OIDC Setup for GitHub Actions
This guide documents the OIDC configuration for GitHub Actions to authenticate with Azure and Coder.
✅ Completed Steps
1. Azure AD Application Created
- App Name: GitHub-Actions-SPT
- Client ID:
579c6254-56c9-4883-8123-8edb584acbd3 - Tenant ID:
c14b9281-fe49-4e1c-94fa-19218d58313a - Subscription ID:
85579fe1-921e-43ca-8ad0-95ea618035c9
2. Federated Credentials Configured
The following federated credentials have been configured for workload identity:
- main branch:
repo:SmartPointsTech/spt:ref:refs/heads/main - dev branch:
repo:SmartPointsTech/spt:ref:refs/heads/dev - pull requests:
repo:SmartPointsTech/spt:pull_request
3. Azure RBAC Roles Assigned
- AcrPush: Allows pushing images to smartpoints.azurecr.io
- Contributor: Full access to resource group operations
4. GitHub Secrets Added
All required secrets have been added to the repository:
AZURE_CLIENT_IDAZURE_TENANT_IDAZURE_SUBSCRIPTION_ID
🔄 Remaining Steps
Create Coder Service Token
SSH to the Coder VM:
bashssh -i ~/.ssh/sptcoderkey adminuser@coder.smartpoints.techCreate a service account for GitHub Actions:
bashsudo docker exec coder-coder-1 coder users create \ --email github-actions@smartpoints.tech \ --username github-actions \ --login-type noneGenerate a long-lived token:
bashsudo docker exec coder-coder-1 coder tokens create \ --user github-actions \ --lifetime 8760h \ --name "GitHub Actions CI/CD"Add the token to GitHub secrets:
bash# Run from your local machine gh secret set CODER_SERVICE_TOKEN --body "<token-from-step-3>" --repo SmartPointsTech/spt
Alternative: Run Configuration Script
Instead of manual steps, you can run the automated configuration script:
bash
./scripts/configure-coder-api-auth.shThis script will:
- Verify the Coder VM exists
- Configure Coder for Azure AD API authentication
- Provide instructions for creating the service token
🧪 Testing the Setup
Once all steps are complete, test the workflow:
Push to the dev branch:
bashgit add . git commit -m "Test OIDC authentication" git push origin devMonitor the workflow:
bashgh workflow view "Build and Push Coder Base Image" --webCheck the logs for successful authentication:
- Azure login via OIDC ✓
- ACR login via managed identity ✓
- Coder authentication via service token ✓
- Template push to K8s template (primary) ✓
- Template push to Docker template (secondary) ✓
🔧 Troubleshooting
Workflow fails at "Azure Login"
- Verify federated credentials are configured correctly
- Check that the GitHub secrets match the Azure AD app
Workflow fails at "Authenticate with Coder"
- Verify
CODER_SERVICE_TOKENis set in GitHub secrets - Check that the service account exists in Coder
- Ensure the token hasn't expired
Template push fails
- Verify Coder is accessible at https://coder.smartpoints.tech
- Check Coder logs:
docker compose -f /opt/coder-server/docker-compose.yaml logs - Ensure the service account has template management permissions
📚 References
📝 Setup Scripts
Two scripts have been created to automate the setup:
scripts/setup-github-oidc.sh- Configures Azure AD and GitHub secrets (✅ completed)scripts/configure-coder-api-auth.sh- Configures Coder for API authentication (run this next)