Clean up workflow files for Zizmor (#17318)

2025-12-06 00:13:28 +00:00 · 2025-11-11 09:58:49 -05:00
parent 021d3e53aa
commit ec5081a7e9
1 changed files with 10 additions and 5 deletions
--- a/.github/workflows/deploy-web.yml
+++ b/.github/workflows/deploy-web.yml
@@ -54,8 +54,7 @@ on:
        type: string
        required: false

-permissions:
-  deployments: write
+permissions: {}

 jobs:
  setup:
@@ -373,10 +372,16 @@ jobs:

      - name: Login to Azure
        uses: bitwarden/gh-actions/azure-login@main
+        env:
+          # The following 2 values are ignored in Zizmor, because they have to be dynamically mapped from secrets
+          # The only way around this is to create separate steps per environment with static secret references, which is not maintainable
+          SUBSCRIPTION_ID: ${{ secrets[ needs.setup.outputs.azure_login_subscription_id_key_name ] }} # zizmor: ignore[overprovisioned-secrets]
+          CLIENT_ID: ${{ secrets[ needs.setup.outputs.azure_login_client_key_name ] }} # zizmor: ignore[overprovisioned-secrets]
+          TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
        with:
-          subscription_id: ${{ secrets[needs.setup.outputs.azure_login_subscription_id_key_name] }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets[needs.setup.outputs.azure_login_client_key_name] }}
+          subscription_id: ${{ env.SUBSCRIPTION_ID }}
+          tenant_id: ${{ env.TENANT_ID }}
+          client_id: ${{ env.CLIENT_ID }}

      - name: Retrieve Storage Account name
        id: retrieve-secrets-azcopy