prepare release v2.1.1

2026-03-13 18:17:09 -04:00 · 2024-05-24 11:19:08 +08:00
13 changed files with 186 additions and 339 deletions
--- a/.github/workflows/azure-login-negative.yml
+++ b/.github/workflows/azure-login-negative.yml
@@ -333,3 +333,36 @@ jobs:
      with:
          script: |
            core.setFailed('Last action should fail but not. Please check it.')
+
+  VMTest:
+    strategy:
+      matrix:
+        os: [self_linux, self_windows]
+    runs-on: ${{ matrix.os }}
+    environment: Automation test
+
+    steps:
+    - name: 'Checking out repo code'
+      uses: actions/checkout@v4
+
+    - name: Set Node.js 20.x for GitHub Action
+      uses: actions/setup-node@v4
+      with:
+        node-version: 20.x
+
+    - name: 'Validate build'
+      run: |
+        npm install
+        npm run build
+
+    - name: Login with system-assigned managed identity without auth-type
+      id: login_14
+      continue-on-error: true
+      uses: ./
+    
+    - name: Check Last step failed
+      if: steps.login_14.outcome == 'success'
+      uses: actions/github-script@v7
+      with:
+          script: |
+            core.setFailed('Last action should fail but not. Please check it.')
--- a/.github/workflows/azure-login-positive.yml
+++ b/.github/workflows/azure-login-positive.yml
@@ -12,7 +12,7 @@ jobs:
  BasicTest:
    strategy:
      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest]
+        os: [ubuntu-latest, windows-latest, macos-latest, self_linux, self_windows]
    runs-on: ${{ matrix.os }}
    environment: Automation test

@@ -47,11 +47,13 @@ jobs:
        az vm list --output none

    - name: Run Azure PowerShell
-      uses: azure/powershell@v2
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
+            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
            if(-not $checkResult){
                throw "Not all checks passed!"
            }
@@ -69,7 +71,7 @@ jobs:
        az account show --output none

    - name: Run Azure PowerShell again
-      uses: azure/powershell@v2
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
@@ -92,11 +94,13 @@ jobs:
        az vm list --output none

    - name: Run Azure PowerShell
-      uses: azure/powershell@v2
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
+            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
            if(-not $checkResult){
                throw "Not all checks passed!"
            }
@@ -160,11 +164,13 @@ jobs:
        az vm list --output none
 
    - name: Run Azure PowerShell
-      uses: azure/powershell@v2
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
+            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
            if(-not $checkResult){
                throw "Not all checks passed!"
            }
@@ -183,7 +189,7 @@ jobs:
        az account show --output none

    - name: Run Azure PowerShell again
-      uses: azure/powershell@v2
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
@@ -203,13 +209,13 @@ jobs:
    - name: Run Azure Cli
      shell: pwsh
      run: |
-        $checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 3
+        $checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 2
        if(-not $checkResult){
            throw "Not all checks passed!"
        }

    - name: Run Azure PowerShell
-      uses: azure/powershell@v2
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
@@ -230,7 +236,7 @@ jobs:
        az account show --output none

    - name: Run Azure PowerShell
-      uses: azure/powershell@v2
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
@@ -239,10 +245,13 @@ jobs:
                throw "Not all checks passed!"
            }

-  InDockerTest:
-    runs-on: ubuntu-latest
-    container: ubuntu:24.04
+  VMTest:
+    strategy:
+      matrix:
+        os: [self_linux, self_windows]
+    runs-on: ${{ matrix.os }}
    environment: Automation test
+
    steps:
    - name: 'Checking out repo code'
      uses: actions/checkout@v4
@@ -251,65 +260,103 @@ jobs:
      uses: actions/setup-node@v4
      with:
        node-version: 20.x
-      
-    - name: Install Azure CLI
-      run: |
-        apt-get update
-        apt-get install -y curl
-        curl -sL https://aka.ms/InstallAzureCLIDeb | bash
-        
-    - name: Check Azure CLI Version
-      run: |
-        az --version
-
-    - name: Install Powershell
-      run: |
-        apt-get update
-        apt-get install -y wget
-        wget https://ftp.debian.org/debian/pool/main/i/icu/libicu72_72.1-3_amd64.deb
-        dpkg -i libicu72_72.1-3_amd64.deb
-        wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell_7.5.0-1.deb_amd64.deb
-        dpkg -i powershell_7.5.0-1.deb_amd64.deb
-
-    - name: Check Powershell Version
-      shell: pwsh
-      run: |
-        $PSVersionTable
-
-    - name: Install Azure Powershell
-      shell: pwsh
-      run: |
-        Install-Module -Name Az -Repository PSGallery -Force
-
-    - name: Check Azure Powershell Version
-      shell: pwsh
-      run: |
-        Get-Module -ListAvailable Az

