OIDC ctx testing

TasoOneAsia · TasoOneAsia · commit 3cd3dab608a7 · 2026-04-16T11:11:43.000-04:00
diff --git a/.github/workflows/docs-build-push.yml b/.github/workflows/docs-build-push.yml
@@ -3,7 +3,11 @@ name: Docs Build Push
 on:
   workflow_call:
     secrets:
-      AZURE_CREDENTIALS:
+      OIDC_CLIENT_ID:
+        required: true
+      OIDC_TENANT_ID:
+        required: true
+      OIDC_SUBSCRIPTION_ID:
         required: true
       AZURE_KEY_VAULT:
         required: true
@@ -88,6 +92,8 @@ jobs:
     needs: [checks]
     if: ${{ needs.checks.outputs.forked_workflow == 'false' }}
     runs-on: ubuntu-24.04
+    permissions:
+      id-token: write
     outputs: 
       PREVIEW_URL: ${{ steps.summary.outputs.PREVIEW_URL }}
     env:
@@ -164,7 +170,9 @@ jobs:
       - name: Azure login
         uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.OIDC_CLIENT_ID }}
+          tenant-id: ${{ secrets.OIDC_TENANT_ID }}
+          subscription-id: ${{ secrets.OIDC_SUBSCRIPTION_ID }}
 
       - name: Retrieve secrets from Keyvault
         id: keyvault
diff --git a/.github/workflows/hugo-build-deploy.yml b/.github/workflows/hugo-build-deploy.yml
@@ -0,0 +1,72 @@
+name: Docs Build & Deploy (Hugo Only)
+on:
+  workflow_call:
+    secrets:
+      OIDC_TENANT_ID:
+        required: true
+      OIDC_CLIENT_ID:
+        required: true
+    inputs:
+      NODE_DEPS:
+        type: boolean
+      BUILD_ROOT:
+        type: string
+        description: Root directory to start a build
+        default: ./
+        required: false
+    outputs:
+      PREVIEW_URL:
+        description: String
+
+
+env:
+  GO_VERISON: "1.21" # Go version used for `hugo mod get`
+  HUGO_VERSION: "0.147.8" # Hugo version used for building docs
+  THEME_MODULE: "github.com/nginxinc/nginx-hugo-theme/v2" # Name of source repo for module. For example; github.com/nginxinc/nginx-hugo-theme
+
+
+jobs:
+  checks:
+    name: Checks and variables
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+    outputs:
+      forked_workflow: ${{ steps.vars.outputs.forked_workflow }}
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set Variables
+        id: vars
+        run: |
+          echo "forked_workflow=${{ (github.event.pull_request && github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name) || !(startsWith(github.repository, 'nginx/') || startsWith(github.repository, 'nginxinc/')) }}" >> $GITHUB_OUTPUT
+      - name: Output variables
+        run: |
+          echo forked_workflow: ${{ steps.vars.outputs.forked_workflow }}
+  build:
+    runs-on: ubuntu-24.04
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+    outputs:
+      PREVIEW_URL: ${{ steps.summary.outputs.PREVIEW_URL }}
+    steps:
+      - name: Azure login
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302
+        with:
+          client-id: ${{ secrets.OIDC_CLIENT_ID }}
+          tenant-id: ${{ secrets.OIDC_TENANT_ID }}
+
+      - name: Checkout docs content
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.7.1
+        with:
+          fetch-depth: 0 # This is required for hugo Lastmod to function properly
+
+      - name: Setup Go
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: false
+
+      - name: Setup Hugo
+        uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
