From 8c19ef9ca62a2b65ccc25db99aee641b0616aa6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9mence=20Lesn=C3=A9?=
Date: Tue, 19 Nov 2024 13:09:55 +0100
Subject: [PATCH] security: Use OAuth to connect to Azure in pipeline
---
 .github/workflows/pipeline.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
index be7a5517..f925a7dc 100644
--- a/.github/workflows/pipeline.yaml
+++ b/.github/workflows/pipeline.yaml
@@ -265,6 +265,9 @@ jobs:
 static-test:
 name: Static test
+ permissions:
+ contents: read
+ id-token: write
 runs-on: ubuntu-24.04
 steps:
 - name: Checkout
@@ -285,7 +288,9 @@ jobs:
 - name: Login to Azure
 uses: azure/login@v2.2.0
 with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 - name: Run tests
 run: |
@@ -882,6 +887,9 @@ jobs:
 integration-test-linux:
 name: Integration test (Linux ${{ matrix.os }})
+ permissions:
+ contents: read
+ id-token: write
 needs:
 - build-release-linux
 - init
@@ -917,7 +925,9 @@ jobs:
 - name: Login to Azure
 uses: azure/login@v2.2.0
 with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 - name: Deploy Bicep
 run: |
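Review bot: `id-token: write` is granted to the whole `static-test` job rather than to the login step alone, so what the resulting token is worth is decided entirely on the Azure side, which the diff does not show. The federated credential behind `AZURE_CLIENT_ID` should match a narrow subject (this repository plus a specific branch or environment) and the service principal should hold only the roles the tests need. A job-level `permissions` block also sets every unlisted scope to none, so confirm that no later step in the job depends on another scope. A short comment above the block would help, for example `# id-token: write lets azure/login request an OIDC token; contents: read is for checkout`. The same applies to the `integration-test-linux` hunk; both job bodies continue outside the hunks.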
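Review bot: `azure/login@v2.2.0` is referenced by a tag, which is mutable, and with this change the action runs in a job that is allowed to request OIDC tokens; pinning it to the release's full commit SHA, `uses: azure/login@<full-commit-sha> # v2.2.0`, removes the dependency on the tag staying put. The `uses:` line is context here, so this is a follow-up rather than a fault of the change. Separately, the commit only removes the reference to `AZURE_CREDENTIALS`: that secret, and the service-principal secret it presumably holds, stay valid until the secret is deleted from the repository settings and the credential is revoked on the app registration, which is worth stating in the commit description. Both points apply equally to the login step in `integration-test-linux`.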