diff --git a/.github/workflows/build-swift.yml b/.github/workflows/build-swift.yml
index 4b690c7ae..cff5fb8b8 100644
--- a/.github/workflows/build-swift.yml
+++ b/.github/workflows/build-swift.yml
@@ -13,6 +13,8 @@ jobs:
   version:
     name: Get Version
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       package_version: ${{ steps.retrieve-version.outputs.package_version }}
     steps:
@@ -29,6 +31,8 @@ jobs:
     name: Build
     runs-on: macos-14
     needs: version
+    permissions:
+      contents: read
     env:
       _VERSION: ${{ needs.version.outputs.package_version }}
     steps:
@@ -95,11 +99,16 @@ jobs:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-24.04
     needs: build
+    permissions:
+      contents: read
+      id-token: write
     steps:
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve github PAT secrets
         id: retrieve-secret-pat
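Review bot: The new login step's `uses:` line references `bitwarden/gh-actions/azure-login@main`, a mutable branch ref, whereas the `Azure/login@e15b166…` it replaces and the neighbouring `actions/github-script@60a0d83…` are pinned to a commit with a version comment. The existing `download-artifacts@main` references show this is the project's convention for its own actions, so it may be deliberate, but this step is the one that redeems the OIDC token enabled by the new `id-token: write`, so a commit pin (`uses: bitwarden/gh-actions/azure-login@<commit-sha> # <tag>`) would give it the same supply-chain guarantee the surrounding steps already have. The same consideration applies to every `azure-login`, `azure-logout` and `get-keyvault-secrets` reference in the other hunks on this page. The enclosing job starts before this hunk.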
@@ -108,6 +117,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Trigger Swift release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
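Review bot: The added `Log out from Azure` step has no `if:` condition, so it is skipped whenever an earlier step fails — for example if `Retrieve github PAT secrets` errors, the session opened by the login step is never explicitly closed. Since the step exists to bound that session's lifetime, it should run regardless of outcome: `- name: Log out from Azure` / `if: always()` / `uses: bitwarden/gh-actions/azure-logout@main` (or `if: ${{ !cancelled() }}` if a cancelled run should not attempt it). The same shape applies to the logout steps added in build-wasm-internal.yml, publish-rust-crates.yml, publish-wasm-internal.yml, release-swift.yml, scan.yml and version-bump.yml. The job's steps continue past the end of the hunk.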
diff --git a/.github/workflows/build-wasm-internal.yml b/.github/workflows/build-wasm-internal.yml
index 7afe8fe66..8e224259c 100644
--- a/.github/workflows/build-wasm-internal.yml
+++ b/.github/workflows/build-wasm-internal.yml
@@ -18,6 +18,8 @@ jobs:
   build:
     name: Building @bitwarden/sdk-wasm-internal
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repo
@@ -94,11 +96,15 @@ jobs:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-24.04
     needs: build
+    permissions:
+      id-token: write
     steps:
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve github PAT secrets
         id: retrieve-secret-pat
@@ -107,6 +113,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Trigger WASM publish
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
diff --git a/.github/workflows/publish-rust-crates.yml b/.github/workflows/publish-rust-crates.yml
index 68af5bf2f..4f3a69266 100644
--- a/.github/workflows/publish-rust-crates.yml
+++ b/.github/workflows/publish-rust-crates.yml
@@ -23,6 +23,8 @@ jobs:
   setup:
     name: Setup
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       release-version: ${{ steps.version-output.outputs.version }}
       release-tag: ${{ steps.version-output.outputs.tag_name }}
@@ -60,16 +62,22 @@ jobs:
     name: Publish
     runs-on: ubuntu-24.04
     needs: setup
+    permissions:
+      id-token: write
+      contents: read
+      deployments: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.setup.outputs.release-tag }}
 
-      - name: Login to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
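Review bot: The `permissions` block added to the Publish job grants `deployments: write`, but nothing in the visible hunks of this job creates or updates a deployment — the steps shown check out the release tag, log in to Azure, fetch `cratesio-api-token` and install the Rust toolchain. If a step outside the hunk needs it, a comment on the grant (`deployments: write # required by <step name>`) would let the next least-privilege review confirm it rather than guess; if nothing does, the line should be dropped. The job's remaining steps continue past the end of the hunk, so this is inferred from what is visible here.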
@@ -78,6 +86,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "cratesio-api-token"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Install rust
         uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
         with:
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index b11e585f1..44c31af54 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -24,6 +24,8 @@ jobs:
   setup:
     name: Setup
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       release-version: ${{ steps.version-output.outputs.version }}
     steps:
@@ -58,6 +60,9 @@ jobs:
     name: Publish NPM
     runs-on: ubuntu-24.04
     needs: setup
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -67,10 +72,12 @@ jobs:
         with:
           node-version: 20
 
-      - name: Login to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -79,6 +86,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "npm-api-key"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Download artifact
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
diff --git a/.github/workflows/release-swift.yml b/.github/workflows/release-swift.yml
index b5fb347e9..4544a6b8d 100644
--- a/.github/workflows/release-swift.yml
+++ b/.github/workflows/release-swift.yml
@@ -32,6 +32,8 @@ jobs:
   validate:
     name: Set Version and SHA
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
       sha: ${{ steps.set-sha.outputs.sha }}
@@ -103,6 +105,9 @@ jobs:
     name: Push changed files to SDK Swift repo
     runs-on: ubuntu-24.04
     needs: validate
+    permissions:
+      contents: read
+      id-token: write
     env:
       _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com
       _BOT_NAME: bitwarden-devops-bot
@@ -126,10 +131,12 @@ jobs:
             echo "ref=main" >> $GITHUB_OUTPUT
           fi
 
-      - name: Login to Azure - Prod Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -140,6 +147,9 @@ jobs:
             github-gpg-private-key-passphrase,
             github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Checkout SDK-Swift repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -221,15 +231,21 @@ jobs:
     needs:
       - validate
       - repo-sync
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
     env:
       _PKG_VERSION: ${{ needs.validate.outputs.version }}
       _RELEASE_NAME: ${{ needs.validate.outputs.release_name }}
       _BUILD_RUN_ID: ${{ needs.validate.outputs.run_id }}
     steps:
-      - name: Login to Azure - Prod Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -238,6 +254,9 @@ jobs:
           keyvault: ${{ env._KEY_VAULT }}
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Download BitwardenEFI artifact
         uses: bitwarden/gh-actions/download-artifacts@main
         id: download-artifact
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index a8849094e..e4f02ae2a 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -33,6 +33,7 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
 
     steps:
       - name: Check out repo
@@ -40,16 +41,33 @@ jobs:
         with:
           ref: ${{  github.event.pull_request.head.sha }}
 
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Scan with Checkmarx
         uses: checkmarx/ast-github-action@9fda4ab4c1b67c35de380552a972a82997d97731 # 2.0.42
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
           project_name: ${{ github.repository }}
-          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
           base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
-          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
+          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
           additional_params: |
             --report-format sarif \
             --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
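Review bot: The Checkmarx credentials now reach the scanner's `with:` inputs via `steps.get-kv-secrets.outputs.CHECKMARX-SECRET` (and the two outputs beside it) rather than `secrets.*`; values from `secrets.*` are masked in logs automatically, but step outputs are masked only if the producing action registers them with `::add-mask::`, and since `get-keyvault-secrets` is referenced at `@main` that behaviour cannot be confirmed from this page. Worth verifying, and recording in a comment on the `Get Azure Key Vault secrets` step, that its outputs are masked before being handed to a third-party action. A smaller style point: `keyvault: gh-org-bitwarden` is left unquoted here while every other workflow on this page writes `keyvault: "bitwarden-ci"`. Both points apply equally to the SonarCloud hunk later in this file, where `SONAR-TOKEN` is fetched the same way; the Checkmarx step itself continues past the end of the hunk.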
@@ -69,6 +87,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write
 
     steps:
       - name: Check out repo
@@ -77,10 +96,27 @@ jobs:
           fetch-depth: 0
           ref: ${{  github.event.pull_request.head.sha }}
 
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "SONAR-TOKEN"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Scan with SonarCloud
         uses: sonarsource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
         with:
           args: >
             -Dsonar.organization=${{ github.repository_owner }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 729792bca..521949493 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -22,6 +22,9 @@ jobs:
   bump_version:
     name: "Bump ${{ inputs.project }} Version to v${{ inputs.version_number }}"
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Install rust
         uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
@@ -34,10 +37,12 @@ jobs:
       - name: Install cargo-release
         run: cargo install cargo-edit --locked
 
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -48,6 +53,9 @@ jobs:
             github-gpg-private-key-passphrase,
             github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -162,6 +170,8 @@ jobs:
     needs: bump_version
     if: ${{ inputs.cut_rc_branch == true }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2