[DEVOPS-1260] Update workflows to use new CI only keyvault (#5157)

* Use new CI Azure Key Vault * Change name * Fix * Fix
2023-04-11 18:37:58 +02:00 · 2023-04-11 18:37:58 +02:00 · 2722198191
parent 7ac893ad7c
commit 2722198191
14 changed files with 53 additions and 48 deletions
--- a/.github/workflows/brew-bump-cli.yml
+++ b/.github/workflows/brew-bump-cli.yml
@ -19,13 +19,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "brew-bump-workflow-pat"

      - name: Update Homebrew formula
--- a/.github/workflows/brew-bump-desktop.yml
+++ b/.github/workflows/brew-bump-desktop.yml
@ -19,13 +19,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "brew-bump-workflow-pat"

      - name: Update Homebrew cask
--- a/.github/workflows/build-browser.yml
+++ b/.github/workflows/build-browser.yml
@ -350,13 +350,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "crowdin-api-token"

      - name: Upload Sources
@ -411,14 +411,14 @@ jobs:
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
        if: failure()
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        if: failure()
        uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@ -399,14 +399,14 @@ jobs:
        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010  # v1.1
        if: failure()
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        if: failure()
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
--- a/.github/workflows/build-desktop.yml
+++ b/.github/workflows/build-desktop.yml
@ -298,13 +298,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "code-signing-vault-url,
            code-signing-client-id,
            code-signing-tenant-id,
@ -1186,13 +1186,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "crowdin-api-token"

      - name: Upload Sources
@ -1264,14 +1264,14 @@ jobs:
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2
        if: failure()
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        if: failure()
        uses: bitwarden/gh-actions/get-keyvault-secrets@471ae4aec27405f16c5b796e288f54262c406e5d
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@ -228,11 +228,16 @@ jobs:
        working-directory: apps/web
        run: unzip web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip

+      - name: Login to Azure
+        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010  # v1.1
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
      - name: Retrieve github PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

      - name: Setup DCT
@ -240,7 +245,7 @@ jobs:
        id: setup-dct
        uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff
        with:
-          azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
          azure-keyvault-name: "bitwarden-prod-kv"

      - name: Build Docker image
@ -282,13 +287,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010  # v1.1
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "crowdin-api-token"

      - name: Upload Sources
@ -342,14 +347,14 @@ jobs:
        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010  # v1.1
        if: failure()
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        if: failure()
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
--- a/.github/workflows/crowdin-pull.yml
+++ b/.github/workflows/crowdin-pull.yml
@ -28,13 +28,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af 
+        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"               
+          keyvault: "bitwarden-ci"
          secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase"

      - name: Download translations
--- a/.github/workflows/release-cli.yml
+++ b/.github/workflows/release-cli.yml
@ -146,13 +146,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010  # v1.1
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "snapcraft-store-token"

      - name: Install Snap
@ -200,13 +200,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@24848bc889cfc0a8313c2b3e378ac0d625b9bc16
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "cli-choco-api-key"

      - name: Setup Chocolatey
@ -259,13 +259,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@24848bc889cfc0a8313c2b3e378ac0d625b9bc16
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "npm-api-key"

      - name: Download artifacts
--- a/.github/workflows/release-desktop-beta.yml
+++ b/.github/workflows/release-desktop-beta.yml
@ -245,13 +245,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "code-signing-vault-url,
            code-signing-client-id,
            code-signing-tenant-id,
@ -928,13 +928,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "aws-electron-access-id,
            aws-electron-access-key,
            aws-electron-bucket-name,
--- a/.github/workflows/release-desktop.yml
+++ b/.github/workflows/release-desktop.yml
@ -106,13 +106,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "aws-electron-access-id,
            aws-electron-access-key,
            aws-electron-bucket-name,
@ -259,13 +259,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "snapcraft-store-token"

      - name: Install Snap
@ -323,13 +323,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@24848bc889cfc0a8313c2b3e378ac0d625b9bc16
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "cli-choco-api-key"

      - name: Setup Chocolatey
--- a/.github/workflows/release-web.yml
+++ b/.github/workflows/release-web.yml
@ -72,7 +72,7 @@ jobs:
        id: setup-dct
        uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff
        with:
-          azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
          azure-keyvault-name: "bitwarden-prod-kv"

      - name: Pull branch image
--- a/.github/workflows/staged-rollout-desktop.yml
+++ b/.github/workflows/staged-rollout-desktop.yml
@ -22,13 +22,13 @@ jobs:
      - name: Login to Azure
        uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "aws-electron-access-id,
            aws-electron-access-key,
            aws-electron-bucket-name,
@ -106,7 +106,7 @@ jobs:
        run: |
          aws s3 cp latest.yml $AWS_S3_BUCKET_NAME/desktop/ \
          --endpoint-url https://${CF_ACCOUNT}.r2.cloudflarestorage.com
-          
+
          aws s3 cp latest-linux.yml $AWS_S3_BUCKET_NAME/desktop/ \
          --endpoint-url https://${CF_ACCOUNT}.r2.cloudflarestorage.com

--- a/.github/workflows/version-auto-bump.yml
+++ b/.github/workflows/version-auto-bump.yml
@ -47,7 +47,7 @@ jobs:
      - name: Bump version to ${{ needs.setup.outputs.version_number }}
        uses: ./.github/workflows/version-bump.yml
        secrets:
-          AZURE_PROD_KV_CREDENTIALS: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          AZURE_PROD_KV_CREDENTIALS: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
        with:
          version_number: ${{ needs.setup.outputs.version_number }}
          client: "Desktop"
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@ -45,13 +45,13 @@ jobs:
      - name: Login to Azure - Prod Subscription
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
-         creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+         creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
        with:
-          keyvault: "bitwarden-prod-kv"
+          keyvault: "bitwarden-ci"
          secrets: "github-gpg-private-key, github-gpg-private-key-passphrase"

      - name: Import GPG key