oracle · edburns · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025 · Aug 20, 2025
diff --git a/.github/resource/azure-credential-setup.sh b/.github/resource/azure-credential-setup.sh
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+#############################################################
+# Unified Azure credential setup script.
+# Replaces the need to run both azure-credential-setup-wls-aks.sh
+# and azure-credential-setup-wls-vm.sh when using the unified flow.
+#
+# Behavior:
+# - Creates ONE Azure Service Principal.
+# - Assigns Contributor + User Access Administrator roles.
+# - Stores credentials JSON in AZURE_CREDENTIALS secret.
+# - Exposes unified name via SERVICE_PRINCIPAL_NAME variable.
+# - For backward compatibility also sets legacy variables
+#   SERVICE_PRINCIPAL_NAME_WLS_AKS and SERVICE_PRINCIPAL_NAME_WLS_VM
+#   to the same value so downstream workflows keep working.
+#
+# NOTE: Leaves the original per-target scripts untouched for users
+# still invoking them directly.
+#############################################################
+
+echo "Execute unified azure-credential-setup.sh - Start-----------------------------"
+
+# Derive repo name if not provided
+REPO_NAME=${REPO_NAME:-$(basename "$(git rev-parse --show-toplevel 2>/dev/null || echo repo)")}
+SUBSCRIPTION_ID=$(az account show --query id -o tsv | tr -d '\r\n')
+
+SERVICE_PRINCIPAL_NAME="sp-${REPO_NAME}-wls-unified-$(date +%s)"
+echo "Creating Azure Service Principal with name: ${SERVICE_PRINCIPAL_NAME}" >&2
+
+AZURE_CREDENTIALS=$(az ad sp create-for-rbac \
+  --name "${SERVICE_PRINCIPAL_NAME}" \
+  --role "Contributor" \
+  --scopes "/subscriptions/${SUBSCRIPTION_ID}" \
+  --sdk-auth \
+  --only-show-errors)
+
+SP_ID=$(az ad sp list --display-name "${SERVICE_PRINCIPAL_NAME}" --query '[0].id' -o tsv | tr -d '\r\n') || true
+if [[ -n "${SP_ID}" ]]; then
+  az role assignment create --assignee "${SP_ID}" --scope "/subscriptions/${SUBSCRIPTION_ID}" --role "User Access Administrator" >/dev/null 2>&1 || \
+    echo "Warning: secondary role assignment may have failed" >&2
+else
+  echo "Warning: could not resolve SP ID for secondary role assignment" >&2
+fi
+
+# Best-effort detection of existing secret
+if gh secret list 2>/dev/null | grep -q '^AZURE_CREDENTIALS\b'; then
+  echo "Notice: Overwriting existing AZURE_CREDENTIALS secret" >&2
+fi
+
+gh secret --repo $(gh repo set-default --view) set "AZURE_CREDENTIALS" -b"${AZURE_CREDENTIALS}" >/dev/null
+
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME_WLS_AKS -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+gh variable --repo $(gh repo set-default --view) set SERVICE_PRINCIPAL_NAME_WLS_VM -b"${SERVICE_PRINCIPAL_NAME}" >/dev/null || true
+
+echo "Execute unified azure-credential-setup.sh - End-------------------------------"
diff --git a/.github/resource/azure-credential-teardown.sh b/.github/resource/azure-credential-teardown.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+#############################################################
