Replace Entra app client secret auth with OpenID Connect in E2E tests. (#1792)

* Use Az login with OpenID connection to get test credentials. * Set subscription id environment variable. * Update testExplorer and cleanup job. * Retrieve access token in test case and pass to testExplorer. * Add debug tracing for tests. * Set up other mongo test to use Az CLI creds. * Revert subscription id retrieval. * Add CLI credentials retrieval to rest of tests. * Fix missing imports. * Clean up redundant code. * Remove commented import statement.
2025-12-21 18:01:39 +00:00 · 2024-04-09 10:55:08 -07:00
parent 7f6338b68b
commit 6925fa8e4e
13 changed files with 78 additions and 48 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,6 +8,9 @@ on:
  pull_request:
    branches:
      - master
+permissions:
+  id-token: write
+  contents: read
 jobs:
  codemetrics:
    runs-on: ubuntu-latest
@@ -134,7 +137,7 @@ jobs:
    runs-on: ubuntu-latest
    env:
      NODE_TLS_REJECT_UNAUTHORIZED: 0
-      NOTEBOOKS_TEST_RUNNER_CLIENT_SECRET: ${{ secrets.NOTEBOOKS_TEST_RUNNER_CLIENT_SECRET }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    strategy:
      fail-fast: false
      matrix:
@@ -145,11 +148,18 @@ jobs:
          - ./test/mongo/container.spec.ts
          - ./test/mongo/container32.spec.ts
          - ./test/selfServe/selfServeExample.spec.ts
-          # - ./test/notebooks/upload.spec.ts // TEMP disabled since notebooks service is off
          - ./test/sql/resourceToken.spec.ts
          - ./test/tables/container.spec.ts
    steps:
      - uses: actions/checkout@v4
+
+      - name: "Az CLI login"
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
      - name: Use Node.js 18.x
        uses: actions/setup-node@v4
        with:
--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -9,6 +9,10 @@ on:
    # Once every hour
    - cron: "0 15 * * *"

+permissions:
+  id-token: write
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
  # This workflow contains a single job called "build"
@@ -16,10 +20,17 @@ jobs:
    name: "Cleanup Test Database Accounts"
    runs-on: ubuntu-latest
    env:
-      NOTEBOOKS_TEST_RUNNER_CLIENT_ID: ${{ secrets.NOTEBOOKS_TEST_RUNNER_CLIENT_ID }}
-      NOTEBOOKS_TEST_RUNNER_CLIENT_SECRET: ${{ secrets.NOTEBOOKS_TEST_RUNNER_CLIENT_SECRET }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    steps:
      - uses: actions/checkout@v2
+
+      - name: "Az CLI login"
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
      - name: Use Node.js 18.x
        uses: actions/setup-node@v1
        with: