[BRE-831] migrate secrets AKV (#5962)

.github/workflows/publish.yml

@@ -26,6 +26,9 @@ jobs:
   setup:
     name: Setup
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      deployments: write
     outputs:
       branch-name: ${{ steps.branch.outputs.branch-name }}
       deployment-id: ${{ steps.deployment.outputs.deployment_id }}
@@ -63,6 +66,9 @@ jobs:
     name: Publish Docker images
     runs-on: ubuntu-22.04
     needs: setup
+    permissions:
+      contents: read
+      id-token: write
     env:
       _RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
       _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}
@@ -109,10 +115,12 @@ jobs:
           echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
 
       ########## ACR PROD ##########
-      - name: Log in to Azure - production subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Log in to Azure ACR
         run: az acr login -n $_AZ_REGISTRY --only-show-errors
@@ -152,12 +160,17 @@ jobs:
       - name: Log out of Docker
         run: docker logout
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
   update-deployment:
     name: Update Deployment Status
     runs-on: ubuntu-22.04
     needs:
       - setup
       - publish-docker
+    permissions:
+      deployments: write
     if: ${{ always() && inputs.publish_type != 'Dry Run' }}
     steps:
       - name: Check if any job failed