ci: Migrated GitHub Actions authentication from client secrets to OIDC and combined Ubuntu & Windows workflows into a single pipeline #124

Merged
Prajwal-Microsoft merged 2 commits into main from psl-oidc
Feb 23, 2026

Conversation

@Vamshi-Microsoft (Contributor)

Purpose

This pull request refactors and modernizes the GitHub Actions workflows for deployment, validation, and Docker image building. The main improvements include consolidating deployment workflows, enhancing deployment environment flexibility, standardizing Azure authentication, and improving security and environment management.

Workflow Consolidation and Environment Flexibility

  • The Linux and Windows deployment workflows have been merged into a single, more flexible workflow (deploy-v2.yml), allowing users to select the deployment environment (Codespace/Ubuntu or Local/Windows) dynamically. The Windows-specific workflow has been removed.
  • The new workflow validates input parameters and sets the appropriate runner OS based on user selection, making the deployment process more adaptable.

Azure Authentication and Security Improvements

  • All workflows now use the official azure/login@v2 action for Azure authentication, replacing manual az login commands. This change standardizes authentication and improves security by leveraging OIDC and ephemeral credentials.
  • The id-token: write permission is now explicitly granted where needed, supporting secure OIDC-based authentication.

Environment and Permissions Enhancements

  • The environment: production field has been added to key jobs in several workflows, enabling environment protection rules and improved auditability of production deployments.
  • Unnecessary hardcoded secrets and permissions blocks have been removed from orchestrator and cleanup workflows, reducing maintenance overhead and the potential for misconfiguration.

Docker Build and Push Workflow Updates

  • The Docker build workflow now uses Azure CLI for ACR login after authenticating with azure/login@v2, removing the need to store ACR username and password as secrets.

Summary of Most Important Changes

Deployment Workflow Modernization

  • Merged Linux and Windows deployment workflows into a single, environment-aware workflow (deploy-v2.yml) and removed the Windows-specific workflow. Users can now select the deployment environment, and input validation was improved.

Azure Authentication Standardization

  • Replaced manual az login commands with the azure/login@v2 action across all workflows for secure, standardized Azure authentication using OIDC.
  • Added id-token: write permission to workflows that require OIDC authentication.

Environment and Permissions Updates

  • Added environment: production to critical jobs for improved environment management and protection.
  • Removed redundant permissions and secrets from orchestrator and cleanup jobs, simplifying workflow configuration.

Docker Workflow Improvements

  • Updated Docker build workflow to authenticate with Azure using azure/login@v2 and then log in to ACR using Azure CLI, eliminating the need for ACR username/password secrets.

These changes make the workflows more secure, flexible, and maintainable, and align with best practices for GitHub Actions and Azure integration.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.
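The pattern the PR describes, shown end to end as an added example workflow (this is not the project's deploy-v2.yml and is not code from the PR author): a workflow_dispatch input selects the runner OS, the input is validated before anything runs, the deploy job carries `environment: production` and `id-token: write`, Azure login goes through `azure/login@v2` with OIDC, and ACR login reuses that session instead of a stored registry password. The secret names (`AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`), the registry name `exampleregistry`, the image name and the input option values are assumptions for illustration. The commented-out block shows the secret-based `az login` form this PR replaces, for contrast.

```yaml
# Added example workflow (not the project's deploy-v2.yml). Secret names, the
# registry name and the input option values are assumptions for illustration.
name: deploy-oidc-example

on:
  workflow_dispatch:
    inputs:
      deployment_env:
        description: "Deployment environment"
        type: choice
        required: true
        options:
          - codespace-ubuntu
          - local-windows

# BEFORE (the pattern this PR removes): a long-lived client secret stored in
# the repository and fed to a manual az login. Anyone who can read the secret,
# or any job able to exfiltrate it, holds a reusable credential.
#
#   - run: az login --service-principal \
#            -u "${{ secrets.AZURE_CLIENT_ID }}" \
#            -p "${{ secrets.AZURE_CLIENT_SECRET }}" \
#            --tenant "${{ secrets.AZURE_TENANT_ID }}"

# Least privilege at the workflow level: read the repo, and allow the job to
# request an OIDC token from GitHub. Nothing else is granted.
permissions:
  contents: read
  id-token: write

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Reject unexpected deployment_env values
        # Bind the input to an env var instead of interpolating it into the
        # script body, so the shell never sees the raw expression result.
        env:
          DEPLOY_ENV: ${{ inputs.deployment_env }}
        run: |
          case "$DEPLOY_ENV" in
            codespace-ubuntu|local-windows) echo "deployment_env=$DEPLOY_ENV" ;;
            *) echo "unsupported deployment_env: $DEPLOY_ENV" >&2; exit 1 ;;
          esac

  deploy:
    needs: validate
    # Runner OS follows the selected environment; "cond && a || b" is the
    # GitHub Actions expression idiom for a ternary.
    runs-on: ${{ inputs.deployment_env == 'local-windows' && 'windows-latest' || 'ubuntu-latest' }}
    # Enables environment protection rules (required reviewers, deployment
    # branch rules) and changes the OIDC token subject (see note below).
    environment: production
    steps:
      - uses: actions/checkout@v4

      # AFTER: azure/login@v2 exchanges GitHub's short-lived OIDC token for an
      # Azure access token. Only non-secret identifiers are supplied; no client
      # secret exists anywhere in the repository.
      - name: Azure login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # ACR login reuses the Azure CLI session, so no ACR username/password
      # secret is needed. The identity needs the AcrPush role on the registry.
      - name: ACR login
        run: az acr login --name exampleregistry

      - name: Build and push image
        run: |
          docker build -t exampleregistry.azurecr.io/app:${{ github.sha }} .
          docker push exampleregistry.azurecr.io/app:${{ github.sha }}
```

Two checks worth doing before relying on this. First, the federated credential on the Entra app registration must match the token subject GitHub actually issues: once a job sets `environment: production`, the `sub` claim becomes `repo:<owner>/<repo>:environment:production` rather than the branch form `repo:<owner>/<repo>:ref:refs/heads/main`, so a federated credential configured for the branch will fail with an audience/subject mismatch after the environment is added. Second, `id-token: write` should be granted only to the jobs (or workflow) that call `azure/login@v2`; any job holding it can mint an OIDC token, so keeping it off orchestrator and cleanup jobs, as this PR does, narrows what a compromised step could request.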

@Prajwal-Microsoft Prajwal-Microsoft merged commit f550d61 into main Feb 23, 2026
3 checks passed
@Roopan-Microsoft Roopan-Microsoft deleted the psl-oidc branch March 4, 2026 11:59