From a78820d8120673d62021de1060878aca2c1a404a Mon Sep 17 00:00:00 2001
From: Balaga Gayatri <balaga-gayatri@github.com>
Date: Mon, 21 Jun 2021 10:12:12 +0530
Subject: [PATCH] Update README.md

---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/README.md b/README.md
index d0f6d0cd..ddddac10 100644
--- a/README.md
+++ b/README.md
@@ -226,7 +226,19 @@ jobs:
         creds: ${{ secrets.AZURE_CREDENTIALS }}
         allow-no-subscriptions: true
 ```
+## az logout and security hardening
 
+This action doesn't implement ```az logout``` by default at the end of execution. However there is no way of tampering the credentials or account information because the github hosted runner is on a vm that will get reimagined for every customer run which gets everything deleted. But if the runner is self-hosted which is not github provided it is recommended to manually logout at the end of the workflow as shown below. More details on security of the runners can be found [here](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#hardening-for-self-hosted-runners).
+```
+- name: Azure CLI script
+  uses: azure/CLI@v1
+  with:
+    azcliversion: 2.0.72
+    inlineScript: |
+      az logout
+      az cache purge
+      az account clear
+```
 # Contributing
 
 This project welcomes contributions and suggestions.  Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.