-
Notifications
You must be signed in to change notification settings - Fork 0
65 lines (57 loc) · 3.53 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
name: Download from Azure Artifacts without secrets (full logging)
on:
push:
branches:
- main
permissions:
id-token: write
jobs:
ubuntu-latest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: "example JWT"
run: |
export JWT=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange")
export JSON=$(echo $JWT | jq -r .value | tr '.' '\n' | tail -n +2 | tr -d '\n' | base64 --decode | jq)
echo $JSON
# login as MSI
# this will only work from this repo on the main branch because the MSI's federated credential is
# configured with this subject identifier: `repo:johnterickson/actions-oidc-demo:ref:refs/heads/main`
- name: "Az CLI login"
uses: azure/login@v1
with:
client-id: "0219b319-b051-4079-b778-933db7596e59" # 'johnterickson--actions-oidc-demo--main--ReadPackages'
tenant-id: "6175198f-8863-49c8-ad4a-3ce4364763a8" # 'johntericksonlive.onmicrosoft.com'
subscription-id: "dcd6a152-f532-4435-9f36-f5b2c5c14939" # Visual Studio Enterprise Subscription
- name: "confirm MSI works"
run: az account list
- name: "extract AAD access token for MSI (valid for about an hour)"
run: |
export AZDO_ACCESSTOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 | jq -r .accessToken)
(echo $AZDO_ACCESSTOKEN | tr '.' '\n' | tail -n +2 | tr -d '\n' | base64 --decode | jq ) || true
echo "AZDO_ACCESSTOKEN=$AZDO_ACCESSTOKEN" >> $GITHUB_ENV
- name: "example: curl with bearer auth"
run: |
set -e
curl -H "Authorization: Bearer $AZDO_ACCESSTOKEN" https://pkgs.dev.azure.com/johnterickson/PrivateRepros/_packaging/PrivateFeed2/nuget/v3/index.json
curl -H "Authorization: Bearer $AZDO_ACCESSTOKEN" -L -o microsoft.identitymodel.abstractions.6.22.0.nupkg https://pkgs.dev.azure.com/johnterickson/ee787130-34df-4a6f-be9e-772090d4dc7d/_packaging/eff55061-a595-4da6-b22a-1174acf20595/nuget/v3/flat2/microsoft.identitymodel.abstractions/6.22.0/microsoft.identitymodel.abstractions.6.22.0.nupkg
ls -l microsoft.identitymodel.abstractions.6.22.0.nupkg
rm microsoft.identitymodel.abstractions.6.22.0.nupkg
- name: "example: curl with basic auth (similar to PAT)"
run: |
set -e
curl -u "user:$AZDO_ACCESSTOKEN" https://pkgs.dev.azure.com/johnterickson/PrivateRepros/_packaging/PrivateFeed2/nuget/v3/index.json
curl -u "user:$AZDO_ACCESSTOKEN" -L -o microsoft.identitymodel.abstractions.6.22.0.nupkg https://pkgs.dev.azure.com/johnterickson/ee787130-34df-4a6f-be9e-772090d4dc7d/_packaging/eff55061-a595-4da6-b22a-1174acf20595/nuget/v3/flat2/microsoft.identitymodel.abstractions/6.22.0/microsoft.identitymodel.abstractions.6.22.0.nupkg
ls -l microsoft.identitymodel.abstractions.6.22.0.nupkg
rm microsoft.identitymodel.abstractions.6.22.0.nupkg
# Azure Artifacts example
- name: "install cred provider"
run: sh -c "$(curl -fsSL https://aka.ms/install-artifacts-credprovider.sh)"
- name: "configure artifacts cred provider to use AZDO_ACCESSTOKEN"
run: |
echo "VSS_NUGET_ACCESSTOKEN=$AZDO_ACCESSTOKEN" >> $GITHUB_ENV
echo "VSS_NUGET_URI_PREFIXES=https://pkgs.dev.azure.com/johnterickson/" >> $GITHUB_ENV
- name: "dotnet restore"
run: |
dotnet restore -v diag