docs(ci): document e2e-azure OIDC federated credential setup#192
Merged
Adds maintainer-facing documentation for the OIDC federated credential required by the e2e-azure workflow's Azure login step. The repo rename to add the '-python' suffix invalidated the existing federated credential, causing AADSTS700213 failures on tag pushes.

- docs/testing.md: new 'Federated Credential (OIDC) Setup' subsection documenting the exact OIDC subject (repo:yeongseon/azure-functions-validation-python:environment:azure-e2e), subject composition (owner/repo vs PyPI/import name), case-sensitivity, and a new 'Troubleshooting' subsection for AADSTS700213 with typical causes and recovery steps. Also corrects stale trigger text and clarifies the source of secrets vs vars.
- .github/workflows/e2e-azure.yml: adds inline maintainer comments above the 'environment: azure-e2e' declaration in both jobs pointing to the docs and stating the expected OIDC subject.

This PR satisfies acceptance item #5 only. Items 1-4 require Azure portal access to (1) confirm the AD app registration behind AZURE_CLIENT_ID and (2) add or update the federated credential to match the new subject, then re-run the workflow to verify.

Refs #183
Summary
Closes part of #183 (documentation only — items 1-4 require Azure portal access).
Adds maintainer-facing documentation for the OIDC federated credential required by the
`e2e-azure` workflow's Azure login step. The repo rename to add the `-python` suffix invalidated the existing federated credential, producing `AADSTS700213: No matching federated identity record found` on tag pushes.

Changes

- `docs/testing.md`
  - Corrects stale trigger text (… "`v*`) or manual (`workflow_dispatch`)").
  - Clarifies that `AZURE_CLIENT_ID` / `AZURE_TENANT_ID` / `AZURE_SUBSCRIPTION_ID` come from the `azure-e2e` GitHub Environment, while `AZURE_LOCATION` is read from the `vars` context with a fallback to `koreacentral`.
  - New "Federated Credential (OIDC) Setup" subsection documenting the exact OIDC subject: `repo:yeongseon/azure-functions-validation-python:environment:azure-e2e`.
  - Documents the subject composition (`repo:<owner>/<repo>:environment:<environment_name>`) with an explicit note that `<owner>/<repo>` is the GitHub repo slug, not the PyPI package name (`azure-functions-validation`) or the Python import name (`azure_functions_validation`).
  - New "Troubleshooting" `AADSTS700213` subsection with typical causes (rename, environment change, wrong app registration) and recovery steps.
- `.github/workflows/e2e-azure.yml`
  - Inline maintainer comment above `environment: azure-e2e` in the `deploy_and_test` job stating the expected OIDC subject and pointing to `docs/testing.md`. Placed near `environment:` (not near `azure/login`) because the environment declaration is what drives the OIDC `sub` claim.
  - The same comment above `environment: azure-e2e` in the `cleanup` job.

What this PR does NOT do
This PR addresses only acceptance item #5 of #183 ("Add a short maintainer note documenting the expected OIDC subject"). Items 1–4 require Azure-side action that cannot be performed from code:
- Confirm the AD app registration behind `AZURE_CLIENT_ID`.
- Add or update the federated credential so its subject is `repo:yeongseon/azure-functions-validation-python:environment:azure-e2e` (issuer `https://token.actions.githubusercontent.com`, audience `api://AzureADTokenExchange`).
- Re-run `e2e-azure.yml` and confirm `Azure login (OIDC)` succeeds.

After the maintainer applies the Azure-side fix and re-runs the workflow, this issue can be closed.
Validation
- `python3 -c "import yaml; yaml.safe_load(open('.github/workflows/e2e-azure.yml'))"` → OK.
- `mkdocs.yml` already includes `docs/testing.md` under Contributing → Testing, so the new subsections are discoverable in the published docs without nav changes.

Review process

- … `AZURE_LOCATION` source) before commit.
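The subject-composition rules and the `AADSTS700213` diagnosis described in this PR, as an added worked example (not code from the azure-functions-validation-python project or from the PR). It predicts the `sub` claim GitHub Actions will emit for a job (environment subject takes precedence over pull-request and ref subjects), decodes the payload of an OIDC token for inspection, and checks the predicted subject against federated-credential records. The credential records and the token are constructed, hand-written samples shaped like the output of `az ad app federated-credential list` and a GitHub OIDC JWT; the pre-rename repo slug `yeongseon/azure-functions-validation` and the credential names are assumptions.

```python
"""Predict the GitHub Actions OIDC `sub` claim and check it against Azure
federated credentials.  Constructed example; sample data below is made up."""

import base64
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"
REPO_SLUG = "yeongseon/azure-functions-validation-python"   # GitHub owner/repo, not the PyPI/import name


def expected_subject(repo_slug, environment=None, event=None, ref=None):
    """Compose the subject GitHub puts in the token.

    A job that declares `environment:` always gets the environment form,
    whatever event triggered it (which is why the comment in the PR sits next
    to `environment:` rather than `azure/login`).  Without an environment,
    pull_request events get `:pull_request` and everything else `:ref:<ref>`.
    """
    if environment:
        return f"repo:{repo_slug}:environment:{environment}"
    if event == "pull_request":
        return f"repo:{repo_slug}:pull_request"
    if ref:
        return f"repo:{repo_slug}:ref:{ref}"
    raise ValueError("need an environment, a pull_request event, or a ref")


def token_claims(jwt):
    """Decode (WITHOUT verifying) a JWT payload so iss/sub/aud can be read.
    Inspection only; never trust an unverified token for authorization."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(subject, credentials):
    """Return (ok, reasons).  Azure matches issuer, subject and audience
    exactly; the subject comparison is case-sensitive, so a record that
    matches only case-insensitively still yields AADSTS700213."""
    reasons = []
    for cred in credentials:
        if cred["issuer"] != GITHUB_ISSUER:
            continue
        if AZURE_AUDIENCE not in cred.get("audiences", []):
            reasons.append(f"{cred['name']}: audience {cred.get('audiences')} != {AZURE_AUDIENCE}")
            continue
        if cred["subject"] == subject:
            return True, []
        if cred["subject"].lower() == subject.lower():
            reasons.append(f"{cred['name']}: subject {cred['subject']!r} differs only in case")
        else:
            hint = ""
            old_slug = cred["subject"].split(":")[1]
            if subject.split(":")[1].startswith(old_slug):
                hint = " (looks like a pre-rename repo slug)"
            reasons.append(f"{cred['name']}: subject {cred['subject']!r} != {subject!r}{hint}")
    if not reasons:
        reasons.append(f"no federated credential with issuer {GITHUB_ISSUER}")
    return False, reasons


# Constructed sample: one stale pre-rename record and one with wrong case.
SAMPLE_CREDENTIALS = [
    {"name": "github-e2e", "issuer": GITHUB_ISSUER,
     "subject": "repo:yeongseon/azure-functions-validation:environment:azure-e2e",
     "audiences": [AZURE_AUDIENCE]},
    {"name": "github-e2e-caps", "issuer": GITHUB_ISSUER,
     "subject": "repo:Yeongseon/azure-functions-validation-python:environment:Azure-E2E",
     "audiences": [AZURE_AUDIENCE]},
]

# Constructed, unsigned token with the claims a tag-push job in the
# azure-e2e environment would carry (signature part is a placeholder).
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": GITHUB_ISSUER, "aud": AZURE_AUDIENCE,
             "sub": f"repo:{REPO_SLUG}:environment:azure-e2e",
             "ref": "refs/tags/v1.2.3", "event_name": "push"}),
    "placeholder-signature",
])


def fixed_credential():
    """The record the maintainer has to add on the Azure side."""
    return {"name": "github-e2e-python", "issuer": GITHUB_ISSUER,
            "subject": expected_subject(REPO_SLUG, environment="azure-e2e"),
            "audiences": [AZURE_AUDIENCE]}


if __name__ == "__main__":
    sub = token_claims(SAMPLE_TOKEN)["sub"]
    ok, why = diagnose(sub, SAMPLE_CREDENTIALS)
    print("before fix:", ok, *why, sep="\n  ")
    print("after fix:", diagnose(sub, SAMPLE_CREDENTIALS + [fixed_credential()])[0])
```

Run it against real data by replacing `SAMPLE_CREDENTIALS` with the parsed JSON from `az ad app federated-credential list --id <app-object-id>` and `SAMPLE_TOKEN` with a token obtained inside the workflow; the `diagnose` output is the list of reasons the login step would fail before touching the portal.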