From 767eea7f78dc37af69768b5d95a12263cef0cc7c Mon Sep 17 00:00:00 2001
From: Max Schmitt
Date: Thu, 18 Apr 2024 15:42:09 +0200
Subject: [PATCH 1/2] devops: migrate to OIDC for Docker publishing
---
 .github/workflows/publish_docker.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml
index d69645bee..7be2e29e5 100644
--- a/.github/workflows/publish_docker.yml
+++ b/.github/workflows/publish_docker.yml
@@ -16,17 +16,23 @@ jobs:
     name: "publish to DockerHub"
     runs-on: ubuntu-22.04
     if: github.repository == 'microsoft/playwright-python'
+    permissions:
+      id-token: write # This is required for OIDC login (azure/login) to succeed
+      contents: read # This is required for actions/checkout to succeed
     steps:
       - uses: actions/checkout@v3
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_DOCKER_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_DOCKER_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_DOCKER_SUBSCRIPTION_ID }}
+      - name: Login to ACR via OIDC
+        run: az acr login --name playwright
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
           python-version: "3.10"
-      - uses: azure/docker-login@v1
-        with:
-          login-server: playwright.azurecr.io
-          username: playwright
-          password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Set up Docker QEMU for arm64 docker builds
         uses: docker/setup-qemu-action@v2
         with:
From 97fc624631f02c62632949d50b1d1420dca27556 Mon Sep 17 00:00:00 2001
From: Max Schmitt
Date: Fri, 19 Apr 2024 00:12:47 +0200
Subject: [PATCH 2/2] Update publish_docker.yml
---
 .github/workflows/publish_docker.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish_docker.yml b/.github/workflows/publish_docker.yml
index 7be2e29e5..87db48384 100644
--- a/.github/workflows/publish_docker.yml
+++ b/.github/workflows/publish_docker.yml
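Review bot: The new `azure/login@v2` step, like the neighbouring `actions/checkout@v3`, `actions/setup-python@v4` and `docker/setup-qemu-action@v2`, is referenced by a mutable major-version tag inside a job that now holds `id-token: write` and registry push capability, so a re-pointed or compromised tag could mint the federated token and publish images under the project's name. Pin each third-party action to a full commit SHA with the version kept as a trailing comment, e.g. `uses: azure/login@<full-commit-sha>  # v2`, and let Dependabot track the bumps. Scoping `id-token: write` to this job rather than the whole workflow is the right shape and should be kept. As a style nit, the two inline comments on the `permissions` lines have a single space before `#`; yamllint's `comments` rule expects two, e.g. `id-token: write  # required for OIDC login (azure/login)`.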
@@ -19,6 +19,7 @@ jobs:
     permissions:
       id-token: write # This is required for OIDC login (azure/login) to succeed
       contents: read # This is required for actions/checkout to succeed
+    environment: Docker
     steps:
       - uses: actions/checkout@v3
       - name: Azure login
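Review bot: Adding `environment: Docker` changes the subject claim of the OIDC token that the `azure/login` step from the previous patch presents: for a job bound to an environment, GitHub issues `sub: repo:microsoft/playwright-python:environment:Docker` rather than the branch form `repo:…:ref:refs/heads/<branch>`, so the federated credential on the Azure app registration must be configured with the environment subject or the login fails with a subject mismatch. Presumably the credential was set up that way alongside this change, but nothing in the workflow records the coupling, and a later rename of the environment would silently break publishing; a comment on the new line would preserve that knowledge, e.g. `environment: Docker  # name is part of the OIDC subject claim (repo:…:environment:Docker) and must match the Azure federated credential`. Binding the `id-token: write` job to an environment also allows required reviewers or branch restrictions to gate it, which is a good use of the feature.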