
Migrate Windows code signing from client secret to OIDC#21786

Merged: tidy-dev merged 1 commit into development from testing-signing on Mar 12, 2026

Conversation

@tidy-dev tidy-dev commented Mar 11, 2026

Contributor

Summary

Replaces AZURE_CLIENT_SECRET-based authentication for Windows code signing with OIDC federated identity credentials via azure/login@v2.

Changes

  • Add id-token: write permission to the build job (required for OIDC token requests)
  • Add azure/login@v2 step before packaging (Windows + sign only) to establish OIDC session
  • Remove AZURE_CODE_SIGNING_CLIENT_SECRET from workflow secrets declaration and env vars
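As an added illustration (not the PR's actual workflow diff), the following GitHub Actions fragment shows the three changes above side by side: a job that still passes a stored client secret through the environment, and the same job using `id-token: write` plus an `azure/login@v2` step gated to the Windows build. The secret names other than `AZURE_CODE_SIGNING_CLIENT_SECRET`, the packaging command, and the job names are assumed placeholders.

```yaml
# Added example, not the repository's real workflow. Secret names other than
# AZURE_CODE_SIGNING_CLIENT_SECRET and the "npm run package" command are
# placeholders for whatever the real build uses.
jobs:
  # --- Before: long-lived client secret stored in GitHub and exported as env ---
  build-with-secret:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - name: Package and sign
        env:
          AZURE_CODE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_CODE_SIGNING_CLIENT_ID }}
          AZURE_CODE_SIGNING_TENANT_ID: ${{ secrets.AZURE_CODE_SIGNING_TENANT_ID }}
          # Static credential: anything that can read the job's environment
          # (a compromised dependency, a leaked log) can reuse it until rotated.
          AZURE_CODE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_CODE_SIGNING_CLIENT_SECRET }}
        run: npm run package

  # --- After: OIDC federated identity, no client secret anywhere in GitHub ---
  build-with-oidc:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest]
    permissions:
      contents: read
      id-token: write   # required so the job can request a GitHub OIDC token
    steps:
      - uses: actions/checkout@v4
      - name: Azure login (OIDC)
        # Only the Windows build signs, so only it needs an Azure session.
        # The real workflow additionally gates on whether signing is requested.
        if: runner.os == 'Windows'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CODE_SIGNING_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_CODE_SIGNING_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_CODE_SIGNING_SUBSCRIPTION_ID }}
      - name: Package and sign
        # No AZURE_CODE_SIGNING_CLIENT_SECRET here: the signing tool picks up
        # the short-lived session azure/login established.
        run: npm run package
```

For the exchange to succeed, the Entra app registration behind the client ID must carry a federated credential whose issuer is `https://token.actions.githubusercontent.com` and whose subject matches the workflow context (for a branch build, `repo:<org>/<repo>:ref:refs/heads/<branch>`); a mismatch fails closed at the login step rather than at signing time.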

Companion PR

@tidy-dev tidy-dev marked this pull request as ready for review March 12, 2026 00:20
Replace AZURE_CLIENT_SECRET-based auth with OIDC federated identity
credentials via azure/login@v2. This addresses the SFI requirement
(vuln-mgmt#183285) to eliminate client secrets from spn-desktop-codesign.

- Add id-token: write permission to build job
- Add azure/login OIDC step before packaging (Windows only)
- Remove AZURE_CODE_SIGNING_CLIENT_SECRET from secrets and env vars

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@tidy-dev tidy-dev merged commit 76767ed into development Mar 12, 2026
7 checks passed
@tidy-dev tidy-dev deleted the testing-signing branch March 12, 2026 10:54
