From 3ea23537e27688442ecf2ff43b3ac0634214c973 Mon Sep 17 00:00:00 2001
From: Ashoksadineni
Date: Wed, 1 Oct 2025 18:23:49 +0530
Subject: [PATCH 1/3] Update frontend_ci.yml
---
 .github/workflows/frontend_ci.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/frontend_ci.yml b/.github/workflows/frontend_ci.yml
index 9f9e76d9..f945cf6b 100644
--- a/.github/workflows/frontend_ci.yml
+++ b/.github/workflows/frontend_ci.yml
@@ -32,10 +32,15 @@ jobs:
 uses: actions/checkout@v4
 # Azure login using a Service Principal secret
- - name: Azure Login
- uses: azure/login@v1
- with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
+ # - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ - uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 # Login to Azure Container Registry (ACR)
 - name: Login to Azure Container Registry
From 700e265e195c7606d43798814638c0e2518337db Mon Sep 17 00:00:00 2001
From: Ashoksadineni
Date: Wed, 1 Oct 2025 18:39:21 +0530
Subject: [PATCH 2/3] Update frontend_ci.yml
---
 .github/workflows/frontend_ci.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/frontend_ci.yml b/.github/workflows/frontend_ci.yml
index f945cf6b..68b85a6e 100644
--- a/.github/workflows/frontend_ci.yml
+++ b/.github/workflows/frontend_ci.yml
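Review bot: The new `azure/login@v2` step switches to federated (OIDC) login — client-id, tenant-id and subscription-id with no client secret — but nothing in this patch grants the job `id-token: write`, so the action cannot obtain the GitHub OIDC token and the login step fails; the third patch in this series adds that block, so this commit does not work on its own. Once federated login is confirmed, the `AZURE_CREDENTIALS` secret (a service-principal client secret in JSON) should be removed from the repository secrets and the underlying credential revoked, otherwise the long-lived secret this change is meant to retire stays valid. The four commented-out v1 lines should be deleted rather than carried along, and the step has lost its `name:`. Proposed for the job: `permissions:` with `id-token: write` and `contents: read`.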
@@ -31,16 +31,16 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v4
- # Azure login using a Service Principal secret
- # - name: Azure Login
- # uses: azure/login@v1
- # with:
- # creds: ${{ secrets.AZURE_CREDENTIALS }}
- - uses: azure/login@v2
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ #Azure login using a Service Principal secret
+ - name: Azure Login
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_CREDENTIALS }}
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 # Login to Azure Container Registry (ACR)
 - name: Login to Azure Container Registry
From 45646a42075aea51107dd39a4968811fcc30c04c Mon Sep 17 00:00:00 2001
From: Ashoksadineni
Date: Wed, 1 Oct 2025 18:48:24 +0530
Subject: [PATCH 3/3] Update frontend_ci.yml
---
 .github/workflows/frontend_ci.yml | 89 ++++++++++++++++---------------
 1 file changed, 47 insertions(+), 42 deletions(-)
diff --git a/.github/workflows/frontend_ci.yml b/.github/workflows/frontend_ci.yml
index 68b85a6e..42cdc1f3 100644
--- a/.github/workflows/frontend_ci.yml
+++ b/.github/workflows/frontend_ci.yml
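Review bot: The three commented-out v1 lines now sit between `name:` and `uses:` inside the step mapping, and the rewritten comment `#Azure login using a Service Principal secret` both lacks the space after `#` and no longer describes the step, which logs in with a federated credential rather than a secret. Delete the commented-out lines and replace the comment with `# Azure login via OIDC federated credential (no client secret)`.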
@@ -1,58 +1,63 @@ # week08/.github/workflows/frontend_ci.yml - name: Frontend CI - Build & Push Image on: - # Manual trigger workflow_dispatch: - - # Automatically on pushes to main branch push: - branches: - - main - paths: # Only trigger if changes are in the frontend directory + branches: [ main ] + paths: - 'frontend/**' - - '.github/workflows/frontend_ci.yml' # Trigger if this workflow file changes + - '.github/workflows/frontend_ci.yml' -# Define global environment variables that can be used across jobs +# OIDC requires this +permissions: + id-token: write + contents: read + +# Global env env: - # ACR Login Server (e.g., myregistry.azurecr.io) - # This needs to be set as a GitHub Repository Secret + # Put login server here, e.g. myregistry.azurecr.io ACR_LOGIN_SERVER: ${{ secrets.AZURE_CONTAINER_REGISTRY }} - # Dynamically generate image tags based on Git SHA and GitHub Run ID - # This provides unique, traceable tags for each image build - IMAGE_TAG: ${{ github.sha }}-${{ github.run_id }} + # Unique, traceable tag + IMAGE_TAG: sha-${{ github.sha }} jobs: build_and_push_frontend: runs-on: ubuntu-latest + # IMPORTANT: this must match the environment you used in Azure federated credentials + environment: staging + steps: - - name: Checkout repository - uses: actions/checkout@v4 - - #Azure login using a Service Principal secret - - name: Azure Login - # uses: azure/login@v1 - # with: - # creds: ${{ secrets.AZURE_CREDENTIALS }} - uses: azure/login@v2 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Login to Azure Container Registry (ACR) - - name: Login to Azure Container Registry - run: az acr login --name ${{ env.ACR_LOGIN_SERVER }} - - # Build and Push Docker image for Frontend - - name: Build and Push Frontend Image - run: | - docker build -t ${{ env.ACR_LOGIN_SERVER }}/frontend:latest ./frontend/ - docker push ${{ env.ACR_LOGIN_SERVER 
}}/frontend:latest - - # Logout from Azure for security (runs even if image push fails) - - name: Logout from Azure - run: az logout - if: always() + - name: Checkout repository + uses: actions/checkout@v4 + + # OIDC login (no client secret / no creds JSON) + - name: Azure Login (OIDC) + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Quick sanity: show account (helps with screenshots & debugging) + - name: Sanity check + run: az account show + + # ACR login: --name expects the REGISTRY NAME, not the login server + - name: Login to Azure Container Registry + run: | + ACR_NAME="${ACR_LOGIN_SERVER%%.*}" # strip .azurecr.io + az acr login --name "$ACR_NAME" + + # Build & push with immutable tag AND latest (optional) + - name: Build and Push Frontend Image + run: | + docker build -t $ACR_LOGIN_SERVER/frontend:${IMAGE_TAG} ./frontend + docker tag $ACR_LOGIN_SERVER/frontend:${IMAGE_TAG} $ACR_LOGIN_SERVER/frontend:latest + docker push $ACR_LOGIN_SERVER/frontend:${IMAGE_TAG} + docker push $ACR_LOGIN_SERVER/frontend:latest + + - name: Logout from Azure + if: always() + run: az logout
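Review bot: The new `Sanity check` step runs `az account show`, which prints the signed-in identity into the job log — typically subscription id and display name, tenant id, and the service principal's app id; the values that arrive via `secrets.*` are masked, but the subscription display name and other fields are not, and on a public repository the log is world-readable, so a debugging aid kept "for screenshots" should not ship in the workflow. If a check is wanted, narrow it to `run: az account show --query name -o tsv`, or drop the step. Separately, every action is pinned to a floating major tag (`actions/checkout@v4`, `azure/login@v2`); pinning to a full commit SHA with the tag in a trailing comment protects a job that holds `id-token: write` from a moved tag. The `permissions` block could also live on the job rather than at workflow level so that jobs added later do not inherit the OIDC token grant.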