devops: migrate to OIDC for Docker publishing (#2412)

Author: mxschmitt

.github/workflows/publish_docker.yml

@@ -16,17 +16,24 @@ jobs:
     name: "publish to DockerHub"
     runs-on: ubuntu-22.04
     if: github.repository == 'microsoft/playwright-python'
+    permissions:
+      id-token: write   # This is required for OIDC login (azure/login) to succeed
+      contents: read    # This is required for actions/checkout to succeed
+    environment: Docker
     steps:
     - uses: actions/checkout@v3
+    - name: Azure login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_DOCKER_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_DOCKER_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_DOCKER_SUBSCRIPTION_ID }}
+    - name: Login to ACR via OIDC
+      run: az acr login --name playwright
     - name: Set up Python
       uses: actions/setup-python@v4
       with:
         python-version: "3.10"
-    - uses: azure/docker-login@v1
-      with:
-        login-server: playwright.azurecr.io
-        username: playwright
-        password: ${{ secrets.DOCKER_PASSWORD }}
     - name: Set up Docker QEMU for arm64 docker builds
       uses: docker/setup-qemu-action@v2
       with: