prepare release v2.3.0

* Bump braces from 3.0.2 to 3.0.3

Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/compare/3.0.2...3.0.3)

---
updated-dependencies:
- dependency-name: braces
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* remove libicu and update powershell version

* apt install libicu72

* change installation url

* fix typo

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: MoChilia <chenshiyingcn@163.com>
Co-authored-by: Shiying Chen <shiyingchen@microsoft.com>

.github/workflows/azure-login-canary.yml

@@ -30,7 +30,7 @@ jobs:
            az --version
            
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         
       - name: 'Az CLI login with subscription'
         uses: azure/login@v1

.github/workflows/azure-login-negative.yml

@@ -9,86 +9,6 @@ permissions:
 
 jobs:
 
-  OSTest:
-    runs-on: macos-latest
-    environment: Automation test
-
-    steps:
-    - name: 'Checking out repo code'
-      uses: actions/checkout@v3.5.2
-
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
-      with:
-        node-version: 16.x
-
-    - name: 'Validate build'
-      run: |
-        npm install
-        npm run build
-        npm run test
-
-    - name: Login with creds
-      continue-on-error: true
-      uses: ./
-      with:
-        creds: ${{secrets.SP1}}
-        enable-AzPSSession: true
-
-    - name: Run Azure Cli
-      run: |
-        az account show --output none
-        az group show --name GitHubAction_CI_RG --output none
-        az vm list --output none
-
-    - name: Run Azure PowerShell
-      id: ps_1
-      continue-on-error: true
-      uses: azure/powershell@v1.2.0
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-          (Get-AzContext).Environment.Name -eq 'AzureCloud'
-          (Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG'
-          (Get-AzVM).Count -gt 0
-
-    - name: Check Last step failed
-      if: steps.ps_1.outcome == 'success'
-      uses: actions/github-script@v3
-      with:
-          script: |
-            core.setFailed('Last action should fail but not. Please check it.')
-
-    - name: Login with individual parameters
-      id: login_2
-      uses: ./
-      with:
-        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
-        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
-        # subscription-id: ${{ secrets.OIDC_SP2_SUBSCRIPTION_ID }}
-        allow-no-subscriptions: true
-        enable-AzPSSession: true
-
-    - name: Run Azure Cli again
-      run: |
-        az account show --output none
-
-    - name: Run Azure PowerShell again
-      id: ps_2
-      continue-on-error: true
-      uses: azure/powershell@v1.2.0
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-          (Get-AzContext).Environment.Name -eq 'AzureCloud'
-
-    - name: Check Last step failed
-      if: steps.ps_2.outcome == 'success'
-      uses: actions/github-script@v3
-      with:
-          script: |
-            core.setFailed('Last action should fail but not. Please check it.')
-
   PermissionTest:
     strategy:
       matrix:
@@ -99,12 +19,12 @@ jobs:
     steps:
 
     - name: 'Checking out repo code'
-      uses: actions/checkout@v3.5.2
+      uses: actions/checkout@v4
 
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
       with:
-        node-version: 16.x
+        node-version: 20.x
 
     - name: 'Validate build'
       run: |
@@ -130,7 +50,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.cli_3.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -138,7 +58,7 @@ jobs:
     - name: Run Azure PowerShell
       id: ps_3
       continue-on-error: true
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v1
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -148,7 +68,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.ps_3.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -162,12 +82,12 @@ jobs:
 
     steps:
     - name: 'Checking out repo code'
-      uses: actions/checkout@v3.5.2
+      uses: actions/checkout@v4
 
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
       with:
-        node-version: 16.x
+        node-version: 20.x
 
     - name: 'Validate build'
       run: |
@@ -184,7 +104,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.login_4.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -199,7 +119,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.login_5.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -213,7 +133,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.login_6.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -229,7 +149,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.login_7.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -246,7 +166,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.login_8.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -266,7 +186,7 @@ jobs:
     - name: Run Azure PowerShell
       id: ps_8
       continue-on-error: true
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v1
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -276,7 +196,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.ps_8.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -296,7 +216,7 @@ jobs:
     - name: Run Azure PowerShell
       id: ps_9
       continue-on-error: true
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v1
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -306,7 +226,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.ps_9.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -325,7 +245,7 @@ jobs:
 
     - name: Check Last step failed
       if: steps.login_10.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -342,12 +262,12 @@ jobs:
 
     - name: Check Last step failed
       if: steps.login_11.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
 
-    # Secret of SP1 in creds will be used to sign in SP2
+    # SP1 is ignored and SP2 will be used for login, but it will fail since SP2 has no access to the given subscription
     - name: Login with both creds and individual parameters
       id: login_12
       continue-on-error: true
@@ -362,7 +282,7 @@ jobs:
     
     - name: Check Last step failed
       if: steps.login_12.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
@@ -378,40 +298,38 @@ jobs:
       
     - name: Check Last step failed
       if: steps.login_13.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
-
-  VMTest:
-    strategy:
-      matrix:
-        os: [self_linux, self_windows]
-    runs-on: ${{ matrix.os }}
-    environment: Automation test
-
-    steps:
-    - name: 'Checking out repo code'
-      uses: actions/checkout@v3.5.2
-
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
-      with:
-        node-version: 16.x
-
-    - name: 'Validate build'
-      run: |
-        npm install
-        npm run build
-
-    - name: Login with system-assigned managed identity without auth-type
+    
+    - name: Login with individual parameters, no subscription-id, no allow-no-subscriptions
       id: login_14
       continue-on-error: true
       uses: ./
-    
+      with:
+        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
+        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
+        enable-AzPSSession: true
+
     - name: Check Last step failed
       if: steps.login_14.outcome == 'success'
-      uses: actions/github-script@v3
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
+    
+    - name: Login with creds, no subscription-id, no allow-no-subscriptions
+      id: login_15
+      continue-on-error: true
+      uses: ./
+      with:
+        creds: '{"clientId":"${{ secrets.OIDC_SP2_CLIENT_ID }}","clientSecret":"${{ secrets.SP2_CLIENT_SECRET }}","tenantId":"${{ secrets.OIDC_SP2_TENANT_ID }}"}'
+        enable-AzPSSession: true
+
+    - name: Check Last step failed
+      if: steps.login_15.outcome == 'success'
+      uses: actions/github-script@v7
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')

.github/workflows/azure-login-positive.yml

@@ -12,18 +12,18 @@ jobs:
   BasicTest:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest, self_linux, self_windows]
+        os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     environment: Automation test
 
     steps:
     - name: 'Checking out repo code'
-      uses: actions/checkout@v3.5.2
+      uses: actions/checkout@v4
 
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
       with:
-        node-version: 16.x
+        node-version: 20.x
 
     - name: 'Validate build'
       run: |
@@ -47,13 +47,11 @@ jobs:
         az vm list --output none
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
             $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
             if(-not $checkResult){
                 throw "Not all checks passed!"
             }
@@ -61,10 +59,9 @@ jobs:
     - name: Login with individual parameters
       uses: ./
       with:
-        client-id: ${{ secrets.OIDC_SP2_CLIENT_ID }}
-        tenant-id: ${{ secrets.OIDC_SP2_TENANT_ID }}
-        # subscription-id: ${{ secrets.OIDC_SP2_SUBSCRIPTION_ID }}
-        allow-no-subscriptions: true
+        client-id: ${{ secrets.SP1_CLIENT_ID }}
+        tenant-id: ${{ secrets.SP1_TENANT_ID }}
+        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
 
     - name: Run Azure Cli again
@@ -72,7 +69,7 @@ jobs:
         az account show --output none
 
     - name: Run Azure PowerShell again
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -95,13 +92,11 @@ jobs:
         az vm list --output none
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
             $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
             if(-not $checkResult){
                 throw "Not all checks passed!"
             }
@@ -109,18 +104,18 @@ jobs:
   ParameterTest:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     environment: Automation test
 
     steps:
     - name: 'Checking out repo code'
-      uses: actions/checkout@v3.5.2
+      uses: actions/checkout@v4
 
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
       with:
-        node-version: 16.x
+        node-version: 20.x
 
     - name: 'Validate build'
       run: |
@@ -165,13 +160,34 @@ jobs:
         az vm list --output none
  
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with individual parameters, allow no subscription
+      uses: ./
+      with:
+        client-id: ${{ secrets.SP1_CLIENT_ID }}
+        tenant-id: ${{ secrets.SP1_TENANT_ID}}
+        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli again
+      run: |
+        az account show --output none
+
+    - name: Run Azure PowerShell again
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
             $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
             if(-not $checkResult){
                 throw "Not all checks passed!"
             }
@@ -184,12 +200,37 @@ jobs:
         allow-no-subscriptions: true
         enable-AzPSSession: true
 
+    - name: Run Azure Cli
+      shell: pwsh
+      run: |
+        $checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 3
+        if(-not $checkResult){
+            throw "Not all checks passed!"
+        }
+
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v2
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+              throw "Not all checks passed!"
+            }
+
+    - name: Login with creds, no subscription, allow no subscription
+      uses: ./
+      with:
+        creds: '{"clientId":"${{ secrets.OIDC_SP2_CLIENT_ID }}","clientSecret":"${{ secrets.SP2_CLIENT_SECRET }}","tenantId":"${{ secrets.OIDC_SP2_TENANT_ID }}"}'
+        allow-no-subscriptions: true
+        enable-AzPSSession: true
+
     - name: Run Azure Cli
       run: |
         az account show --output none
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -198,118 +239,77 @@ jobs:
                 throw "Not all checks passed!"
             }
 
-  VMTest:
-    strategy:
-      matrix:
-        os: [self_linux, self_windows]
-    runs-on: ${{ matrix.os }}
+  InDockerTest:
+    runs-on: ubuntu-latest
+    container: ubuntu:24.04
     environment: Automation test
-
     steps:
     - name: 'Checking out repo code'
-      uses: actions/checkout@v3.5.2
+      uses: actions/checkout@v4
 
