Update deprecated Azure Key Vault action in workflows (#3438)

* Update deprecated Azure Key Vault in workflows

* Try without colons

* Specify bash as shell runner
This commit is contained in:
Michał Chęciński 2022-09-05 11:39:27 +02:00 committed by GitHub
parent 123db002dc
commit d1243c97a4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 244 additions and 92 deletions

View File

@ -23,10 +23,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "brew-bump-workflow-pat" brew-bump-workflow-pat
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Update Homebrew formula - name: Update Homebrew formula
uses: dawidd6/action-homebrew-bump-formula@dd221ff435f42fa8102b5871bb1929af9d76476c uses: dawidd6/action-homebrew-bump-formula@dd221ff435f42fa8102b5871bb1929af9d76476c

View File

@ -23,10 +23,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "brew-bump-workflow-pat" brew-bump-workflow-pat
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Update Homebrew cask - name: Update Homebrew cask
uses: macauley/action-homebrew-bump-cask@445c42390d790569d938f9068d01af39ca030feb uses: macauley/action-homebrew-bump-cask@445c42390d790569d938f9068d01af39ca030feb

View File

@ -338,10 +338,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "crowdin-api-token" crowdin-api-token
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Upload Sources - name: Upload Sources
uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9
@ -371,10 +378,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" github-pat-bitwarden-devops-bot-repo-scope
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Extract branch name - name: Extract branch name
id: extract_branch id: extract_branch
@ -444,11 +458,18 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f
if: failure() if: failure()
with: env:
keyvault: "bitwarden-prod-kv" KEYVAULT: bitwarden-prod-kv
secrets: "devops-alerts-slack-webhook-url" SECRETS: |
devops-alerts-slack-webhook-url
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Notify Slack on failure - name: Notify Slack on failure
uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.0 uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.0

View File

@ -360,11 +360,18 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f
if: failure() if: failure()
with: env:
keyvault: "bitwarden-prod-kv" KEYVAULT: bitwarden-prod-kv
secrets: "devops-alerts-slack-webhook-url" SECRETS: |
devops-alerts-slack-webhook-url
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Notify Slack on failure - name: Notify Slack on failure
uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33

View File

@ -297,14 +297,22 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f shell: bash
with: env:
keyvault: "bitwarden-prod-kv" KEYVAULT: bitwarden-prod-kv
secrets: "code-signing-vault-url, SECRETS: |
code-signing-client-id, code-signing-vault-url,
code-signing-tenant-id, code-signing-client-id,
code-signing-client-secret, code-signing-tenant-id,
code-signing-cert-name" code-signing-client-secret,
code-signing-cert-name
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Install Node dependencies - name: Install Node dependencies
run: npm ci run: npm ci
@ -1234,10 +1242,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "crowdin-api-token" crowdin-api-token
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Upload Sources - name: Upload Sources
uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9
@ -1308,11 +1323,18 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f
if: failure() if: failure()
with: env:
keyvault: "bitwarden-prod-kv" KEYVAULT: bitwarden-prod-kv
secrets: "devops-alerts-slack-webhook-url" SECRETS: |
devops-alerts-slack-webhook-url
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Notify Slack on failure - name: Notify Slack on failure
uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33

View File

@ -406,10 +406,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f # v1.0.0 env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "crowdin-api-token" crowdin-api-token
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Upload Sources - name: Upload Sources
uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9
@ -472,11 +479,18 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f # v1.0.0
if: failure() if: failure()
with: env:
keyvault: "bitwarden-prod-kv" KEYVAULT: bitwarden-prod-kv
secrets: "devops-alerts-slack-webhook-url" SECRETS: |
devops-alerts-slack-webhook-url
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Notify Slack on failure - name: Notify Slack on failure
uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.1 uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.1

View File

@ -32,10 +32,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403 env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "crowdin-api-token" crowdin-api-token
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Download translations - name: Download translations
uses: bitwarden/gh-actions/crowdin@05052c5c575ceb09ceea397fe241879e199ed44b uses: bitwarden/gh-actions/crowdin@05052c5c575ceb09ceea397fe241879e199ed44b

View File

@ -148,10 +148,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "snapcraft-store-token" snapcraft-store-token
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Install Snap - name: Install Snap
uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # v1.2.0 uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # v1.2.0
@ -202,10 +209,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "cli-choco-api-key" cli-choco-api-key
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Setup Chocolatey - name: Setup Chocolatey
run: choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/ run: choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/
@ -261,10 +275,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "cli-npm-api-key" cli-npm-api-key
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Download artifacts - name: Download artifacts
if: ${{ github.event.inputs.release_type != 'Dry Run' }} if: ${{ github.event.inputs.release_type != 'Dry Run' }}

View File

@ -249,14 +249,21 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "code-signing-vault-url, code-signing-vault-url,
code-signing-client-id, code-signing-client-id,
code-signing-tenant-id, code-signing-tenant-id,
code-signing-client-secret, code-signing-client-secret,
code-signing-cert-name" code-signing-cert-name
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Install Node dependencies - name: Install Node dependencies
run: npm ci run: npm ci
@ -932,10 +939,19 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "aws-electron-access-id, aws-electron-access-key, aws-electron-bucket-name" aws-electron-access-id,
aws-electron-access-key,
aws-electron-bucket-name
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Download all artifacts - name: Download all artifacts
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0 uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0

View File

@ -93,10 +93,19 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "aws-electron-access-id, aws-electron-access-key, aws-electron-bucket-name" aws-electron-access-id,
aws-electron-access-key,
aws-electron-bucket-name
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Download all artifacts - name: Download all artifacts
if: ${{ github.event.inputs.release_type != 'Dry Run' }} if: ${{ github.event.inputs.release_type != 'Dry Run' }}
@ -208,10 +217,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403 env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "snapcraft-store-token" snapcraft-store-token
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Install Snap - name: Install Snap
uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # v1.2.0 uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # v1.2.0
@ -272,10 +288,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f env:
with: KEYVAULT: bitwarden-prod-kv
keyvault: "bitwarden-prod-kv" SECRETS: |
secrets: "cli-choco-api-key" cli-choco-api-key
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Setup Chocolatey - name: Setup Chocolatey
shell: pwsh shell: pwsh

View File

@ -32,10 +32,17 @@ jobs:
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f # v1 env:
with: KEYVAULT: bitwarden-qa-kv
keyvault: "bitwarden-qa-kv" SECRETS: |
secrets: "qa-aks-kubectl-credentials" qa-aks-kubectl-credentials
run: |
for i in ${SECRETS//,/ }
do
VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv)
echo "::add-mask::$VALUE"
echo "::set-output name=$i::$VALUE"
done
- name: Login with qa-aks-kubectl-credentials SP - name: Login with qa-aks-kubectl-credentials SP
uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1 uses: Azure/login@ec3c14589bd3e9312b3cc8c41e6860e258df9010 # v1.1