From 1cc64bf49b76555fdb18bb0856e9f2b0776d59e3 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Fri, 6 Jun 2025 11:32:32 -0400
Subject: [PATCH 1/7] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/build-swift.yml           | 15 +++++++++---
 .github/workflows/build-wasm-internal.yml   | 14 ++++++++---
 .github/workflows/publish-rust-crates.yml   | 16 +++++++++---
 .github/workflows/publish-wasm-internal.yml | 15 +++++++++---
 .github/workflows/release-swift.yml         | 27 ++++++++++++++++-----
 .github/workflows/version-bump.yml          | 15 +++++++++---
 6 files changed, 81 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/build-swift.yml b/.github/workflows/build-swift.yml
index 4c0ec5a9c..371f0df1e 100644
--- a/.github/workflows/build-swift.yml
+++ b/.github/workflows/build-swift.yml
@@ -95,11 +95,17 @@ jobs:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-24.04
     needs: build
+    permissions:
+      contents: read
+      id-token: write
     steps:
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve github PAT secrets
         id: retrieve-secret-pat
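Review bot: The new `uses: bitwarden/gh-actions/azure-login@main` line tracks a mutable branch, where the step it replaces was pinned to a commit SHA. This job now also carries `id-token: write`, so whatever is on `main` at run time executes with the ability to request the job's OIDC token. Pinning it as `uses: bitwarden/gh-actions/azure-login@<full-commit-sha> # main` would keep the previous guarantee; if following `main` for first-party actions is a deliberate policy, a one-line comment saying so would help. The same applies to every other `azure-login@main` and `azure-logout@main` line added in this patch, and to the `get-keyvault-secrets@main` steps added to scan.yml in patch 2.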
@@ -108,6 +114,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Trigger Swift release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
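Review bot: The added `Azure Logout` step has no `if:` condition, so it is skipped whenever the Key Vault retrieval step above it fails, and the Azure CLI session then stays open until the runner is torn down. Adding `if: always()` under the step name would make the cleanup unconditional. On a GitHub-hosted runner the VM is discarded afterwards, so this is hygiene rather than a functional fix. The same applies to the logout steps added to the other five workflow files in this patch and to scan.yml in patch 2; the retrieval step itself starts outside this hunk.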
diff --git a/.github/workflows/build-wasm-internal.yml b/.github/workflows/build-wasm-internal.yml
index 771ebd469..b9a563d1f 100644
--- a/.github/workflows/build-wasm-internal.yml
+++ b/.github/workflows/build-wasm-internal.yml
@@ -94,11 +94,16 @@ jobs:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-24.04
     needs: build
+    permissions:
+      id-token: write
     steps:
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve github PAT secrets
         id: retrieve-secret-pat
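Review bot: This job's new `permissions:` block grants only `id-token: write`, while the trigger job in build-swift.yml (first hunk of this patch), which shows the same steps, also gets `contents: read`. Once a block is present, every unlisted scope is `none`. The steps visible here (login, Key Vault retrieval, a github-script call) do not obviously read the repository, so the narrower set may be the right one, in which case `contents: read` could be dropped from build-swift.yml as well. Either way the two jobs should match; the rest of the job body is outside this hunk, so this needs confirming against the full file.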
@@ -107,6 +112,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Trigger WASM publish
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
diff --git a/.github/workflows/publish-rust-crates.yml b/.github/workflows/publish-rust-crates.yml
index c72cf4fad..75cc96000 100644
--- a/.github/workflows/publish-rust-crates.yml
+++ b/.github/workflows/publish-rust-crates.yml
@@ -60,16 +60,23 @@ jobs:
     name: Publish
     runs-on: ubuntu-24.04
     needs: setup
+    permissions:
+      id-token: write
+      contents: read
+      deployments: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ needs.setup.outputs.release-tag }}
 
-      - name: Login to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
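Review bot: `deployments: write` is added to the Publish job's permissions, but nothing in this hunk shows which step needs it; the visible steps are a checkout, the Azure login and the Key Vault retrieval. It is the only repository write scope this job receives, so a trailing comment naming its consumer, for example `deployments: write # used by <step that records the deployment>`, would let a later reader tell whether it can be removed. The job continues outside the hunk, so the consumer may simply be out of view.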
@@ -78,6 +85,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "cratesio-api-token"
 
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Install rust
         uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # stable
         with:
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index b11e585f1..2d9ab1471 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -58,6 +58,9 @@ jobs:
     name: Publish NPM
     runs-on: ubuntu-24.04
     needs: setup
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -67,10 +70,13 @@ jobs:
         with:
           node-version: 20
 
-      - name: Login to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -79,6 +85,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "npm-api-key"
 
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Download artifact
         uses: bitwarden/gh-actions/download-artifacts@main
         with:
diff --git a/.github/workflows/release-swift.yml b/.github/workflows/release-swift.yml
index b5fb347e9..c85d1c819 100644
--- a/.github/workflows/release-swift.yml
+++ b/.github/workflows/release-swift.yml
@@ -103,6 +103,9 @@ jobs:
     name: Push changed files to SDK Swift repo
     runs-on: ubuntu-24.04
     needs: validate
+    permissions:
+      contents: read
+      id-token: write
     env:
       _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com
       _BOT_NAME: bitwarden-devops-bot
@@ -126,10 +129,13 @@ jobs:
             echo "ref=main" >> $GITHUB_OUTPUT
           fi
 
-      - name: Login to Azure - Prod Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -140,6 +146,9 @@ jobs:
             github-gpg-private-key-passphrase,
             github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Checkout SDK-Swift repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -226,10 +235,13 @@ jobs:
       _RELEASE_NAME: ${{ needs.validate.outputs.release_name }}
       _BUILD_RUN_ID: ${{ needs.validate.outputs.run_id }}
     steps:
-      - name: Login to Azure - Prod Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -238,6 +250,9 @@ jobs:
           keyvault: ${{ env._KEY_VAULT }}
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Download BitwardenEFI artifact
         uses: bitwarden/gh-actions/download-artifacts@main
         id: download-artifact
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 9dfd8ac73..c032a8eef 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -22,6 +22,9 @@ jobs:
   bump_version:
     name: "Bump ${{ inputs.project }} Version to v${{ inputs.version_number }}"
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Install rust
         uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # stable
@@ -34,10 +37,13 @@ jobs:
       - name: Install cargo-release
         run: cargo install cargo-edit --locked
 
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -48,6 +54,9 @@ jobs:
             github-gpg-private-key-passphrase,
             github-pat-bitwarden-devops-bot-repo-scope"
 
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

From f83dafb94798d774df0c63bbadb30fd648f8180d Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Fri, 13 Jun 2025 10:59:12 -0400
Subject: [PATCH 2/7] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/scan.yml | 48 ++++++++++++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index d300da237..af664d7ac 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -20,6 +20,8 @@ jobs:
   check-run:
     name: Check PR run
     uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read
 
   sast:
     name: SAST scan
@@ -29,6 +31,7 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
 
     steps:
       - name: Check out repo
@@ -36,16 +39,34 @@ jobs:
         with:
           ref: ${{  github.event.pull_request.head.sha }}
 
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get KV secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
+
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Scan with Checkmarx
         uses: checkmarx/ast-github-action@9fda4ab4c1b67c35de380552a972a82997d97731 # 2.0.42
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
           project_name: ${{ github.repository }}
-          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
           base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
-          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
+          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
           additional_params: |
             --report-format sarif \
             --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
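Review bot: `id-token: write` is a job-level grant, so it is still in effect when the Checkmarx step runs after `Azure Logout` over the tree checked out from `github.event.pull_request.head.sha`. Logging out ends the CLI session but does not withdraw the job's ability to request an OIDC token. The workflow trigger is outside this hunk, so how much this matters depends on whether the job can run for fork pull requests. On the Azure side, confirm that the federated credential behind `AZURE_CLIENT_ID` is restricted by subject to this repository and the intended refs, and that this identity can read only the `gh-org-bitwarden` secrets it asks for, not the `bitwarden-ci` vault that the publish and release workflows in patch 1 read using a secret of the same name. A short comment above the login step recording that assumption would help; the SonarCloud job in the following hunks has the same shape.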
@@ -65,6 +86,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write
 
     steps:
       - name: Check out repo
@@ -73,10 +95,28 @@ jobs:
           fetch-depth: 0
           ref: ${{  github.event.pull_request.head.sha }}
 
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get KV secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "SONAR-TOKEN"
+
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Scan with SonarCloud
         uses: sonarsource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
         with:
           args: >
             -Dsonar.organization=${{ github.repository_owner }}

From f6f69cbb94fccaf78659388bd604fbe277c35b7b Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Fri, 13 Jun 2025 11:26:52 -0400
Subject: [PATCH 3/7] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/build-swift.yml           | 4 ++++
 .github/workflows/build-wasm-internal.yml   | 2 ++
 .github/workflows/publish-rust-crates.yml   | 2 ++
 .github/workflows/publish-wasm-internal.yml | 2 ++
 .github/workflows/release-swift.yml         | 5 +++++
 .github/workflows/version-bump.yml          | 2 ++
 6 files changed, 17 insertions(+)

diff --git a/.github/workflows/build-swift.yml b/.github/workflows/build-swift.yml
index bf71aaf5d..5cf2e141e 100644
--- a/.github/workflows/build-swift.yml
+++ b/.github/workflows/build-swift.yml
@@ -13,6 +13,8 @@ jobs:
   version:
     name: Get Version
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       package_version: ${{ steps.retrieve-version.outputs.package_version }}
     steps:
@@ -29,6 +31,8 @@ jobs:
     name: Build
     runs-on: macos-14
     needs: version
+    permissions:
+      contents: read
     env:
       _VERSION: ${{ needs.version.outputs.package_version }}
     steps:
diff --git a/.github/workflows/build-wasm-internal.yml b/.github/workflows/build-wasm-internal.yml
index f1eb6eabf..4c0a1a645 100644
--- a/.github/workflows/build-wasm-internal.yml
+++ b/.github/workflows/build-wasm-internal.yml
@@ -18,6 +18,8 @@ jobs:
   build:
     name: Building @bitwarden/sdk-wasm-internal
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repo
diff --git a/.github/workflows/publish-rust-crates.yml b/.github/workflows/publish-rust-crates.yml
index 4603fcdb5..ed09497c7 100644
--- a/.github/workflows/publish-rust-crates.yml
+++ b/.github/workflows/publish-rust-crates.yml
@@ -23,6 +23,8 @@ jobs:
   setup:
     name: Setup
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       release-version: ${{ steps.version-output.outputs.version }}
       release-tag: ${{ steps.version-output.outputs.tag_name }}
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index 2d9ab1471..84a3bf6a8 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -24,6 +24,8 @@ jobs:
   setup:
     name: Setup
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       release-version: ${{ steps.version-output.outputs.version }}
     steps:
diff --git a/.github/workflows/release-swift.yml b/.github/workflows/release-swift.yml
index c85d1c819..3eae5975c 100644
--- a/.github/workflows/release-swift.yml
+++ b/.github/workflows/release-swift.yml
@@ -32,6 +32,8 @@ jobs:
   validate:
     name: Set Version and SHA
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.version.outputs.version }}
       sha: ${{ steps.set-sha.outputs.sha }}
@@ -230,6 +232,9 @@ jobs:
     needs:
       - validate
       - repo-sync
+    permissions:
+      actions: read
+      contents: write
     env:
       _PKG_VERSION: ${{ needs.validate.outputs.version }}
       _RELEASE_NAME: ${{ needs.validate.outputs.release_name }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 9580340e3..578426311 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -171,6 +171,8 @@ jobs:
     needs: bump_version
     if: ${{ inputs.cut_rc_branch == true }}
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

From 0602c8b2494333cc89aed57bee673f952835417b Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Mon, 16 Jun 2025 16:57:32 -0400
Subject: [PATCH 4/7] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/release-swift.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release-swift.yml b/.github/workflows/release-swift.yml
index 3eae5975c..4d1b1580f 100644
--- a/.github/workflows/release-swift.yml
+++ b/.github/workflows/release-swift.yml
@@ -235,6 +235,7 @@ jobs:
     permissions:
       actions: read
       contents: write
+      id-token: write
     env:
       _PKG_VERSION: ${{ needs.validate.outputs.version }}
       _RELEASE_NAME: ${{ needs.validate.outputs.release_name }}

From 9a38ae345ca54ee0f3a5ea553a82da70666e69da Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Mon, 16 Jun 2025 23:36:08 -0400
Subject: [PATCH 5/7] [BRE-831] Renaming azure login/get/logout step names

---
 .github/workflows/build-swift.yml           |  4 ++--
 .github/workflows/build-wasm-internal.yml   |  4 ++--
 .github/workflows/publish-rust-crates.yml   |  4 ++--
 .github/workflows/publish-wasm-internal.yml |  4 ++--
 .github/workflows/release-swift.yml         |  8 ++++----
 .github/workflows/scan.yml                  | 12 ++++++------
 .github/workflows/version-bump.yml          |  4 ++--
 7 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build-swift.yml b/.github/workflows/build-swift.yml
index 5cf2e141e..bc5d1940b 100644
--- a/.github/workflows/build-swift.yml
+++ b/.github/workflows/build-swift.yml
@@ -103,7 +103,7 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -118,7 +118,7 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger Swift release
diff --git a/.github/workflows/build-wasm-internal.yml b/.github/workflows/build-wasm-internal.yml
index 4c0a1a645..a29b6cd8a 100644
--- a/.github/workflows/build-wasm-internal.yml
+++ b/.github/workflows/build-wasm-internal.yml
@@ -99,7 +99,7 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -114,7 +114,7 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Trigger WASM publish
diff --git a/.github/workflows/publish-rust-crates.yml b/.github/workflows/publish-rust-crates.yml
index ed09497c7..2eccb61f2 100644
--- a/.github/workflows/publish-rust-crates.yml
+++ b/.github/workflows/publish-rust-crates.yml
@@ -72,7 +72,7 @@ jobs:
         with:
           ref: ${{ needs.setup.outputs.release-tag }}
 
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -87,7 +87,7 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "cratesio-api-token"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Install rust
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index 84a3bf6a8..ff08e015f 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -72,7 +72,7 @@ jobs:
         with:
           node-version: 20
 
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -87,7 +87,7 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "npm-api-key"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Download artifact
diff --git a/.github/workflows/release-swift.yml b/.github/workflows/release-swift.yml
index 4d1b1580f..a3b8fece0 100644
--- a/.github/workflows/release-swift.yml
+++ b/.github/workflows/release-swift.yml
@@ -131,7 +131,7 @@ jobs:
             echo "ref=main" >> $GITHUB_OUTPUT
           fi
 
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -148,7 +148,7 @@ jobs:
             github-gpg-private-key-passphrase,
             github-pat-bitwarden-devops-bot-repo-scope"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Checkout SDK-Swift repo
@@ -241,7 +241,7 @@ jobs:
       _RELEASE_NAME: ${{ needs.validate.outputs.release_name }}
       _BUILD_RUN_ID: ${{ needs.validate.outputs.run_id }}
     steps:
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -256,7 +256,7 @@ jobs:
           keyvault: ${{ env._KEY_VAULT }}
           secrets: "github-pat-bitwarden-devops-bot-repo-scope"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Download BitwardenEFI artifact
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 4d729163a..29a34a41a 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -41,7 +41,7 @@ jobs:
         with:
           ref: ${{  github.event.pull_request.head.sha }}
 
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -49,14 +49,14 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Get KV secrets
+      - name: Get Azure Key Vault Secrets
         id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
           keyvault: gh-org-bitwarden
           secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Scan with Checkmarx
@@ -97,7 +97,7 @@ jobs:
           fetch-depth: 0
           ref: ${{  github.event.pull_request.head.sha }}
 
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -105,14 +105,14 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Get KV secrets
+      - name: Get Azure Key Vault Secrets
         id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
           keyvault: gh-org-bitwarden
           secrets: "SONAR-TOKEN"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Scan with SonarCloud
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 578426311..8753c9125 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Install cargo-release
         run: cargo install cargo-edit --locked
 
-      - name: Azure Login
+      - name: Log in to Azure
         id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
@@ -54,7 +54,7 @@ jobs:
             github-gpg-private-key-passphrase,
             github-pat-bitwarden-devops-bot-repo-scope"
 
-      - name: Azure Logout
+      - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
       - name: Checkout Branch

From ebc026b8458ecf4032a8b5c74d52f30ab39522ab Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Tue, 17 Jun 2025 11:56:13 -0400
Subject: [PATCH 6/7] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 29a34a41a..e5e256c4a 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -49,7 +49,7 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Get Azure Key Vault Secrets
+      - name: Get Azure Key Vault secrets
         id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
@@ -105,7 +105,7 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Get Azure Key Vault Secrets
+      - name: Get Azure Key Vault secrets
         id: get-kv-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:

From 8925aa30c0b1b952b1f794cdbdbca05c3ef8c856 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Mon, 30 Jun 2025 19:20:21 -0400
Subject: [PATCH 7/7] Removing unused azure-login id

---
 .github/workflows/build-swift.yml           | 1 -
 .github/workflows/build-wasm-internal.yml   | 1 -
 .github/workflows/publish-rust-crates.yml   | 1 -
 .github/workflows/publish-wasm-internal.yml | 1 -
 .github/workflows/release-swift.yml         | 2 --
 .github/workflows/scan.yml                  | 2 --
 .github/workflows/version-bump.yml          | 1 -
 7 files changed, 9 deletions(-)

diff --git a/.github/workflows/build-swift.yml b/.github/workflows/build-swift.yml
index bc5d1940b..cff5fb8b8 100644
--- a/.github/workflows/build-swift.yml
+++ b/.github/workflows/build-swift.yml
@@ -104,7 +104,6 @@ jobs:
       id-token: write
     steps:
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/build-wasm-internal.yml b/.github/workflows/build-wasm-internal.yml
index a29b6cd8a..8e224259c 100644
--- a/.github/workflows/build-wasm-internal.yml
+++ b/.github/workflows/build-wasm-internal.yml
@@ -100,7 +100,6 @@ jobs:
       id-token: write
     steps:
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/publish-rust-crates.yml b/.github/workflows/publish-rust-crates.yml
index 2eccb61f2..4f3a69266 100644
--- a/.github/workflows/publish-rust-crates.yml
+++ b/.github/workflows/publish-rust-crates.yml
@@ -73,7 +73,6 @@ jobs:
           ref: ${{ needs.setup.outputs.release-tag }}
 
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index ff08e015f..44c31af54 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -73,7 +73,6 @@ jobs:
           node-version: 20
 
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/release-swift.yml b/.github/workflows/release-swift.yml
index a3b8fece0..4544a6b8d 100644
--- a/.github/workflows/release-swift.yml
+++ b/.github/workflows/release-swift.yml
@@ -132,7 +132,6 @@ jobs:
           fi
 
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
@@ -242,7 +241,6 @@ jobs:
       _BUILD_RUN_ID: ${{ needs.validate.outputs.run_id }}
     steps:
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index e5e256c4a..e4f02ae2a 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -42,7 +42,6 @@ jobs:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
@@ -98,7 +97,6 @@ jobs:
           ref: ${{  github.event.pull_request.head.sha }}
 
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 8753c9125..521949493 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -38,7 +38,6 @@ jobs:
         run: cargo install cargo-edit --locked
 
       - name: Log in to Azure
-        id: azure-login
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}