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
       with:
-        node-version: 16.x
+        node-version: 20.x
+      
+    - name: Install Azure CLI
+      run: |
+        apt-get update
+        apt-get install -y curl
+        curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+        
+    - name: Check Azure CLI Version
+      run: |
+        az --version
+
+    - name: Install Powershell
+      run: |
+        apt-get update
+        apt-get install -y wget
+        wget https://ftp.debian.org/debian/pool/main/i/icu/libicu72_72.1-3_amd64.deb
+        dpkg -i libicu72_72.1-3_amd64.deb
+        wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell_7.5.0-1.deb_amd64.deb
+        dpkg -i powershell_7.5.0-1.deb_amd64.deb
+
+    - name: Check Powershell Version
+      shell: pwsh
+      run: |
+        $PSVersionTable
+
+    - name: Install Azure Powershell
+      shell: pwsh
+      run: |
+        Install-Module -Name Az -Repository PSGallery -Force
+
+    - name: Check Azure Powershell Version
+      shell: pwsh
+      run: |
+        Get-Module -ListAvailable Az
 
     - name: 'Validate build'
       run: |
         npm install
         npm run build
+        
+    - name: 'Run L0 tests'
+      run: |
+        npm run test
 
-    - name: Login with system-assigned managed identity, no subscription-id
+    - name: Login with individual parameters
       uses: ./
       with:
-        auth-type: IDENTITY
-        allow-no-subscriptions: true
+        client-id: ${{ secrets.SP1_CLIENT_ID }}
+        tenant-id: ${{ secrets.SP1_TENANT_ID }}
+        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
-  
-    - name: Run Azure Cli
+
+    - name: Run Azure Cli again
       run: |
-        az account show --output none
-    
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
+        az group list --output none
+
+    - name: Run Azure PowerShell again
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
-    - name: Login with system-assigned managed identity, with subscription id
-      uses: ./
-      with:
-        auth-type: IDENTITY
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }}
-        enable-AzPSSession: true
-
-    - name: Run Azure Cli
-      run: |
-        az account show --output none
-        az group show --name GitHubAction_CI_RG --output none
-        az vm list --output none
-  
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
-    - name: Login with tenant-level user-assigned managed identity with allow-no-subscriptions
-      uses: ./
-      with:
-        client-id: ${{ secrets.UMI2_CLIENT_ID }}
-        allow-no-subscriptions: true
-        auth-type: IDENTITY
-        enable-AzPSSession: true
-    
-    - name: Run Azure Cli
-      run: |
-        az account show --output none
-    
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
-    - name: Login with user-assigned managed identity, subscription-id
-      uses: ./
-      with:
-        client-id: ${{ secrets.UMI1_CLIENT_ID }}
-        subscription-id: ${{ secrets.UMI1_SUBSCRIPTION_ID }}
-        auth-type: IDENTITY
-        enable-AzPSSession: true
-
-    - name: Run Azure Cli
-      run: |
-        az account show --output none
-        az group show --name GitHubAction_CI_RG --output none
-        az vm list --output none
-    
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
+          $checkResult = Get-AzResourceGroup

.github/workflows/azure-login-pr-check.yml

@@ -1,26 +1,25 @@
 name: pr-check
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - master
       - 'releases/*'
 jobs:
    az-login-test:
-     environment: Automation test
      runs-on: windows-latest
      steps:
        - name: Checkout from PR branch  
-         uses: actions/checkout@v2
+         uses: actions/checkout@v4
          with: 
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           ref: ${{ github.event.pull_request.head.ref }}
 
-         # Using 16.x version as an example
-       - name: Set Node.js 16.x for GitHub Action
-         uses: actions/setup-node@v1
+         # Using 20.x version as an example
+       - name: Set Node.js 20.x for GitHub Action
+         uses: actions/setup-node@v4
          with:
-           node-version: 16.x
+           node-version: 20.x
 
        - name: installing node_modules
          run: npm install 
@@ -28,44 +27,5 @@ jobs:
        - name: Build GitHub Action
          run: npm run build
          
-       - name: 'Az CLI login with subscription'
-         uses: ./
-         with:
-            creds: ${{ secrets.AZURE_CREDENTIALS }}
-          
-       - run: |
-             az account show --output none
-             az vm list --output none
-
-       - name: 'Az CLI login without subscription'
-         uses: ./
-         with:
-           creds: ${{ secrets.AZURE_CREDENTIALS_NO_SUB }}
-           allow-no-subscriptions: true
-
-       - run: |
-             az account show --output none
-       #     az vm list --output none
-
-       - name: 'Azure PowerShell login with subscription'
-         uses: ./
-         with:
-           creds: ${{ secrets.AZURE_CREDENTIALS }}
-           enable-AzPSSession: true
-
-       - uses: azure/powershell@v1
-         with:
-           inlineScript: "(Get-AzContext).Environment.Name"
-           azPSVersion: "latest"
-
-      #  - name: 'Azure PowerShell login without subscription'
-      #    uses: ./
-      #    with:
-      #      creds: ${{secrets.AZURE_CREDENTIALS_NO_SUB}}
-      #      enable-AzPSSession: true
-      #      allow-no-subscriptions: true
-
-      #  - uses: azure/powershell@v1
-      #    with:
-      #      inlineScript: "Get-AzContext"
-      #      azPSVersion: "latest"
+       - name: Run mock test
+         run: npm run test

.github/workflows/ci.yml

@@ -1,3 +1,5 @@
+name: Build and Test
+
 on:
   pull_request:
     branches:
@@ -16,18 +18,18 @@ jobs:
     steps:
 
     - name: 'Checking out repo code'
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
-    - name: Set Node.js 16.x for GitHub Action
-      uses: actions/setup-node@v1
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
       with:
-        node-version: 16.x
+        node-version: 20.x
 
     - name: 'Validate build'
       run: |
         npm install
         npm run build
-        
+
     - name: 'Run L0 tests'
       run: |
         npm run test

.github/workflows/codeql.yml

@@ -6,6 +6,11 @@ on:
   schedule:
     - cron: '0 19 * * 0'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   CodeQL-Build:
 
@@ -14,28 +19,18 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
-      with:
-        # We must fetch at least the immediate parents so that if this is
-        # a pull request then we can checkout the head.
-        fetch-depth: 2
+      uses: actions/checkout@v4
 
-    # If this run was triggered by a pull request event, then checkout
-    # the head of the pull request instead of the merge commit.
-    - run: git checkout HEAD^2
-      if: ${{ github.event_name == 'pull_request' }}
-      
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      # Override language selection by uncommenting this and choosing your languages
-      # with:
-      #   languages: go, javascript, csharp, python, cpp, java
+      uses: github/codeql-action/init@v3
+      with:
+        languages: javascript
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -49,4 +44,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

.github/workflows/defaultLabels.yml

@@ -14,7 +14,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
           
-      - uses: actions/stale@v3
+      - uses: actions/stale@v8
         name: Setting issue as idle
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -25,7 +25,7 @@ jobs:
           operations-per-run: 100
           exempt-issue-labels: 'backlog'
           
-      - uses: actions/stale@v3
+      - uses: actions/stale@v8
         name: Setting PR as idle
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/markdownlint.yml

@@ -7,11 +7,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: 16.x
+          node-version: 20.x
       - name: Run Markdownlint
         run: |
           npm i -g markdownlint-cli2

CODE_OF_CONDUCT.md

@@ -7,3 +7,4 @@ Resources:
 - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
 - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
 - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support)

README.md

@@ -19,7 +19,8 @@
     - [Login to Azure US Government cloud](#login-to-azure-us-government-cloud)
     - [Login to Azure Stack Hub](#login-to-azure-stack-hub)
     - [Login without subscription](#login-without-subscription)
-  - [Az logout and security hardening](#az-logout-and-security-hardening)
+    - [Enable/Disable the cleanup steps](#enabledisable-the-cleanup-steps)
+  - [Security hardening](#security-hardening)
   - [Azure CLI dependency](#azure-cli-dependency)
   - [Reference](#reference)
     - [GitHub Action](#github-action)
@@ -56,7 +57,7 @@ Azure Login Action supports different ways of authentication with Azure.
 |tenant-id|false|UUID||the login tenant id|
 |creds|false|string||a json string for login with an Azure service principal|
 |enable-AzPSSession|false|boolean|false|if Azure PowerShell login is enabled|
-|environment|false|string|azurecloud|the Azure Cloud environment|
+|environment|false|string|azurecloud|the Azure Cloud environment. For cloud environments other than the public cloud, the `audience` will also need to be updated.|
 |allow-no-subscriptions|false|boolean|false|if login without subscription is allowed|
 |audience|false|string|api://AzureADTokenExchange|the audience to get the JWT ID token from GitHub OIDC provider|
 |auth-type|false|string|SERVICE_PRINCIPAL|the auth type|
@@ -126,6 +127,8 @@ By default, Azure Login Action connects to the Azure Public Cloud (`AzureCloud`)
 
 To login to one of the Azure Government clouds or Azure Stack, set `environment` to one of the supported values `AzureUSGovernment` or `AzureChinaCloud` or `AzureGermanCloud` or `AzureStack`.
 
+The default [`audience`](#audience) for each of these clouds is different and will also need to be set if using anything other than the public environment.
+
 Refer to [Login to Azure US Government cloud](#login-to-azure-us-government-cloud) for its usage.
 
 ### `allow-no-subscriptions`
@@ -153,7 +156,7 @@ Refer to [Login With System-assigned Managed Identity](#login-with-system-assign
 > - Ensure the CLI version is 2.30 or above to support login with OIDC.
 > - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.
 
-Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on an service principal or a managed identity.
+Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on a service principal or a managed identity.
 
