From d1243c97a4140dc665cb647268e703b60ab13ecf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?= Date: Mon, 5 Sep 2022 11:39:27 +0200 Subject: [PATCH] Update deprecated Azure Key Vault action in workflows (#3438) * Update deprecated Azure Key Vault in workflows * Try without colons * Specify bash as shell runner --- .github/workflows/brew-bump-cli.yml | 15 ++++-- .github/workflows/brew-bump-desktop.yml | 15 ++++-- .github/workflows/build-browser.yml | 45 +++++++++++++----- .github/workflows/build-cli.yml | 15 ++++-- .github/workflows/build-desktop.yml | 54 +++++++++++++++------- .github/workflows/build-web.yml | 30 ++++++++---- .github/workflows/crowdin-pull.yml | 15 ++++-- .github/workflows/release-cli.yml | 45 +++++++++++++----- .github/workflows/release-desktop-beta.yml | 40 +++++++++++----- .github/workflows/release-desktop.yml | 47 ++++++++++++++----- .github/workflows/release-qa-web.yml | 15 ++++-- 11 files changed, 244 insertions(+), 92 deletions(-) diff --git a/.github/workflows/brew-bump-cli.yml b/.github/workflows/brew-bump-cli.yml index 8c77f601a5..5487095bf7 100644 --- a/.github/workflows/brew-bump-cli.yml +++ b/.github/workflows/brew-bump-cli.yml @@ -23,10 +23,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "brew-bump-workflow-pat" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + brew-bump-workflow-pat + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Update Homebrew formula uses: dawidd6/action-homebrew-bump-formula@dd221ff435f42fa8102b5871bb1929af9d76476c diff --git a/.github/workflows/brew-bump-desktop.yml b/.github/workflows/brew-bump-desktop.yml index 4b62b1213c..fba2685f23 100644 
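Review bot: `echo "::add-mask::$VALUE"` in the new `run` script of brew-bump-cli.yml registers a mask only for the first line of the value, because workflow commands are read one log line at a time. If a secret in the vault spans several lines, the remaining lines are printed to the job log unmasked and the step output is cut at the first newline. The same script is repeated in every other hunk of this patch, including the code-signing and `qa-aks-kubectl-credentials` ones, where multi-line values seem more likely (not confirmable from the diff). Masking line by line, as below, closes the log leak, but a multi-line value would still need another route to later steps. `$KEYVAULT` and `$i` are also better quoted in the `az` call.

```yaml
        run: |
          # … unchanged: for i in ${SECRETS//,/ } / do …
            VALUE=$(az keyvault secret show --vault-name "$KEYVAULT" --name "$i" --query value --output tsv)
            # add-mask is handled per log line, so register every line of the value
            while IFS= read -r line
            do
              if [ -n "$line" ]; then
                echo "::add-mask::$line"
              fi
            done <<< "$VALUE"
          # … unchanged: set-output line and done …
```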
--- a/.github/workflows/brew-bump-desktop.yml +++ b/.github/workflows/brew-bump-desktop.yml @@ -23,10 +23,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "brew-bump-workflow-pat" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + brew-bump-workflow-pat + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Update Homebrew cask uses: macauley/action-homebrew-bump-cask@445c42390d790569d938f9068d01af39ca030feb diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml index 0320dbee33..91134cbab6 100644 --- a/.github/workflows/build-browser.yml +++ b/.github/workflows/build-browser.yml @@ -338,10 +338,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "crowdin-api-token" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + crowdin-api-token + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Upload Sources uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 
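Review bot: `echo "::set-output name=$i::$VALUE"` in the brew-bump-desktop.yml hunk, and the identical line in every other hunk, passes the secret to later steps through a stdout workflow command. GitHub has deprecated `set-output` in favour of the `$GITHUB_OUTPUT` file, which also keeps the value out of the stdout stream that any process in the step can write to. The replacement is `echo "$i=$VALUE" >> "$GITHUB_OUTPUT"`, with the `add-mask` line kept before it. A short comment above the loop saying that the step assumes an earlier Azure login and exposes each secret as `steps.retrieve-secrets.outputs.<name>` would help readers, since neither is visible inside the step.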
@@ -371,10 +378,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "github-pat-bitwarden-devops-bot-repo-scope" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + github-pat-bitwarden-devops-bot-repo-scope + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Extract branch name id: extract_branch @@ -444,11 +458,18 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f if: failure() - with: - keyvault: "bitwarden-prod-kv" - secrets: "devops-alerts-slack-webhook-url" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + devops-alerts-slack-webhook-url + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.0 diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 4dd90efb2a..9147ed1b7e 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -360,11 +360,18 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f if: failure() - with: - keyvault: "bitwarden-prod-kv" - secrets: "devops-alerts-slack-webhook-url" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + devops-alerts-slack-webhook-url + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml index 16579580b5..fe8df982c2 100644 --- a/.github/workflows/build-desktop.yml +++ b/.github/workflows/build-desktop.yml @@ -297,14 +297,22 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "code-signing-vault-url, - code-signing-client-id, - code-signing-tenant-id, - code-signing-client-secret, - code-signing-cert-name" + shell: bash + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + code-signing-vault-url, + code-signing-client-id, + code-signing-tenant-id, + code-signing-client-secret, + code-signing-cert-name + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Install Node dependencies run: npm ci 
@@ -1234,10 +1242,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "crowdin-api-token" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + crowdin-api-token + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Upload Sources uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 @@ -1308,11 +1323,18 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f if: failure() - with: - keyvault: "bitwarden-prod-kv" - secrets: "devops-alerts-slack-webhook-url" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + devops-alerts-slack-webhook-url + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml index ef3853933c..6c0f000bad 100644 --- a/.github/workflows/build-web.yml +++ b/.github/workflows/build-web.yml 
@@ -406,10 +406,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f # v1.0.0 - with: - keyvault: "bitwarden-prod-kv" - secrets: "crowdin-api-token" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + crowdin-api-token + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Upload Sources uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 @@ -472,11 +479,18 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f # v1.0.0 if: failure() - with: - keyvault: "bitwarden-prod-kv" - secrets: "devops-alerts-slack-webhook-url" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + devops-alerts-slack-webhook-url + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.1 diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index bb32e62ca7..9aca46ebd6 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml 
@@ -32,10 +32,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403 - with: - keyvault: "bitwarden-prod-kv" - secrets: "crowdin-api-token" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + crowdin-api-token + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Download translations uses: bitwarden/gh-actions/crowdin@05052c5c575ceb09ceea397fe241879e199ed44b diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index 78d645e8a2..c3ddbb9814 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -148,10 +148,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "snapcraft-store-token" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + snapcraft-store-token + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Install Snap uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # v1.2.0 
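Review bot: The eleven-line `env` + `run` script added in the crowdin-pull.yml hunk is pasted verbatim into every `Retrieve secrets` step this patch touches, so any fix to masking, quoting or output handling has to be repeated in each copy, and a missed one leaves a secret-handling gap. This workflow already consumes a shared action (`bitwarden/gh-actions/crowdin@…` in the context lines). Moving the loop into a composite action there, with `keyvault` and `secrets` inputs, and pinning it by commit SHA like the other actions, would keep the logic in one reviewed place. Until then, a one-line comment in each copy pointing to the canonical version would help keep them in sync.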
@@ -202,10 +209,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "cli-choco-api-key" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + cli-choco-api-key + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Setup Chocolatey run: choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/ @@ -261,10 +275,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "cli-npm-api-key" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + cli-npm-api-key + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Download artifacts if: ${{ github.event.inputs.release_type != 'Dry Run' }} diff --git a/.github/workflows/release-desktop-beta.yml b/.github/workflows/release-desktop-beta.yml index 0d98b26ec4..2d34ab257e 100644 --- a/.github/workflows/release-desktop-beta.yml +++ b/.github/workflows/release-desktop-beta.yml 
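Review bot: The `Retrieve secrets` step in the release-cli.yml hunk at -202 has no `shell:` key, yet the next step, `choco apikey --key $env:CHOCO_API_KEY`, is PowerShell syntax run with the job's default shell. That suggests a Windows runner, where the default shell is PowerShell and `${SECRETS//,/ }` with `for … do … done` will not parse. Only the build-desktop.yml hunk at -297 received `shell: bash`. The release-desktop.yml hunk at -272 (followed by a `shell: pwsh` step) and the release-desktop-beta.yml hunk at -249 (the same code-signing secrets as build-desktop.yml) look like the same case. The `runs-on` values are outside the hunks, so confirm this against each job; adding `shell: bash` to every copy of the step is harmless on Linux and macOS runners.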
@@ -249,14 +249,21 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "code-signing-vault-url, - code-signing-client-id, - code-signing-tenant-id, - code-signing-client-secret, - code-signing-cert-name" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + code-signing-vault-url, + code-signing-client-id, + code-signing-tenant-id, + code-signing-client-secret, + code-signing-cert-name + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Install Node dependencies run: npm ci @@ -932,10 +939,19 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "aws-electron-access-id, aws-electron-access-key, aws-electron-bucket-name" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + aws-electron-access-id, + aws-electron-access-key, + aws-electron-bucket-name + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Download all artifacts uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0 diff --git a/.github/workflows/release-desktop.yml b/.github/workflows/release-desktop.yml index 84cbdf17f2..9a51a3b0be 100644 --- a/.github/workflows/release-desktop.yml +++ b/.github/workflows/release-desktop.yml 
@@ -93,10 +93,19 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "aws-electron-access-id, aws-electron-access-key, aws-electron-bucket-name" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + aws-electron-access-id, + aws-electron-access-key, + aws-electron-bucket-name + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Download all artifacts if: ${{ github.event.inputs.release_type != 'Dry Run' }} @@ -208,10 +217,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403 - with: - keyvault: "bitwarden-prod-kv" - secrets: "snapcraft-store-token" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + snapcraft-store-token + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Install Snap uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # v1.2.0 @@ -272,10 +288,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f - with: - keyvault: "bitwarden-prod-kv" - secrets: "cli-choco-api-key" + env: + KEYVAULT: bitwarden-prod-kv + SECRETS: | + cli-choco-api-key + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Setup Chocolatey shell: pwsh diff --git a/.github/workflows/release-qa-web.yml b/.github/workflows/release-qa-web.yml index fc0cd5231e..ed15f49f98 100644 
--- a/.github/workflows/release-qa-web.yml +++ b/.github/workflows/release-qa-web.yml @@ -32,10 +32,17 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f # v1 - with: - keyvault: "bitwarden-qa-kv" - secrets: "qa-aks-kubectl-credentials" + env: + KEYVAULT: bitwarden-qa-kv + SECRETS: | + qa-aks-kubectl-credentials + run: | + for i in ${SECRETS//,/ } + do + VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) + echo "::add-mask::$VALUE" + echo "::set-output name=$i::$VALUE" + done - name: Login with qa-aks-kubectl-credentials SP uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1