    - name: 'Validate build'
      run: |
        npm install
        npm run build
-        
-    - name: 'Run L0 tests'
-      run: |
-        npm run test

-    - name: Login with individual parameters
+    - name: Login with system-assigned managed identity, no subscription-id
      uses: ./
      with:
-        client-id: ${{ secrets.SP1_CLIENT_ID }}
-        tenant-id: ${{ secrets.SP1_TENANT_ID }}
-        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
+        auth-type: IDENTITY
+        allow-no-subscriptions: true
        enable-AzPSSession: true
-
-    - name: Run Azure Cli again
+  
+    - name: Run Azure Cli
      run: |
-        az group list --output none
-
-    - name: Run Azure PowerShell again
-      uses: azure/powershell@v2
+        az account show --output none
+    
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v1
      with:
        azPSVersion: "latest"
        inlineScript: |
-          $checkResult = Get-AzResourceGroup
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with system-assigned managed identity, with subscription id
+      uses: ./
+      with:
+        auth-type: IDENTITY
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }}
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+  
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v1
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
+            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with tenant-level user-assigned managed identity with allow-no-subscriptions
+      uses: ./
+      with:
+        client-id: ${{ secrets.UMI2_CLIENT_ID }}
+        allow-no-subscriptions: true
+        auth-type: IDENTITY
+        enable-AzPSSession: true
+    
+    - name: Run Azure Cli
+      run: |
+        az account show --output none
+    
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v1
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
+    - name: Login with user-assigned managed identity, subscription-id
+      uses: ./
+      with:
+        client-id: ${{ secrets.UMI1_CLIENT_ID }}
+        subscription-id: ${{ secrets.UMI1_SUBSCRIPTION_ID }}
+        auth-type: IDENTITY
+        enable-AzPSSession: true
+
+    - name: Run Azure Cli
+      run: |
+        az account show --output none
+        az group show --name GitHubAction_CI_RG --output none
+        az vm list --output none
+    
+    - name: Run Azure PowerShell
+      uses: azure/powershell@v1
+      with:
+        azPSVersion: "latest"
+        inlineScript: |
+            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
+            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
+            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
+            if(-not $checkResult){
+                throw "Not all checks passed!"
+            }
+
--- a/README.md
+++ b/README.md
@@ -19,7 +19,6 @@
    - [Login to Azure US Government cloud](#login-to-azure-us-government-cloud)
    - [Login to Azure Stack Hub](#login-to-azure-stack-hub)
    - [Login without subscription](#login-without-subscription)
-    - [Enable/Disable the cleanup steps](#enabledisable-the-cleanup-steps)
  - [Security hardening](#security-hardening)
  - [Azure CLI dependency](#azure-cli-dependency)
  - [Reference](#reference)
@@ -57,7 +56,7 @@ Azure Login Action supports different ways of authentication with Azure.
 |tenant-id|false|UUID||the login tenant id|
 |creds|false|string||a json string for login with an Azure service principal|
 |enable-AzPSSession|false|boolean|false|if Azure PowerShell login is enabled|
-|environment|false|string|azurecloud|the Azure Cloud environment. For cloud environments other than the public cloud, the `audience` will also need to be updated.|
+|environment|false|string|azurecloud|the Azure Cloud environment|
 |allow-no-subscriptions|false|boolean|false|if login without subscription is allowed|
 |audience|false|string|api://AzureADTokenExchange|the audience to get the JWT ID token from GitHub OIDC provider|
 |auth-type|false|string|SERVICE_PRINCIPAL|the auth type|
@@ -127,8 +126,6 @@ By default, Azure Login Action connects to the Azure Public Cloud (`AzureCloud`)

 To login to one of the Azure Government clouds or Azure Stack, set `environment` to one of the supported values `AzureUSGovernment` or `AzureChinaCloud` or `AzureGermanCloud` or `AzureStack`.

