ci: only use Microsoft key for Azure CLI repo (#10698)

Adding new keys to the `/etc/apt/trusted.gpg.d` keyring is not
recommended because it will make `apt` accept packages from any
repository signed by this key. This could lead to third-party
repositories "overriding" packages from the official ones.

To prevent that, we create a dedicated keyring for the Microsoft key and
specify that it is only to be used for packages from the `azure-cli`
repository.
This commit is contained in:
Thomas Eizinger
2025-10-24 12:00:18 +11:00
committed by GitHub
parent 18a8877add
commit e238da3020

@@ -5,9 +5,9 @@ runs:
steps:
- run: |
sudo apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/microsoft.gpg > /dev/null
curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | sudo tee /etc/apt/keyrings/microsoft.gpg > /dev/null
AZ_REPO=$(lsb_release -cs)
echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | sudo tee /etc/apt/sources.list.d/azure-cli.list
sudo apt-get update
sudo apt-get install -y azure-cli
shell: bash
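
Review bot: The keyring path written and the keyring path referenced do not match. The new `tee` line stores the dearmored key at `/etc/apt/keyrings/microsoft.gpg`, while the new sources entry uses `signed-by=/usr/share/keyrings/microsoft.gpg`, and nothing in this step creates that second file. With `signed-by` pointing at a keyring that is not there, apt has no key to verify the azure-cli repository against, so `apt-get update` is expected to reject the repository instead of scoping the Microsoft key to it as the commit message intends. Suggest changing the option to `signed-by=/etc/apt/keyrings/microsoft.gpg` so both lines agree. A smaller point on the same `tee` line: the step assumes `/etc/apt/keyrings` already exists on the runner image; creating it first with `sudo install -d -m 0755 /etc/apt/keyrings` would make the action independent of the image.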