📚 Documentation needed for commit test #35

@github-actions

Summary

Commit 6530536 introduces OIDC-based keyless authentication for GitHub Actions via a User-Assigned Managed Identity (UAMI), which is a significant security and infrastructure change that requires documentation.

What Changed

infra/identity.tf (60 additions)

  • New UAMI resource: azurerm_user_assigned_identity.workload (uami-agentic-workload)
  • 4 GitHub Actions OIDC federated credentials: env:copilot, env:demo, branch:main, pull_request
  • 2 Azure role assignments: Contributor on RG, AKS Cluster Admin
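For readers of the issue who do not have the commit open, the following is an added illustration (not the contents of `infra/identity.tf`) of how the four federated credentials and the resource-group role assignment listed above are typically expressed in Terraform. `ORG/REPO` and `azurerm_resource_group.main` are placeholders; the issuer and audience are GitHub's and Azure's fixed values for this exchange.

```hcl
# Added illustration, not the project's identity.tf.
# ORG/REPO and azurerm_resource_group.main are placeholders.
locals {
  github_repo = "ORG/REPO" # placeholder for the repository allowed to authenticate

  # One credential per subject claim. Azure matches the token's `sub` exactly,
  # so a job from another repo, branch or environment gets no token exchange.
  federated_subjects = {
    env-copilot  = "repo:${local.github_repo}:environment:copilot"
    env-demo     = "repo:${local.github_repo}:environment:demo"
    branch-main  = "repo:${local.github_repo}:ref:refs/heads/main"
    pull-request = "repo:${local.github_repo}:pull_request"
  }
}

resource "azurerm_user_assigned_identity" "workload" {
  name                = "uami-agentic-workload"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
}

# Issuer and audience are the fixed values GitHub Actions tokens carry when
# exchanged for an Azure credential. The workflow side must request
# `permissions: id-token: write` for GitHub to mint the token at all.
resource "azurerm_federated_identity_credential" "github" {
  for_each            = local.federated_subjects
  name                = "gha-${each.key}"
  resource_group_name = azurerm_resource_group.main.name
  parent_id           = azurerm_user_assigned_identity.workload.id
  issuer              = "https://token.actions.githubusercontent.com"
  audience            = ["api://AzureADTokenExchange"]
  subject             = each.value
}

# Contributor scoped to the resource group only, not the subscription.
resource "azurerm_role_assignment" "rg_contributor" {
  scope                = azurerm_resource_group.main.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.workload.principal_id
}

# Surface the client ID the workflow needs for ARM_CLIENT_ID with ARM_USE_OIDC.
output "uami_client_id" {
  value = azurerm_user_assigned_identity.workload.client_id
}
```

Because the `environment:` subjects only match jobs that run in a GitHub environment, approval and branch rules on those environments gate which runs can obtain the identity.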

infra/outputs.tf (17 additions)

  • uami_client_id, uami_principal_id, github_actions_env_vars, oidc_issuer_url

Why Documentation is Needed

  • New integration (Azure OIDC + GitHub Actions) ✅
  • Security configuration change ✅
  • New Terraform outputs users must act on ✅
  • Breaking change (no static credentials) ✅

Recommended Documentation Updates

  1. README.md — Add OIDC/UAMI setup section
  2. New infra/README.md — Document identity.tf, outputs, role assignments
  3. GitHub Actions workflow docs — ARM_USE_OIDC usage

⚠️ Breaking / Migration Notes

This change moves away from service principal secrets. Workflows using ARM_CLIENT_SECRET must be updated to use ARM_USE_OIDC: true.

Reference

  • Commit: 653053615c03ca44d21dc3cf1e723a334b91c199
  • Files: infra/identity.tf, infra/outputs.tf