-The default [`audience`](#audience) for each of these clouds is different and will also need to be set if using anything other than the public environment.
-
 Refer to [Login to Azure US Government cloud](#login-to-azure-us-government-cloud) for its usage.

 ### `allow-no-subscriptions`
@@ -156,7 +153,7 @@ Refer to [Login With System-assigned Managed Identity](#login-with-system-assign
 > - Ensure the CLI version is 2.30 or above to support login with OIDC.
 > - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.

-Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on a service principal or a managed identity.
+Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on an service principal or a managed identity.

 - Prepare a service principal for Login with OIDC
  - [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal)
@@ -556,116 +553,6 @@ jobs:
          Get-AzContext
 ```

-### Enable/Disable the cleanup steps
-
-In Azure Login Action, "cleanup" means cleaning up the login context. For security reasons, we recommend users run cleanup every time. But in some scenarios, users need flexible control over cleanup.
-
-Referring to [`runs` for JavaScript actions](https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions), there are 3 steps in an action: `pre:`, `main:` and `post:`. Azure Login Action only implement 2 steps: `main:` and `post:`.
-
-There are 2 "cleanup" steps in Azure Login Action:
-
- cleanup in `main:`
-  - It's **disabled** by default.
-  - Users can enable it by setting an env variable `AZURE_LOGIN_PRE_CLEANUP` to `true`.
- cleanup in `post:`
-  - It's **enabled** by default.
-  - Users can disable it by setting an env variable `AZURE_LOGIN_POST_CLEANUP` to `false`.
-
-Azure Login Action use env variables to enable or disable cleanup steps. In GitHub Actions, there are three valid scopes for env variables.
-
- [env](https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions#env)
-  - valid for all jobs in this workflow.
- [jobs.<job_id>.env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenv)
-  - valid for all the steps in the job.
- [jobs.<job_id>.steps[*].env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)
-  - only valid for the step in a job.
-
-We set `jobs.<job_id>.steps[*].env` for example. Users can set `env` or `jobs.<job_id>.env` for a wider scope.
-
-```yaml
-# File: .github/workflows/workflow.yml
-
-on: [push]
-
-name: Cleanup examples for Multiple Azure Login
-
-jobs:
-
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-
-    # enable cleanup for the 1st Azure Login
-    - name: Azure Login
-      uses: azure/login@v2
-      env:
-        AZURE_LOGIN_PRE_CLEANUP: true
-        AZURE_LOGIN_POST_CLEANUP: true
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-        enable-AzPSSession: true    
-
-    # run some actions
-
-    # disable cleanup for all other Azure Login
-    - name: Azure Login 2
-      uses: azure/login@v2
-      env:
-        AZURE_LOGIN_PRE_CLEANUP: false
-        AZURE_LOGIN_POST_CLEANUP: false
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID_2 }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }}
-        enable-AzPSSession: true   
-
-    # run other actions
-
-    # disable cleanup for all other Azure Login
-    - name: Azure Login 3
-      uses: azure/login@v2
-      env:
-        AZURE_LOGIN_PRE_CLEANUP: false
-        AZURE_LOGIN_POST_CLEANUP: false
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID_3 }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID_3 }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_3 }}
-        enable-AzPSSession: true   
-
-    # run other actions
-```
-
-```yaml
-# File: .github/workflows/workflow.yml
-
-on: [push]
-
-name: Disable cleanup for GitHub Hosted Runners
-
-jobs:
-
-  deploy:
-    runs-on: [ubuntu-latest, self-hosted]
-    steps:
-
-    - name: Azure Login
-      uses: azure/login@v2
-      env:
-        AZURE_LOGIN_PRE_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
-        AZURE_LOGIN_POST_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-        enable-AzPSSession: true    
-
-    # run some actions
-
-```
-
 ## Security hardening

 > [!WARNING]
@@ -679,7 +566,7 @@ Internally in this action, we use azure CLI and execute `az login` with the cred

 ### GitHub Action

-[GitHub Actions](https://docs.github.com/actions) gives you the flexibility to build an automated software development lifecycle workflow.
+[GitHub Actions](https://help.github.com/articles/about-github-actions) gives you the flexibility to build an automated software development lifecycle workflow.

