[BRE-831] migrate secrets AKV (#5962)

2026-01-10 20:44:05 +00:00 · 2025-07-09 15:02:11 -04:00
parent 12b2eeaa66
commit 5772c467de
10 changed files with 241 additions and 61 deletions
--- a/.github/workflows/_move_finalization_db_scripts.yml
+++ b/.github/workflows/_move_finalization_db_scripts.yml
@@ -12,14 +12,19 @@ jobs:
  setup:
    name: Setup
    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
    outputs:
      migration_filename_prefix: ${{ steps.prefix.outputs.prefix }}
      copy_finalization_scripts: ${{ steps.check-finalization-scripts-existence.outputs.copy_finalization_scripts }}
    steps:
      - name: Log in to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve secrets
        id: retrieve-secrets
@@ -28,6 +33,9 @@ jobs:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Check out branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@@ -50,6 +58,11 @@ jobs:
    name: Move finalization database scripts
    runs-on: ubuntu-22.04
    needs: setup
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+      actions: read
    if: ${{ needs.setup.outputs.copy_finalization_scripts == 'true' }}
    steps:
      - name: Checkout
@@ -92,10 +105,12 @@ jobs:
          done
          echo "moved_files=$moved_files" >> $GITHUB_OUTPUT

-      - name: Log in to Azure - production subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve secrets
        id: retrieve-secrets
@@ -106,6 +121,9 @@ jobs:
            github-gpg-private-key-passphrase,
            devops-alerts-slack-webhook-url"

+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Import GPG keys
        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
        with: