From fde8035185010e25438bdddc692486cfa409698e Mon Sep 17 00:00:00 2001
From: "DESKTOP-RTLN3BA\\$punk"
Date: Tue, 21 Apr 2026 10:54:12 -0700
Subject: [PATCH] refactor: remove Azure OIDC token fetching steps from desktop release workflow
- Eliminated the Azure login and OIDC token fetching steps for Windows signing.
- Updated environment variable handling for Azure signing to use client-secret authentication due to electron-builder limitations.
---
.github/workflows/desktop-release.yml | 26 +++++---------------------
1 file changed, 5 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
index 179caab61..b955e5014 100644
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@@ -75,24 +75,6 @@ jobs:
echo "Windows signing: skipped"
fi
- - name: Azure login (for Windows signing)
if: steps.sign.outputs.enabled == 'true'
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Fetch GitHub OIDC token for Azure signing SDK
if: steps.sign.outputs.enabled == 'true'
id: oidc
shell: pwsh
run: |
$token = (Invoke-RestMethod -Headers @{Authorization = "bearer $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN"} ` -Uri "$env:ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange").value
Write-Output "::add-mask::$token"
"token=$token" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
- name: Setup pnpm
uses: pnpm/action-setup@v5
@@ -154,8 +136,10 @@ jobs:
AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
AZURE_CODESIGN_PROFILE: ${{ vars.AZURE_CODESIGN_PROFILE }}
- # Env vars for Azure.Identity EnvironmentCredential used by the TrustedSigning PowerShell module.
- # Only populated when signing is enabled; harmless when empty otherwise.
+ # Service principal credentials for Azure.Identity EnvironmentCredential used by the
+ # TrustedSigning PowerShell module. Only populated when signing is enabled.
+ # electron-builder 26 does not yet support OIDC federated tokens for Azure signing,
+ # so we fall back to client-secret auth. Rotate AZURE_CLIENT_SECRET before expiry.
AZURE_TENANT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_TENANT_ID || '' }}
AZURE_CLIENT_ID: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_ID || '' }}
- AZURE_FEDERATED_TOKEN: ${{ steps.oidc.outputs.token }}
+ AZURE_CLIENT_SECRET: ${{ steps.sign.outputs.enabled == 'true' && secrets.AZURE_CLIENT_SECRET || '' }}
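Review bot: The new `AZURE_CLIENT_SECRET` entry puts a long-lived service-principal secret into the step environment, where every process in that step (presumably the electron-builder build, including any npm lifecycle script or plugin it runs) can read it, so a compromised build dependency now walks away with a reusable credential that can sign releases instead of a token that expired with the run. If the job is not already bound to a protected GitHub Environment, move `AZURE_CLIENT_SECRET` behind one with required reviewers and branch restrictions, give the service principal only the Trusted Signing signer role, and set a short secret expiry so the 'rotate before expiry' note has teeth; if the workflow still grants `id-token: write` for the removed OIDC step, drop it as well. Before settling on a secret it is worth confirming whether the TrustedSigning module's Azure.Identity chain honors `AZURE_FEDERATED_TOKEN_FILE` (the standard workload-identity variable, which expects a path to the OIDC token) — the removed step exported a non-standard `AZURE_FEDERATED_TOKEN` value, which may be why the federated path appeared unsupported. I would also make the comment state the mitigation rather than only the reminder, e.g. `# SECURITY: long-lived SP secret readable by the whole build step; keep it in a protected Environment, least-privilege role, short expiry.` The enclosing step and its `env:` key start outside the hunk.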