 ### GitHub Actions for deploying to Azure

--- a/tests/LoginConfig.test.ts
+++ b/tests/LoginConfig.test.ts
@@ -245,7 +245,7 @@ describe("LoginConfig Test", () => {

        let loginConfig = new LoginConfig();
        await loginConfig.initialize();
-        testValidateWithErrorMessage(loginConfig, "Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
+        testValidateWithErrorMessage(loginConfig, "Ensure subscriptionId is supplied.");
    });

    test('validate without subscriptionId and allowNoSubscriptionsLogin=true', async () => {
--- a/action.yml
+++ b/action.yml
@@ -39,6 +39,6 @@ branding:
  color: 'blue'
 runs:
  using: 'node20'
+  pre: 'lib/cleanup/index.js'
  main: 'lib/main/index.js'
-  post-if: (!env.AZURE_LOGIN_POST_CLEANUP || env.AZURE_LOGIN_POST_CLEANUP != 'false')
  post: 'lib/cleanup/index.js'
--- a/lib/cleanup/index.js
+++ b/lib/cleanup/index.js
@@ -4339,16 +4339,11 @@ class LoginConfig {
                this.mask(this.federatedToken);
            }
            catch (error) {
-                core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow.");
+                core.error(`Please make sure to give write permissions to id-token in the workflow.`);
                throw error;
            }
-            try {
-                let [issuer, subjectClaim, audience, jobWorkflowRef] = yield jwtParser(this.federatedToken);
-                core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
-            }
-            catch (error) {
-                core.warning(`Failed to parse the federated token. Error: ${error}`);
-            }
+            let [issuer, subjectClaim] = yield jwtParser(this.federatedToken);
+            core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim);
        });
    }
    validate() {
@@ -4364,7 +4359,7 @@ class LoginConfig {
            }
        }
        if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
-            throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
+            throw new Error("Ensure subscriptionId is supplied.");
        }
    }
    mask(parameterValue) {
@@ -4392,22 +4387,7 @@ function jwtParser(federatedToken) {
        let tokenPayload = federatedToken.split('.')[1];
        let bufferObj = Buffer.from(tokenPayload, "base64");
        let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
-        const JWT_CLAIM_ISSUER = 'iss';
-        const JWT_CLAIM_SUBJECT = 'sub';
-        const JWT_CLAIM_AUDIENCE = 'aud';
-        const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
-        const requiredClaims = [
-            JWT_CLAIM_ISSUER,
-            JWT_CLAIM_SUBJECT,
-            JWT_CLAIM_AUDIENCE,
-            JWT_CLAIM_JOB_WORKFLOW_REF
-        ];
-        for (const claim of requiredClaims) {
-            if (!decodedPayload[claim]) {
-                throw new Error(`The claim '${claim}' is missing from the token payload`);
-            }
-        }
-        return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];
+        return [decodedPayload['iss'], decodedPayload['sub']];
    });
 }

@@ -4461,8 +4441,8 @@ const AzPSUtils_1 = __nccwpck_require__(895);
 function setUserAgent() {
    let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
    let actionName = 'AzureLogin';
-    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
-    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
 }
 exports.setUserAgent = setUserAgent;
 function cleanupAzCLIAccounts() {
--- a/lib/main/index.js
+++ b/lib/main/index.js
@@ -4001,15 +4001,9 @@ class AzureCliLogin {
                    }
                }
            };
-            yield this.executeAzCliCommand(["version"], true, execOptions);
+            yield this.executeAzCliCommand(["--version"], true, execOptions);
            core.debug(`Azure CLI version used:\n${output}`);
-            try {
-                this.azVersion = JSON.parse(output)["azure-cli"];
-            }
-            catch (error) {
-                core.warning("Failed to parse Azure CLI version.");
-            }
-            yield this.registerAzurestackEnvIfNecessary();
+            this.setAzurestackEnvIfNecessary();
            yield this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false);
            core.info(`Done setting cloud: "${this.loginConfig.environment}"`);
            if (this.loginConfig.authType === LoginConfig_1.LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) {
@@ -4035,7 +4029,7 @@ class AzureCliLogin {
            }
        });
    }
