add assertion credential login support

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2025 BCC-forbundets Fellestjenester (norwegian organisation number 928453944)
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -12,6 +12,8 @@ This action allows signing a GitHub App token using a key stored in Azure Key Va
 
 Create a private key and upload it to Azure Key Vault.
 
+Note: This action requires that the workflow has already logged in to Azure, either through the `az` CLI or through the `Azure/login` action. Alternatively it also supports loging in using `azurerm` Terraform provider's OIDC login method environment variables.
+
 ### Inputs
 
 * `gh-app-client-id` - The Client ID of the GitHub App to sign the token for.

index.js

@@ -1,14 +1,22 @@
 const core = require('@actions/core');
 const { createHash } = require('crypto');
-const { DefaultAzureCredential } = require('@azure/identity');
+const { DefaultAzureCredential, ClientAssertionCredential } = require('@azure/identity');
 const {
   CryptographyClient,
   KeyClient,
   KnownSignatureAlgorithms
 } = require('@azure/keyvault-keys');
 
 try {
-  const credential = new DefaultAzureCredential();
+  let credential;
+  if (process.env.ARM_USE_OIDC == 'true' && process.env.ARM_TENANT_ID && process.env.ARM_CLIENT_ID && process.env.ARM_OIDC_TOKEN) {
+    const tenantID = process.env.ARM_TENANT_ID;
+    const clientID = process.env.ARM_CLIENT_ID;
+    const token = process.env.ARM_OIDC_TOKEN;
+    credential = new ClientAssertionCredential(tenantID, clientID, () => token);
+  } else {
+    credential = new DefaultAzureCredential();
+  }
 
   const githubAppClientId = core.getInput('gh-app-client-id');
   const keyVaultName = core.getInput('key-vault-name');