 - Prepare a service principal for Login with OIDC
   - [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal)
@@ -183,21 +186,21 @@ name: Run Azure Login with OIDC
 on: [push]
 
 permissions:
-      id-token: write
-      contents: read
-jobs: 
+  id-token: write
+  contents: read
+jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
       - name: Azure login
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-  
+
       - name: Azure CLI script
-        uses: azure/CLI@v1
+        uses: azure/cli@v2
         with:
           azcliversion: latest
           inlineScript: |
@@ -213,29 +216,29 @@ name: Run Azure Login with OIDC
 on: [push]
 
 permissions:
-      id-token: write
-      contents: read
-jobs: 
+  id-token: write
+  contents: read
+jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
       - name: Azure login
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           enable-AzPSSession: true
-  
+
       - name: Azure CLI script
-        uses: azure/CLI@v1
+        uses: azure/cli@v2
         with:
           azcliversion: latest
           inlineScript: |
             az account show
 
       - name: Azure PowerShell script
-        uses: azure/powershell@v1.2.0
+        uses: azure/powershell@v2
         with:
           azPSVersion: "latest"
           inlineScript: |
@@ -281,18 +284,17 @@ jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-    
-    - uses: azure/login@v1
+
+    - uses: azure/login@v2
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
-    
+
     - name: Azure CLI script
-      uses: azure/CLI@v1
+      uses: azure/cli@v2
       with:
         azcliversion: latest
         inlineScript: |
           az account show
-
 ```
 
 - **The workflow sample to run both Azure CLI and Azure PowerShell**
@@ -309,21 +311,21 @@ jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-    
-    - uses: azure/login@v1
+
+    - uses: azure/login@v2
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
         enable-AzPSSession: true
-    
+
     - name: Azure CLI script
-      uses: azure/CLI@v1
+      uses: azure/cli@v2
       with:
         azcliversion: latest
         inlineScript: |
           az account show
 
     - name: Azure PowerShell script
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -333,7 +335,7 @@ jobs:
 If you want to pass subscription ID, tenant ID, client ID, and client secret as individual parameters instead of bundling them in a single JSON object to address the [security concerns](https://docs.github.com/actions/security-guides/encrypted-secrets), below snippet can help with the same.
 
 ```yaml
-  - uses: Azure/login@v1
+  - uses: azure/login@v2
     with:
       creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
 ```
@@ -372,29 +374,29 @@ Now you can try the workflow to login with system-assigned managed identity.
 name: Run Azure Login with System-assigned Managed Identity
 on: [push]
 
-jobs: 
+jobs:
   build-and-deploy:
     runs-on: self-hosted
     steps:
       - name: Azure login
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
-          auth-type: IDENTITY          
+          auth-type: IDENTITY
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           enable-AzPSSession: true
 
-      # Azure CLI Action only supports linux self-hosted runners for now. 
-      # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.  
+      # Azure CLI Action only supports linux self-hosted runners for now.
+      # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
       - name: Azure CLI script
-        uses: azure/CLI@v1
+        uses: azure/cli@v2
         with:
           azcliversion: latest
           inlineScript: |
             az account show
 
       - name: Azure PowerShell script
-        uses: azure/powershell@v1.2.0
+        uses: azure/powershell@v2
         with:
           azPSVersion: "latest"
           inlineScript: |
@@ -438,30 +440,30 @@ Now you can try the workflow to login with user-assigned managed identity.
 name: Run Azure Login with User-assigned Managed Identity
 on: [push]
 
-jobs: 
+jobs:
   build-and-deploy:
     runs-on: self-hosted
     steps:
       - name: Azure login
-        uses: azure/login@v1
+        uses: azure/login@v2
         with:
           auth-type: IDENTITY
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}          
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           enable-AzPSSession: true
 
-      # Azure CLI Action only supports linux self-hosted runners for now. 
-      # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`. 
+      # Azure CLI Action only supports linux self-hosted runners for now.
+      # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
       - name: Azure CLI script
-        uses: azure/CLI@v1
+        uses: azure/cli@v2
         with:
           azcliversion: latest
           inlineScript: |
             az account show
 
       - name: Azure PowerShell script
-        uses: azure/powershell@v1.2.0
+        uses: azure/powershell@v2
         with:
           azPSVersion: "latest"
           inlineScript: |
@@ -482,13 +484,12 @@ jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-    
-    - uses: azure/login@v1
+
+    - uses: azure/login@v2
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
         environment: 'AzureUSGovernment'
         enable-AzPSSession: true
-    
 ```
 
 ### Login to Azure Stack Hub
@@ -505,13 +506,12 @@ jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-    
-    - uses: azure/login@v1
+
+    - uses: azure/login@v2
       with:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
         environment: 'AzureStack'
         enable-AzPSSession: true
-    
 ```
 
 Refer to the [Azure Stack Hub Login Action Tutorial](https://learn.microsoft.com/azure-stack/user/ci-cd-github-action-login-cli) for more detailed instructions.
@@ -534,7 +534,7 @@ jobs:
     steps:
 
     - name: Azure Login
-      uses: azure/login@v1
+      uses: azure/login@v2
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
@@ -542,42 +542,135 @@ jobs:
         enable-AzPSSession: true
 
     - name: Azure CLI script
-      uses: azure/CLI@v1
+      uses: azure/cli@v2
       with:
         azcliversion: latest
         inlineScript: |
           az account show
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1.2.0
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
           Get-AzContext
 ```
 
-## Az logout and security hardening
+### Enable/Disable the cleanup steps
 
-This action doesn't implement ```az logout``` by default at the end of execution. However, there is no way to tamper with the credentials or account information because the GitHub-hosted runner is on a VM that will get re-imaged for every customer run, which deletes everything. But if the runner is self-hosted (not provided by GitHub), it is recommended to manually log out at the end of the workflow, as shown below. More details on security of the runners can be found [here](https://docs.github.com/actions/learn-github-actions/security-hardening-for-github-actions#hardening-for-self-hosted-runners).
+In Azure Login Action, "cleanup" means cleaning up the login context. For security reasons, we recommend users run cleanup every time. But in some scenarios, users need flexible control over cleanup.
+
+Referring to [`runs` for JavaScript actions](https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions), there are 3 steps in an action: `pre:`, `main:` and `post:`. Azure Login Action only implement 2 steps: `main:` and `post:`.
+
+There are 2 "cleanup" steps in Azure Login Action:
+
+- cleanup in `main:`
+  - It's **disabled** by default.
+  - Users can enable it by setting an env variable `AZURE_LOGIN_PRE_CLEANUP` to `true`.
+- cleanup in `post:`
+  - It's **enabled** by default.
+  - Users can disable it by setting an env variable `AZURE_LOGIN_POST_CLEANUP` to `false`.
+
+Azure Login Action use env variables to enable or disable cleanup steps. In GitHub Actions, there are three valid scopes for env variables.
+
+- [env](https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions#env)
+  - valid for all jobs in this workflow.
+- [jobs.<job_id>.env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenv)
+  - valid for all the steps in the job.
+- [jobs.<job_id>.steps[*].env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)
+  - only valid for the step in a job.
+
+We set `jobs.<job_id>.steps[*].env` for example. Users can set `env` or `jobs.<job_id>.env` for a wider scope.
 
 ```yaml
-- name: Azure CLI script
-  uses: azure/CLI@v1
-  with:
-    inlineScript: |
-      az logout
-      az cache purge
-      az account clear
+# File: .github/workflows/workflow.yml
 
-- name: Azure PowerShell script
-  uses: azure/powershell@v1.2.0
-  with:
-    azPSVersion: "latest"
-    inlineScript: |
-      Clear-AzContext -Scope Process
-      Clear-AzContext -Scope CurrentUser
+on: [push]
+
+name: Cleanup examples for Multiple Azure Login
+
+jobs:
+
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+
+    # enable cleanup for the 1st Azure Login
+    - name: Azure Login
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: true
+        AZURE_LOGIN_POST_CLEANUP: true
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true    
+
+    # run some actions
+
+    # disable cleanup for all other Azure Login
+    - name: Azure Login 2
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: false
+        AZURE_LOGIN_POST_CLEANUP: false
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID_2 }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }}
+        enable-AzPSSession: true   
+
+    # run other actions
+
+    # disable cleanup for all other Azure Login
+    - name: Azure Login 3
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: false
+        AZURE_LOGIN_POST_CLEANUP: false
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID_3 }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID_3 }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_3 }}
+        enable-AzPSSession: true   
+
+    # run other actions
 ```
 
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: Disable cleanup for GitHub Hosted Runners
+
+jobs:
+
+  deploy:
+    runs-on: [ubuntu-latest, self-hosted]
+    steps:
+
+    - name: Azure Login
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
+        AZURE_LOGIN_POST_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true    
+
+    # run some actions
+
+```
+
+## Security hardening
+
+> [!WARNING]
+> When using self hosted runners it is possible to have multiple runners on a single VM. Currently if your runners share a single user on the VM each runner will share the same credentials. That means in detail that each runner is able to change the permissions of another run. As a workaround we propose to use one single VM user per runner. If you start the runner as a service, do not forget to add the [optional user argument](https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/configuring-the-self-hosted-runner-application-as-a-service#installing-the-service)
+
 ## Azure CLI dependency
 
 Internally in this action, we use azure CLI and execute `az login` with the credentials provided through secrets. In order to validate the new azure CLI releases for this action, [canary test workflow](.github/workflows/azure-login-canary.yml) is written which will execute the action on [azure CLI's edge build](https://github.com/Azure/azure-cli#edge-builds) which will fail incase of any breaking change is being introduced in the new upcoming release. The test results can be posted on a slack or teams channel using the corresponding integrations. Incase of a failure, the concern will be raised to [azure-cli](https://github.com/Azure/azure-cli) for taking a necessary action and also the latest CLI installation will be postponed in [Runner VMs](https://github.com/actions/virtual-environments) as well for hosted runner to prevent the workflows failing due to the new CLI changes.
@@ -586,7 +679,7 @@ Internally in this action, we use azure CLI and execute `az login` with the cred
 
 ### GitHub Action
 
-[GitHub Actions](https://help.github.com/articles/about-github-actions) gives you the flexibility to build an automated software development lifecycle workflow.
+[GitHub Actions](https://docs.github.com/actions) gives you the flexibility to build an automated software development lifecycle workflow.
 