-    registerAzurestackEnvIfNecessary() {
+    setAzurestackEnvIfNecessary() {
        return __awaiter(this, void 0, void 0, function* () {
            if (this.loginConfig.environment != "azurestack") {
                return;
@@ -4060,7 +4054,7 @@ class AzureCliLogin {
                let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
                let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
                let profileVersion = "2019-03-01-hybrid";
-                yield this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", this.loginConfig.resourceManagerEndpointUrl, "--suffix-keyvault-dns", suffixKeyvault, "--suffix-storage-endpoint", suffixStorage, "--profile", profileVersion], false);
+                yield this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", `"${this.loginConfig.resourceManagerEndpointUrl}"`, "--suffix-keyvault-dns", `"${suffixKeyvault}"`, "--suffix-storage-endpoint", `"${suffixStorage}"`, "--profile", `"${profileVersion}"`], false);
            }
            catch (error) {
                core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`);
@@ -4085,20 +4079,7 @@ class AzureCliLogin {
    }
    loginWithUserAssignedIdentity(args) {
        return __awaiter(this, void 0, void 0, function* () {
-            let azcliMinorVersion = 0;
-            try {
-                azcliMinorVersion = parseInt(this.azVersion.split('.')[1], 10);
-            }
-            catch (error) {
-                core.warning("Failed to parse the minor version of Azure CLI. Assuming the version is less than 2.69.0");
-            }
-            //From Azure-cli v2.69.0, `--username` is replaced with `--client-id`, `--object-id` or `--resource-id`: https://github.com/Azure/azure-cli/pull/30525
-            if (azcliMinorVersion < 69) {
-                args.push("--username", this.loginConfig.servicePrincipalId);
-            }
-            else {
-                args.push("--client-id", this.loginConfig.servicePrincipalId);
-            }
+            args.push("--username", this.loginConfig.servicePrincipalId);
            yield this.callCliLogin(args, 'user-assigned managed identity');
        });
    }
@@ -4566,16 +4547,11 @@ class LoginConfig {
                this.mask(this.federatedToken);
            }
            catch (error) {
-                core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow.");
+                core.error(`Please make sure to give write permissions to id-token in the workflow.`);
                throw error;
            }
-            try {
-                let [issuer, subjectClaim, audience, jobWorkflowRef] = yield jwtParser(this.federatedToken);
-                core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
-            }
-            catch (error) {
-                core.warning(`Failed to parse the federated token. Error: ${error}`);
-            }
+            let [issuer, subjectClaim] = yield jwtParser(this.federatedToken);
+            core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim);
        });
    }
    validate() {
@@ -4591,7 +4567,7 @@ class LoginConfig {
            }
        }
        if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
-            throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
+            throw new Error("Ensure subscriptionId is supplied.");
        }
    }
    mask(parameterValue) {
@@ -4619,22 +4595,7 @@ function jwtParser(federatedToken) {
        let tokenPayload = federatedToken.split('.')[1];
        let bufferObj = Buffer.from(tokenPayload, "base64");
        let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
-        const JWT_CLAIM_ISSUER = 'iss';
-        const JWT_CLAIM_SUBJECT = 'sub';
-        const JWT_CLAIM_AUDIENCE = 'aud';
-        const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
-        const requiredClaims = [
-            JWT_CLAIM_ISSUER,
-            JWT_CLAIM_SUBJECT,
-            JWT_CLAIM_AUDIENCE,
-            JWT_CLAIM_JOB_WORKFLOW_REF
-        ];
-        for (const claim of requiredClaims) {
-            if (!decodedPayload[claim]) {
-                throw new Error(`The claim '${claim}' is missing from the token payload`);
-            }
-        }
-        return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];
+        return [decodedPayload['iss'], decodedPayload['sub']];
    });
 }

@@ -4688,8 +4649,8 @@ const AzPSUtils_1 = __nccwpck_require__(1895);
 function setUserAgent() {
    let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
    let actionName = 'AzureLogin';
