Skip to content

ci: Refactor pipeline and sample data uploading workflows and updated client secrets to oidc#2120

Open
Vamshi-Microsoft wants to merge 28 commits intoAzure-Samples:mainfrom
Vamshi-Microsoft:psl-pipeline-changes
Open

ci: Refactor pipeline and sample data uploading workflows and updated client secrets to oidc#2120
Vamshi-Microsoft wants to merge 28 commits intoAzure-Samples:mainfrom
Vamshi-Microsoft:psl-pipeline-changes

Conversation

@Vamshi-Microsoft
Copy link
Contributor

@Vamshi-Microsoft Vamshi-Microsoft commented Mar 13, 2026

Purpose

This pull request updates several GitHub Actions workflows to improve security, streamline Azure authentication, and simplify configuration. The main focus is on migrating from client secret–based authentication to OIDC (OpenID Connect) federated identity for Azure logins, enhancing secrets management, and making input handling more robust and flexible.

Key improvements include:

  • Migration to OIDC-based Azure authentication across CI/CD workflows, removing the need for client secrets.
  • Enhanced permissions and environment variable handling for better security and clarity.
  • Simplified and improved workflow input validation and resource group handling.
  • Updates to sample data import to automate storage access and data download.

Azure Authentication & Security

  • Migrated all workflows (ci.yml, build-docker.yml, import-sample-data-postgresql.yml) to use OIDC-based Azure authentication via the azure/login@v2 action, replacing client secret usage with federated tokens and removing related secrets and environment variables. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]

  • Updated workflow permissions to explicitly grant id-token: write for OIDC and limited other permissions to contents: read and packages: write where needed. [1] [2] [3] [4]

Workflow Input Handling & Validation

  • Made resource_group_name optional in deploy-v2.yml, with improved validation and messaging for auto-generation if not provided. Updated default runner OS logic and input passing to orchestrator workflow. [1] [2] [3] [4]

  • Removed the need to provide or validate the PostgreSQL host name as a workflow input in import-sample-data-postgresql.yml, simplifying the input requirements. [1] [2]

Docker Build & Registry

  • Refactored Docker build workflows to remove explicit username/password authentication for the registry, switching to Azure OIDC login and ACR login via CLI, and removed unnecessary input parameters. [1] [2] [3]

Sample Data Import Automation

  • Automated enabling public access on the Azure Storage account for sample data, downloading the data using Azure CLI, and setting up environment variables for downstream steps in the import-sample-data-postgresql.yml workflow.

Miscellaneous

  • Removed unused output variable RESOURCE_TOKEN from deploy-orchestrator.yml.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid

  • ...

Other Information

Vamshi-Microsoft and others added 28 commits February 18, 2026 12:09
@Vamshi-Microsoft
feat: Add USE_ADVANCED_IMAGE_PROCESSING input to deployment workflows
385b069
@Vamshi-Microsoft
feat: Add Advanced Image Processing output to deployment summary
f11752b
@Vamshi-Microsoft
Added Chunk_id
68e821c
@Vamshi-Microsoft
Merge branch 'main' of https://github.com/Vamshi-Microsoft/chat-with-…
dc15a8e 
…your-data-solution-accelerator
@Vamshi-Microsoft
Merge branch 'main' of https://github.com/Vamshi-Microsoft/chat-with-…
10d76d9 
…your-data-solution-accelerator
@Vamshi-Microsoft
feat: add script to import sample data into PostgreSQL from CSV
eae89f7 
- Created `import_sample_data_postgresql.sh` to facilitate importing data into the PostgreSQL vector_store table.
- The script validates input parameters, checks Azure CLI login status, and discovers PostgreSQL Flexible Server in the specified resource group.
- It handles network access configuration, adds necessary firewall rules, and installs required Azure CLI extensions.
- The script also adds the current user as a PostgreSQL Entra ID administrator and installs Python dependencies before importing data from a CSV file.
- Includes error handling and cleanup procedures to ensure proper execution and rollback of changes.
@Vamshi-Microsoft
Remove obsolete Azure Search index schema and add new import scripts …
338cf76 
…for sample data in CosmosDB and PostgreSQL with WAF support
@Vamshi-Microsoft
refactor: remove obsolete parameters and add discovery steps for Post…
0eaa31b 
…greSQL and CosmosDB workflows
@Harmanpreet-Microsoft
Fix admin page title validation and update Hebrew PDF filename in tests
a24f383 
- Updated the admin page title validation to check for substring match instead of exact match.
- Changed the Hebrew PDF filename in test cases to remove the space for consistency.
@Harmanpreet-Microsoft
fix: update test question for citation source validation
8bee3d4
@Vamshi-Microsoft
Added Sample data script for cosmos and modified Pipeline to create RG
dce721a
@Vamshi-Microsoft
Added cosmos pipeline
b97b6bd
@Vamshi-Microsoft
feat: add RG_TAGS environment variable and update resource group crea…
139c68a 
…tion tags
@Vamshi-Microsoft
Updated Sample data pipelines to fetch the data files from Storage ac…
6722a8f 
…count instead of keeping them within repo
@Vamshi-Microsoft
Minor fix
cb46a1f
@Vamshi-Microsoft
Remove ingestion scripts and associated documentation for Azure Searc…
0b6d651 
…h Service
@Vamshi-Microsoft
remove unused scipts
5a6afff
@Vamshi-Microsoft
Merge pull request #38 from Vamshi-Microsoft/pls-cwyd
c9a5ca8 
ci: Added tag support for RG and enhanced sample data importing steps
@Vamshi-Microsoft
Merge branch 'Azure-Samples:main' into main
cb90067
@Vamshi-Microsoft
Fix echo statement for resource group creation confirmation in deploy…
b0e0b72 
…ment workflow
@Vamshi-Microsoft
Change default runner OS to 'Local' in deployment workflow
1f7afdb
@Vamshi-Microsoft
Change default runner OS to 'windows-latest' in deployment workflow
d579159
@Vamshi-Microsoft
enable public access sample data storage account
ebe52d2
@Harmanpreet-Microsoft
Enhance citation testing by adding multiple questions and improving r…
7867d17 
…eference link checks
@Vamshi-Microsoft
Enhance quota check process for OpenAI and Azure Search by refining r…
53a15bc 
…egion validation and error handling
@Vamshi-Microsoft
Add data file information to workflow summary for CosmosDB and Postgr…
0638247 
…eSQL imports
@Harmanpreet-Microsoft
Refactor citation test case to improve question variety and enhance l…
40c7936 
…ogging for better traceability
@Vamshi-Microsoft
Migrated client secrets to Odic
f4b4073
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Avijit-Microsoft Avijit-Microsoft Awaiting requested review from Avijit-Microsoft Avijit-Microsoft is a code owner

@Roopan-Microsoft Roopan-Microsoft Awaiting requested review from Roopan-Microsoft Roopan-Microsoft is a code owner

@Prajwal-Microsoft Prajwal-Microsoft Awaiting requested review from Prajwal-Microsoft Prajwal-Microsoft is a code owner

@Fr4nc3 Fr4nc3 Awaiting requested review from Fr4nc3 Fr4nc3 is a code owner

@Vinay-Microsoft Vinay-Microsoft Awaiting requested review from Vinay-Microsoft Vinay-Microsoft is a code owner

@aniaroramsft aniaroramsft Awaiting requested review from aniaroramsft aniaroramsft is a code owner

@toherman-msft toherman-msft Awaiting requested review from toherman-msft toherman-msft is a code owner

@nchandhi nchandhi Awaiting requested review from nchandhi nchandhi is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Vamshi-Microsoft @Harmanpreet-Microsoft