fix: E2E pipeline setup (#176)

Azure · May 9, 2024 · 37010e1 · 37010e1
1 parent 0bf642b
commit 37010e1
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/.github/workflows/build-publish-mcr.yml b/.github/workflows/build-publish-mcr.yml
@@ -64,4 +64,3 @@ jobs:
         env:
           TAG: ${{ needs.prepare-variables.outputs.release_tag }}
           REGISTRY: ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO}}
-
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -54,13 +54,37 @@ jobs:
       - name: Prepare e2e variables
         run: |
           echo "AZURE_RESOURCE_GROUP="fleet-networking-e2e-$RANDOM"" >> $GITHUB_ENV
-      # reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
+
+      # Reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
       - name: 'OIDC Login to Azure Public Cloud'
         uses: azure/login@v1
         with:
           client-id: ${{ secrets.E2E_AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.E2E_AZURE_SUBSCRIPTION_ID }}
+
+      # Note (chenyu1):
+      #
+      # After a recent update, GitHub Actions has set the GitHub ID token expiration time
+      # to 5 minutes for security reasons; as most of our E2E steps cannot finish within
+      # the time range, expiration errors will occur.
+      #
+      # As a temporary mitigation, we will add a step to fetch token periodically (every
+      # 4 minutes) to be exact.
+      #
+      # This should no longer be necessary after the Azure CLI supports ID token refresh.
+      - name: Fetch token every 4 minutes
+        run: |
+          while true; do
+            # $ACTIONS_ID_TOKEN_REQUEST_TOKEN and $ACTIONS_ID_TOKEN_REQUEST_URL env vars are provided by
+            # GitHub Actions automatically.
+            REQUEST_TOKEN=$ACTIONS_ID_TOKEN_REQUEST_TOKEN
+            REQUEST_URI=$ACTIONS_ID_TOKEN_REQUEST_URL
+            FED_TOKEN=$(curl -H "Authorization: bearer $REQUEST_TOKEN" "${REQUEST_URI}&audience=api://AzureADTokenExchange" | jq .value -r)
+            az login --service-principal -u ${{ secrets.E2E_AZURE_CLIENT_ID }} -t ${{ secrets.AZURE_TENANT_ID }} --federated-token $FED_TOKEN --output none
+            sleep 240
+          done &
+  
       - name: Setup e2e Environment
         run: |
           make e2e-setup
Original file line number	Diff line number	Diff line change
Expand Up		@@ -64,4 +64,3 @@ jobs:
		env:
		TAG: ${{ needs.prepare-variables.outputs.release_tag }}
		REGISTRY: ${{ secrets.AZURE_REGISTRY }}/${{ env.REGISTRY_REPO}}