prepare release v2.2.0

* update README.md to add cleanup examples

* update README.md

* update README.md

* update README.md

* fix markdown lint errors

---------

Co-authored-by: Shiying Chen <shiyingchen@microsoft.com>

.github/workflows/azure-login-negative.yml

@@ -333,36 +333,3 @@ jobs:
       with:
           script: |
             core.setFailed('Last action should fail but not. Please check it.')
-
-  VMTest:
-    strategy:
-      matrix:
-        os: [self_linux, self_windows]
-    runs-on: ${{ matrix.os }}
-    environment: Automation test
-
-    steps:
-    - name: 'Checking out repo code'
-      uses: actions/checkout@v4
-
-    - name: Set Node.js 20.x for GitHub Action
-      uses: actions/setup-node@v4
-      with:
-        node-version: 20.x
-
-    - name: 'Validate build'
-      run: |
-        npm install
-        npm run build
-
-    - name: Login with system-assigned managed identity without auth-type
-      id: login_14
-      continue-on-error: true
-      uses: ./
-    
-    - name: Check Last step failed
-      if: steps.login_14.outcome == 'success'
-      uses: actions/github-script@v7
-      with:
-          script: |
-            core.setFailed('Last action should fail but not. Please check it.')

.github/workflows/azure-login-positive.yml

@@ -12,7 +12,7 @@ jobs:
   BasicTest:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest, self_linux, self_windows]
+        os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     environment: Automation test
 
@@ -47,13 +47,11 @@ jobs:
         az vm list --output none
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
             $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
             if(-not $checkResult){
                 throw "Not all checks passed!"
             }
@@ -71,7 +69,7 @@ jobs:
         az account show --output none
 
     - name: Run Azure PowerShell again
-      uses: azure/powershell@v1
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -94,13 +92,11 @@ jobs:
         az vm list --output none
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
             $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
             if(-not $checkResult){
                 throw "Not all checks passed!"
             }
@@ -164,13 +160,11 @@ jobs:
         az vm list --output none
  
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
             $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
             if(-not $checkResult){
                 throw "Not all checks passed!"
             }
@@ -189,7 +183,7 @@ jobs:
         az account show --output none
 
     - name: Run Azure PowerShell again
-      uses: azure/powershell@v1
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -209,13 +203,13 @@ jobs:
     - name: Run Azure Cli
       shell: pwsh
       run: |
-        $checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 2
+        $checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 3
         if(-not $checkResult){
             throw "Not all checks passed!"
         }
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -236,7 +230,7 @@ jobs:
         az account show --output none
 
     - name: Run Azure PowerShell
-      uses: azure/powershell@v1
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
@@ -245,13 +239,10 @@ jobs:
                 throw "Not all checks passed!"
             }
 
-  VMTest:
-    strategy:
-      matrix:
-        os: [self_linux, self_windows]
-    runs-on: ${{ matrix.os }}
+  InDockerTest:
+    runs-on: ubuntu-latest
+    container: ubuntu:24.04
     environment: Automation test
-
     steps:
     - name: 'Checking out repo code'
       uses: actions/checkout@v4
@@ -260,103 +251,65 @@ jobs:
       uses: actions/setup-node@v4
       with:
         node-version: 20.x
+      
+    - name: Install Azure CLI
+      run: |
+        apt-get update
+        apt-get install -y curl
+        curl -sL https://aka.ms/InstallAzureCLIDeb | bash
+        
+    - name: Check Azure CLI Version
+      run: |
+        az --version
+
+    - name: Install Powershell
+      run: |
+        apt-get update
+        apt-get install -y wget
+        wget https://mirror.it.ubc.ca/ubuntu/pool/main/i/icu/libicu72_72.1-3ubuntu3_amd64.deb
+        dpkg -i libicu72_72.1-3ubuntu3_amd64.deb
+        wget https://github.com/PowerShell/PowerShell/releases/download/v7.4.3/powershell_7.4.3-1.deb_amd64.deb
+        dpkg -i powershell_7.4.3-1.deb_amd64.deb
+
+    - name: Check Powershell Version
+      shell: pwsh
+      run: |
+        $PSVersionTable
+
+    - name: Install Azure Powershell
+      shell: pwsh
+      run: |
+        Install-Module -Name Az -Repository PSGallery -Force
+
+    - name: Check Azure Powershell Version
+      shell: pwsh
+      run: |
+        Get-Module -ListAvailable Az
 
     - name: 'Validate build'
       run: |
         npm install
         npm run build
+        
+    - name: 'Run L0 tests'
+      run: |
+        npm run test
 
-    - name: Login with system-assigned managed identity, no subscription-id
+    - name: Login with individual parameters
       uses: ./
       with:
-        auth-type: IDENTITY
-        allow-no-subscriptions: true
+        client-id: ${{ secrets.SP1_CLIENT_ID }}
+        tenant-id: ${{ secrets.SP1_TENANT_ID }}
+        subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
         enable-AzPSSession: true
-  
-    - name: Run Azure Cli
+
+    - name: Run Azure Cli again
       run: |
-        az account show --output none
-    
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1
+        az group list --output none
+
+    - name: Run Azure PowerShell again
+      uses: azure/powershell@v2
       with:
         azPSVersion: "latest"
         inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
-    - name: Login with system-assigned managed identity, with subscription id
-      uses: ./
-      with:
-        auth-type: IDENTITY
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }}
-        enable-AzPSSession: true
-
-    - name: Run Azure Cli
-      run: |
-        az account show --output none
-        az group show --name GitHubAction_CI_RG --output none
-        az vm list --output none
-  
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
-    - name: Login with tenant-level user-assigned managed identity with allow-no-subscriptions
-      uses: ./
-      with:
-        client-id: ${{ secrets.UMI2_CLIENT_ID }}
-        allow-no-subscriptions: true
-        auth-type: IDENTITY
-        enable-AzPSSession: true
-    
-    - name: Run Azure Cli
-      run: |
-        az account show --output none
-    
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
-    - name: Login with user-assigned managed identity, subscription-id
-      uses: ./
-      with:
-        client-id: ${{ secrets.UMI1_CLIENT_ID }}
-        subscription-id: ${{ secrets.UMI1_SUBSCRIPTION_ID }}
-        auth-type: IDENTITY
-        enable-AzPSSession: true
-
-    - name: Run Azure Cli
-      run: |
-        az account show --output none
-        az group show --name GitHubAction_CI_RG --output none
-        az vm list --output none
-    
-    - name: Run Azure PowerShell
-      uses: azure/powershell@v1
-      with:
-        azPSVersion: "latest"
-        inlineScript: |
-            $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
-            $checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
-            $checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
-            if(-not $checkResult){
-                throw "Not all checks passed!"
-            }
-
+          $checkResult = Get-AzResourceGroup

README.md

@@ -19,6 +19,7 @@
     - [Login to Azure US Government cloud](#login-to-azure-us-government-cloud)
     - [Login to Azure Stack Hub](#login-to-azure-stack-hub)
     - [Login without subscription](#login-without-subscription)
+    - [Enable/Disable the cleanup steps](#enabledisable-the-cleanup-steps)
   - [Security hardening](#security-hardening)
   - [Azure CLI dependency](#azure-cli-dependency)
   - [Reference](#reference)
@@ -56,7 +57,7 @@ Azure Login Action supports different ways of authentication with Azure.
 |tenant-id|false|UUID||the login tenant id|
 |creds|false|string||a json string for login with an Azure service principal|
 |enable-AzPSSession|false|boolean|false|if Azure PowerShell login is enabled|
-|environment|false|string|azurecloud|the Azure Cloud environment|
+|environment|false|string|azurecloud|the Azure Cloud environment. For cloud environments other than the public cloud, the `audience` will also need to be updated.|
 |allow-no-subscriptions|false|boolean|false|if login without subscription is allowed|
 |audience|false|string|api://AzureADTokenExchange|the audience to get the JWT ID token from GitHub OIDC provider|
 |auth-type|false|string|SERVICE_PRINCIPAL|the auth type|
@@ -126,6 +127,8 @@ By default, Azure Login Action connects to the Azure Public Cloud (`AzureCloud`)
 
