updated package-lock

Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.0.4 to 3.1.2.
- [Release notes](https://github.com/isaacs/minimatch/releases)
- [Commits](https://github.com/isaacs/minimatch/compare/v3.0.4...v3.1.2)

---
updated-dependencies:
- dependency-name: minimatch
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/auto-triage-issues

@@ -1,21 +0,0 @@
-name: "Auto-Labelling Issues"
-on:
-  issues:
-    types: [opened, edited]
-
-jobs:
-  auto_label:
-    runs-on: ubuntu-latest
-    name: Auto-Labelling Issues
-    steps:
-    - name: Label Step
-      uses: larrylawl/Auto-Github-Issue-Labeller@v1.0
-      with:
-        GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
-        REPOSITORY: ${{github.repository}}
-        DELTA: "7"
-        CONFIDENCE: "2"
-        FEATURE: "enhancement"
-        BUG: "bug"
-        DOCS: "documentation"
-        

.github/workflows/azure-login-canary.yml

@@ -0,0 +1,94 @@
+#This workflow is used to test azure login action for CLI edge build. Visit, https://github.com/Azure/azure-cli#edge-builds for more details.
+
+name: Run Azure Login Canary Test
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron:  ' 0 8 * * *'  
+permissions:
+      id-token: write
+      contents: read
+jobs: 
+  az-login-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name : Check Az version before installing
+        run: az --version
+        
+      - name: Installing Az CLI Edge build 
+        run: |
+           cd ../..
+           CWD="$(pwd)"
+           python3 -m venv canary-venv
+           . canary-venv/bin/activate
+           echo "***********activated virual environment**********" 
+           python3 -m pip install --upgrade pip
+           echo "***************started installing cli edge build******************"
+           pip3 install -q --upgrade --pre azure-cli --extra-index-url https://azurecliprod.blob.core.windows.net/edge --no-cache-dir --upgrade-strategy=eager
+           echo "***************installed cli Edge build*******************"    
+           echo "$CWD/canary-venv/bin" >> $GITHUB_PATH
+           az --version
+           
+      - name: Check out repository
+        uses: actions/checkout@v3
+        
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          
+      - run: |
+          az account show
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+      - name: 'Az CLI login with subscription OIDC'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+        
+      - run: |
+          az account show
+          
+      - name: 'Az CLI login without subscription OIDC'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+   
+          
+  slack-post-result:
+        runs-on: ubuntu-latest
+#         continue-on-error: true
+        if: ${{ always() }}
+        needs: [az-login-test]
+        steps:
+          - name: Create slack post
+            id: slack_report
+            run: |
+              TITLE="Login action canary tests update - "
+              DATEVAR=`date "+%d/%m/%YT%H:%M:%S"`
+              TITLE="${TITLE}${DATEVAR}"
+              REPORT="${TITLE}\r\nLink to run - https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\r\n" 
+              RUN_URL="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+              REPORT="${REPORT}\r\n"
+              if [ ${{needs.az-login-test.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test>"; fi
+              echo "::set-output name=report::$REPORT"
+          - name: Post to slack
+            shell: bash
+            run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}}
+

.github/workflows/azure-login-integration-tests.yml

@@ -0,0 +1,129 @@
+name: Run Azure Login Integration Tests
+on: 
+  workflow_dispatch:
+  schedule:
+    - cron:  '0 */3 * * *'
+permissions:
+      id-token: write
+      contents: write
+
+jobs: 
+
+  az-login-test-non-oidc:
+    runs-on: ubuntu-latest
+#     continue-on-error: true
+    steps:
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          
+      - run: |
+          az account show
+#          az webapp list
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+      - name: 'Azure PowerShell login with subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          enable-AzPSSession: true
+          
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+          
+      - name: 'Azure PowerShell login without subscription'
+        uses: azure/login@v1
+        with:
+          creds: ${{secrets.AZURE_CREDENTIALS}}
+          enable-AzPSSession: true
+          allow-no-subscriptions: true
+        
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+
+  az-login-test-oidc:
+    runs-on: ubuntu-latest
+#     continue-on-error: true
+    steps:
+      - name: 'Az CLI login with subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+        
+      - run: |
+          az account show
+#          az webapp list
+          
+      - name: 'Az CLI login without subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          allow-no-subscriptions: true
+          
+      - run: |
+          az account show
+          
+      - name: 'Azure PowerShell login with subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }} 
+          enable-AzPSSession: true
+          
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+          
+      - name: 'Azure PowerShell login without subscription'
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENTID }}
+          tenant-id: ${{ secrets.AZURE_TENANTID }}
+          enable-AzPSSession: true
+          allow-no-subscriptions: true
+        
+      - uses: azure/powershell@v1
+        with:
+          inlineScript: "Get-AzContext"
+          azPSVersion: "latest"
+          
+  slack-post-result:
+        runs-on: ubuntu-latest
+#         continue-on-error: true
+        if: ${{ always() }}
+        needs: [az-login-test-non-oidc, az-login-test-oidc]
+        steps:
+          - name: Create slack post
+            id: slack_report
+            run: |
+              TITLE="Login action OIDC flow tests update - "
+              DATEVAR=`date "+%d/%m/%YT%H:%M:%S"`
+              TITLE="${TITLE}${DATEVAR}"
+              REPORT="${TITLE}\r\nLink to run - https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\r\n" 
+              RUN_URL="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+              REPORT="${REPORT}\r\n"
+              if [ ${{needs.az-login-test-non-oidc.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test-non-oidc>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test-non-oidc>"; fi
+              if [ ${{needs.az-login-test-oidc.result}} == 'success' ]; then REPORT="${REPORT}\r\n|✅|<${RUN_URL}|az-login-test-oidc>"; else REPORT="${REPORT}\r\n|❌|<${RUN_URL}|az-login-test-oidc>"; fi
+              echo "::set-output name=report::$REPORT"
+
+          - name: Post to slack
+            shell: bash
+            run: curl -X POST -H 'Content-type:application/json' --data '{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":"${{steps.slack_report.outputs.report}}"}}]}' https://hooks.slack.com/services/${{SECRETS.SLACK_CHANNEL_SECRET}}

.github/workflows/codeql.yml

@@ -27,7 +27,7 @@ jobs:
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
@@ -35,7 +35,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -49,4 +49,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

README.md

@@ -23,11 +23,9 @@ With the [Azure Login](https://github.com/Azure/login/blob/master/action.yml) Ac
 
 Note: 
    - Ensure the CLI version is 2.30 or above to use OIDC support.
-   - OIDC support in Azure is in Public Preview and is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon. 
-   - GitHub runners will soon be updating the with the Az CLI and PowerShell versions that support with OIDC. Hence the below sample workflows include explicit instructions to download the same during workflow execution. 
+   - OIDC support in Azure is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon. 
    - By default, Azure access tokens issued during OIDC based login could have limited validity. This expiration time is configurable in Azure.
 
-
 ## Sample workflow that uses Azure login action to run az cli
 
 ```yaml
@@ -204,21 +202,35 @@ Follow the steps to configure Azure Service Principal with a secret:
    az ad sp create-for-rbac --name "myApp" --role contributor \
                             --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
                             --sdk-auth
-                            
-  # Replace {subscription-id}, {resource-group} with the subscription, resource group details
+```
+Replace `{subscription-id}`, `{resource-group}` with the subscription, resource group details
 
-  # The command should output a JSON object similar to this:
+The command should output a JSON object similar to this:
 
+ ```bash
   {
     "clientId": "<GUID>",
-    "clientSecret": "<GUID>",
+    "clientSecret": "<STRING>",
     "subscriptionId": "<GUID>",
     "tenantId": "<GUID>",
+    "resourceManagerEndpointUrl": "<URL>"
     (...)
   }
   
 ```
   * Now in the workflow file in your branch: `.github/workflows/workflow.yml` replace the secret in Azure login action with your secret (Refer to the example above)
+  * Note: The above `az ad sp create-for-rbac` command will give you the `--sdk-auth` deprecation warning. As we are working with CLI for this deprecation process, we strongly recommend users to use this `--sdk-auth` flag as the result dictionary output changes and not accepted by login action if `--sdk-auth` is not used.
+  * If you want to pass Subscription ID, Tenant ID, Client ID, and Client Secret as individual parameters instead of bundling them in a single JSON object (creds) to address the [security concerns](https://docs.github.com/en/actions/security-guides/encrypted-secrets) for Non-OIDC login, below snippet can help with the same. 
+```yaml
+  - uses: Azure/login@v1
+    with:
+      creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'
+```
+In a similar way, any additional parameter can be added to creds such as resourceManagerEndpointUrl for Azure Stack, for example.
+
+### Manually creating the Credentials object
+
+If you already created and assigned a Service Principal in Azure you can manually create the .json object above by finding the `clientId` and `clientSecret` on the Service Principal, and your `subscriptionId` and `tenantId` of the subscription and tenant respectively. The `resourceManagerEndpointUrl` will be `https://management.azure.com/` if you are using the public Azure cloud.
 
 ### Configure a service principal with a Federated Credential to use OIDC based authentication:
 
@@ -235,6 +247,7 @@ You can add federated credentials in the Azure portal or with the Microsoft Grap
 7. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value, based on how you have configured the trigger for your GitHub workflow. For a more detailed overview, see [GitHub OIDC guidance]( https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-[…]dc-claims). 
 8. Add a **Name** for the federated credential.
 9. Click **Add** to configure the federated credential.
+10. Make sure the above created application has the `contributor` access to the provided subscription. Visit [role-based-access-control](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current#prerequisites) for more details.
 
 For a more detailed overview, see more guidance around [Azure Federated Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation-create-trust-github). 
 
@@ -290,13 +303,13 @@ This action doesn't implement ```az logout``` by default at the end of execution
 - name: Azure CLI script
   uses: azure/CLI@v1
   with:
-    azcliversion: 2.0.72
     inlineScript: |
       az logout
       az cache purge
       az account clear
 ```
-
+## Az CLI dependency
+Internally in this action, we use azure CLI and execute `az login` with the credentials provided through secrets. In order to validate the new az CLI releases for this action, [canary test workflow](.github/workflows/azure-login-canary.yml) is written which will execute the action on [az CLI's edge build](https://github.com/Azure/azure-cli#edge-builds) which will fail incase of any breaking change is being introduced in the new upcoming release. The test results can be posted on a slack or teams channel using the corresponding integrations. Incase of a failure, the concern will be raised to [azure-cli](https://github.com/Azure/azure-cli) for taking a necessary action and also the latest CLI installation will be postponed in [Runner VMs](https://github.com/actions/virtual-environments) as well for hosted runner to prevent the workflows failing due to the new CLI changes.
 # Contributing
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a

action.yml

@@ -1,6 +1,6 @@
 # Login to Azure subscription
 name: 'Azure Login'
-description: 'Authenticate to Azure and run your Az CLI or Az PowerShell based Actions or scripts. github.com/Azure/Actions'
+description: 'Authenticate to Azure using OIDC and run your Az CLI or Az PowerShell based Actions or scripts. github.com/Azure/Actions'
 inputs: 
   creds:
     description: 'Paste output of `az ad sp create-for-rbac` as value of secret variable: AZURE_CREDENTIALS'
@@ -34,5 +34,5 @@ branding:
   icon: 'login.svg'
   color: 'blue'
 runs:
-  using: 'node12'
-  main: 'lib/main.js'
+  using: 'node16'
+  main: 'lib/main.js'

