diff --git a/.github/workflows/frontend_ci.yml b/.github/workflows/frontend_ci.yml
index 9f9e76d9..42cdc1f3 100644
--- a/.github/workflows/frontend_ci.yml
+++ b/.github/workflows/frontend_ci.yml
@@ -1,53 +1,63 @@ # week08/.github/workflows/frontend_ci.yml - name: Frontend CI - Build & Push Image on: - # Manual trigger workflow_dispatch: - - # Automatically on pushes to main branch push: - branches: - - main - paths: # Only trigger if changes are in the frontend directory + branches: [ main ] + paths: - 'frontend/**' - - '.github/workflows/frontend_ci.yml' # Trigger if this workflow file changes + - '.github/workflows/frontend_ci.yml' -# Define global environment variables that can be used across jobs +# OIDC requires this +permissions: + id-token: write + contents: read + +# Global env env: - # ACR Login Server (e.g., myregistry.azurecr.io) - # This needs to be set as a GitHub Repository Secret + # Put login server here, e.g. myregistry.azurecr.io ACR_LOGIN_SERVER: ${{ secrets.AZURE_CONTAINER_REGISTRY }} - # Dynamically generate image tags based on Git SHA and GitHub Run ID - # This provides unique, traceable tags for each image build - IMAGE_TAG: ${{ github.sha }}-${{ github.run_id }} + # Unique, traceable tag + IMAGE_TAG: sha-${{ github.sha }} jobs: build_and_push_frontend: runs-on: ubuntu-latest + # IMPORTANT: this must match the environment you used in Azure federated credentials + environment: staging + steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Azure login using a Service Principal secret - - name: Azure Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - # Login to Azure Container Registry (ACR) - - name: Login to Azure Container Registry - run: az acr login --name ${{ env.ACR_LOGIN_SERVER }} - - # Build and Push Docker image for Frontend - - name: Build and Push Frontend Image - run: | - docker build -t ${{ env.ACR_LOGIN_SERVER }}/frontend:latest ./frontend/ - docker push ${{ env.ACR_LOGIN_SERVER }}/frontend:latest - - # Logout from Azure for security (runs even if image push fails) - - name: Logout from Azure - run: az logout - if: always() + - name: Checkout repository + uses: 
actions/checkout@v4 + + # OIDC login (no client secret / no creds JSON) + - name: Azure Login (OIDC) + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Quick sanity: show account (helps with screenshots & debugging) + - name: Sanity check + run: az account show + + # ACR login: --name expects the REGISTRY NAME, not the login server + - name: Login to Azure Container Registry + run: | + ACR_NAME="${ACR_LOGIN_SERVER%%.*}" # strip .azurecr.io + az acr login --name "$ACR_NAME" + + # Build & push with immutable tag AND latest (optional) + - name: Build and Push Frontend Image + run: | + docker build -t $ACR_LOGIN_SERVER/frontend:${IMAGE_TAG} ./frontend + docker tag $ACR_LOGIN_SERVER/frontend:${IMAGE_TAG} $ACR_LOGIN_SERVER/frontend:latest + docker push $ACR_LOGIN_SERVER/frontend:${IMAGE_TAG} + docker push $ACR_LOGIN_SERVER/frontend:latest + + - name: Logout from Azure + if: always() + run: az logout
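Review bot: The newly added `uses: azure/login@v2` (and the retained `actions/checkout@v4`) resolve a mutable tag at run time, so the job that now holds an `id-token: write` OIDC credential executes whatever the tag points to on each run; pin both to a full commit SHA with the version kept in a trailing comment, e.g. `uses: azure/login@<commit-sha-placeholder> # v2`, and let Dependabot or Renovate move the pin. The `Sanity check` step dumps the entire `az account show` document into the job log; GitHub masks only values that exactly match a configured secret, so the remaining account fields stay visible to anyone who can read the run, and narrowing it to `run: az account show --query name -o tsv` (or removing the step once the federated credential is confirmed) gives the same signal with less exposure. Pushing `frontend:latest` beside the immutable `sha-…` tag keeps a floating reference in the registry; since the comment already marks it optional, dropping the two `latest` lines would leave consumers with only the traceable tag to deploy from.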