From 2722198191fc39cab094a07e618b5249a036e746 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?=
Date: Tue, 11 Apr 2023 18:37:58 +0200
Subject: [PATCH] [DEVOPS-1260] Update workflows to use new CI only keyvault (#5157)

* Use new CI Azure Key Vault
* Change name
* Fix
* Fix
---
 .github/workflows/brew-bump-cli.yml | 4 ++--
 .github/workflows/brew-bump-desktop.yml | 4 ++--
 .github/workflows/build-browser.yml | 8 ++++----
 .github/workflows/build-cli.yml | 4 ++--
 .github/workflows/build-desktop.yml | 12 ++++++------
 .github/workflows/build-web.yml | 17 +++++++++++------
 .github/workflows/crowdin-pull.yml | 6 +++---
 .github/workflows/release-cli.yml | 12 ++++++------
 .github/workflows/release-desktop-beta.yml | 8 ++++----
 .github/workflows/release-desktop.yml | 12 ++++++------
 .github/workflows/release-web.yml | 2 +-
 .github/workflows/staged-rollout-desktop.yml | 6 +++---
 .github/workflows/version-auto-bump.yml | 2 +-
 .github/workflows/version-bump.yml | 4 ++--
 14 files changed, 53 insertions(+), 48 deletions(-)

diff --git a/.github/workflows/brew-bump-cli.yml b/.github/workflows/brew-bump-cli.yml
index 88a8cdefe50..f06517cec62 100644
--- a/.github/workflows/brew-bump-cli.yml
+++ b/.github/workflows/brew-bump-cli.yml
@@ -19,13 +19,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "brew-bump-workflow-pat"
 
 - name: Update Homebrew formula
diff --git a/.github/workflows/brew-bump-desktop.yml b/.github/workflows/brew-bump-desktop.yml
index 249c5a57d48..32999bba4ab 100644
--- a/.github/workflows/brew-bump-desktop.yml
+++ b/.github/workflows/brew-bump-desktop.yml
@@ -19,13 +19,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "brew-bump-workflow-pat"
 
 - name: Update Homebrew cask
diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml
index 18e7f752bd9..cdb045e629a 100644
--- a/.github/workflows/build-browser.yml
+++ b/.github/workflows/build-browser.yml
@@ -350,13 +350,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "crowdin-api-token"
 
 - name: Upload Sources
@@ -411,14 +411,14 @@ jobs:
 uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
 if: failure()
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 if: failure()
 uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "devops-alerts-slack-webhook-url"
 
 - name: Notify Slack on failure
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index e319be23e23..a3e08a7f1a3 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -399,14 +399,14 @@ jobs:
 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1
 if: failure()
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 if: failure()
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "devops-alerts-slack-webhook-url"
 
 - name: Notify Slack on failure
diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml
index 73762e73f48..8ddda489df6 100644
--- a/.github/workflows/build-desktop.yml
+++ b/.github/workflows/build-desktop.yml
@@ -298,13 +298,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "code-signing-vault-url,
 code-signing-client-id,
 code-signing-tenant-id,
@@ -1186,13 +1186,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "crowdin-api-token"
 
 - name: Upload Sources
@@ -1264,14 +1264,14 @@ jobs:
 uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
 if: failure()
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 if: failure()
 uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "devops-alerts-slack-webhook-url"
 
 - name: Notify Slack on failure
diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml
index be59be4123e..7becb7dff75 100644
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -228,11 +228,16 @@ jobs:
 working-directory: apps/web
 run: unzip web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip
 
+ - name: Login to Azure
+ uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1
+ with:
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
 - name: Retrieve github PAT secrets
 id: retrieve-secret-pat
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
 - name: Setup DCT
@@ -240,7 +245,7 @@ jobs:
 id: setup-dct
 uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff
 with:
- azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 azure-keyvault-name: "bitwarden-prod-kv"
 
 - name: Build Docker image
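Review bot: `azure-keyvault-name: "bitwarden-prod-kv"` on the line after the changed `azure-creds` still points the Docker Content Trust step at the production vault while the credential it now receives is the CI service principal; release-web.yml's `setup-dct` hunk has the same pairing. From the hunk alone it is not possible to tell whether that principal has been granted access to bitwarden-prod-kv (which would re-create the prod/CI coupling this commit sets out to remove) or whether the step now fails at runtime when it tries to read the DCT material. If the DCT keys are meant to stay in the production vault, a comment on that line such as `# DCT signing material intentionally stays in bitwarden-prod-kv (DEVOPS-1260)` would record the exception; otherwise the line should become `azure-keyvault-name: "bitwarden-ci"` once those secrets are moved. The enclosing job starts before this hunk.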
@@ -282,13 +287,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "crowdin-api-token"
 
 - name: Upload Sources
@@ -342,14 +347,14 @@ jobs:
 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1
 if: failure()
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 if: failure()
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "devops-alerts-slack-webhook-url"
 
 - name: Notify Slack on failure
diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml
index acb660177f7..cda1f39262a 100644
--- a/.github/workflows/crowdin-pull.yml
+++ b/.github/workflows/crowdin-pull.yml
@@ -28,13 +28,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
- uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+ uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"
 
 - name: Download translations
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml
index c01f73677d2..603459876bd 100644
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@@ -146,13 +146,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "snapcraft-store-token"
 
 - name: Install Snap
@@ -200,13 +200,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@24848bc889cfc0a8313c2b3e378ac0d625b9bc16
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "cli-choco-api-key"
 
 - name: Setup Chocolatey
@@ -259,13 +259,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@24848bc889cfc0a8313c2b3e378ac0d625b9bc16
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "npm-api-key"
 
 - name: Download artifacts
diff --git a/.github/workflows/release-desktop-beta.yml b/.github/workflows/release-desktop-beta.yml
index fb456de1951..60ddf2f60cd 100644
--- a/.github/workflows/release-desktop-beta.yml
+++ b/.github/workflows/release-desktop-beta.yml
@@ -245,13 +245,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "code-signing-vault-url,
 code-signing-client-id,
 code-signing-tenant-id,
@@ -928,13 +928,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "aws-electron-access-id,
 aws-electron-access-key,
 aws-electron-bucket-name,
diff --git a/.github/workflows/release-desktop.yml b/.github/workflows/release-desktop.yml
index f0fe2011734..b4fa338897d 100644
--- a/.github/workflows/release-desktop.yml
+++ b/.github/workflows/release-desktop.yml
@@ -106,13 +106,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "aws-electron-access-id,
 aws-electron-access-key,
 aws-electron-bucket-name,
@@ -259,13 +259,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "snapcraft-store-token"
 
 - name: Install Snap
@@ -323,13 +323,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@24848bc889cfc0a8313c2b3e378ac0d625b9bc16
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "cli-choco-api-key"
 
 - name: Setup Chocolatey
diff --git a/.github/workflows/release-web.yml b/.github/workflows/release-web.yml
index cf9379a8201..598541f1262 100644
--- a/.github/workflows/release-web.yml
+++ b/.github/workflows/release-web.yml
@@ -72,7 +72,7 @@ jobs:
 id: setup-dct
 uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff
 with:
- azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 azure-keyvault-name: "bitwarden-prod-kv"
 
 - name: Pull branch image
diff --git a/.github/workflows/staged-rollout-desktop.yml b/.github/workflows/staged-rollout-desktop.yml
index d2c842301a3..04c0b8472fd 100644
--- a/.github/workflows/staged-rollout-desktop.yml
+++ b/.github/workflows/staged-rollout-desktop.yml
@@ -22,13 +22,13 @@ jobs:
 - name: Login to Azure
 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "aws-electron-access-id,
 aws-electron-access-key,
 aws-electron-bucket-name,
@@ -106,7 +106,7 @@ jobs:
 run: |
 aws s3 cp latest.yml $AWS_S3_BUCKET_NAME/desktop/ \
 --endpoint-url https://${CF_ACCOUNT}.r2.cloudflarestorage.com
-
+
 aws s3 cp latest-linux.yml $AWS_S3_BUCKET_NAME/desktop/ \
 --endpoint-url https://${CF_ACCOUNT}.r2.cloudflarestorage.com
 
diff --git a/.github/workflows/version-auto-bump.yml b/.github/workflows/version-auto-bump.yml
index 88cb606a194..4274022f8f2 100644
--- a/.github/workflows/version-auto-bump.yml
+++ b/.github/workflows/version-auto-bump.yml
@@ -47,7 +47,7 @@ jobs:
 - name: Bump version to ${{ needs.setup.outputs.version_number }}
 uses: ./.github/workflows/version-bump.yml
 secrets:
- AZURE_PROD_KV_CREDENTIALS: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ AZURE_PROD_KV_CREDENTIALS: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 with:
 version_number: ${{ needs.setup.outputs.version_number }}
 client: "Desktop"
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 6d3bd96ea11..6afd2278552 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
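Review bot: The caller keeps passing the credential to the reusable workflow under the name `AZURE_PROD_KV_CREDENTIALS`, but the callee hunk in version-bump.yml now reads `${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}`. A workflow invoked via `uses: ./.github/workflows/version-bump.yml` only sees the secrets the caller passes (or `secrets: inherit`), so unless version-bump.yml's `workflow_call` block — outside this hunk — declares `AZURE_KV_CI_SERVICE_PRINCIPAL` and the caller passes it, the login step in the callee will get an empty or rejected `creds` even though the value is wired up here. Keeping one name on both sides avoids that and stops the key from misdescribing its contents: `AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}`, with a matching entry under `on.workflow_call.secrets` and the same name in the callee's `creds:` line.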
@@ -45,13 +45,13 @@ jobs:
 - name: Login to Azure - Prod Subscription
 uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
 with:
- creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
 
 - name: Retrieve secrets
 id: retrieve-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
 with:
- keyvault: "bitwarden-prod-kv"
+ keyvault: "bitwarden-ci"
 secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"
 
 - name: Import GPG key
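Review bot: The step name `Login to Azure - Prod Subscription` on the first context line is now misleading, since the step below it logs in with the CI key-vault service principal and the following step reads from `bitwarden-ci`, not a production vault. Every other workflow touched by this commit names the equivalent step plainly, so `- name: Login to Azure` here keeps the files consistent and stops a reader from assuming a production credential is still in play. If this workflow is only reached through `workflow_call`, note that the `creds:` value depends on the caller passing a secret of the same name; the `on:` block that would show this is outside the hunk.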