Federated identity is not working with dependabot Prs
helayoty opened this issue · comments
I'm facing an issue while using the login GitHub action with Dependabot PRs (other PRs are working fine). The login fails with the following error:
Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows
We added a federated identity credential to handle Dependabot branches, similar to the dependabot/github_actions/* pattern, but it still fails.
More info
- Runner: GitHub-hosted runners. Linux.
- The screenshot of federated identity settings in Azure Portal:
![Screenshot 2023-11-22 at 8 24 26 PM](https://private-user-images.githubusercontent.com/31887807/285100291-cddd7449-8fdc-45bb-b048-6bb153ca0667.png)
```yaml
on:
  workflow_dispatch: {}
  push:
    branches: [main]
  pull_request:
    branches: [main]
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout
jobs:
  e2e-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-go@v4
      - name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: true
          fetch-depth: 0
      - name: Install Azure CLI latest
        run: |
          if ! which az > /dev/null; then
            echo "Azure CLI not found. Installing..."
            curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
          else
            echo "Azure CLI already installed."
          fi
      - uses: azure/login@v1.4.6
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          allow-no-subscriptions: true
```
- Rerun workflow with debug mode:

```text
##[debug]Evaluating condition for step: 'Run azure/login@v1.4.6'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run azure/login@v1.4.6
##[debug]Loading inputs
##[debug]Evaluating: secrets.AZURE_CLIENT_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'AZURE_CLIENT_ID'
##[debug]=> null
##[debug]Result: null
##[debug]Evaluating: secrets.AZURE_TENANT_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]..Evaluating String:
##[debug]..=> 'AZURE_TENANT_ID'
##[debug]=> null
##[debug]Result: null
##[debug]Loading env
Run azure/login@v1.4.6
##[debug]az cli version used: /usr/bin/az
##[debug]az cli version used:
##[debug]azure-cli 2.54.0
##[debug]
##[debug]core 2.54.0
##[debug]telemetry 1.1.0
##[debug]
##[debug]Extensions:
##[debug]azure-devops 0.26.0
##[debug]
##[debug]Dependencies:
##[debug]msal 1.24.0b2
##[debug]azure-mgmt-resource 23.1.0b2
##[debug]
##[debug]Python location '/opt/az/bin/python3'
##[debug]Extensions directory '/opt/az/azcliextensions'
##[debug]
##[debug]Python (Linux) 3.11.5 (main, Nov 8 2023, 05:20:54) [GCC 11.4.0]
##[debug]
##[debug]Legal docs and information: aka.ms/AzureCliLegal
##[debug]
##[debug]
##[debug]Your CLI is up-to-date.
##[debug]
Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows
##[debug]Node Action run completed with exit code 1
##[debug]AZURE_HTTP_USER_AGENT='GITHUBACTIONS/AzureLogin@v1_<Repo>'
##[debug]AZUREPS_HOST_ENVIRONMENT='GITHUBACTIONS/AzureLogin@v1_<Repo>'
##[debug]AZURE_HTTP_USER_AGENT=''
##[debug]AZUREPS_HOST_ENVIRONMENT=''
##[debug]Finishing: Run azure/login@v1.4.6
```
- Does it always fail while running Dependabot PRs, or does it sometimes succeed? It only fails with Dependabot.
Hi @helayoty, I see you're trying to use wildcards in "Branch", which I think is not supported by Azure. Maybe you can try Environment and configure it as a static value.
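A diagnostic that covers both the issue report above and the maintainer's suggestion: it derives the `sub` claim GitHub places in a job's OIDC token, compares it with the subject configured on an Azure federated credential using an exact string match (an assumption here, consistent with the remark that wildcards are not supported), and scans `##[debug]` output for `secrets.*` expressions that evaluated to `null`, which is what the log in the issue shows for `AZURE_CLIENT_ID` and `AZURE_TENANT_ID`. This is an added example, not code from the issue author or the azure/login project; `ORG/REPO`, the `dependabot` environment name, the credential entries and the sample log lines are constructed values, and the subject formats follow GitHub's documented defaults.

```python
"""Added diagnostic example; not code from this issue's author or the azure/login project.

Check 1: derive the OIDC `sub` claim for a job and compare it with a federated
         credential's subject by exact string match (assumed Azure behaviour).
Check 2: find `secrets.*` expressions that evaluated to null in an Actions debug log.

ORG/REPO, the `dependabot` environment and SAMPLE_LOG are constructed values.
"""
import re
from typing import Iterable, List, Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"


def github_oidc_subject(repo: str, event: str, ref: str = "",
                        environment: Optional[str] = None) -> str:
    """Default `sub` claim GitHub issues for a job (per GitHub's OIDC docs): a job bound
    to an environment gets the environment subject, a pull_request event gets the
    `pull_request` subject, anything else gets the git ref."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if event == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"


def token_claims(sub: str) -> dict:
    """Minimal claim set of a GitHub OIDC token requested with the Azure audience."""
    return {"iss": GITHUB_ISSUER, "sub": sub, "aud": AZURE_AUDIENCE}


def federated_credential_matches(credential: dict, claims: dict) -> bool:
    """Exact issuer/subject/audience comparison (assumed for an Azure federated
    identity credential); the configured subject is never expanded as a glob."""
    return (credential["issuer"] == claims["iss"]
            and credential["subject"] == claims["sub"]
            and credential["audience"] == claims["aud"])


_SECRET_EVAL = re.compile(r"^##\[debug\]Evaluating: secrets\.(\w+)$")
_RESULT = re.compile(r"^##\[debug\]Result: (.*)$")


def null_secret_evaluations(log_lines: Iterable[str]) -> List[str]:
    """Names of `secrets.*` expressions whose debug-log `Result:` line was `null`."""
    missing, pending = [], None
    for raw in log_lines:
        line = raw.strip()
        m = _SECRET_EVAL.match(line)
        if m:
            pending = m.group(1)
            continue
        m = _RESULT.match(line)
        if m and pending is not None:
            if m.group(1) == "null":
                missing.append(pending)
            pending = None
    return missing


# Constructed excerpt in the shape of the debug log quoted in the issue.
SAMPLE_LOG = """\
##[debug]Evaluating: secrets.AZURE_CLIENT_ID
##[debug]Evaluating Index:
##[debug]..Evaluating secrets:
##[debug]..=> Object
##[debug]=> null
##[debug]Result: null
##[debug]Evaluating: secrets.AZURE_TENANT_ID
##[debug]=> null
##[debug]Result: null
##[debug]Evaluating: secrets.OTHER_SECRET
##[debug]Result: '***'
""".splitlines()

# Constructed federated credentials: a wildcard branch subject and a static environment subject.
WILDCARD_CREDENTIAL = {"issuer": GITHUB_ISSUER, "audience": AZURE_AUDIENCE,
                       "subject": "repo:ORG/REPO:ref:refs/heads/dependabot/github_actions/*"}
ENVIRONMENT_CREDENTIAL = {"issuer": GITHUB_ISSUER, "audience": AZURE_AUDIENCE,
                          "subject": "repo:ORG/REPO:environment:dependabot"}


def diagnose(repo: str, event: str, ref: str, environment: Optional[str],
             credentials: List[dict], log_lines: Iterable[str]) -> dict:
    """Summarise both checks for one workflow run."""
    sub = github_oidc_subject(repo, event, ref, environment)
    matched = [c["subject"] for c in credentials
               if federated_credential_matches(c, token_claims(sub))]
    return {"token_subject": sub, "matching_credentials": matched,
            "null_secrets": null_secret_evaluations(log_lines)}


if __name__ == "__main__":
    # Dependabot PR job without an environment: no credential matches, secrets are null.
    print(diagnose("ORG/REPO", "pull_request", "refs/pull/42/merge", None,
                   [WILDCARD_CREDENTIAL, ENVIRONMENT_CREDENTIAL], SAMPLE_LOG))
    # Same job bound to the `dependabot` environment: the static subject matches.
    print(diagnose("ORG/REPO", "pull_request", "refs/pull/42/merge", "dependabot",
                   [WILDCARD_CREDENTIAL, ENVIRONMENT_CREDENTIAL], SAMPLE_LOG))
```

The two checks are independent: a matching subject does nothing for the login if the workflow still hands azure/login empty `client-id` and `tenant-id` values, which is why scanning the debug log for null secret evaluations belongs next to the subject comparison.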
It is working with other repos, the only difference is that this repo is still private. Does that matter?
As I know, a private repo will not cause the issue.
Could you double-check if the "other repos" are configured with wildcards in federated identity settings?
Yes, the public repo has the exact same configuration.