fix opex pipelines permissions

gquadrati · gquadrati · commit bb8499e4a487 · 2026-02-02T17:24:33.000+01:00
diff --git a/.github/workflows/opex_api_backend.yml b/.github/workflows/opex_api_backend.yml
@@ -14,10 +14,18 @@ on:
 concurrency:
   group: ${{ github.workflow }}
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   apply:
     uses: ./.github/workflows/call_opex_api.yml
     name: Apply changes to Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_CLIENT_ID_CD: ${{ secrets.AZURE_CLIENT_ID_CD }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_backend
diff --git a/.github/workflows/opex_api_io_fims.yml b/.github/workflows/opex_api_io_fims.yml
@@ -14,10 +14,18 @@ on:
 concurrency:
   group: ${{ github.workflow }}
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   apply:
     uses: ./.github/workflows/call_opex_api.yml
     name: Apply changes to Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_CLIENT_ID_CD: ${{ secrets.AZURE_CLIENT_ID_CD }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_io_fims
diff --git a/.github/workflows/opex_api_public.yml b/.github/workflows/opex_api_public.yml
@@ -14,10 +14,18 @@ on:
 concurrency:
   group: ${{ github.workflow }}
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   apply:
     uses: ./.github/workflows/call_opex_api.yml
     name: Apply changes to Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_CLIENT_ID_CD: ${{ secrets.AZURE_CLIENT_ID_CD }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_public
diff --git a/.github/workflows/opex_api_services_app_backend.yml b/.github/workflows/opex_api_services_app_backend.yml
@@ -14,10 +14,18 @@ on:
 concurrency:
   group: ${{ github.workflow }}
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   apply:
     uses: ./.github/workflows/call_opex_api.yml
     name: Apply changes to Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_CLIENT_ID_CD: ${{ secrets.AZURE_CLIENT_ID_CD }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_services_app_backend
diff --git a/.github/workflows/pr_opex_api_backend.yml b/.github/workflows/pr_opex_api_backend.yml
@@ -21,10 +21,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: false
 
+permissions:
+  id-token: write
+  pull-requests: write
+
 jobs:
   plan:
     uses: ./.github/workflows/call_pr_opex_api.yml
     name: Plan changes against Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_backend
diff --git a/.github/workflows/pr_opex_api_identity.yml b/.github/workflows/pr_opex_api_identity.yml
@@ -10,7 +10,7 @@ on:
     branches:
       - master
     paths:
-      - 'api_identity.yaml'
+      - 'openapi/generated/api_identity.yaml'
       - '.github/workflows/pr_opex_api_identity.yml'
       - '.github/workflows/opex_api_identity.yml'
       - '.opex/api_identity/**'
diff --git a/.github/workflows/pr_opex_api_io_fims.yml b/.github/workflows/pr_opex_api_io_fims.yml
@@ -21,10 +21,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: false
 
+permissions:
+  id-token: write
+  pull-requests: write
+
 jobs:
   plan:
     uses: ./.github/workflows/call_pr_opex_api.yml
     name: Plan changes against Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_io_fims
diff --git a/.github/workflows/pr_opex_api_public.yml b/.github/workflows/pr_opex_api_public.yml
@@ -21,10 +21,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: false
 
+permissions:
+  id-token: write
+  pull-requests: write
+
 jobs:
   plan:
     uses: ./.github/workflows/call_pr_opex_api.yml
     name: Plan changes against Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_public
diff --git a/.github/workflows/pr_opex_api_services_app_backend.yml b/.github/workflows/pr_opex_api_services_app_backend.yml
@@ -21,10 +21,17 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: false
 
+permissions:
+  id-token: write
+  pull-requests: write
+
 jobs:
   plan:
     uses: ./.github/workflows/call_pr_opex_api.yml
     name: Plan changes against Production
-    secrets: inherit
+    secrets:
+      AZURE_CLIENT_ID_CI: ${{ secrets.AZURE_CLIENT_ID_CI }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     with:
       api_name: api_services_app_backend