-    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
-    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
 }
 exports.setUserAgent = setUserAgent;
 function cleanupAzCLIAccounts() {
@@ -4765,13 +4726,6 @@ function main() {
    return __awaiter(this, void 0, void 0, function* () {
        try {
            (0, Utils_1.setUserAgent)();
-            const preCleanup = process.env.AZURE_LOGIN_PRE_CLEANUP;
-            if ('true' == preCleanup) {
-                yield (0, Utils_1.cleanupAzCLIAccounts)();
-                if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
-                    yield (0, Utils_1.cleanupAzPSAccounts)();
-                }
-            }
            // prepare the login configuration
            var loginConfig = new LoginConfig_1.LoginConfig();
            yield loginConfig.initialize();
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "login",
-  "version": "2.2.0",
+  "version": "2.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "login",
-      "version": "2.2.0",
+      "version": "2.0.0",
      "license": "MIT",
      "dependencies": {
        "@actions/core": "1.9.1",
@@ -1278,13 +1278,11 @@
      }
    },
    "node_modules/braces": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
-      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "version": "3.0.2",
      "dev": true,
      "license": "MIT",
      "dependencies": {
-        "fill-range": "^7.1.1"
+        "fill-range": "^7.0.1"
      },
      "engines": {
        "node": ">=8"
@@ -1640,9 +1638,7 @@
      }
    },
    "node_modules/fill-range": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
-      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+      "version": "7.0.1",
      "dev": true,
      "license": "MIT",
      "dependencies": {
@@ -1843,8 +1839,6 @@
    },
    "node_modules/is-number": {
      "version": "7.0.0",
-      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
-      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
      "dev": true,
      "license": "MIT",
      "engines": {
@@ -3131,8 +3125,6 @@
    },
    "node_modules/to-regex-range": {
      "version": "5.0.1",
-      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
-      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
      "dev": true,
      "license": "MIT",
      "dependencies": {
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "login",
-  "version": "2.2.0",
+  "version": "2.0.0",
  "description": "Login Azure wraps the az login, allowing for Azure actions to log into Azure",
  "main": "lib/main/index.js",
  "scripts": {
--- a/src/Cli/AzureCliLogin.ts
+++ b/src/Cli/AzureCliLogin.ts
@@ -8,7 +8,6 @@ export class AzureCliLogin {
    loginConfig: LoginConfig;
    azPath: string;
    loginOptions: ExecOptions;
-    azVersion: string;

    constructor(loginConfig: LoginConfig) {
        this.loginConfig = loginConfig;
@@ -29,15 +28,10 @@ export class AzureCliLogin {
            }
        };

-        await this.executeAzCliCommand(["version"], true, execOptions);
+        await this.executeAzCliCommand(["--version"], true, execOptions);
        core.debug(`Azure CLI version used:\n${output}`);
-        try {
-            this.azVersion = JSON.parse(output)["azure-cli"];
-        }
-        catch (error) {
-            core.warning("Failed to parse Azure CLI version.");
-        }
-        await this.registerAzurestackEnvIfNecessary();
+
+        this.setAzurestackEnvIfNecessary();

        await this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false);
        core.info(`Done setting cloud: "${this.loginConfig.environment}"`);
@@ -65,7 +59,7 @@ export class AzureCliLogin {
        }
    }

-    async registerAzurestackEnvIfNecessary() {
+    async setAzurestackEnvIfNecessary() {
        if (this.loginConfig.environment != "azurestack") {
            return;
        }
@@ -91,7 +85,7 @@ export class AzureCliLogin {
            let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
            let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
            let profileVersion = "2019-03-01-hybrid";
-            await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", this.loginConfig.resourceManagerEndpointUrl, "--suffix-keyvault-dns", suffixKeyvault, "--suffix-storage-endpoint", suffixStorage, "--profile", profileVersion], false);
+            await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", `"${this.loginConfig.resourceManagerEndpointUrl}"`, "--suffix-keyvault-dns", `"${suffixKeyvault}"`, "--suffix-storage-endpoint", `"${suffixStorage}"`, "--profile", `"${profileVersion}"`], false);
