Tags: azure, github-actions

Azure Login in separate jobs within the same workflow uses a different Subject Identifier


So I'm trying to set up a GitHub Actions workflow which deploys an ARM template and then deploys multiple apps to Azure resources. Since I'm deploying multiple apps, I am trying to deploy the apps in a separate job from the ARM deployment so I can use the matrix strategy, but for some reason the azure/login action uses a different (and therefore wrong) subject identifier, which results in the deployment of the apps failing.

This is (a part of) the workflow:

name: push

on:
  push:
    branches:
      - develop 
      - release/*
      - main
      - hotfix/*

permissions:
      id-token: write
      contents: write

jobs:
  * other jobs *

  publish:
    needs: determine
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - projectName: 'ApiProj'
            publishPath: 'api'
          - projectName: 'FunctionsProj'
            publishPath: 'func'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Restore
        run: dotnet restore ./server
        env:
          NuGetPackageSourceCredentials: Username=DUMMY_USER;Password=${{ secrets.PAT_PACKAGES }}
      - name: Publish
        run: |
          dotnet publish ./server/src/${{ matrix.projectName }}/${{ matrix.projectName }}.csproj -c Release -o ./publish/${{ matrix.publishPath }}
      - name: Upload artifact for deployment job (API)
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.publishPath }}
          path: ./publish/${{ matrix.publishPath }}

  deploy-arm:
  # Deploy the app (if approved when needed by environment)
    needs: determine
    runs-on: ubuntu-latest
    environment: ${{ needs.determine.outputs.Environment }}
    steps:
      - name: Azure Login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run ARM deploy
        uses: azure/arm-deploy@v2
        with:
          subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
          resourceGroupName: ${{ vars.AZURE_RG }}
          template: ./infra/deployments/main.json
          parameters: ./infra/deployments/main.parameters.${{needs.determine.outputs.Environment}}.json

  deploy-apps:
    needs: [ deploy-arm, publish ]
    runs-on: ubuntu-latest
    environment: ${{ needs.determine.outputs.Environment }}
    strategy:
      matrix:
        include:
          - artifact: 'api'
            publishProfile: ${{ secrets.AZURE_API_PUBLISH_PROFILE  }}
          - artifact: 'func'
            publishProfile: ${{ secrets.AZURE_FUNC_PUBLISH_PROFILE }}
    steps:
      - name: Azure Login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Download artifact from publish job
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.artifact }}
          path: app
      - name: Deploy to Azure Web App
        id: deploy-to-webapp
        uses: azure/webapps-deploy@v2
        with:
          app-name: resource-${{ matrix.artifact }}-app
          publish-profile: ${{ matrix.publishProfile  }}
          package: ./app

Now, when the "deploy-arm" job does the azure login step, it uses the correct Subject Identifier:

subject claim - repo:OrganisationName/RepositoryName:environment:dev

and the template is deployed successfully (I verified this in Azure; all resources have been created).

In the next job "deploy-apps", the azure login step uses a different one:

subject claim - 'repo:OrganisationName/RepositoryName:ref:refs/heads/develop'

Can anyone explain to me why the subject identifier suddenly changes, and how I could resolve this?


Solution

  • The deploy-apps job depends on [ deploy-arm, publish ]. You set the environment to be needs.determine.outputs.Environment.

    I imagine the environment is not resolved here and the subject claim defaults to the branch you're deploying from. Adding determine to the list of dependencies should solve your issue:

    deploy-apps:
      needs: [ deploy-arm, publish, determine ]
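To make the failure mode concrete, here is an added example (not code from the question or the answer) that models how GitHub evaluates a job's `environment:` expression and which OIDC subject claim results. It follows GitHub's documented subject formats (`repo:<org>/<repo>:environment:<name>` when an environment is set, otherwise `repo:<org>/<repo>:ref:<ref>` for pushes); the job dictionaries and the upstream outputs are constructed stand-ins for the workflow above, and `missing_needs` is a hypothetical lint check, not a GitHub feature.

```python
import re

# Matches needs.<job>.outputs.<name> inside an `environment:` expression.
NEEDS_REF = re.compile(
    r"\$\{\{\s*needs\.([A-Za-z0-9_-]+)\.outputs\.([A-Za-z0-9_-]+)\s*\}\}"
)

def resolve_environment(job: dict, upstream_outputs: dict) -> str:
    """Mimic GitHub's evaluation of `environment:` for one job.

    A needs.<job>.outputs reference only resolves when <job> is listed in
    this job's `needs`; otherwise the context is empty, the expression
    evaluates to "", and the job effectively runs with no environment.
    """
    expr = job.get("environment", "")
    m = NEEDS_REF.search(expr)
    if not m:
        return expr                      # literal environment name
    upstream, key = m.groups()
    if upstream not in job.get("needs", []):
        return ""                        # not a dependency -> empty
    return upstream_outputs.get(upstream, {}).get(key, "")

def oidc_subject(repo: str, ref: str, environment: str = "") -> str:
    """Subject claim GitHub places in the id-token for a push-triggered job."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    return f"repo:{repo}:ref:{ref}"

def missing_needs(job: dict) -> list:
    """Jobs referenced by the environment expression but absent from needs."""
    referenced = {m[0] for m in NEEDS_REF.findall(job.get("environment", ""))}
    return sorted(referenced - set(job.get("needs", [])))

# Constructed stand-ins for the workflow in the question.
REPO, REF = "OrganisationName/RepositoryName", "refs/heads/develop"
OUTPUTS = {"determine": {"Environment": "dev"}}
ENV_EXPR = "${{ needs.determine.outputs.Environment }}"
DEPLOY_ARM = {"needs": ["determine"], "environment": ENV_EXPR}
DEPLOY_APPS = {"needs": ["deploy-arm", "publish"], "environment": ENV_EXPR}
DEPLOY_APPS_FIXED = {"needs": ["deploy-arm", "publish", "determine"],
                     "environment": ENV_EXPR}

def subject_for(job: dict) -> str:
    """Subject the azure/login step in `job` would present to Entra ID."""
    return oidc_subject(REPO, REF, resolve_environment(job, OUTPUTS))

if __name__ == "__main__":
    for name, job in [("deploy-arm", DEPLOY_ARM), ("deploy-apps", DEPLOY_APPS),
                      ("deploy-apps (fixed)", DEPLOY_APPS_FIXED)]:
        print(f"{name}: {subject_for(job)}  missing needs: {missing_needs(job)}")
```

Because an Entra federated credential matches the subject exactly, the `ref:` subject from the unfixed job is rejected even though the same client ID worked one job earlier; running `missing_needs` over each job's `environment:` expression catches the dangling reference before the workflow runs.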