 ### GitHub Actions for deploying to Azure
 

__tests__/LoginConfig.test.ts

@@ -74,16 +74,29 @@ describe("LoginConfig Test", () => {
         await testCreds(creds1);
 
     });
-
-    test('initialize with creds, lack of subscriptionId', async () => {
+   
+    test('initialize with creds, lack of subscriptionId, but allowNoSubscriptionsLogin=true', async () => {
         let creds1 = {
             'clientId': 'client-id',
             'clientSecret': 'client-secret',
             'tenantId': 'tenant-id',
             // 'subscriptionId': 'subscription-id'
         }
-        await testCreds(creds1);
-
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        setEnv('creds', JSON.stringify(creds1));
+        let loginConfig = new LoginConfig();
+        await loginConfig.initialize();
+        expect(loginConfig.environment).toBe("azurecloud");
+        expect(loginConfig.enableAzPSSession).toBeTruthy();
+        expect(loginConfig.allowNoSubscriptionsLogin).toBeTruthy();
+        expect(loginConfig.authType).toBe("SERVICE_PRINCIPAL");
+        expect(loginConfig.servicePrincipalId).toBe("client-id");
+        expect(loginConfig.servicePrincipalSecret).toBe("client-secret");
+        expect(loginConfig.tenantId).toBe("tenant-id");
+        expect(loginConfig.subscriptionId).toBe(undefined);
     });
 
     test('initialize with creds', async () => {
@@ -232,7 +245,7 @@ describe("LoginConfig Test", () => {
 
         let loginConfig = new LoginConfig();
         await loginConfig.initialize();
-        testValidateWithErrorMessage(loginConfig, "Ensure subscriptionId is supplied.");
+        testValidateWithErrorMessage(loginConfig, "Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
     });
 
     test('validate without subscriptionId and allowNoSubscriptionsLogin=true', async () => {

__tests__/PowerShell/AzPSLogin.test.ts

@@ -1,92 +1,92 @@
-import * as os from 'os';
-
-import { AzPSLogin } from '../../src/PowerShell/AzPSLogin';
-import { LoginConfig } from '../../src/common/LoginConfig';
-import AzPSConstants from '../../src/PowerShell/AzPSConstants';
-
-let azpsLogin: AzPSLogin;
-jest.setTimeout(30000);
-
-beforeAll(() => {
-    var loginConfig = new LoginConfig();
-    loginConfig.servicePrincipalId = "servicePrincipalID";
-    loginConfig.servicePrincipalSecret = "servicePrincipalSecret";
-    loginConfig.tenantId = "tenantId";
-    loginConfig.subscriptionId = "subscriptionId";
-    azpsLogin = new AzPSLogin(loginConfig);
-});
-
-afterEach(() => {
-    jest.restoreAllMocks();
-});
-
-describe('Testing login', () => {
-    let loginSpy;
-    
-    beforeEach(() => {
-        loginSpy = jest.spyOn(azpsLogin, 'login');
-    });
-
-    test('ServicePrincipal login should pass', async () => {
-        loginSpy.mockImplementationOnce(() => Promise.resolve());
-        await azpsLogin.login();
-        expect(loginSpy).toHaveBeenCalled();
-    });
-});
-
-describe('Testing set module path', () => {
-    test('setDefaultPSModulePath should work', () => {
-        azpsLogin.setPSModulePathForGitHubRunner();
-        const runner: string = process.env.RUNNER_OS || os.type();
-        if(runner.toLowerCase() === "linux"){
-            expect(process.env.PSModulePath).toContain(AzPSConstants.DEFAULT_AZ_PATH_ON_LINUX);
-        }
-        if(runner.toLowerCase().startsWith("windows")){
-            expect(process.env.PSModulePath).toContain(AzPSConstants.DEFAULT_AZ_PATH_ON_WINDOWS);
-        }
-    });
-
-});
-
-describe('Testing runPSScript', () => {
-    test('Get PowerShell Version', async () => {
-        let script = `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            $output['Success'] = $true
-            $output['Result'] = $PSVersionTable.PSVersion.ToString()
-        }
-        catch {
-            $output['Success'] = $false
-            $output['Error'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-
-        let psVersion: string = await AzPSLogin.runPSScript(script);
-        expect(psVersion === null).toBeFalsy();
-    });
-
-    test('Get PowerShell Version with Wrong Name', async () => {
-        let script = `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            $output['Success'] = $true
-            $output['Result'] = $PSVersionTableWrongName.PSVersion.ToString()
-        }
-        catch {
-            $output['Success'] = $false
-            $output['Error'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-
-        try{
-            await AzPSLogin.runPSScript(script);
-            throw new Error("The last step should fail.");
-        }catch(error){
-            expect(error.message.includes("Azure PowerShell login failed with error: You cannot call a method on a null-valued expression.")).toBeTruthy();
-        }
-    });
-
+import * as os from 'os';
+
+import { AzPSLogin } from '../../src/PowerShell/AzPSLogin';
+import { LoginConfig } from '../../src/common/LoginConfig';
+import { AzPSConstants, AzPSUtils } from '../../src/PowerShell/AzPSUtils';
+
+let azpsLogin: AzPSLogin;
+jest.setTimeout(30000);
+
+beforeAll(() => {
+    var loginConfig = new LoginConfig();
+    loginConfig.servicePrincipalId = "servicePrincipalID";
+    loginConfig.servicePrincipalSecret = "servicePrincipalSecret";
+    loginConfig.tenantId = "tenantId";
+    loginConfig.subscriptionId = "subscriptionId";
+    azpsLogin = new AzPSLogin(loginConfig);
+});
+
+afterEach(() => {
+    jest.restoreAllMocks();
+});
+
+describe('Testing login', () => {
+    let loginSpy;
+    
+    beforeEach(() => {
+        loginSpy = jest.spyOn(azpsLogin, 'login');
+    });
+
+    test('ServicePrincipal login should pass', async () => {
+        loginSpy.mockImplementationOnce(() => Promise.resolve());
+        await azpsLogin.login();
+        expect(loginSpy).toHaveBeenCalled();
+    });
+});
+
+describe('Testing set module path', () => {
+    test('setDefaultPSModulePath should work', () => {
+        AzPSUtils.setPSModulePathForGitHubRunner();
+        const runner: string = process.env.RUNNER_OS || os.type();
+        if(runner.toLowerCase() === "linux"){
+            expect(process.env.PSModulePath).toContain(AzPSConstants.DEFAULT_AZ_PATH_ON_LINUX);
+        }
+        if(runner.toLowerCase().startsWith("windows")){
+            expect(process.env.PSModulePath).toContain(AzPSConstants.DEFAULT_AZ_PATH_ON_WINDOWS);
+        }
+    });
+
+});
+
+describe('Testing runPSScript', () => {
+    test('Get PowerShell Version', async () => {
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            $output['Success'] = $true
+            $output['Result'] = $PSVersionTable.PSVersion.ToString()
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        let psVersion: string = await AzPSUtils.runPSScript(script);
+        expect(psVersion === null).toBeFalsy();
+    });
+
+    test('Get PowerShell Version with Wrong Name', async () => {
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            $output['Success'] = $true
+            $output['Result'] = $PSVersionTableWrongName.PSVersion.ToString()
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        try{
+            await AzPSUtils.runPSScript(script);
+            throw new Error("The last step should fail.");
+        }catch(error){
+            expect(error.message.includes("Azure PowerShell login failed with error: You cannot call a method on a null-valued expression.")).toBeTruthy();
+        }
+    });
+
 });

