From 39a22113df37de2fd4b5c3860cd7f6dc3c198795 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Sun, 30 Nov 2025 22:25:38 -0500
Subject: [PATCH] BRE-1355 - Fix lite naming and remove PAT (#17743)

---
 .github/workflows/publish-web.yml | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/publish-web.yml b/.github/workflows/publish-web.yml
index be93ee6147..62d9342cf6 100644
--- a/.github/workflows/publish-web.yml
+++ b/.github/workflows/publish-web.yml
@@ -158,7 +158,7 @@ jobs:
         run: docker logout
 
   bitwarden-lite-build:
-    name: Trigger Bitwarden Lite build
+    name: Trigger Bitwarden lite build
     runs-on: ubuntu-22.04
     needs: setup
     permissions:
@@ -171,20 +171,27 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
-      - name: Trigger Bitwarden Lite build
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+
+      - name: Trigger Bitwarden lite build
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          github-token: ${{ steps.app-token.outputs.token }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: 'bitwarden',
@@ -192,6 +199,7 @@ jobs:
               workflow_id: 'build-bitwarden-lite.yml',
               ref: 'main',
               inputs: {
-                use_latest_core_version: true
+                use_latest_core_version: true,
+                web_branch: process.env.GITHUB_REF
               }
             });