        }
        catch (error) {
            core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`);
@@ -114,20 +108,7 @@ export class AzureCliLogin {
    }

    async loginWithUserAssignedIdentity(args: string[]) {
-        let azcliMinorVersion = 0;
-        try {
-            azcliMinorVersion = parseInt(this.azVersion.split('.')[1], 10);
-        }
-        catch (error) {
-            core.warning("Failed to parse the minor version of Azure CLI. Assuming the version is less than 2.69.0");
-        }
-        //From Azure-cli v2.69.0, `--username` is replaced with `--client-id`, `--object-id` or `--resource-id`: https://github.com/Azure/azure-cli/pull/30525
-        if (azcliMinorVersion < 69) {
-            args.push("--username", this.loginConfig.servicePrincipalId);
-        }
-        else {
-            args.push("--client-id", this.loginConfig.servicePrincipalId);
-        }
+        args.push("--username", this.loginConfig.servicePrincipalId);
        await this.callCliLogin(args, 'user-assigned managed identity');
    }

--- a/src/common/LoginConfig.ts
+++ b/src/common/LoginConfig.ts
@@ -79,16 +79,11 @@ export class LoginConfig {
            this.mask(this.federatedToken);
        }
        catch (error) {
-            core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow.");
+            core.error(`Please make sure to give write permissions to id-token in the workflow.`);
            throw error;
        }
-        try {
-            let [issuer, subjectClaim, audience, jobWorkflowRef] = await jwtParser(this.federatedToken);
-            core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
-        }
-        catch (error) {
-            core.warning(`Failed to parse the federated token. Error: ${error}`);
-        }
+        let [issuer, subjectClaim] = await jwtParser(this.federatedToken);
+        core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim);
    }

    validate() {
@@ -104,7 +99,7 @@ export class LoginConfig {
            }
        }
        if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
-            throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'.");
+            throw new Error("Ensure subscriptionId is supplied.");
        }
    }

@@ -119,20 +114,5 @@ async function jwtParser(federatedToken: string) {
    let tokenPayload = federatedToken.split('.')[1];
    let bufferObj = Buffer.from(tokenPayload, "base64");
    let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
-    const JWT_CLAIM_ISSUER = 'iss';
-    const JWT_CLAIM_SUBJECT = 'sub';
-    const JWT_CLAIM_AUDIENCE = 'aud';
-    const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
-    const requiredClaims = [
-        JWT_CLAIM_ISSUER,
-        JWT_CLAIM_SUBJECT,
-        JWT_CLAIM_AUDIENCE,
-        JWT_CLAIM_JOB_WORKFLOW_REF
-    ];
-    for (const claim of requiredClaims) {
-        if (!decodedPayload[claim]) {
-            throw new Error(`The claim '${claim}' is missing from the token payload`);
-        }
-    }
-    return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];   
-}   
+    return [decodedPayload['iss'], decodedPayload['sub']];
+}
--- a/src/common/Utils.ts
+++ b/src/common/Utils.ts
@@ -7,8 +7,8 @@ import { AzPSConstants, AzPSUtils } from '../PowerShell/AzPSUtils';
 export function setUserAgent(): void {
    let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
    let actionName = 'AzureLogin';
-    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
-    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
 }

 export async function cleanupAzCLIAccounts(): Promise<void> {
--- a/src/main.ts
+++ b/src/main.ts
@@ -1,5 +1,5 @@
 import * as core from '@actions/core';
-import { cleanupAzCLIAccounts, cleanupAzPSAccounts, setUserAgent } from './common/Utils';
+import { setUserAgent } from './common/Utils'; 
 import { AzPSLogin } from './PowerShell/AzPSLogin';
 import { LoginConfig } from './common/LoginConfig';
 import { AzureCliLogin } from './Cli/AzureCliLogin';
@@ -7,13 +7,6 @@ import { AzureCliLogin } from './Cli/AzureCliLogin';
 async function main() {
    try {
        setUserAgent();
-        const preCleanup: string = process.env.AZURE_LOGIN_PRE_CLEANUP;
-        if ('true' == preCleanup) {
-            await cleanupAzCLIAccounts();
-            if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
-                await cleanupAzPSAccounts();
-            }
-        }

        // prepare the login configuration
        var loginConfig = new LoginConfig();