lib/PowerShell/Constants.js

@@ -5,7 +5,7 @@ class Constants {
 exports.default = Constants;
 Constants.prefix = "az_";
 Constants.moduleName = "Az.Accounts";
-Constants.versionPattern = /[0-9]\.[0-9]\.[0-9]/;
+Constants.versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/;
 Constants.AzureCloud = "AzureCloud";
 Constants.Subscription = "Subscription";
 Constants.ServicePrincipal = "ServicePrincipal";

lib/PowerShell/ServicePrincipalLogin.js

@@ -14,7 +14,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };

lib/PowerShell/Utilities/PowerShellToolRunner.js

@@ -14,7 +14,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };

lib/PowerShell/Utilities/ScriptBuilder.js

@@ -14,7 +14,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };

lib/PowerShell/Utilities/Utils.js

@@ -14,7 +14,7 @@ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };

lib/main.js

@@ -1,20 +1,20 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function (o, m, k, k2) {
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function () { return m[k]; } });
-}) : (function (o, m, k, k2) {
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
     o[k2] = m[k];
 }));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function (o, v) {
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
     Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function (o, v) {
+}) : function(o, v) {
     o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
     if (mod && mod.__esModule) return mod;
     var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
     __setModuleDefault(result, mod);
     return result;
 };
@@ -40,22 +40,20 @@ function main() {
     return __awaiter(this, void 0, void 0, function* () {
         try {
             //Options for error handling
-            let commandStdErr = false;
             const loginOptions = {
                 silent: true,
-                ignoreReturnCode: true,
-                failOnStdErr: true,
                 listeners: {
                     stderr: (data) => {
                         let error = data.toString();
-                        //removing the keyword 'ERROR' to avoid duplicates while throwing error
-                        if (error.toLowerCase().startsWith('error')) {
-                            error = error.slice(5);
-                        }
-                        // printing error
-                        if (error && error.trim().length !== 0) {
-                            commandStdErr = true;
-                            core.error(error);
+                        let startsWithWarning = error.toLowerCase().startsWith('warning');
+                        let startsWithError = error.toLowerCase().startsWith('error');
+                        // printing ERROR
+                        if (error && error.trim().length !== 0 && !startsWithWarning) {
+                            if (startsWithError) {
+                                //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                                error = error.slice(5);
+                            }
+                            core.setFailed(error);
                         }
                     }
                 }
@@ -134,17 +132,19 @@ function main() {
             // OIDC specific checks
             if (enableOIDC) {
                 console.log('Using OIDC authentication...');
-                //generating ID-token
-                let audience = core.getInput('audience', { required: false });
-                federatedToken = yield core.getIDToken(audience);
-                if (!!federatedToken) {
-                    if (environment != "azurecloud")
-                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
-                    let [issuer, subjectClaim] = yield jwtParser(federatedToken);
-                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+                try {
+                    //generating ID-token
+                    let audience = core.getInput('audience', { required: false });
+                    federatedToken = yield core.getIDToken(audience);
+                    if (!!federatedToken) {
+                        if (environment != "azurecloud")
+                            throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                        let [issuer, subjectClaim] = yield jwtParser(federatedToken);
+                        console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+                    }
                 }
-                else {
-                    throw new Error("Could not get ID token for authentication.");
+                catch (error) {
+                    core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
                 }
             }
             // Attempting Az cli login
@@ -190,6 +190,7 @@ function main() {
                 commonArgs = commonArgs.concat("--federated-token", federatedToken);
             }
             else {
+                console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.");
                 commonArgs = commonArgs.concat("-p", servicePrincipalKey);
             }
             yield executeAzCliCommand(`login`, true, loginOptions, commonArgs);
@@ -213,10 +214,10 @@ function main() {
         }
         catch (error) {
             if (!isAzCLISuccess) {
-                core.setFailed("Az CLI Login failed. Please check the credentials and make sure az is istalled on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
+                core.setFailed("Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
             }
             else {
-                core.setFailed(`Azure PowerShell Login failed. Please check the credentials and make sure az is istalled on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+                core.setFailed(`Azure PowerShell Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
             }
         }
         finally {

