diff --git a/_posts/2023/2023-09-22-github-actions-python.md b/_posts/2023/2023-09-22-github-actions-python.md index 3cd4dc67..068a5b6a 100644 --- a/_posts/2023/2023-09-22-github-actions-python.md +++ b/_posts/2023/2023-09-22-github-actions-python.md @@ -121,3 +121,31 @@ In March 2023, there was a great news that Azure Service Principal was been [int ``` {% endraw %} + +We can also [setup OIDC between Github Action and Azure](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux). It's practical because we do not need to worry about Azure SPN secret rotation. However, a drawback is that when setting up OIDC, we must add a filter (`subject` field in the credential.json). This could be a branch name, tag name, pull request, or environment name, we can not use wildcards in the filter, so we have to set up OIDC for each branch, tag, pull request or environment as needed. This is not very practical. + +To use OIDC with Github Action, we need to add the following to the workflow: +{% raw %} + +```yaml +... +permissions: + id-token: write + contents: read + +jobs: + a_job: + ... + steps: + - name: Azure login by OIDC + uses: azure/login@v1 + with: + # Official doc puts these 3 fields in secrets, but it's not necessary, + # as `subject` field in the credential.json prevent other repos from + # using the same credential. And these are not sensitive info neither. + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ vars.AZURE_CLIENT_ID }} +``` + +{% endraw %}
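Review bot: in the added YAML snippet the `permissions:` block sits at workflow level, above `jobs:`, so every job in the workflow receives `id-token: write`, not just `a_job`; since the section's own argument is that the federated credential's `subject` filter is the only thing gating the Azure login, the OIDC token should be scoped to the one job that performs it. Suggest moving `permissions:` (with `id-token: write` and `contents: read`) under `a_job:`; jobs without their own `permissions` key then fall back to the repository's default token permissions instead of inheriting the OIDC grant. Related: `uses: azure/login@v1` is a floating major tag, and for an action that is handed a cloud credential the usual recommendation is to pin it to a full commit SHA. Minor wording in the new prose: "setup OIDC" should be "set up OIDC", "Github" should be "GitHub" (twice), "`subject` field in the credential.json prevent other repos" should be "prevents", and "not sensitive info neither" should be "not sensitive either".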