From 651ddd1c399a5eac6c978e51bcd2104e803cc24e Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Mon, 9 Feb 2026 14:57:37 +0000
Subject: [PATCH 1/5] test

---
 .../devcontainer_run_command/action.yml | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index 07182e98f..c7dc09d75 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -223,16 +223,16 @@ runs:
 run: |
 echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV
 
- - name: Get GitHub OIDC Token
- id: get_oidc_token
- shell: bash
- run: |
- # Request the GitHub OIDC token for federated authentication
- OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value')
+ # - name: Get GitHub OIDC Token
+ # id: get_oidc_token
+ # shell: bash
+ # run: |
+ # # Request the GitHub OIDC token for federated authentication
+ # OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value')
 
- # Write token to a temporary file for safe transport into container
- echo "$OIDC_TOKEN" > /tmp/github_oidc_token
- chmod 600 /tmp/github_oidc_token
+ # # Write token to a temporary file for safe transport into container
+ # echo "$OIDC_TOKEN" > /tmp/github_oidc_token
+ # chmod 600 /tmp/github_oidc_token
 
 - name: Run command in DevContainer
 shell: bash
@@ -250,7 +250,7 @@ runs:
 "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v "./command.sh:/workspaces/tre/command.sh" \
- -v "/tmp/github_oidc_token:/tmp/github_oidc_token:ro" \
+ -v "~/.azure:/home/vscode/.azure" \
 --workdir /workspaces/tre \
 --user vscode \
 -e TF_INPUT="0" \

From 5ae9a9f78c1e26fffb03ec094591d34bafe530bd Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Mon, 9 Feb 2026 15:06:07 +0000
Subject: [PATCH 2/5] 1

---
 .github/actions/devcontainer_run_command/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index c7dc09d75..127c757bd 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -250,7 +250,7 @@ runs:
 "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
 -v /var/run/docker.sock:/var/run/docker.sock \
 -v "./command.sh:/workspaces/tre/command.sh" \
- -v "~/.azure:/home/vscode/.azure" \
+ -v "$HOME/.azure:/home/vscode/.azure" \
 --workdir /workspaces/tre \
 --user vscode \
 -e TF_INPUT="0" \

From 5f9201efd39c1eb6dc69ecd6e423729c0a43462d Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Mon, 9 Feb 2026 15:13:09 +0000
Subject: [PATCH 3/5] 1

---
 devops/scripts/bootstrap_azure_env.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh
index 59c10b27b..91fb1d64b 100755
--- a/devops/scripts/bootstrap_azure_env.sh
+++ b/devops/scripts/bootstrap_azure_env.sh
@@ -80,7 +80,8 @@ set_account_context() {
 
 print_header
 load_environment_config
-ensure_automation_login
+# ensure_automation_login
+az account show
 set_account_context
 
 # Ensure nounset is restored to avoid affecting caller
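Review bot: The new `-v "~/.azure:/home/vscode/.azure"` bind mount hands the container the runner's entire Azure CLI state (account profile and token cache) read-write, whereas the `/tmp/github_oidc_token` mount it replaces carried a single short-lived token and was `:ro`; anything the devcontainer command runs can now read or overwrite the host's cached credentials. The step should say why that broader scope is acceptable and, if the CLI inside the container only needs to read the cache, append `:ro` to the mount, though `az` may need to write refreshed tokens back, so that needs confirming. The tilde inside double quotes is not expanded by bash, which PATCH 2/5 corrects with `$HOME`; that hunk's mount has the same scope concern. The container runs as `--user vscode`, so a uid mismatch with the runner user could leave the mounted cache unreadable or unwritable, which is worth checking on the runner image.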
From 1f676527136cc6661e493e95a1e2a186fffcbaa3 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Mon, 9 Feb 2026 15:23:29 +0000
Subject: [PATCH 4/5] 2

---
 .../devcontainer_run_command/action.yml | 11 ------
 devops/scripts/bootstrap_azure_env.sh | 34 ++++++++-----------
 2 files changed, 14 insertions(+), 31 deletions(-)

diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index 127c757bd..32e5f15b7 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -223,17 +223,6 @@ runs:
 run: |
 echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV
 
- # - name: Get GitHub OIDC Token
- # id: get_oidc_token
- # shell: bash
- # run: |
- # # Request the GitHub OIDC token for federated authentication
- # OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value')
-
- # # Write token to a temporary file for safe transport into container
- # echo "$OIDC_TOKEN" > /tmp/github_oidc_token
- # chmod 600 /tmp/github_oidc_token
-
 - name: Run command in DevContainer
 shell: bash
 run: |
diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh
index 91fb1d64b..cd0dad730 100755
--- a/devops/scripts/bootstrap_azure_env.sh
+++ b/devops/scripts/bootstrap_azure_env.sh
@@ -28,26 +28,21 @@ load_environment_config() {
 
 ensure_automation_login() {
 if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
- az cloud set --name "${AZURE_ENVIRONMENT}"
-
- # Use OIDC-based login for GitHub Actions
- if [[ -f "/tmp/github_oidc_token" ]]; then
- # Use the GitHub OIDC token from file for federated authentication
- az login --service-principal \
- --username "${ARM_CLIENT_ID}" \
- --tenant "${ARM_TENANT_ID}" \
- --allow-no-subscriptions \
- --federated-token "$(cat /tmp/github_oidc_token)"
- elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
- # Fallback to classic service principal login (for backwards compatibility)
- echo "Warning: Using classic service principal authentication. Consider migrating to OIDC."
- az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
+ if [[ -d "$HOME/.azure" ]]; then
+ echo "Using existing Azure CLI login."
 else
- echo "Error: No authentication method available (OIDC token or client secret required)"
- exit 1
- fi
+ az cloud set --name "${AZURE_ENVIRONMENT}"
 
- az account set -s "${ARM_SUBSCRIPTION_ID}"
+ if [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
+ echo "Warning: Using classic service principal authentication."
+ az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
+ else
+ echo "Error: No authentication method available (Azure CLI or client secret required)"
+ exit 1
+ fi
+
+ az account set -s "${ARM_SUBSCRIPTION_ID}"
+ fi
 fi
 }
 
@@ -80,8 +75,7 @@ set_account_context() {
 
 print_header
 load_environment_config
-# ensure_automation_login
-az account show
+ensure_automation_login
 set_account_context
 
 # Ensure nounset is restored to avoid affecting caller

From da0766c2b881bc3ba05337978a2ed7202bc2337d Mon Sep 17 00:00:00 2001
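Review bot: `if [[ -d "$HOME/.azure" ]]` treats the mere existence of the CLI config directory as proof of a valid login, but that directory is created by any `az` invocation (the action already runs `az cloud show` before this script) and `docker run -v` creates a missing host path as an empty directory, so this branch can print `Using existing Azure CLI login.` with no usable credentials and only fail later with a less obvious error. Probe the session instead: `if az account show >/dev/null 2>&1; then`. The reuse branch also skips `az account set -s "${ARM_SUBSCRIPTION_ID}"`, so the script runs against whatever subscription the host login happened to have active; unless `set_account_context` (outside this hunk) selects it, move that line below the outer if/else so both successful paths end on the configured subscription. The same directory check is carried into the PATCH 5/5 hunk of this file.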
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Tue, 10 Feb 2026 07:43:47 +0000
Subject: [PATCH 5/5] 1

---
 devops/scripts/bootstrap_azure_env.sh | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh
index cd0dad730..d966da99e 100755
--- a/devops/scripts/bootstrap_azure_env.sh
+++ b/devops/scripts/bootstrap_azure_env.sh
@@ -30,18 +30,14 @@ ensure_automation_login() {
 if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
 if [[ -d "$HOME/.azure" ]]; then
 echo "Using existing Azure CLI login."
- else
+ elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
+ echo "Warning: Using classic service principal authentication."
 az cloud set --name "${AZURE_ENVIRONMENT}"
-
- if [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
- echo "Warning: Using classic service principal authentication."
- az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
- else
- echo "Error: No authentication method available (Azure CLI or client secret required)"
- exit 1
- fi
-
+ az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
 az account set -s "${ARM_SUBSCRIPTION_ID}"
+ else
+ echo "Error: No authentication method available (Azure CLI or client secret required)"
+ exit 1
 fi
 fi
 }
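Review bot: With `az cloud set --name "${AZURE_ENVIRONMENT}"` now confined to the `elif` client-secret branch, the reuse branch never checks that the inherited host login targets the configured cloud, so a runner logged into a different cloud than `AZURE_ENVIRONMENT` proceeds silently until some later command fails. A cheap guard in the reuse branch, using the same query the action already relies on, is `[[ "$(az cloud show --query name --output tsv)" == "${AZURE_ENVIRONMENT}" ]] || { echo "Error: active Azure CLI cloud does not match AZURE_ENVIRONMENT" >&2; exit 1; }`. The `echo "Warning: …"` and `echo "Error: …"` diagnostics go to stdout; redirect them with `>&2` so they are not captured by callers that consume this script's output.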