__tests__/PowerShell/AzPSScriptBuilder.test.ts

@@ -1,153 +1,153 @@
-import AzPSSCriptBuilder from "../../src/PowerShell/AzPSScriptBuilder";
-import { LoginConfig } from "../../src/common/LoginConfig";
-
-describe("Getting AzLogin PS script", () => {
-
-    function setEnv(name: string, value: string) {
-        process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] = value;
-    }
-
-    function cleanEnv() {
-        for (const envKey in process.env) {
-            if (envKey.startsWith('INPUT_')) {
-                delete process.env[envKey]
-            }
-        }
-    }
-
-    beforeEach(() => {
-        cleanEnv();
-    });
-
-    test('getImportLatestModuleScript', () => {
-        expect(AzPSSCriptBuilder.getImportLatestModuleScript("TestModule")).toContain("(Get-Module -Name 'TestModule' -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1).Path");
-        expect(AzPSSCriptBuilder.getImportLatestModuleScript("TestModule")).toContain("Import-Module -Name $latestModulePath");
-    });
-
-    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=true', () => {
-        setEnv('environment', 'azurecloud');
-        setEnv('enable-AzPSSession', 'true');
-        setEnv('allow-no-subscriptions', 'true');
-        setEnv('auth-type', 'SERVICE_PRINCIPAL');
-        let creds = {
-            'clientId': 'client-id',
-            'clientSecret': "client-secret",
-            'tenantId': 'tenant-id',
-            'subscriptionId': 'subscription-id'
-        }
-        setEnv('creds', JSON.stringify(creds));
-
-        let loginConfig = new LoginConfig();
-        loginConfig.initialize();
-        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
-            expect(loginScript.includes("Clear-AzContext -Scope Process; Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; $psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential | out-null;")).toBeTruthy();
-            expect(loginMethod).toBe('service principal with secret');
-        });
-    });
-
-    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=true, secret with single-quote', () => {
-        setEnv('environment', 'azurecloud');
-        setEnv('enable-AzPSSession', 'true');
-        setEnv('allow-no-subscriptions', 'true');
-        setEnv('auth-type', 'SERVICE_PRINCIPAL');
-        let creds = {
-            'clientId': 'client-id',
-            'clientSecret': "client-se'cret",
-            'tenantId': 'tenant-id',
-            'subscriptionId': 'subscription-id'
-        }
-        setEnv('creds', JSON.stringify(creds));
-
-        let loginConfig = new LoginConfig();
-        loginConfig.initialize();
-        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
-            expect(loginScript.includes("Clear-AzContext -Scope Process; Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; $psLoginSecrets = ConvertTo-SecureString 'client-se''cret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential | out-null;")).toBeTruthy();
-            expect(loginMethod).toBe('service principal with secret');
-        });
-    });
-
-    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=false', () => {
-        setEnv('environment', 'azurecloud');
-        setEnv('enable-AzPSSession', 'true');
-        setEnv('allow-no-subscriptions', 'false'); // same as true
-        setEnv('auth-type', 'SERVICE_PRINCIPAL');
-        let creds = {
-            'clientId': 'client-id',
-            'clientSecret': 'client-secret',
-            'tenantId': 'tenant-id',
-            'subscriptionId': 'subscription-id'
-        }
-        setEnv('creds', JSON.stringify(creds));
-
-        let loginConfig = new LoginConfig();
-        loginConfig.initialize();
-        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
-            expect(loginScript.includes("Clear-AzContext -Scope Process; Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; $psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential | out-null;")).toBeTruthy();
-            expect(loginMethod).toBe('service principal with secret');
-        });
-    });
-
-    test('getAzPSLoginScript for OIDC', () => {
-        setEnv('environment', 'azurecloud');
-        setEnv('enable-AzPSSession', 'true');
-        setEnv('allow-no-subscriptions', 'false');
-        setEnv('tenant-id', 'tenant-id');
-        setEnv('subscription-id', 'subscription-id');
-        setEnv('client-id', 'client-id');
-        setEnv('auth-type', 'SERVICE_PRINCIPAL');
-
-        let loginConfig = new LoginConfig();
-        loginConfig.initialize();
-        jest.spyOn(loginConfig, 'getFederatedToken').mockImplementation(async () => {loginConfig.federatedToken = "fake-token";});
-        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
-            expect(loginScript.includes("Clear-AzContext -Scope Process; Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -ApplicationId 'client-id' -FederatedToken 'fake-token' | out-null;")).toBeTruthy();
-            expect(loginMethod).toBe('OIDC');
-        });
-    });
-
-    test('getAzPSLoginScript for System MI', () => {
-        setEnv('environment', 'azurecloud');
-        setEnv('enable-AzPSSession', 'true');
-        setEnv('allow-no-subscriptions', 'false');
-        setEnv('subscription-id', 'subscription-id');
-        setEnv('auth-type', 'IDENTITY');
-
-        let loginConfig = new LoginConfig();
-        loginConfig.initialize();
-        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
-            expect(loginScript.includes("Clear-AzContext -Scope Process; Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; Connect-AzAccount -Identity -Environment 'azurecloud' -Subscription 'subscription-id'  | out-null;")).toBeTruthy();
-            expect(loginMethod).toBe('system-assigned managed identity');
-        });
-    });
-
-    test('getAzPSLoginScript for System MI without subscription id', () => {
-        setEnv('environment', 'azurecloud');
-        setEnv('enable-AzPSSession', 'true');
-        setEnv('allow-no-subscriptions', 'false');
-        // setEnv('subscription-id', 'subscription-id');
-        setEnv('auth-type', 'IDENTITY');
-
-        let loginConfig = new LoginConfig();
-        loginConfig.initialize();
-        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
-            expect(loginScript.includes("Clear-AzContext -Scope Process; Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; Connect-AzAccount -Identity -Environment 'azurecloud'  | out-null;")).toBeTruthy();
-            expect(loginMethod).toBe('system-assigned managed identity');
-        });
-    });
-
-    test('getAzPSLoginScript for user-assigned MI', () => {
-        setEnv('environment', 'azurecloud');
-        setEnv('enable-AzPSSession', 'true');
-        setEnv('allow-no-subscriptions', 'true');
-        setEnv('auth-type', 'IDENTITY');
-        setEnv('client-id', 'client-id');
-
-        let loginConfig = new LoginConfig();
-        loginConfig.initialize();
-        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
-            expect(loginScript.includes("Clear-AzContext -Scope Process; Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; Connect-AzAccount -Identity -Environment 'azurecloud' -AccountId 'client-id' | out-null;")).toBeTruthy();
-            expect(loginMethod).toBe('user-assigned managed identity');
-        });
-    });
-
+import AzPSSCriptBuilder from "../../src/PowerShell/AzPSScriptBuilder";
+import { LoginConfig } from "../../src/common/LoginConfig";
+
+describe("Getting AzLogin PS script", () => {
+
+    function setEnv(name: string, value: string) {
+        process.env[`INPUT_${name.replace(/ /g, '_').toUpperCase()}`] = value;
+    }
+
+    function cleanEnv() {
+        for (const envKey in process.env) {
+            if (envKey.startsWith('INPUT_')) {
+                delete process.env[envKey]
+            }
+        }
+    }
+
+    beforeEach(() => {
+        cleanEnv();
+    });
+
+    test('getImportLatestModuleScript', () => {
+        expect(AzPSSCriptBuilder.getImportLatestModuleScript("TestModule")).toContain("(Get-Module -Name 'TestModule' -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1).Path");
+        expect(AzPSSCriptBuilder.getImportLatestModuleScript("TestModule")).toContain("Import-Module -Name $latestModulePath");
+    });
+
+    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=true', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        let creds = {
+            'clientId': 'client-id',
+            'clientSecret': "client-secret",
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('service principal with secret');
+        });
+    });
+
+    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=true, secret with single-quote', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        let creds = {
+            'clientId': 'client-id',
+            'clientSecret': "client-se'cret",
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-se''cret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('service principal with secret');
+        });
+    });
+
+    test('getAzPSLoginScript for SP+secret with allowNoSubscriptionsLogin=false', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false'); // same as true
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+        let creds = {
+            'clientId': 'client-id',
+            'clientSecret': 'client-secret',
+            'tenantId': 'tenant-id',
+            'subscriptionId': 'subscription-id'
+        }
+        setEnv('creds', JSON.stringify(creds));
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('service principal with secret');
+        });
+    });
+
+    test('getAzPSLoginScript for OIDC', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        setEnv('tenant-id', 'tenant-id');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('client-id', 'client-id');
+        setEnv('auth-type', 'SERVICE_PRINCIPAL');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        jest.spyOn(loginConfig, 'getFederatedToken').mockImplementation(async () => {loginConfig.federatedToken = "fake-token";});
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -ApplicationId 'client-id' -FederatedToken 'fake-token' -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('OIDC');
+        });
+    });
+
+    test('getAzPSLoginScript for System MI', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        setEnv('subscription-id', 'subscription-id');
+        setEnv('auth-type', 'IDENTITY');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -Subscription 'subscription-id'  -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('system-assigned managed identity');
+        });
+    });
+
+    test('getAzPSLoginScript for System MI without subscription id', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'false');
+        // setEnv('subscription-id', 'subscription-id');
+        setEnv('auth-type', 'IDENTITY');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud'  -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('system-assigned managed identity');
+        });
+    });
+
+    test('getAzPSLoginScript for user-assigned MI', () => {
+        setEnv('environment', 'azurecloud');
+        setEnv('enable-AzPSSession', 'true');
+        setEnv('allow-no-subscriptions', 'true');
+        setEnv('auth-type', 'IDENTITY');
+        setEnv('client-id', 'client-id');
+
+        let loginConfig = new LoginConfig();
+        loginConfig.initialize();
+        return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
+            expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -AccountId 'client-id' -InformationAction Ignore | out-null;")).toBeTruthy();
+            expect(loginMethod).toBe('user-assigned managed identity');
+        });
+    });
+
 });

action.yml

@@ -1,7 +1,7 @@
 # Login to Azure subscription
 name: 'Azure Login'
 description: 'Authenticate to Azure and run your Azure CLI or Azure PowerShell based actions or scripts.'
-inputs: 
+inputs:
   creds:
     description: 'Paste output of `az ad sp create-for-rbac` as value of secret variable: AZURE_CREDENTIALS'
     required: false
@@ -14,7 +14,7 @@ inputs:
   subscription-id:
     description: 'Azure subscriptionId'
     required: false
-  enable-AzPSSession: 
+  enable-AzPSSession:
     description: 'Set this value to true to enable Azure PowerShell Login in addition to Azure CLI login'
     required: false
     default: false
@@ -27,16 +27,18 @@ inputs:
     required: false
     default: false
   audience:
-    description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange' 
+    description: 'Provide audience field for access-token. Default value is api://AzureADTokenExchange'
     required: false
     default: 'api://AzureADTokenExchange'
   auth-type:
-    description: 'The type of authentication. Supported values are SERVICE_PRINCIPAL, IDENTITY. Default value is SERVICE_PRINCIPAL' 
+    description: 'The type of authentication. Supported values are SERVICE_PRINCIPAL, IDENTITY. Default value is SERVICE_PRINCIPAL'
     required: false
     default: 'SERVICE_PRINCIPAL'
 branding:
   icon: 'login.svg'
   color: 'blue'
 runs:
-  using: 'node16'
-  main: 'lib/main.js'
+  using: 'node20'
+  main: 'lib/main/index.js'
+  post-if: (!env.AZURE_LOGIN_POST_CLEANUP || env.AZURE_LOGIN_POST_CLEANUP != 'false')
+  post: 'lib/cleanup/index.js'

package.json

@@ -1,17 +1,20 @@
 {
   "name": "login",
-  "version": "1.0.0",
+  "version": "2.2.0",
   "description": "Login Azure wraps the az login, allowing for Azure actions to log into Azure",
-  "main": "lib/main.js",
+  "main": "lib/main/index.js",
   "scripts": {
-    "build": "tsc",
+    "build:main": "ncc build src/main.ts -o lib/main",
+    "build:cleanup": "ncc build src/cleanup.ts -o lib/cleanup",
+    "build": "npm run build:main && npm run build:cleanup",
     "test": "jest"
   },
-  "author": "Sumiran Aggarwal",
+  "author": "Microsoft",
   "license": "MIT",
   "devDependencies": {
     "@types/jest": "^29.2.4",
-    "@types/node": "^12.7.11",
+    "@types/node": "^20.11.1",
+    "@vercel/ncc": "^0.38.1",
     "jest": "^29.3.1",
     "jest-circus": "^29.3.1",
     "ts-jest": "^29.0.3",
@@ -21,7 +24,6 @@
     "@actions/core": "1.9.1",
     "@actions/exec": "^1.0.1",
     "@actions/io": "^1.0.1",
-    "actions-secret-parser": "^1.0.2",
     "package-lock": "^1.0.3"
   }
-}
+}

src/Cli/AzureCliLogin.ts

@@ -8,6 +8,7 @@ export class AzureCliLogin {
     loginConfig: LoginConfig;
     azPath: string;
     loginOptions: ExecOptions;
+    azVersion: string;
 
     constructor(loginConfig: LoginConfig) {
         this.loginConfig = loginConfig;
@@ -17,9 +18,6 @@ export class AzureCliLogin {
     async login() {
         core.info(`Running Azure CLI Login.`);
         this.azPath = await io.which("az", true);
-        if (!this.azPath) {
-            throw new Error("Azure CLI is not found in the runner.");
-        }
         core.debug(`Azure CLI path: ${this.azPath}`);
 
         let output: string = "";
@@ -31,10 +29,15 @@ export class AzureCliLogin {
             }
         };
 