 To login to one of the Azure Government clouds or Azure Stack, set `environment` to one of the supported values `AzureUSGovernment` or `AzureChinaCloud` or `AzureGermanCloud` or `AzureStack`.
 
+The default [`audience`](#audience) for each of these clouds is different and will also need to be set if using anything other than the public environment.
+
 Refer to [Login to Azure US Government cloud](#login-to-azure-us-government-cloud) for its usage.
 
 ### `allow-no-subscriptions`
@@ -153,7 +156,7 @@ Refer to [Login With System-assigned Managed Identity](#login-with-system-assign
 > - Ensure the CLI version is 2.30 or above to support login with OIDC.
 > - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.
 
-Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on an service principal or a managed identity.
+Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on a service principal or a managed identity.
 
 - Prepare a service principal for Login with OIDC
   - [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal)
@@ -553,6 +556,116 @@ jobs:
           Get-AzContext
 ```
 
+### Enable/Disable the cleanup steps
+
+In Azure Login Action, "cleanup" means cleaning up the login context. For security reasons, we recommend users run cleanup every time. But in some scenarios, users need flexible control over cleanup.
+
+Referring to [`runs` for JavaScript actions](https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions), there are 3 steps in an action: `pre:`, `main:` and `post:`. Azure Login Action only implement 2 steps: `main:` and `post:`.
+
+There are 2 "cleanup" steps in Azure Login Action:
+
+- cleanup in `main:`
+  - It's **disabled** by default.
+  - Users can enable it by setting an env variable `AZURE_LOGIN_PRE_CLEANUP` to `true`.
+- cleanup in `post:`
+  - It's **enabled** by default.
+  - Users can disable it by setting an env variable `AZURE_LOGIN_POST_CLEANUP` to `false`.
+
+Azure Login Action use env variables to enable or disable cleanup steps. In GitHub Actions, there are three valid scopes for env variables.
+
+- [env](https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions#env)
+  - valid for all jobs in this workflow.
+- [jobs.<job_id>.env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenv)
+  - valid for all the steps in the job.
+- [jobs.<job_id>.steps[*].env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)
+  - only valid for the step in a job.
+
+We set `jobs.<job_id>.steps[*].env` for example. Users can set `env` or `jobs.<job_id>.env` for a wider scope.
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: Cleanup examples for Multiple Azure Login
+
+jobs:
+
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+
+    # enable cleanup for the 1st Azure Login
+    - name: Azure Login
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: true
+        AZURE_LOGIN_POST_CLEANUP: true
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true    
+
+    # run some actions
+
+    # disable cleanup for all other Azure Login
+    - name: Azure Login 2
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: false
+        AZURE_LOGIN_POST_CLEANUP: false
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID_2 }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }}
+        enable-AzPSSession: true   
+
+    # run other actions
+
+    # disable cleanup for all other Azure Login
+    - name: Azure Login 3
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: false
+        AZURE_LOGIN_POST_CLEANUP: false
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID_3 }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID_3 }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_3 }}
+        enable-AzPSSession: true   
+
+    # run other actions
+```
+
+```yaml
+# File: .github/workflows/workflow.yml
+
+on: [push]
+
+name: Disable cleanup for GitHub Hosted Runners
+
+jobs:
+
+  deploy:
+    runs-on: [ubuntu-latest, self-hosted]
+    steps:
+
+    - name: Azure Login
+      uses: azure/login@v2
+      env:
+        AZURE_LOGIN_PRE_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
+        AZURE_LOGIN_POST_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+        enable-AzPSSession: true    
+
+    # run some actions
+
+```
+
 ## Security hardening
 
 > [!WARNING]

action.yml

@@ -39,6 +39,6 @@ branding:
   color: 'blue'
 runs:
   using: 'node20'
-  pre: 'lib/cleanup/index.js'
   main: 'lib/main/index.js'
+  post-if: (!env.AZURE_LOGIN_POST_CLEANUP || env.AZURE_LOGIN_POST_CLEANUP != 'false')
   post: 'lib/cleanup/index.js'

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "login",
-  "version": "2.0.0",
+  "version": "2.2.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "login",
-      "version": "2.0.0",
+      "version": "2.2.0",
       "license": "MIT",
       "dependencies": {
         "@actions/core": "1.9.1",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "login",
-  "version": "2.0.0",
+  "version": "2.2.0",
   "description": "Login Azure wraps the az login, allowing for Azure actions to log into Azure",
   "main": "lib/main/index.js",
   "scripts": {

src/Cli/AzureCliLogin.ts

@@ -28,10 +28,10 @@ export class AzureCliLogin {
             }
         };
 
-        await this.executeAzCliCommand(["--version"], true, execOptions);
+        await this.executeAzCliCommand(["version"], true, execOptions);
         core.debug(`Azure CLI version used:\n${output}`);
 
-        this.setAzurestackEnvIfNecessary();
+        await this.registerAzurestackEnvIfNecessary();
 
         await this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false);
         core.info(`Done setting cloud: "${this.loginConfig.environment}"`);
@@ -59,7 +59,7 @@ export class AzureCliLogin {
         }
     }
 
-    async setAzurestackEnvIfNecessary() {
+    async registerAzurestackEnvIfNecessary() {
         if (this.loginConfig.environment != "azurestack") {
             return;
         }
@@ -85,7 +85,7 @@ export class AzureCliLogin {
             let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
             let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
             let profileVersion = "2019-03-01-hybrid";
-            await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", `"${this.loginConfig.resourceManagerEndpointUrl}"`, "--suffix-keyvault-dns", `"${suffixKeyvault}"`, "--suffix-storage-endpoint", `"${suffixStorage}"`, "--profile", `"${profileVersion}"`], false);
+            await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", this.loginConfig.resourceManagerEndpointUrl, "--suffix-keyvault-dns", suffixKeyvault, "--suffix-storage-endpoint", suffixStorage, "--profile", profileVersion], false);
         }
         catch (error) {
             core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`);

src/common/Utils.ts

@@ -7,8 +7,8 @@ import { AzPSConstants, AzPSUtils } from '../PowerShell/AzPSUtils';
 export function setUserAgent(): void {
     let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
     let actionName = 'AzureLogin';
-    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
-    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
+    process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
+    process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`;
 }
 
 export async function cleanupAzCLIAccounts(): Promise<void> {

src/main.ts

@@ -1,5 +1,5 @@
 import * as core from '@actions/core';
-import { setUserAgent } from './common/Utils'; 
+import { cleanupAzCLIAccounts, cleanupAzPSAccounts, setUserAgent } from './common/Utils';
 import { AzPSLogin } from './PowerShell/AzPSLogin';
 import { LoginConfig } from './common/LoginConfig';
 import { AzureCliLogin } from './Cli/AzureCliLogin';
@@ -7,6 +7,13 @@ import { AzureCliLogin } from './Cli/AzureCliLogin';
 async function main() {
     try {
         setUserAgent();
+        const preCleanup: string = process.env.AZURE_LOGIN_PRE_CLEANUP;
+        if ('true' == preCleanup) {
+            await cleanupAzCLIAccounts();
+            if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
+                await cleanupAzPSAccounts();
+            }
+        }
 
         // prepare the login configuration
         var loginConfig = new LoginConfig();