Update OIDC setup script and tutorial to use master branch

workcontrolgit · workcontrolgit · commit ebfb10d96764 · 2026-04-04T16:24:42.000-04:00
diff --git a/blogs/series-5-devops-data/5.5-azure-oidc-github-actions.md b/blogs/series-5-devops-data/5.5-azure-oidc-github-actions.md
@@ -110,12 +110,12 @@ RESOURCE_GROUP="rg-talent-dev"         # Resource group to manage
 LOCATION="eastus"                       # Azure region
 GITHUB_ORG="workcontrolgit"            # Your GitHub username or org
 GITHUB_REPO="AngularNetTutorial"       # Your repository name
-BRANCH="main"                           # Branch that triggers deployments
+BRANCH="master"                         # Branch that triggers deployments
 ```
 
 **`APP_NAME`** — this is the display name of the App Registration in Azure Entra ID. It appears in the Azure Portal under "App registrations" and in audit logs. Use a name that makes the purpose clear.
 
-**`BRANCH`** — the federated credential is scoped to this exact branch. Tokens from `develop`, pull request branches, or forks will not be trusted. For this tutorial, `main` is the deployment branch. Article 5.6 shows how to trigger on pushes to `main`.
+**`BRANCH`** — the federated credential is scoped to this exact branch. Tokens from `develop`, pull request branches, or forks will not be trusted. For this tutorial, `master` is the deployment branch. Article 5.6 shows how to trigger on pushes to `master`.
 
 ### Step 2: Run the Script
 
@@ -153,17 +153,17 @@ The App Registration is the identity definition. The Service Principal is the in
 az ad app federated-credential create \
   --id "$APP_ID" \
   --parameters '{
-    "name": "github-actions-branch-main",
+    "name": "github-actions-branch-master",
     "issuer": "https://token.actions.githubusercontent.com",
-    "subject": "repo:workcontrolgit/AngularNetTutorial:ref:refs/heads/main",
+    "subject": "repo:workcontrolgit/AngularNetTutorial:ref:refs/heads/master",
     "audiences": ["api://AzureADTokenExchange"]
   }'
 ```
 
 This is the trust configuration. It tells Azure Entra ID:
 
 * **`issuer`** — tokens must be signed by GitHub's OIDC identity provider
-* **`subject`** — tokens must claim to be from exactly `repo:workcontrolgit/AngularNetTutorial:ref:refs/heads/main` — no other repo, no other branch
+* **`subject`** — tokens must claim to be from exactly `repo:workcontrolgit/AngularNetTutorial:ref:refs/heads/master` — no other repo, no other branch
 * **`audiences`** — the intended audience must be `api://AzureADTokenExchange` (Azure's OIDC exchange endpoint)
 
 A token that matches all three conditions will be accepted. A token from a fork, a pull request branch, or a different repository is rejected by subject mismatch — even if it was legitimately signed by GitHub.
@@ -274,7 +274,7 @@ Find `github-actions-talent-dev`. Click it and navigate to:
 Certificates & secrets → Federated credentials
 ```
 
-You should see `github-actions-branch-main` with issuer `token.actions.githubusercontent.com`.
+You should see `github-actions-branch-master` with issuer `token.actions.githubusercontent.com`.
 
 To verify the role assignment:
 
@@ -294,7 +294,7 @@ The output should include a row with `Contributor` assigned to `github-actions-t
 
 **Resource group scope, not subscription scope.** Granting `Contributor` at the subscription level would allow the deployment identity to create, modify, or delete any resource in the subscription — including the spending-limit configuration. Scoping to `rg-talent-dev` limits the blast radius: even a compromised token can only affect resources in that resource group.
 
-**Branch-specific federated credential.** The `subject` claim in the federated credential locks trust to `refs/heads/main`. A pull request branch, a feature branch, or a fork cannot obtain an Azure access token using this credential. This prevents a malicious pull request from running arbitrary Azure CLI commands against the subscription.
+**Branch-specific federated credential.** The `subject` claim in the federated credential locks trust to `refs/heads/master`. A pull request branch, a feature branch, or a fork cannot obtain an Azure access token using this credential. This prevents a malicious pull request from running arbitrary Azure CLI commands against the subscription.
 
 **GitHub CLI (`gh`) for secret management.** Using `gh secret set` in the script eliminates manual copy-pasting. Manual steps introduce transcription errors and require the person running the script to have browser access to GitHub repository settings. The script runs end-to-end from the terminal with no manual steps except the SQL password.
 
diff --git a/infra/scripts/setup-oidc.sh b/infra/scripts/setup-oidc.sh
@@ -28,7 +28,7 @@ RESOURCE_GROUP="rg-talent-dev"         # Resource group the deployment identity
 LOCATION="eastus"                       # Azure region for the resource group
 GITHUB_ORG="workcontrolgit"            # GitHub organisation or username
 GITHUB_REPO="AngularNetTutorial"       # GitHub repository name (no owner prefix)
-BRANCH="main"                           # Branch that triggers deployments
+BRANCH="master"                         # Branch that triggers deployments
 # ──────────────────────────────────────────────────────────────────────────────
 
 echo ""