-        await this.executeAzCliCommand(["--version"], true, execOptions);
+        await this.executeAzCliCommand(["version"], true, execOptions);
         core.debug(`Azure CLI version used:\n${output}`);
-
-        this.setAzurestackEnvIfNecessary();
+        try {
+            this.azVersion = JSON.parse(output)["azure-cli"];
+        }
+        catch (error) {
+            core.warning("Failed to parse Azure CLI version.");
+        }
+        await this.registerAzurestackEnvIfNecessary();
 
         await this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false);
         core.info(`Done setting cloud: "${this.loginConfig.environment}"`);
@@ -62,7 +65,7 @@ export class AzureCliLogin {
         }
     }
 
-    async setAzurestackEnvIfNecessary() {
+    async registerAzurestackEnvIfNecessary() {
         if (this.loginConfig.environment != "azurestack") {
             return;
         }
@@ -88,7 +91,7 @@ export class AzureCliLogin {
             let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
             let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
             let profileVersion = "2019-03-01-hybrid";
-            await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", `"${this.loginConfig.resourceManagerEndpointUrl}"`, "--suffix-keyvault-dns", `"${suffixKeyvault}"`, "--suffix-storage-endpoint", `"${suffixStorage}"`, "--profile", `"${profileVersion}"`], false);
+            await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", this.loginConfig.resourceManagerEndpointUrl, "--suffix-keyvault-dns", suffixKeyvault, "--suffix-storage-endpoint", suffixStorage, "--profile", profileVersion], false);
         }
         catch (error) {
             core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`);
@@ -111,7 +114,20 @@ export class AzureCliLogin {
     }
 
     async loginWithUserAssignedIdentity(args: string[]) {
-        args.push("--username", this.loginConfig.servicePrincipalId);
+        let azcliMinorVersion = 0;
+        try {
+            azcliMinorVersion = parseInt(this.azVersion.split('.')[1], 10);
+        }
+        catch (error) {
+            core.warning("Failed to parse the minor version of Azure CLI. Assuming the version is less than 2.69.0");
+        }
+        //From Azure-cli v2.69.0, `--username` is replaced with `--client-id`, `--object-id` or `--resource-id`: https://github.com/Azure/azure-cli/pull/30525
+        if (azcliMinorVersion < 69) {
+            args.push("--username", this.loginConfig.servicePrincipalId);
+        }
+        else {
+            args.push("--client-id", this.loginConfig.servicePrincipalId);
+        }
         await this.callCliLogin(args, 'user-assigned managed identity');
     }
 
@@ -126,14 +142,13 @@ export class AzureCliLogin {
             args.push("--allow-no-subscriptions");
         }
         await this.executeAzCliCommand(args, true, this.loginOptions);
-        await this.setSubscription();
+        if (this.loginConfig.subscriptionId) {
+            await this.setSubscription();
+        }
         core.info(`Azure CLI login succeeds by using ${methodName}.`);
     }
 
     async setSubscription() {
-        if (this.loginConfig.allowNoSubscriptionsLogin) {
-            return;
-        }
         let args = ["account", "set", "--subscription", this.loginConfig.subscriptionId];
         await this.executeAzCliCommand(args, true, this.loginOptions);
         core.info("Subscription is set successfully.");
@@ -160,7 +175,7 @@ function defaultExecOptions(): exec.ExecOptions {
                 if (error && error.trim().length !== 0 && !startsWithWarning) {
                     if (startsWithError) {
                         //removing the keyword 'ERROR' to avoid duplicates while throwing error
-                        error = error.slice(5);
+                        error = error.slice(7);
                     }
                     core.error(error);
                 }

src/PowerShell/AzPSConstants.ts

@@ -1,7 +0,0 @@
-export default class AzPSConstants {
-    static readonly DEFAULT_AZ_PATH_ON_LINUX: string = '/usr/share';
-    static readonly DEFAULT_AZ_PATH_ON_WINDOWS: string = 'C:\\Modules';
-    static readonly AzAccounts: string = "Az.Accounts";
-    static readonly PowerShell_CmdName = "pwsh";
-}
-

src/PowerShell/AzPSLogin.ts

@@ -1,100 +1,24 @@
-import * as core from '@actions/core';
-import * as exec from '@actions/exec';
-import * as io from '@actions/io';
-import * as os from 'os';
-import * as path from 'path';
-
-import AzPSScriptBuilder from './AzPSScriptBuilder';
-import AzPSConstants from './AzPSConstants';
-import { LoginConfig } from '../common/LoginConfig';
-
-interface PSResultType {
-    Result: string;
-    Success: boolean;
-    Error: string;
-}
-
-export class AzPSLogin {
-    loginConfig: LoginConfig;
-
-    constructor(loginConfig: LoginConfig) {
-        this.loginConfig = loginConfig;
-    }
-
-    async login() {
-        core.info(`Running Azure PowerShell Login.`);
-        this.setPSModulePathForGitHubRunner();
-        await this.importLatestAzAccounts();
-
-        const [loginMethod, loginScript] = await AzPSScriptBuilder.getAzPSLoginScript(this.loginConfig);
-        core.info(`Attempting Azure PowerShell login by using ${loginMethod}...`);
-        core.debug(`Azure PowerShell Login Script: ${loginScript}`);
-        await AzPSLogin.runPSScript(loginScript);
-        console.log(`Running Azure PowerShell Login successfully.`);
-    }
-
-    setPSModulePathForGitHubRunner() {
-        const runner: string = process.env.RUNNER_OS || os.type();
-        switch (runner.toLowerCase()) {
-            case "linux":
-                this.pushPSModulePath(AzPSConstants.DEFAULT_AZ_PATH_ON_LINUX);
-                break;
-            case "windows":
-            case "windows_nt":
-                this.pushPSModulePath(AzPSConstants.DEFAULT_AZ_PATH_ON_WINDOWS);
-                break;
-            case "macos":
-            case "darwin":
-                core.warning(`Skip setting the default PowerShell module path for OS ${runner.toLowerCase()}.`);
-                break;
-            default:
-                core.warning(`Skip setting the default PowerShell module path for unknown OS ${runner.toLowerCase()}.`);
-                break;
-        }
-    }
-
-    private pushPSModulePath(psModulePath: string) {
-        process.env.PSModulePath = `${psModulePath}${path.delimiter}${process.env.PSModulePath}`;
-        core.debug(`Set PSModulePath as ${process.env.PSModulePath}`);
-    }
-
-    private async importLatestAzAccounts() {
-        let importLatestAccountsScript: string = AzPSScriptBuilder.getImportLatestModuleScript(AzPSConstants.AzAccounts);
-        core.debug(`The script to import the latest Az.Accounts: ${importLatestAccountsScript}`);
-        let azAccountsPath: string = await AzPSLogin.runPSScript(importLatestAccountsScript);
-        core.debug(`The latest Az.Accounts used: ${azAccountsPath}`);
-    }
-
-    static async runPSScript(psScript: string): Promise<string> {
-        let outputString: string = "";
-        let commandStdErr = false;
-        const options: any = {
-            silent: true,
-            listeners: {
-                stdout: (data: Buffer) => {
-                    outputString += data.toString();
-                },
-                stderr: (data: Buffer) => {
-                    let error = data.toString();
-                    if (error && error.trim().length !== 0) {
-                        commandStdErr = true;
-                        core.error(error);
-                    }
-                }
-            }
-        };
-
-        let psPath: string = await io.which(AzPSConstants.PowerShell_CmdName, true);
-        await exec.exec(`"${psPath}"`, ["-Command", psScript], options)
-        if (commandStdErr) {
-            throw new Error('Azure PowerShell login failed with errors.');
-        }
-        const result: PSResultType = JSON.parse(outputString.trim());
-        console.log(result);
-        if (!(result.Success)) {
-            throw new Error(`Azure PowerShell login failed with error: ${result.Error}`);
-        }
-        return result.Result;
-    }
-}
-
+import * as core from '@actions/core';
+
+import AzPSScriptBuilder from './AzPSScriptBuilder';
+import { AzPSUtils } from './AzPSUtils';
+import { LoginConfig } from '../common/LoginConfig';
+
+export class AzPSLogin {
+    loginConfig: LoginConfig;
+
+    constructor(loginConfig: LoginConfig) {
+        this.loginConfig = loginConfig;
+    }
+
+    async login() {
+        core.info(`Running Azure PowerShell Login.`);
+        AzPSUtils.setPSModulePathForGitHubRunner();
+        await AzPSUtils.importLatestAzAccounts();
+        const [loginMethod, loginScript] = await AzPSScriptBuilder.getAzPSLoginScript(this.loginConfig);
+        core.info(`Attempting Azure PowerShell login by using ${loginMethod}...`);
+        core.debug(`Azure PowerShell Login Script: ${loginScript}`);
+        await AzPSUtils.runPSScript(loginScript);
+        console.log(`Running Azure PowerShell Login successfully.`);
+    }
+}

