mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-15 06:37:40 +00:00
This completely eliminates the Azure secret from the repo, following the below guidance: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure The federated identity is scoped to the `ci` environment, meaning: * I had to specify this environment in some YAMLs. I don't believe there's any downside to this. * As previously, the CI works seamlessly both from PRs and in the manual workflow. I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem to be used anymore, and it contains a reference to the secret. Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
36 lines
972 B
YAML
36 lines
972 B
YAML
name: Cleanup dangling Azure resources
|
|
on:
|
|
schedule:
|
|
- cron: "0 0 * * *"
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
|
|
jobs:
|
|
cleanup-resources:
|
|
runs-on: ubuntu-22.04
|
|
environment: ci
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Log into Azure
|
|
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
|
|
with:
|
|
client-id: ${{ secrets.AZ_APPID }}
|
|
tenant-id: ${{ secrets.AZ_TENANT_ID }}
|
|
subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
|
|
|
|
- name: Install Python dependencies
|
|
run: |
|
|
pip3 install --user --upgrade \
|
|
azure-identity==1.16.0 \
|
|
azure-mgmt-resource==23.0.1
|
|
|
|
- name: Cleanup resources
|
|
env:
|
|
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
|
|
CLEANUP_AFTER_HOURS: 24 # Clean up resources created more than this many hours ago.
|
|
run: python3 tests/cleanup_resources.py
|