - Note: You can assign the role from your Resource Group or Subscription if you have multiple Trusted Signing accounts.
  - Navigate to the Access Control (IAM) tab.
  - Click 'Add role assignment'.
  - Select 'Trusted Signing Certificate Profile Signer'.
  - Click 'Next'.
  - Assign access to your 'User, group, or service principal' or 'Managed identity'.
  - Click 'Review + assign'.
- Adapt the following YAML to your GitHub pipeline. The `id-token: write` permission lets the job request an OIDC token, `azure/login` exchanges it for an Azure session, and every credential source other than the Azure CLI credential is excluded so the Trusted Signing step can only use that session:

```yaml
permissions:
  id-token: write
  contents: read

jobs:
  sign:
    runs-on: windows-latest
    steps:
      - name: Azure login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Trusted Signing
        # <version> is a placeholder: the pinned action version was lost in extraction
        uses: azure/trusted-signing-action@<version>
        with:
          # ... (remaining signing inputs omitted in the original)
          exclude-environment-credential: true
          exclude-workload-identity-credential: true
          exclude-managed-identity-credential: true
          exclude-shared-token-cache-credential: true
          exclude-visual-studio-credential: true
          exclude-visual-studio-code-credential: true
          exclude-azure-cli-credential: false
          exclude-azure-powershell-credential: true
          exclude-azure-developer-cli-credential: true
          exclude-interactive-browser-credential: true
```
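The following is an added example, not part of the action's documentation: a small Python linter that checks a workflow for the secretless OIDC pattern described above (ID-token permission granted, read-only contents, `azure/login` driven by OIDC rather than a stored credential, and the Trusted Signing step restricted to the Azure CLI credential that `azure/login` populates). It assumes the workflow has already been parsed into a dict (for example with PyYAML's `safe_load`, which is not included here), treats any `exclude-*` flag that is not set explicitly as a finding, and the two sample workflows are constructed for illustration.

```python
"""Lint a parsed GitHub Actions workflow for the secretless OIDC sign-in pattern.

Assumption: `wf` is the dict form of the workflow YAML (e.g. yaml.safe_load).
"""

# Credential sources the Trusted Signing step must explicitly exclude so that
# nothing but the azure/login (OIDC) session is consulted at signing time.
EXCLUDE_FLAGS = [
    "exclude-environment-credential",
    "exclude-workload-identity-credential",
    "exclude-managed-identity-credential",
    "exclude-shared-token-cache-credential",
    "exclude-visual-studio-credential",
    "exclude-visual-studio-code-credential",
    "exclude-azure-powershell-credential",
    "exclude-azure-developer-cli-credential",
    "exclude-interactive-browser-credential",
]
# This one must be present and false: it is the path that carries the OIDC session.
OIDC_SOURCE = "exclude-azure-cli-credential"


def _truthy(value):
    # Action inputs arrive as strings ("true"), YAML may also give real booleans.
    return str(value).strip().lower() == "true"


def lint_workflow(wf):
    """Return a list of human-readable findings; an empty list means the workflow passes."""
    findings = []
    perms = wf.get("permissions") or {}
    if perms.get("id-token") != "write":
        findings.append("permissions.id-token must be 'write' so the job can request an OIDC token")
    if perms.get("contents") not in (None, "read"):
        findings.append("permissions.contents should be 'read' (least privilege for a signing job)")

    for job_name, job in (wf.get("jobs") or {}).items():
        for step in job.get("steps") or []:
            uses = str(step.get("uses", ""))
            inputs = step.get("with") or {}
            if uses.startswith("azure/login@"):
                # 'creds' / 'client-secret' mean a long-lived secret is used instead of OIDC.
                if "creds" in inputs or "client-secret" in inputs:
                    findings.append(f"{job_name}: azure/login uses a stored secret instead of OIDC")
                for required in ("client-id", "tenant-id", "subscription-id"):
                    if required not in inputs:
                        findings.append(f"{job_name}: azure/login is missing '{required}'")
            elif uses.startswith("azure/trusted-signing-action@"):
                for flag in EXCLUDE_FLAGS:
                    if flag not in inputs:
                        findings.append(f"{job_name}: {flag} is not set explicitly (set it to true)")
                    elif not _truthy(inputs[flag]):
                        findings.append(f"{job_name}: {flag} should be true")
                if OIDC_SOURCE not in inputs:
                    findings.append(f"{job_name}: {OIDC_SOURCE} is not set explicitly (set it to false)")
                elif _truthy(inputs[OIDC_SOURCE]):
                    findings.append(f"{job_name}: {OIDC_SOURCE} must be false so the azure/login session is used")
    return findings


def _signing_step(overrides):
    # Helper: build a Trusted Signing step with all exclusions set, then apply overrides.
    inputs = {flag: "true" for flag in EXCLUDE_FLAGS}
    inputs[OIDC_SOURCE] = "false"
    inputs.update(overrides)
    # "<version>" is a placeholder, not a real release tag.
    return {"name": "Trusted Signing", "uses": "azure/trusted-signing-action@<version>", "with": inputs}


# Constructed sample: mirrors the recommended workflow above.
GOOD_WORKFLOW = {
    "permissions": {"id-token": "write", "contents": "read"},
    "jobs": {"sign": {"runs-on": "windows-latest", "steps": [
        {"name": "Azure login", "uses": "azure/login@v1", "with": {
            "client-id": "${{ secrets.AZURE_CLIENT_ID }}",
            "tenant-id": "${{ secrets.AZURE_TENANT_ID }}",
            "subscription-id": "${{ secrets.AZURE_SUBSCRIPTION_ID }}"}},
        _signing_step({}),
    ]}},
}

# Constructed sample: a weak variant that logs in with a stored JSON credential,
# grants write access to contents, forgets the id-token permission, leaves managed
# identity enabled and turns the OIDC path off.
WEAK_WORKFLOW = {
    "permissions": {"contents": "write"},
    "jobs": {"sign": {"runs-on": "windows-latest", "steps": [
        {"name": "Azure login", "uses": "azure/login@v1",
         "with": {"creds": "${{ secrets.AZURE_CREDENTIALS }}"}},
        _signing_step({"exclude-managed-identity-credential": "false", OIDC_SOURCE: "true"}),
    ]}},
}


if __name__ == "__main__":
    for label, wf in (("good", GOOD_WORKFLOW), ("weak", WEAK_WORKFLOW)):
        print(label, lint_workflow(wf) or "OK")
```

Run it as a pre-merge check on the workflow file (after loading it with a YAML parser) and fail the pipeline on any finding; the weak sample reports eight findings, the recommended one none.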