From 9e2b2c55371d92a886dfef6faee74d5bbf1b609c Mon Sep 17 00:00:00 2001 From: Emmanuel Knafo Date: Wed, 3 Jun 2026 06:10:38 -0400 Subject: [PATCH] fix(teardown): add az OIDC login + tolerate missing azd state Two failures observed: 1. 'azd down' aborted with 'deployment not found' when azd local state was missing (azd env state is per-runner, not stored in Azure). Mark the step continue-on-error and append '|| true' so the RG-delete fallback runs. 2. Final 'az group delete' failed with 'Please run az login to setup account' because only 'azd auth login' ran (azd does not authenticate the az CLI). Add azure/login@v2 (OIDC) + explicit 'az account set'. Mirrors the ADO pipeline behavior (.azuredevops/pipelines/teardown.yml). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/teardown.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/.github/workflows/teardown.yml b/.github/workflows/teardown.yml index 9642a2f..e45df34 100644 --- a/.github/workflows/teardown.yml +++ b/.github/workflows/teardown.yml @@ -34,6 +34,13 @@ jobs: - name: Install azd uses: Azure/setup-azd@v2 + - name: Azure login (OIDC) + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: azd auth login (OIDC) run: | azd auth login \ 
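Review bot: The added `Azure login (OIDC)` step references `azure/login@v2` by a mutable tag in a job whose federated identity can delete resource groups, so a retagged or compromised release of the action would run with that identity. Pin it to a full commit SHA, e.g. `uses: azure/login@<full-commit-sha>  # v2` (placeholder; take the SHA from the release you reviewed), and the same applies to the existing `Azure/setup-azd@v2` context line. OIDC login also needs `permissions: id-token: write` on the job or workflow. That block is outside this hunk and is presumably already set, since the federated `azd auth login` step predates this change, but it is worth confirming. A one-line comment above the new step, such as `# azd auth login does not authenticate the az CLI; the RG-delete fallback needs this`, would explain why two logins exist.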
@@ -41,17 +48,21 @@ jobs: --tenant-id "$AZURE_TENANT_ID" \ --federated-credential-provider github - - name: azd env select + - name: azd env select (re-hydrate or create) run: | azd env select "$AZURE_ENV_NAME" || \ azd env new "$AZURE_ENV_NAME" \ --no-prompt \ --subscription "$AZURE_SUBSCRIPTION_ID" - - name: azd down --purge --force - run: azd down --environment "$AZURE_ENV_NAME" --purge --force --no-prompt + # Tolerate missing/partial azd state — the RG delete below is the real safety net. + - name: azd down --purge --force (best effort) + continue-on-error: true + run: azd down --environment "$AZURE_ENV_NAME" --purge --force --no-prompt || true # Belt-and-braces fallback if azd state was missing or partial. - name: Force RG delete (no-op if already gone) if: always() - run: az group delete --name "rg-$AZURE_ENV_NAME" --yes --no-wait || true + run: | + az account set --subscription "$AZURE_SUBSCRIPTION_ID" + az group delete --name "rg-$AZURE_ENV_NAME" --yes --no-wait || true
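Review bot: The final step's `az group delete ... || true` still swallows every failure, including an authorization or wrong-subscription error, so the teardown run reports success while the resource group may still exist; only the "already gone" case should be tolerated. A guard such as `[ "$(az group exists --name "rg-$AZURE_ENV_NAME")" = "false" ] || az group delete --name "rg-$AZURE_ENV_NAME" --yes --no-wait` keeps the no-op behaviour and lets a real failure fail the step. On the `azd down` step, `continue-on-error: true` already lets the job proceed, so the trailing `|| true` only hides the failed-step marker; dropping it keeps the failure visible in the run. The fallback also does not repeat what `--purge` does, so when `azd down` fails, soft-deleted resources may be left behind, and the comment on the fallback step should say so.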