src/PowerShell/AzPSScriptBuilder.ts

@@ -1,113 +1,111 @@
-import AzPSConstants from "./AzPSConstants";
-import { LoginConfig } from '../common/LoginConfig';
-
-export default class AzPSScriptBuilder {
-
-    static getImportLatestModuleScript(moduleName: string): string {
-        let script = `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            $latestModulePath = (Get-Module -Name '${moduleName}' -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1).Path
-            Import-Module -Name $latestModulePath
-            $output['Success'] = $true
-            $output['Result'] = $latestModulePath
-        }
-        catch {
-            $output['Success'] = $false
-            $output['Error'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-
-        return script;
-    }
-
-    static async getAzPSLoginScript(loginConfig: LoginConfig) {
-        let loginMethodName = "";
-        let commands = 'Clear-AzContext -Scope Process; ';
-        commands += 'Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue; ';
-
-        if (loginConfig.environment.toLowerCase() == "azurestack") {
-            commands += `Add-AzEnvironment -Name '${loginConfig.environment}' -ARMEndpoint '${loginConfig.resourceManagerEndpointUrl}' | out-null;`;
-        }
-        if (loginConfig.authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) {
-            if (loginConfig.servicePrincipalSecret) {
-                commands += AzPSScriptBuilder.loginWithSecret(loginConfig);
-                loginMethodName = 'service principal with secret';
-            } else {
-                commands += await AzPSScriptBuilder.loginWithOIDC(loginConfig);
-                loginMethodName = "OIDC";
-            }
-        } else {
-            if (loginConfig.servicePrincipalId) {
-                commands += AzPSScriptBuilder.loginWithUserAssignedIdentity(loginConfig);
-                loginMethodName = 'user-assigned managed identity';
-            } else {
-                commands += AzPSScriptBuilder.loginWithSystemAssignedIdentity(loginConfig);
-                loginMethodName = 'system-assigned managed identity';
-            }
-        }
-
-        let script = `try {
-            $ErrorActionPreference = "Stop"
-            $WarningPreference = "SilentlyContinue"
-            $output = @{}
-            ${commands}
-            $output['Success'] = $true
-            $output['Result'] = ""
-        }
-        catch {
-            $output['Success'] = $false
-            $output['Error'] = $_.exception.Message
-        }
-        return ConvertTo-Json $output`;
-
-        return [loginMethodName, script];
-    }
-
-    private static loginWithSecret(loginConfig: LoginConfig): string {
-        let servicePrincipalSecret: string = loginConfig.servicePrincipalSecret.split("'").join("''");
-        let loginCmdlet = `$psLoginSecrets = ConvertTo-SecureString '${servicePrincipalSecret}' -AsPlainText -Force; `;
-        loginCmdlet += `$psLoginCredential = New-Object System.Management.Automation.PSCredential('${loginConfig.servicePrincipalId}', $psLoginSecrets); `;
-        
-        let cmdletSuffix = "-Credential $psLoginCredential";
-        loginCmdlet += AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
-
-        return loginCmdlet;
-    }
-
-    private static async loginWithOIDC(loginConfig: LoginConfig) {
-        await loginConfig.getFederatedToken();
-        let cmdletSuffix = `-ApplicationId '${loginConfig.servicePrincipalId}' -FederatedToken '${loginConfig.federatedToken}'`;
-        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
-    }
-
-    private static loginWithSystemAssignedIdentity(loginConfig: LoginConfig): string {
-        let cmdletSuffix = "";
-        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
-    }
-
-    static loginWithUserAssignedIdentity(loginConfig: LoginConfig): string {
-        let cmdletSuffix = `-AccountId '${loginConfig.servicePrincipalId}'`;
-        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
-    }
-
-    private static psLoginCmdlet(authType:string, environment:string, tenantId:string, subscriptionId:string, cmdletSuffix:string){
-        let loginCmdlet = `Connect-AzAccount `;
-        if(authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL){
-            loginCmdlet += "-ServicePrincipal ";
-        }else{
-            loginCmdlet += "-Identity ";
-        }
-        loginCmdlet += `-Environment '${environment}' `;
-        if(tenantId){
-            loginCmdlet += `-Tenant '${tenantId}' `;
-        }
-        if(subscriptionId){
-            loginCmdlet += `-Subscription '${subscriptionId}' `;
-        }
-        loginCmdlet += `${cmdletSuffix} | out-null;`;
-        return loginCmdlet;
-    }
-}
-
+import { LoginConfig } from '../common/LoginConfig';
+
+export default class AzPSScriptBuilder {
+
+    static getImportLatestModuleScript(moduleName: string): string {
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            $latestModulePath = (Get-Module -Name '${moduleName}' -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1).Path
+            Import-Module -Name $latestModulePath
+            $output['Success'] = $true
+            $output['Result'] = $latestModulePath
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        return script;
+    }
+
+    static async getAzPSLoginScript(loginConfig: LoginConfig) {
+        let loginMethodName = "";
+        let commands = "";
+
+        if (loginConfig.environment.toLowerCase() == "azurestack") {
+            commands += `Add-AzEnvironment -Name '${loginConfig.environment}' -ARMEndpoint '${loginConfig.resourceManagerEndpointUrl}' | out-null;`;
+        }
+        if (loginConfig.authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) {
+            if (loginConfig.servicePrincipalSecret) {
+                commands += AzPSScriptBuilder.loginWithSecret(loginConfig);
+                loginMethodName = 'service principal with secret';
+            } else {
+                commands += await AzPSScriptBuilder.loginWithOIDC(loginConfig);
+                loginMethodName = "OIDC";
+            }
+        } else {
+            if (loginConfig.servicePrincipalId) {
+                commands += AzPSScriptBuilder.loginWithUserAssignedIdentity(loginConfig);
+                loginMethodName = 'user-assigned managed identity';
+            } else {
+                commands += AzPSScriptBuilder.loginWithSystemAssignedIdentity(loginConfig);
+                loginMethodName = 'system-assigned managed identity';
+            }
+        }
+
+        let script = `try {
+            $ErrorActionPreference = "Stop"
+            $WarningPreference = "SilentlyContinue"
+            $output = @{}
+            ${commands}
+            $output['Success'] = $true
+            $output['Result'] = ""
+        }
+        catch {
+            $output['Success'] = $false
+            $output['Error'] = $_.exception.Message
+        }
+        return ConvertTo-Json $output`;
+
+        return [loginMethodName, script];
+    }
+
+    private static loginWithSecret(loginConfig: LoginConfig): string {
+        let servicePrincipalSecret: string = loginConfig.servicePrincipalSecret.split("'").join("''");
+        let loginCmdlet = `$psLoginSecrets = ConvertTo-SecureString '${servicePrincipalSecret}' -AsPlainText -Force; `;
+        loginCmdlet += `$psLoginCredential = New-Object System.Management.Automation.PSCredential('${loginConfig.servicePrincipalId}', $psLoginSecrets); `;
+        
+        let cmdletSuffix = "-Credential $psLoginCredential";
+        loginCmdlet += AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+
+        return loginCmdlet;
+    }
+
+    private static async loginWithOIDC(loginConfig: LoginConfig) {
+        await loginConfig.getFederatedToken();
+        let cmdletSuffix = `-ApplicationId '${loginConfig.servicePrincipalId}' -FederatedToken '${loginConfig.federatedToken}'`;
+        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+    }
+
+    private static loginWithSystemAssignedIdentity(loginConfig: LoginConfig): string {
+        let cmdletSuffix = "";
+        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+    }
+
+    static loginWithUserAssignedIdentity(loginConfig: LoginConfig): string {
+        let cmdletSuffix = `-AccountId '${loginConfig.servicePrincipalId}'`;
+        return AzPSScriptBuilder.psLoginCmdlet(loginConfig.authType, loginConfig.environment, loginConfig.tenantId, loginConfig.subscriptionId, cmdletSuffix);
+    }
+
+    private static psLoginCmdlet(authType:string, environment:string, tenantId:string, subscriptionId:string, cmdletSuffix:string){
+        let loginCmdlet = `Connect-AzAccount `;
+        if(authType === LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL){
+            loginCmdlet += "-ServicePrincipal ";
+        }else{
+            loginCmdlet += "-Identity ";
+        }
+        loginCmdlet += `-Environment '${environment}' `;
+        if(tenantId){
+            loginCmdlet += `-Tenant '${tenantId}' `;
+        }
+        if(subscriptionId){
+            loginCmdlet += `-Subscription '${subscriptionId}' `;
+        }
+        loginCmdlet += `${cmdletSuffix} -InformationAction Ignore | out-null;`;
+        return loginCmdlet;
+    }
+}
+

