Commit 2026-03-24 17:34 cedd7cc8


ci: Push to the cache using OIDC and federated credentials (#36064)

This migration replaces static SAS-based cache upload auth with GitHub OIDC + Entra app registrations in Azure. Concretely, each workflow run gets a GitHub-issued OIDC token, and Azure AD (Entra) exchanges that token for a short-lived access token for Storage. We do this through app registrations configured with federated credentials, so no client secret or SAS needs to be stored for normal operation.

A key design point is identity separation. We use two different app registrations (two app IDs): one for master workflows and one for non-master workflows. That lets us enforce different trust and permission boundaries in Azure RBAC, instead of giving one shared credential broad write access to every workflow type. Note that this separation is not implemented by this change: for now, both identities are still contributing to the same cache.

On the cache client side (Cache/Requests.lean / Cache/Main.lean), auth selection is robust to empty bearer values, and there is migration-safe fallback behavior: if bearer upload fails with auth errors and SAS is available, it retries with SAS. The workflow also supports fallback to MATHLIB_CACHE_SAS when minting fails.

Benefits:

  • OIDC/federated credentials remove dependency on a static shared upload secret.
  • Tokens are minted just-in-time and short-lived.
  • We can enforce least privilege cleanly by using separate app identities for different workflow classes.
  • Blast radius is reduced: master and non-master workflows can have different RBAC scopes.
  • We keep operational safety during migration by retaining controlled SAS fallback, but SAS is no longer the primary auth path.
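As an added example (not Mathlib's code and not the workflow from this commit), the following POSIX shell sketch shows the two mechanisms the commit message describes: minting a short-lived Storage token from the GitHub OIDC token through an Entra app registration's federated credential, and the upload auth selection that treats an empty bearer value as absent and retries with SAS only when the bearer upload is rejected with an auth error. `MATHLIB_CACHE_SAS` is the variable the commit names; `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` are assumed workflow variables, the token-exchange endpoint and parameters are the standard Entra client-assertion flow, and the uploader is a constructed mock so the selection logic runs offline.

```shell
#!/bin/sh
# Added example; not Mathlib's code. Assumed inputs: AZURE_CLIENT_ID and
# AZURE_TENANT_ID (workflow variables), ACTIONS_ID_TOKEN_REQUEST_* (set by the
# GitHub runner when the job has `permissions: id-token: write`), and the SAS
# in MATHLIB_CACHE_SAS. The uploader below is a mock standing in for curl/azcopy.

# 1. Exchange the GitHub-issued OIDC token for an Entra access token scoped to
#    Azure Storage. Prints the token, or nothing if any step fails, so the caller
#    can fall back to SAS. Only meaningful inside a workflow run; not called here.
mint_storage_bearer() {
  gh_jwt=$(curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
      "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" \
    | sed -n 's/.*"value" *: *"\([^"]*\)".*/\1/p') || return 0
  [ -n "$gh_jwt" ] || return 0
  curl -sSf -X POST "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
    --data-urlencode "scope=https://storage.azure.com/.default" \
    --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
    --data-urlencode "client_assertion=${gh_jwt}" \
    --data-urlencode "grant_type=client_credentials" \
    | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
  return 0   # empty output is the failure signal; minting never fails the step
}

# 2a. Pick an auth mode. Empty or whitespace-only bearer values count as absent,
#     so a failed mint (empty output) falls through to SAS when one is present.
select_auth_mode() {
  bearer=$(printf '%s' "${1-}" | tr -d '[:space:]')
  sas=$(printf '%s' "${2-}" | tr -d '[:space:]')
  if [ -n "$bearer" ]; then echo bearer
  elif [ -n "$sas" ]; then echo sas
  else echo none; fi
}

# Constructed mock uploader. Exit codes follow curl --fail conventions:
# 0 success, 22 for an HTTP 401/403 (auth rejected), 6 for a resolver failure.
mock_upload() {
  mode=$1; token=$2
  case "$mode:$token" in
    bearer:good-token) return 0 ;;
    bearer:net-down)   return 6 ;;   # not an auth error: must not trigger SAS retry
    bearer:*)          return 22 ;;  # stale or wrong bearer token: auth error
    sas:*)             return 0 ;;
  esac
}

# 2b. Upload with migration-safe fallback. Bearer is tried first; SAS is used
#     directly when no bearer was minted, and as a retry only when the bearer
#     upload failed with an auth error. Prints the mode that succeeded; returns 1
#     when nothing worked.
upload_with_fallback() {
  bearer=$1; sas=$2
  case "$(select_auth_mode "$bearer" "$sas")" in
    none)
      echo "no upload credentials available" >&2; return 1 ;;
    sas)
      mock_upload sas "$sas" && echo sas ;;
    bearer)
      mock_upload bearer "$bearer" && rc=0 || rc=$?
      if [ "$rc" -eq 0 ]; then
        echo bearer
      elif [ "$rc" -eq 22 ] && [ -n "$sas" ]; then
        echo "bearer upload rejected with auth error; retrying with SAS" >&2
        mock_upload sas "$sas" && echo sas
      else
        echo "bearer upload failed (rc=$rc); no SAS fallback applies" >&2
        return 1
      fi ;;
  esac
}

# Usage inside a workflow step would be roughly:
#   bearer=$(mint_storage_bearer)
#   upload_with_fallback "$bearer" "${MATHLIB_CACHE_SAS-}"
```

The fallback is deliberately narrow: a network failure (exit 6 in the mock) does not cause a SAS retry, which keeps SAS from becoming a silent second path for every error and lets the bearer path's failures surface in the logs during the migration window.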
