Migrate to Managed Identity instead of AR for Github Workflow (#50)

* Test MI * fix workflow * add required permissions * fix run command * open firewall * use bash for ip retrieval * test !cancelled * Whitelist IP In ACR * update client ids
equinor · Mar 11, 2024 · 06075a2 · 06075a2
1 parent 0d5a7a3
commit 06075a2
Showing 1 changed file with 22 additions and 4 deletions.
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -18,25 +18,25 @@ jobs:
           - name: "dev"
             ref: "refs/heads/main"
             acr-name: "radixdev"
-            client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb"
+            client-id: "846345fd-f1aa-417d-8e9b-9c71ccba6346"
             subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
 
           - name: "playground"
             ref: "refs/heads/release"
             acr-name: "radixdev"
-            client-id: "1a292b18-2960-49a5-b429-c8a50349b5eb"
+            client-id: "0921f4b2-6679-48c3-b498-543defceab24"
             subscription-id: "16ede44b-1f74-40a5-b428-46cca9a5741b"
 
           - name: "platform"
             ref: "refs/heads/release"
             acr-name: "radixprod"
-            client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58"
+            client-id: "9864d8f0-8cbc-4bf7-abb2-ccf8e51dd6e6"
             subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 
           - name: "c2"
             ref: "refs/heads/release"
             acr-name: "radixc2prod"
-            client-id: "d1ee58e8-5896-48d9-a777-5418c3df9a58"
+            client-id: "6b564cbc-d1ff-45a1-b320-4bc460034dc5"
             subscription-id: "ded7ca41-37c8-4085-862f-b11d21ab341a"
 
     steps:
@@ -50,6 +50,17 @@ jobs:
           tenant-id: "3aa4a235-b6e2-48d5-9195-7fcf05b459b0"
           subscription-id: ${{matrix.target.subscription-id}}
 
+      - name: Get GitHub Public IP
+        id: github_public_ip
+        run: echo "ipv4=$(curl 'https://ifconfig.me/ip')" >> $GITHUB_OUTPUT
+
+      - name: Add GitHub IP to ACR
+        id: update_firewall
+        run: az acr network-rule add
+          --name ${{matrix.target.acr-name}}
+          --subscription ${{matrix.target.subscription-id}}
+          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}
+
       - name: Generate image tag
         if: matrix.target.ref == github.ref
         id: tag
@@ -81,3 +92,10 @@ jobs:
              --set CACHE="" \
              --set CACHE_TO_OPTIONS="--cache-to=type=registry,ref=${ACR_NAME}.azurecr.io/${IMAGE_NAME}:radix-cache-${GITHUB_REF_NAME},mode=max"
 
+
+      - name: Revoke GitHub IP on ACR
+        if: ${{ steps.update_firewall.outcome == 'success' && !cancelled()}} # Always run this step even if previous step failed
+        run: az acr network-rule remove
+          --name ${{matrix.target.acr-name}}
+          --subscription ${{matrix.target.subscription-id}}
+          --ip-address ${{ steps.github_public_ip.outputs.ipv4 }}