From 35537714c4a3362bf312ba81f4f8fbaf6b3c128d Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Tue, 10 Feb 2026 07:47:26 +0000
Subject: [PATCH 1/3] devcontainer uses azurecli auth in github actions
---
 .../devcontainer_run_command/action.yml | 13 +-----------
 devops/scripts/bootstrap_azure_env.sh | 21 ++++++-------------
 2 files changed, 7 insertions(+), 27 deletions(-)
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index 07182e98f..32e5f15b7 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -223,17 +223,6 @@ runs:
       run: |
         echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV
-    - name: Get GitHub OIDC Token
-      id: get_oidc_token
-      shell: bash
-      run: |
-        # Request the GitHub OIDC token for federated authentication
-        OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value')
-
-        # Write token to a temporary file for safe transport into container
-        echo "$OIDC_TOKEN" > /tmp/github_oidc_token
-        chmod 600 /tmp/github_oidc_token
-
     - name: Run command in DevContainer
       shell: bash
       run: |
@@ -250,7 +239,7 @@ runs:
         "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
         -v /var/run/docker.sock:/var/run/docker.sock \
         -v "./command.sh:/workspaces/tre/command.sh" \
-        -v "/tmp/github_oidc_token:/tmp/github_oidc_token:ro" \
+        -v "$HOME/.azure:/home/vscode/.azure" \
         --workdir /workspaces/tre \
         --user vscode \
         -e TF_INPUT="0" \
diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh
index 59c10b27b..d966da99e 100755
--- a/devops/scripts/bootstrap_azure_env.sh
+++ b/devops/scripts/bootstrap_azure_env.sh
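Review bot: The host's `$HOME/.azure` is now bind-mounted read-write into the container (`-v "$HOME/.azure:/home/vscode/.azure"`), whereas the token file it replaces was mounted `:ro` and held a single short-lived, audience-scoped token; the container now sees the runner's whole CLI profile and token cache, and anything it writes lands back in the host directory. The container also runs as `--user vscode`, so if that UID differs from the runner's user, files created or refreshed by `az` inside the mount may end up with mismatched ownership or fail with permission errors. A comment stating the intent would help the next reader, e.g. `# share the runner's Azure CLI session with the container; writable so az can refresh its token cache`. If the container turns out to only need to read the session, `:ro` would narrow the exposure back to what the previous mount had.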
@@ -28,26 +28,17 @@ load_environment_config() {
 ensure_automation_login() {
   if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
-    az cloud set --name "${AZURE_ENVIRONMENT}"
-
-    # Use OIDC-based login for GitHub Actions
-    if [[ -f "/tmp/github_oidc_token" ]]; then
-      # Use the GitHub OIDC token from file for federated authentication
-      az login --service-principal \
-        --username "${ARM_CLIENT_ID}" \
-        --tenant "${ARM_TENANT_ID}" \
-        --allow-no-subscriptions \
-        --federated-token "$(cat /tmp/github_oidc_token)"
+    if [[ -d "$HOME/.azure" ]]; then
+      echo "Using existing Azure CLI login."
     elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
-      # Fallback to classic service principal login (for backwards compatibility)
-      echo "Warning: Using classic service principal authentication. Consider migrating to OIDC."
+      echo "Warning: Using classic service principal authentication."
+      az cloud set --name "${AZURE_ENVIRONMENT}"
       az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
+      az account set -s "${ARM_SUBSCRIPTION_ID}"
     else
-      echo "Error: No authentication method available (OIDC token or client secret required)"
+      echo "Error: No authentication method available (Azure CLI or client secret required)"
       exit 1
     fi
-
-    az account set -s "${ARM_SUBSCRIPTION_ID}"
   fi
 }
From 9a431cd2949aadd1e919305b1ac5821286c9dc2e Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Tue, 10 Feb 2026 07:55:13 +0000
Subject: [PATCH 2/3] changelog
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 009ae0ff8..0e58ae4a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
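Review bot: `[[ -d "$HOME/.azure" ]]` is a weak proxy for a usable login: the Azure CLI typically creates that directory on almost any invocation, so a stale or empty profile takes this branch, skips login, and the failure only surfaces later in whatever first calls `az` or Terraform. A check that actually exercises the session, e.g. `if az account show >/dev/null 2>&1; then`, would report the problem at this point, and the `echo "Error: ..."` in the `else` branch should go to stderr (`>&2`). Note also that the existing-login path no longer runs `az cloud set --name "${AZURE_ENVIRONMENT}"` or `az account set -s "${ARM_SUBSCRIPTION_ID}"`, so it relies on the host session already pointing at the right cloud and subscription — if that is intended, a comment saying so belongs next to the `echo "Using existing Azure CLI login."` line. The next patch in this series drops this branch again, so the validation point carries over to how the remaining path is checked.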
@@ -6,6 +6,7 @@ ENHANCEMENTS:
 * Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856))
 * Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863))
+* Rely on host's AzureCLI login for devcontainer running in Github Actions ([#4869](https://github.com/microsoft/AzureTRE/issues/4869))
 BUG FIXES:
 * Fix property substitution not occuring where there is only a main step in the pipeline ([#4824](https://github.com/microsoft/AzureTRE/issues/4824))
From cbe75ca4f033a60427f4b900e594834c08d20716 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Tue, 10 Feb 2026 09:04:14 +0000
Subject: [PATCH 3/3] 1
---
 .github/actions/devcontainer_run_command/action.yml | 3 +++
 devops/scripts/bootstrap_azure_env.sh | 7 +------
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index 32e5f15b7..e562afd31 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -256,6 +256,9 @@ runs:
         -e ARM_CLIENT_ID="${{ inputs.AZURE_CLIENT_ID }}" \
         -e ARM_TENANT_ID="${{ inputs.AZURE_TENANT_ID }}" \
         -e ARM_SUBSCRIPTION_ID="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \
+        -e ARM_USE_OIDC="true" \
+        -e ACTIONS_ID_TOKEN_REQUEST_URL \
+        -e ACTIONS_ID_TOKEN_REQUEST_TOKEN \
         -e TF_VAR_terraform_state_container_name="${{ (inputs.TERRAFORM_STATE_CONTAINER_NAME != '' && inputs.TERRAFORM_STATE_CONTAINER_NAME) || 'tfstate' }}" \
         -e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \
diff --git a/devops/scripts/bootstrap_azure_env.sh b/devops/scripts/bootstrap_azure_env.sh
index d966da99e..51310d813 100755
--- a/devops/scripts/bootstrap_azure_env.sh
+++ b/devops/scripts/bootstrap_azure_env.sh
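Review bot: `ACTIONS_ID_TOKEN_REQUEST_TOKEN` is the bearer credential for the runner's token-request endpoint (the step deleted in the first patch used exactly that pair to mint a token), so passing it through `-e` hands the container the ability to request OIDC tokens for any audience for the rest of the job, not just the one Azure-scoped token the old file-based approach forwarded; together with the writable `$HOME/.azure` mount in the same `docker run` this is a noticeably broader credential surface inside the devcontainer. The two variables only exist when the calling job grants `id-token: write`, and with the bare `-e NAME` form Docker forwards them only if set on the host, so a job without that permission now fails later inside Terraform with a less obvious error. A comment above the three added lines would make both points explicit, e.g. `# ARM_USE_OIDC: let Terraform's azurerm provider mint its own GitHub OIDC token; the calling job must grant id-token: write`.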
@@ -28,16 +28,11 @@ load_environment_config() {
 ensure_automation_login() {
   if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
-    if [[ -d "$HOME/.azure" ]]; then
-      echo "Using existing Azure CLI login."
-    elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
+    if [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
       echo "Warning: Using classic service principal authentication."
       az cloud set --name "${AZURE_ENVIRONMENT}"
       az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
       az account set -s "${ARM_SUBSCRIPTION_ID}"
-    else
-      echo "Error: No authentication method available (Azure CLI or client secret required)"
-      exit 1
     fi
   fi
 }
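Review bot: Dropping the `else` branch means that when `ARM_CLIENT_SECRET` is unset the function now silently does nothing — there is no check that an Azure CLI session actually exists inside the container, and neither `az cloud set` nor `az account set` is applied on that path, so a runner without a usable mounted `$HOME/.azure` (or one selected on a different subscription) fails later with an unrelated-looking error. Keep a guard that exercises the session rather than assuming it, e.g. `elif ! az account show >/dev/null 2>&1; then` / `echo "Error: no Azure CLI session found and ARM_CLIENT_SECRET is not set" >&2` / `exit 1`, and note in a comment that the expected cloud and subscription must already be selected on the host for the CLI-session path. The function body is fully within the hunk; whether the script runs under `set -e` is not visible here, so the `az login` / `az account set` statuses in the remaining branch may also go unchecked.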