Skip to content

OIDC Setup for GitHub Actions

This guide documents the OIDC configuration for GitHub Actions to authenticate with Azure and Coder.

✅ Completed Steps

1. Azure AD Application Created

  • App Name: GitHub-Actions-SPT
  • Client ID: 579c6254-56c9-4883-8123-8edb584acbd3
  • Tenant ID: c14b9281-fe49-4e1c-94fa-19218d58313a
  • Subscription ID: 85579fe1-921e-43ca-8ad0-95ea618035c9

2. Federated Credentials Configured

The following federated credentials have been configured for workload identity:

  • main branch: repo:SmartPointsTech/spt:ref:refs/heads/main
  • dev branch: repo:SmartPointsTech/spt:ref:refs/heads/dev
  • pull requests: repo:SmartPointsTech/spt:pull_request

3. Azure RBAC Roles Assigned

  • AcrPush: Allows pushing images to smartpoints.azurecr.io
  • Contributor: Full access to resource group operations

4. GitHub Secrets Added

All required secrets have been added to the repository:

  • AZURE_CLIENT_ID
  • AZURE_TENANT_ID
  • AZURE_SUBSCRIPTION_ID

🔄 Remaining Steps

Create Coder Service Token

  1. SSH to the Coder VM:

    bash
    ssh -i ~/.ssh/sptcoderkey adminuser@coder.smartpoints.tech
  2. Create a service account for GitHub Actions:

    bash
    sudo docker exec coder-coder-1 coder users create \
        --email github-actions@smartpoints.tech \
        --username github-actions \
        --login-type none
  3. Generate a long-lived token:

    bash
    sudo docker exec coder-coder-1 coder tokens create \
        --user github-actions \
        --lifetime 8760h \
        --name "GitHub Actions CI/CD"
  4. Add the token to GitHub secrets:

    bash
    # Run from your local machine
    gh secret set CODER_SERVICE_TOKEN --body "<token-from-step-3>" --repo SmartPointsTech/spt

Alternative: Run Configuration Script

Instead of manual steps, you can run the automated configuration script:

bash
./scripts/configure-coder-api-auth.sh

This script will:

  • Verify the Coder VM exists
  • Configure Coder for Azure AD API authentication
  • Provide instructions for creating the service token

🧪 Testing the Setup

Once all steps are complete, test the workflow:

  1. Push to the dev branch:

    bash
    git add .
    git commit -m "Test OIDC authentication"
    git push origin dev
  2. Monitor the workflow:

    bash
    gh workflow view "Build and Push Coder Base Image" --web
  3. Check the logs for successful authentication:

    • Azure login via OIDC ✓
    • ACR login via managed identity ✓
    • Coder authentication via service token ✓
    • Template push to K8s template (primary) ✓
    • Template push to Docker template (secondary) ✓

🔧 Troubleshooting

Workflow fails at "Azure Login"

  • Verify federated credentials are configured correctly
  • Check that the GitHub secrets match the Azure AD app

Workflow fails at "Authenticate with Coder"

  • Verify CODER_SERVICE_TOKEN is set in GitHub secrets
  • Check that the service account exists in Coder
  • Ensure the token hasn't expired

Template push fails

  • Verify Coder is accessible at https://coder.smartpoints.tech
  • Check Coder logs: docker compose -f /opt/coder-server/docker-compose.yaml logs
  • Ensure the service account has template management permissions

📚 References

📝 Setup Scripts

Two scripts have been created to automate the setup:

  1. scripts/setup-github-oidc.sh - Configures Azure AD and GitHub secrets (✅ completed)
  2. scripts/configure-coder-api-auth.sh - Configures Coder for API authentication (run this next)

Released under the MIT License.