microsoft · dscho · Oct 28, 2024 · Oct 28, 2024
diff --git a/.github/workflows/release-winget.yml b/.github/workflows/release-winget.yml
@@ -10,11 +10,21 @@ on:
         required: true
         default: 'latest'
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 jobs:
   release:
     runs-on: windows-latest
     environment: release
     steps:
+      - name: Log into Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Publish manifest with winget-create
         run: |
           # Get correct release asset
@@ -37,5 +47,5 @@ jobs:
 
           # Submit manifests
           $manifestDirectory = Split-Path "$manifestPath"
-          .\wingetcreate.exe submit -t "${{ secrets.WINGET_TOKEN }}" $manifestDirectory
+          .\wingetcreate.exe submit -t "(az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value")" $manifestDirectory
         shell: powershell