
OIDC.md


Authenticating with OpenID Connect

Follow the steps below to authenticate with OpenID Connect:

  1. Create a Microsoft Entra application and service principal

  2. Add federated credentials

  3. Create GitHub secrets

  4. Assign the Trusted Signing Certificate Profile Signer role to your service principal.

    1. Open your Trusted Signing Account in the Azure portal.
      1. Note: You can assign the role from your Resource Group or Subscription if you have multiple Trusted Signing accounts.
    2. Navigate to the Access Control (IAM) tab.
    3. Click 'Add role assignment'.
    4. Select 'Trusted Signing Certificate Profile Signer'.
    5. Click 'Next'.
    6. Assign access to your 'User, group, or service principal' or 'Managed identity'.
    7. Click 'Review + assign'.
  5. Adapt the following YAML to your GitHub pipeline:

    permissions:
      id-token: write
      contents: read
    
    jobs:
      sign:
        runs-on: windows-latest
    
        steps:
          - name: Azure login
            uses: azure/login@v1
            with:
              client-id: ${{ secrets.AZURE_CLIENT_ID }}
              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
              subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    
          - name: Trusted Signing
            uses: azure/trusted-signing-action@<version>  # placeholder: pin to a released tag
            with:
              ...
              exclude-environment-credential: true
              exclude-workload-identity-credential: true
              exclude-managed-identity-credential: true
              exclude-shared-token-cache-credential: true
              exclude-visual-studio-credential: true
              exclude-visual-studio-code-credential: true
              exclude-azure-cli-credential: false
              exclude-azure-powershell-credential: true
              exclude-azure-developer-cli-credential: true
              exclude-interactive-browser-credential: true
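
The federated credential from step 2 only lets a workflow run sign if the token GitHub issues for that run (enabled by `id-token: write`) carries the issuer, subject and audience stored on the credential. The following is an added diagnostic example, not part of this action's documentation: it decodes a token's claims and reports which of the three fields would not match. The repository name `contoso/app`, the sample tokens and the exact-equality matching model are assumptions made for illustration.

```python
import base64
import json

# GitHub's OIDC issuer and the audience azure/login requests by default.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ENTRA_AUDIENCE = "api://AzureADTokenExchange"

# Constructed credential: only runs on main of a hypothetical repo may sign.
CREDENTIAL = {
    "issuer": GITHUB_ISSUER,
    "subject": "repo:contoso/app:ref:refs/heads/main",
    "audiences": [ENTRA_AUDIENCE],
}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def mismatches(claims: dict, credential: dict) -> list:
    """Return the fields that differ, modelled as exact, case-sensitive equality."""
    problems = []
    if claims.get("iss") != credential["issuer"]:
        problems.append("issuer")
    if claims.get("sub") != credential["subject"]:
        problems.append("subject")
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    if not set(token_auds) & set(credential["audiences"]):
        problems.append("audience")
    return problems


def make_sample_token(sub: str) -> str:
    """Build an unsigned, constructed token so the demo runs offline."""
    claims = {"iss": GITHUB_ISSUER, "aud": ENTRA_AUDIENCE, "sub": sub}
    parts = [json.dumps(p).encode() for p in ({"alg": "none"}, claims)]
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts) + "."


if __name__ == "__main__":
    for sub in ("repo:contoso/app:ref:refs/heads/main", "repo:contoso/app:pull_request"):
        token = make_sample_token(sub)
        print(sub, "->", mismatches(jwt_claims(token), CREDENTIAL) or "match")
```

Scoping the credential's subject to a protected branch or environment means a pull-request run of the same workflow receives a different subject and cannot obtain a signing token.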