src/PowerShell/AzPSUtils.ts

@@ -0,0 +1,85 @@
+import * as core from '@actions/core';
+import * as os from 'os';
+import * as path from 'path';
+import * as exec from '@actions/exec';
+import * as io from '@actions/io';
+import AzPSScriptBuilder from './AzPSScriptBuilder';
+
+interface PSResultType {
+    Result: string;
+    Success: boolean;
+    Error: string;
+}
+
+export class AzPSConstants {
+    static readonly DEFAULT_AZ_PATH_ON_LINUX: string = '/usr/share';
+    static readonly DEFAULT_AZ_PATH_ON_WINDOWS: string = 'C:\\Modules';
+    static readonly AzAccounts: string = "Az.Accounts";
+    static readonly PowerShell_CmdName = "pwsh";
+}
+
+export class AzPSUtils {
+    static async setPSModulePathForGitHubRunner() {
+        const runner: string = process.env.RUNNER_OS || os.type();
+        switch (runner.toLowerCase()) {
+            case "linux":
+                AzPSUtils.pushPSModulePath(AzPSConstants.DEFAULT_AZ_PATH_ON_LINUX);
+                break;
+            case "windows":
+            case "windows_nt":
+                AzPSUtils.pushPSModulePath(AzPSConstants.DEFAULT_AZ_PATH_ON_WINDOWS);
+                break;
+            case "macos":
+            case "darwin":
+                core.warning(`Skip setting the default PowerShell module path for OS ${runner.toLowerCase()}.`);
+                break;
+            default:
+                core.warning(`Skip setting the default PowerShell module path for unknown OS ${runner.toLowerCase()}.`);
+                break;
+        }
+    }
+    
+    private static pushPSModulePath(psModulePath: string) {
+        process.env.PSModulePath = `${psModulePath}${path.delimiter}${process.env.PSModulePath}`;
+        core.debug(`Set PSModulePath as ${process.env.PSModulePath}`);
+    }
+    
+    static async importLatestAzAccounts() {
+        let importLatestAccountsScript: string = AzPSScriptBuilder.getImportLatestModuleScript(AzPSConstants.AzAccounts);
+        core.debug(`The script to import the latest Az.Accounts: ${importLatestAccountsScript}`);
+        let azAccountsPath: string = await AzPSUtils.runPSScript(importLatestAccountsScript);
+        core.debug(`The latest Az.Accounts used: ${azAccountsPath}`);
+    }
+
+    static async runPSScript(psScript: string): Promise<string> {
+        let outputString: string = "";
+        let commandStdErr = false;
+        const options: any = {
+            silent: true,
+            listeners: {
+                stdout: (data: Buffer) => {
+                    outputString += data.toString();
+                },
+                stderr: (data: Buffer) => {
+                    let error = data.toString();
+                    if (error && error.trim().length !== 0) {
+                        commandStdErr = true;
+                        core.error(error);
+                    }
+                }
+            }
+        };
+
+        let psPath: string = await io.which(AzPSConstants.PowerShell_CmdName, true);
+        await exec.exec(`"${psPath}"`, ["-Command", psScript], options)
+        if (commandStdErr) {
+            throw new Error('Azure PowerShell login failed with errors.');
+        }
+        const result: PSResultType = JSON.parse(outputString.trim());
+        console.log(result);
+        if (!(result.Success)) {
+            throw new Error(`Azure PowerShell login failed with error: ${result.Error}`);
+        }
+        return result.Result;
+    }
+}

src/cleanup.ts

@@ -0,0 +1,19 @@
+import * as core from '@actions/core';
+import { setUserAgent, cleanupAzCLIAccounts, cleanupAzPSAccounts } from './common/Utils'; 
+
+async function cleanup() {
+    try {
+        setUserAgent();
+        await cleanupAzCLIAccounts();
+        if(core.getInput('enable-AzPSSession').toLowerCase() === "true"){
+            await cleanupAzPSAccounts();
+        }
+    }
+    catch (error) {
+        core.warning(`Login cleanup failed with ${error}. Cleanup will be skipped.`);
+        core.debug(error.stack);
+    }
+}
+
+cleanup();
+

src/common/LoginConfig.ts

@@ -1,5 +1,4 @@
 import * as core from '@actions/core';
-import { FormatType, SecretParser } from 'actions-secret-parser';
 
 export class LoginConfig {
     static readonly AUTH_TYPE_SERVICE_PRINCIPAL = "SERVICE_PRINCIPAL";
@@ -49,10 +48,10 @@ export class LoginConfig {
 
     private readParametersFromCreds() {
         let creds = core.getInput('creds', { required: false });
-        let secrets = creds ? new SecretParser(creds, FormatType.JSON) : null;
-        if (!secrets) {
+        if (!creds) {
             return;
         }
+        let secrets = JSON.parse(creds);
 
         if(this.authType != LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL){
             return;
@@ -64,13 +63,13 @@ export class LoginConfig {
         }
 
         core.debug('Reading creds in JSON...');
-        this.servicePrincipalId = this.servicePrincipalId ? this.servicePrincipalId : secrets.getSecret("$.clientId", false);
-        this.servicePrincipalSecret = secrets.getSecret("$.clientSecret", false);
-        this.tenantId = this.tenantId ? this.tenantId : secrets.getSecret("$.tenantId", false);
-        this.subscriptionId = this.subscriptionId ? this.subscriptionId : secrets.getSecret("$.subscriptionId", false);
-        this.resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
-        if (!this.servicePrincipalId || !this.servicePrincipalSecret || !this.tenantId || !this.subscriptionId) {
-            throw new Error("Not all parameters are provided in 'creds'. Double-check if all keys are defined in 'creds': 'clientId', 'clientSecret', 'subscriptionId', 'tenantId'.");
+        this.servicePrincipalId = this.servicePrincipalId ? this.servicePrincipalId : secrets.clientId;
+        this.servicePrincipalSecret = secrets.clientSecret;
+        this.tenantId = this.tenantId ? this.tenantId : secrets.tenantId; 
+        this.subscriptionId = this.subscriptionId ? this.subscriptionId : secrets.subscriptionId;
+        this.resourceManagerEndpointUrl = secrets.resourceManagerEndpointUrl;
+        if (!this.servicePrincipalId || !this.servicePrincipalSecret || !this.tenantId) {
+            throw new Error("Not all parameters are provided in 'creds'. Double-check if all keys are defined in 'creds': 'clientId', 'clientSecret', 'tenantId'.");
         }
     }
 
@@ -80,11 +79,16 @@ export class LoginConfig {
             this.mask(this.federatedToken);
         }
         catch (error) {
-            core.error(`Please make sure to give write permissions to id-token in the workflow.`);
+            core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow.");
             throw error;
         }
-        let [issuer, subjectClaim] = await jwtParser(this.federatedToken);
-        core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim);
+        try {
+            let [issuer, subjectClaim, audience, jobWorkflowRef] = await jwtParser(this.federatedToken);
+            core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
+        }
+        catch (error) {
+            core.warning(`Failed to parse the federated token. Error: ${error}`);
+        }
     }
 
     validate() {
@@ -100,7 +104,7 @@ export class LoginConfig {
             }
         }
         if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
-            throw new Error("Ensure subscriptionId is supplied.");
+            throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
         }
     }
 
@@ -115,6 +119,20 @@ async function jwtParser(federatedToken: string) {
     let tokenPayload = federatedToken.split('.')[1];
     let bufferObj = Buffer.from(tokenPayload, "base64");
     let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
-    return [decodedPayload['iss'], decodedPayload['sub']];
-}
-
+    const JWT_CLAIM_ISSUER = 'iss';
+    const JWT_CLAIM_SUBJECT = 'sub';
+    const JWT_CLAIM_AUDIENCE = 'aud';
+    const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
+    const requiredClaims = [
+        JWT_CLAIM_ISSUER,
+        JWT_CLAIM_SUBJECT,
+        JWT_CLAIM_AUDIENCE,
+        JWT_CLAIM_JOB_WORKFLOW_REF
+    ];
+    for (const claim of requiredClaims) {
+        if (!decodedPayload[claim]) {
+            throw new Error(`The claim '${claim}' is missing from the token payload`);
+        }
+    }
+    return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];   
+}   

src/common/Utils.ts

@@ -0,0 +1,30 @@
+import * as core from '@actions/core';
+import * as exec from '@actions/exec';
+import * as io from '@actions/io';
+import * as crypto from 'crypto';
+import { AzPSConstants, AzPSUtils } from '../PowerShell/AzPSUtils';
+
+export function setUserAgent(): void {
+    let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
+    let actionName = 'AzureLogin';
+    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+}
+
+export async function cleanupAzCLIAccounts(): Promise<void> {
+    let azPath = await io.which("az", true);
+    core.debug(`Azure CLI path: ${azPath}`);
+    core.info("Clearing azure cli accounts from the local cache.");
+    await exec.exec(`"${azPath}"`, ["account", "clear"]);  
+}
+
+export async function cleanupAzPSAccounts(): Promise<void> {
+    let psPath: string = await io.which(AzPSConstants.PowerShell_CmdName, true);
+    core.debug(`PowerShell path: ${psPath}`);
+    core.debug("Importing Azure PowerShell module.");
+    AzPSUtils.setPSModulePathForGitHubRunner();
+    await AzPSUtils.importLatestAzAccounts();
+    core.info("Clearing azure powershell accounts from the local cache.");
+    await exec.exec(`"${psPath}"`, ["-Command", "Clear-AzContext", "-Scope", "Process"]);
+    await exec.exec(`"${psPath}"`, ["-Command", "Clear-AzContext", "-Scope", "CurrentUser", "-Force", "-ErrorAction", "SilentlyContinue"]);
+}

src/main.ts

@@ -1,19 +1,19 @@
 import * as core from '@actions/core';
+import { cleanupAzCLIAccounts, cleanupAzPSAccounts, setUserAgent } from './common/Utils';
 import { AzPSLogin } from './PowerShell/AzPSLogin';
 import { LoginConfig } from './common/LoginConfig';
 import { AzureCliLogin } from './Cli/AzureCliLogin';
 
-var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
-var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
-
 async function main() {
     try {
-        let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
-        let actionName = 'AzureLogin';
-        let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-        let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-        core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
-        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
+        setUserAgent();
+        const preCleanup: string = process.env.AZURE_LOGIN_PRE_CLEANUP;
+        if ('true' == preCleanup) {
+            await cleanupAzCLIAccounts();
+            if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
+                await cleanupAzPSAccounts();
+            }
+        }
 
         // prepare the login configuration
         var loginConfig = new LoginConfig();
@@ -31,14 +31,9 @@ async function main() {
         }
     }
     catch (error) {
-        core.setFailed(`Login failed with ${error}. Make sure 'az' is installed on the runner. If 'enable-AzPSSession' is true, make sure 'pwsh' is installed on the runner together with Azure PowerShell module. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.`);
+        core.setFailed(`Login failed with ${error}. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.`);
         core.debug(error.stack);
     }
-    finally {
-        // Reset AZURE_HTTP_USER_AGENT
-        core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
-        core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
-    }
 }
 
 main();