chore(ci): read Azure client/tenant IDs from repo variables #560
Open
einarwar wants to merge 1 commit into
The Azure app registration values used as Docker build args (AUTH_SCOPE, CLIENT_ID, TENANT_ID) are now read from the repository variables AZURE_CLIENT_ID and AZURE_TENANT_ID instead of being hardcoded in the workflow. AUTH_SCOPE is derived from AZURE_CLIENT_ID (api://<client-id>/api) so only two variables are needed. Downstream forks of this template can now point at their own Azure app registration purely through Settings -> Variables, without editing the workflow file.
Pull request overview
Replaces hardcoded Azure app registration IDs in the publish-image workflow with repository variable references, enabling downstream forks to configure their own Azure app registration via repo settings without modifying the workflow file.
Changes:
- Replace hardcoded `CLIENT_ID` and `TENANT_ID` Docker build args with `vars.AZURE_CLIENT_ID` and `vars.AZURE_TENANT_ID`
- Derive `AUTH_SCOPE` from `AZURE_CLIENT_ID` variable
Move the Azure app registration values used as Docker build args in `publish-image.yaml` out of the YAML and read them from repository variables instead. `AUTH_SCOPE` is derived from `AZURE_CLIENT_ID` (`api://<client-id>/api`) so only two new variables are required.

| Build arg | Hardcoded value | Repository variable |
| --- | --- | --- |
| `AUTH_SCOPE` | `api://4a761bec-…/api` | `api://${{ vars.AZURE_CLIENT_ID }}/api` |
| `CLIENT_ID` | `4a761bec-…` | `${{ vars.AZURE_CLIENT_ID }}` |
| `TENANT_ID` | `3aa4a235-…` | `${{ vars.AZURE_TENANT_ID }}` |

Why
Downstream forks of this template can now point at their own Azure app registration purely through Settings → Variables, without editing the workflow file.
Variables — already set
Both variables are already configured on this repo with the original values, so behaviour is unchanged after merge:
Scope
`deploy-to-radix.yaml` also embeds the same IDs plus the Radix app name/user, but it's currently not invoked by any workflow — left out of this PR to keep the change focused. Happy to do that as a separate PR if/when those deploy jobs are re-enabled.
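
An unset repository variable expands to an empty string in a workflow expression, so a fork that has not configured `AZURE_CLIENT_ID` would build its image with `AUTH_SCOPE=api:///api`. The pre-build check below is an added example, not part of this PR or the repository; the function names `is_guid` and `derive_build_args` and the sample GUIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the two repository variables before they are used
# as Docker build args. Function names and sample GUIDs are constructed here.

# True only for the canonical 8-4-4-4-12 hexadecimal GUID layout.
is_guid() {
  [ "${#1}" -eq 36 ] || return 1
  case $1 in
    *[!0-9a-fA-F-]*) return 1 ;;               # anything but hex digits and '-'
    ????????-????-????-????-????????????) ;;   # separators where expected
    *) return 1 ;;
  esac
  # Exactly four hyphens, so none sits inside a hex group.
  hex=$(printf '%s' "$1" | tr -d '-')
  [ "${#hex}" -eq 32 ]
}

# Prints the three build-arg assignments, or fails before printing anything.
# $1 = client ID, $2 = tenant ID.
derive_build_args() {
  is_guid "$1" || { echo "AZURE_CLIENT_ID is empty or not a GUID" >&2; return 1; }
  is_guid "$2" || { echo "AZURE_TENANT_ID is empty or not a GUID" >&2; return 1; }
  printf 'AUTH_SCOPE=api://%s/api\nCLIENT_ID=%s\nTENANT_ID=%s\n' "$1" "$1" "$2"
}

# Constructed sample values. In a workflow step the arguments would be
# "$AZURE_CLIENT_ID" "$AZURE_TENANT_ID", mapped under `env:` from
# ${{ vars.AZURE_CLIENT_ID }} and ${{ vars.AZURE_TENANT_ID }}.
derive_build_args 11111111-2222-3333-4444-555555555555 \
                  aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
```

Running this as an early step makes a missing or mistyped variable fail the job instead of producing an image with an unusable scope baked in.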