+# Unified Azure credential teardown script.
+# Mirrors the unified setup (azure-credential-setup.sh) and
+# replaces the need to run both azure-credential-teardown-wls-aks.sh
+# and azure-credential-teardown-wls-vm.sh when using the unified flow.
+#
+# Behavior:
+# - Deletes AZURE_CREDENTIALS secret if present.
+# - Retrieves any of SERVICE_PRINCIPAL_NAME, SERVICE_PRINCIPAL_NAME_WLS_AKS,
+#   SERVICE_PRINCIPAL_NAME_WLS_VM (variables) and deletes the *single* SP
+#   they reference (they all point to the same name in unified setup).
+# - Ignores missing items gracefully.
+#############################################################
+
+echo "Execute unified azure-credential-teardown.sh - Start----------------------------------"
+
+# Delete the AZURE_CREDENTIALS secret (ignore errors if it doesn't exist)
+if gh secret list 2>/dev/null | grep -q '^AZURE_CREDENTIALS\b'; then
+  gh secret --repo $(gh repo set-default --view) delete "AZURE_CREDENTIALS" || echo "Warning: failed to delete AZURE_CREDENTIALS" >&2
+else
+  echo "AZURE_CREDENTIALS secret not found (already removed)"
+fi
+
+# Try variables in priority order: unified then legacy aliases
+VAR_CANDIDATES=(SERVICE_PRINCIPAL_NAME SERVICE_PRINCIPAL_NAME_WLS_AKS SERVICE_PRINCIPAL_NAME_WLS_VM)
+SP_NAME=""
+for var in "${VAR_CANDIDATES[@]}"; do
+  if gh variable list 2>/dev/null | grep -q "^${var}\b"; then
+    # Capture the value; gh variable get prints value only
+    value=$(gh variable --repo $(gh repo set-default --view) get "$var" 2>/dev/null || true)
+    if [[ -n "$value" ]]; then
+      SP_NAME="$value"
+      echo "Found service principal name via $var: $SP_NAME"
+      break
+    fi
+  fi
+done
+
+if [[ -n "$SP_NAME" ]]; then
+  APP_ID=$(az ad sp list --display-name "$SP_NAME" --query "[0].appId" -o tsv | tr -d '\r\n' || true)
+  if [[ -n "$APP_ID" ]]; then
+    echo "Deleting service principal appId=$APP_ID name=$SP_NAME" >&2
+    az ad sp delete --id "$APP_ID" || echo "Warning: failed to delete service principal $APP_ID" >&2
+  else
+    echo "Service principal '$SP_NAME' not found in Azure (already deleted?)"
+  fi
+else
+  echo "No service principal name variables found; skip SP deletion."
+fi
+
+# Optionally remove the variables themselves (clean slate)
+for var in "${VAR_CANDIDATES[@]}"; do
+  if gh variable list 2>/dev/null | grep -q "^${var}\b"; then
+    gh variable --repo $(gh repo set-default --view) delete "$var" || echo "Warning: failed to delete variable $var" >&2
+  fi
+done
+
+echo "Execute unified azure-credential-teardown.sh - End------------------------------------"
diff --git a/.github/resource/credentials-params-setup.sh b/.github/resource/credentials-params-setup.sh
@@ -28,7 +28,7 @@ check_parameters() {
         else
             echo "Name: $name, Value: $value"
         fi
-    done < <(yq eval -o=json '.[]' "$param_file" | jq -c '.')
+    done < <(yq '.[]' "$param_file" | jq -c '.')
 