package.json

@@ -18,10 +18,10 @@
     "typescript": "^3.6.3"
   },
   "dependencies": {
-    "@actions/core": "1.6.0",
+    "@actions/core": "1.9.1",
     "@actions/exec": "^1.0.1",
     "@actions/io": "^1.0.1",
     "actions-secret-parser": "^1.0.2",
     "package-lock": "^1.0.3"
   }
-}
+}

src/PowerShell/Constants.ts

@@ -1,7 +1,7 @@
 export default class Constants {
     static readonly prefix: string = "az_";
     static readonly moduleName: string = "Az.Accounts";
-    static readonly versionPattern = /[0-9]\.[0-9]\.[0-9]/;
+    static readonly versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/;
 
     static readonly AzureCloud: string = "AzureCloud";
     static readonly Subscription: string = "Subscription";
@@ -10,4 +10,4 @@ export default class Constants {
     static readonly Success: string = "Success";
     static readonly Error: string = "Error";
     static readonly AzVersion: string = "AzVersion";
-}
+}

src/main.ts

@@ -12,22 +12,20 @@ var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREP
 async function main() {
     try {
         //Options for error handling
-        let commandStdErr = false;
         const loginOptions: ExecOptions = {
             silent: true,
-            ignoreReturnCode: true,
-            failOnStdErr: true,
             listeners: {
                 stderr: (data: Buffer) => {
                     let error = data.toString();
-                    //removing the keyword 'ERROR' to avoid duplicates while throwing error
-                    if (error.toLowerCase().startsWith('error')) {
-                        error = error.slice(5);
-                    }
-                    // printing error
-                    if (error && error.trim().length !== 0) {
-                        commandStdErr = true;
-                        core.error(error);
+                    let startsWithWarning = error.toLowerCase().startsWith('warning');
+                    let startsWithError = error.toLowerCase().startsWith('error');
+                    // printing ERROR
+                    if (error && error.trim().length !== 0 && !startsWithWarning) {
+                        if(startsWithError) {
+                            //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                            error = error.slice(5);
+                        }
+                        core.setFailed(error);
                     }
                 }
             }
@@ -112,17 +110,19 @@ async function main() {
         // OIDC specific checks
         if (enableOIDC) {
             console.log('Using OIDC authentication...')
-            //generating ID-token
-            let audience = core.getInput('audience', { required: false });
-            federatedToken = await core.getIDToken(audience);
-            if (!!federatedToken) {
-                if (environment != "azurecloud")
-                    throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
-                let [issuer, subjectClaim] = await jwtParser(federatedToken);
-                console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+            try {
+                //generating ID-token
+                let audience = core.getInput('audience', { required: false });
+                federatedToken = await core.getIDToken(audience);
+                if (!!federatedToken) {
+                    if (environment != "azurecloud")
+                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
+                    let [issuer, subjectClaim] = await jwtParser(federatedToken);
+                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
+                }
             }
-            else {
-                throw new Error("Could not get ID token for authentication.");
+            catch (error) {
+                core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
             }
         }
 
@@ -174,6 +174,7 @@ async function main() {
             commonArgs = commonArgs.concat("--federated-token", federatedToken);
         }
         else {
+            console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.")
             commonArgs = commonArgs.concat("-p", servicePrincipalKey);
         }
         await executeAzCliCommand(`login`, true, loginOptions, commonArgs);
@@ -235,4 +236,4 @@ async function jwtParser(federatedToken: string) {
     let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
     return [decodedPayload['iss'], decodedPayload['sub']];
 }
-main();
+main();