
Migrate Windows code signing from client secret to OIDC#12911

Merged: BagToad merged 1 commit into trunk from kw/deployment-oidc on Mar 12, 2026

Conversation

BagToad (Member) commented Mar 12, 2026

Summary

Replaces AZURE_CLIENT_SECRET-based authentication for Windows code signing with OIDC federated identity credentials via azure/login@v2.

Changes

  • Add azure/login@v2 step before signing (production only) to establish OIDC session
  • Remove AZURE_CLIENT_SECRET from both the .exe signing (GoReleaser) and .msi signing steps
  • Keep AZURE_CLIENT_ID and AZURE_TENANT_ID env vars for DefaultAzureCredential identification

Prerequisites completed

  • OIDC subject customization set on cli/cli (repository_owner_id, repository_id, context)
  • id-token: write permission already present at workflow level

Companion work

Modeled after desktop's identical migration: desktop/desktop#21786

Notes for reviewer

Please see the successful test run using this workflow: https://github.com/cli/cli/actions/runs/22981502108/job/66722159067

BagToad force-pushed the kw/deployment-oidc branch from 00d79d2 to bd12a06 on March 12, 2026 00:42

Copilot AI (Contributor) left a comment

Pull request overview

Migrates Windows release code signing in the deployment workflow from client-secret auth to OIDC-based authentication using azure/login@v2, aligning with the Trusted Signing/DefaultAzureCredential flow and removing long-lived secrets from the workflow.

Changes:

  • Add azure/login@v2 (production-only) to establish an Azure auth session for code signing via OIDC.
  • Remove AZURE_CLIENT_SECRET from Windows .exe (GoReleaser) and .msi signing environments.
  • Keep AZURE_CLIENT_ID / AZURE_TENANT_ID environment variables for identity selection.

Comments suppressed due to low confidence (1)

.github/workflows/deployment.yml:226

  • azure/login@v2 only runs for production, but the GoReleaser build step still sets DLIB_PATH/METADATA_PATH unconditionally. Since .goreleaser.yml always runs pwsh .\script\sign.ps1 as a post-hook for Windows builds, staging runs will still attempt to code-sign but won’t have an authenticated Azure session (and may also not have these environment-scoped secrets), which is likely to fail the build. Consider only setting DLIB_PATH/METADATA_PATH (and Azure env vars, if only needed for signing) when inputs.environment == 'production', so script/sign.ps1 reliably skips signing outside production, or alternatively run azure/login for all environments where signing is expected to occur.
      - name: Authenticate to Azure for code signing
        if: inputs.environment == 'production'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
          tenant-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
          allow-no-subscriptions: true
      # Azure Code Signing authenticates via OIDC (azure/login above). AZURE_CLIENT_ID and AZURE_TENANT_ID
      # are still passed so DefaultAzureCredential can identify the service principal.
      - name: Build release binaries
        shell: bash
        env:
          AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
          DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
          TAG_NAME: ${{ inputs.tag_name }}
        run: script/release --local "$TAG_NAME" --platform windows


BagToad merged commit 2bf1669 into trunk on Mar 12, 2026
25 of 26 checks passed
BagToad deleted the kw/deployment-oidc branch on March 12, 2026 09:02