     echo "return $has_empty_value"
     return $has_empty_value
@@ -37,7 +37,7 @@ check_parameters() {
 # Function to set values from YAML
 set_values() {
     echo "Setting values..."
-    yq eval -o=json '.[]' "$param_file" | jq -c '.' | while read -r line; do
+    yq '.[]' "$param_file" | jq -c '.' | while read -r line; do
         name=$(echo "$line" | jq -r '.name')
         value=$(echo "$line" | jq -r '.value')
         gh secret --repo $(gh repo set-default --view) set "$name" -b"${value}"

diff --git a/.github/resource/credentials-params-teardown.sh b/.github/resource/credentials-params-teardown.sh
@@ -3,8 +3,8 @@ set -Eeuo pipefail
 
 echo "teardown-credentials.sh - Start"
 
-# remove param the json
-yq eval -o=json '.[]' "$param_file" | jq -c '.' | while read -r line; do
+ # remove param the json
+ yq '.[]' "$param_file" | jq -c '.' | while read -r line; do
     name=$(echo "$line" | jq -r '.name')
     value=$(echo "$line" | jq -r '.value')
     gh secret --repo $(gh repo set-default --view) delete "$name"

diff --git a/.github/resource/credentials-params.yaml b/.github/resource/credentials-params.yaml
@@ -0,0 +1,40 @@
+# Unified credentials parameters for AKS and VM flows.
+# Populate required values before running setup-credentials.sh.
+# Optional ELK_* entries may be left blank to skip.
+
+- name: ORC_SSOUSER
+  value: ""
+  description: Oracle SSO user (AKS flow)
+- name: ORC_SSOPSW
+  value: ""
+  description: Oracle SSO password (AKS flow)
+- name: WDT_RUNTIMEPSW
+  value: ""
+  description: WDT encryption/password (AKS)
+- name: WLS_PSW
+  value: ""
+  description: WebLogic admin password (fallback to WDT_RUNTIMEPSW if blank)
+- name: WLS_USERNAME
+  value: ""
+  description: WebLogic admin username (AKS)
+- name: DB_PASSWORD
+  value: ""
+  description: Sample database password (AKS)
+- name: OTN_USERID
+  value: ""
+  description: Oracle SSO user (VM flow naming)
+- name: OTN_PASSWORD
+  value: ""
+  description: Oracle SSO password (VM flow naming)
+- name: USER_EMAIL
+  value: ""
+  description: Git user email (VM)
+- name: USER_NAME
+  value: ""
+  description: Git user name (VM)
+- name: GIT_TOKEN
+  value: ""
+  description: GitHub personal access token (VM)
+- name: LOCATION
+  value: ""
+  description: Azure region (common)
diff --git a/.github/workflows/setup-credentials.sh b/.github/workflows/setup-credentials.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+################################################
+# This script is invoked by a human who:
+# - has done az login.
+# - can create repository secrets in the github repo from which this file was cloned.
+# - has the gh client >= 2.0.0 installed.
+# - has yq 4.x installed.
+#
+# This script initializes the repo from which this file was cloned
+# with the necessary secrets to run the workflows.
+# Steps to run the Script:
+# 1. Run az login.
+# 2. Run gh auth login.
+# 3. Clone the repository.
+# 4. Prepare the .github/resource/credentials-params.yaml file with the required parameters.
+# 5. Run the script with the following command:
+#    ```
+#    cd .github/workflows
+#    bash setup-credentials.sh
+#    ```
+# 6. The script will set the required secrets in the repository.
+# 7. Check the repository secrets to verify that the secrets are set.
+################################################
+
+set -Eeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RESOURCE_DIR="${SCRIPT_DIR}/../resource"
+export param_file="${RESOURCE_DIR}/credentials-params.yaml"
+
+source "${RESOURCE_DIR}/pre-check.sh"
+
+if [[ ! -f "${param_file}" ]]; then
+  echo "Parameter file not found: ${param_file}" >&2
+  exit 1
+fi
+
+source "${RESOURCE_DIR}/credentials-params-setup.sh"
+source "${RESOURCE_DIR}/azure-credential-setup.sh"
+
+exit 0
diff --git a/.github/workflows/setup-for-wls-aks.sh b/.github/workflows/setup-for-wls-aks.sh
diff --git a/.github/workflows/setup-for-wls-vm.sh b/.github/workflows/setup-for-wls-vm.sh
diff --git a/.github/workflows/teardown-credentials.sh b/.github/workflows/teardown-credentials.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+
+################################################
+# This script is invoked by a human who:
+# - can remove repository secrets and variables in the github repo from which this file was cloned.
+# - has the gh client >= 2.0.0 installed.
+# - has yq 4.x installed.
+#
+# This script removes all secrets and variables set by setup-credentials.sh.
+# Steps to run the Script:
+# 1. Run gh auth login.
+# 2. Clone the repository.
+# 3. Run the script with the following command:
+#    ```
+#    cd .github/workflows
+#    bash teardown-credentials.sh
+#    ```
+# 4. The script will remove the required secrets and variables in the repository.
+# 5. Check the repository secrets/variables to verify that they are removed.
+################################################
+
+set -Eeuo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+RESOURCE_DIR="${SCRIPT_DIR}/../resource"
+export param_file="${RESOURCE_DIR}/credentials-params.yaml"
+
+source "${RESOURCE_DIR}/pre-check.sh"
+
+if [[ ! -f "${param_file}" ]]; then
+  echo "Parameter file not found: ${param_file}" >&2
+  exit 1
+fi
+
+# Remove all secrets set by setup-credentials.sh
+
+# Remove all secrets set by setup-credentials.sh
+# Ensure no jq command uses '-o=json' (jq outputs JSON by default)
+source "${RESOURCE_DIR}/credentials-params-teardown.sh"
+source "${RESOURCE_DIR}/azure-credential-teardown.sh"
+
+echo "All unified secrets and variables have been removed."
+exit 0
diff --git a/.github/workflows/teardown-for-wls-aks.sh b/.github/workflows/teardown-for-wls-aks.sh
diff --git a/.github/workflows/teardown-for-wls-vm.sh b/.github/workflows/teardown-for-wls-vm.sh