[BRE-831] Updating to use AKV with OIDC

2025-07-03 17:12:49 -05:00 · 2025-06-10 21:19:46 -04:00
parent fe6181f55f
commit 182ae93cba
6 changed files with 124 additions and 39 deletions
--- a/.github/workflows/_move_finalization_db_scripts.yml
+++ b/.github/workflows/_move_finalization_db_scripts.yml
@ -12,14 +12,20 @@ jobs:
  setup:
    name: Setup
    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
    outputs:
      migration_filename_prefix: ${{ steps.prefix.outputs.prefix }}
      copy_finalization_scripts: ${{ steps.check-finalization-scripts-existence.outputs.copy_finalization_scripts }}
    steps:
-      - name: Log in to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve secrets
        id: retrieve-secrets
@ -28,6 +34,9 @@ jobs:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Check out branch
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
@ -50,6 +59,11 @@ jobs:
    name: Move finalization database scripts
    runs-on: ubuntu-22.04
    needs: setup
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+      actions: read
    if: ${{ needs.setup.outputs.copy_finalization_scripts == 'true' }}
    steps:
      - name: Checkout
@ -92,10 +106,13 @@ jobs:
          done
          echo "moved_files=$moved_files" >> $GITHUB_OUTPUT

-      - name: Log in to Azure - production subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve secrets
        id: retrieve-secrets
@ -106,6 +123,9 @@ jobs:
            github-gpg-private-key-passphrase,
            devops-alerts-slack-webhook-url"

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Import GPG keys
        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
        with:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -76,10 +76,8 @@ jobs:
    steps:
      - name: Check secrets
        id: check-secrets
-        env:
-          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
        run: |
-          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }}
          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT

      - name: Check out repo
@ -211,19 +209,17 @@ jobs:
          fi

      ########## ACRs ##########
-      - name: Log in to Azure - production subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Log in to ACR - production subscription
        run: az acr login -n bitwardenprod

-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
@ -334,10 +330,17 @@ jobs:
          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
  upload:
    name: Upload
    runs-on: ubuntu-22.04
    needs: build-docker
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
    steps:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -347,10 +350,13 @@ jobs:
      - name: Set up .NET
        uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0

-      - name: Log in to Azure - production subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Log in to ACR - production subscription
        run: az acr login -n $_AZ_REGISTRY --only-show-errors
@ -397,6 +403,9 @@ jobs:
          cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../..
          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../..

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Make Docker stub checksums
        if: |
          github.event_name != 'pull_request'
@ -571,11 +580,16 @@ jobs:
    runs-on: ubuntu-22.04
    needs:
      - build-docker
+    permissions:
+      id-token: write
    steps:
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
@ -584,6 +598,9 @@ jobs:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Trigger self-host build
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
@ -605,11 +622,16 @@ jobs:
    runs-on: ubuntu-22.04
    needs:
      - build-docker
+    permissions:
+      id-token: write
    steps:
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
@ -618,6 +640,9 @@ jobs:
          keyvault: "bitwarden-ci"
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Trigger k8s deploy
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
@ -661,6 +686,8 @@ jobs:
      - build-mssqlmigratorutility
      - self-host-build
      - trigger-k8s-deploy
+    permissions:
+      id-token: write
    steps:
      - name: Check if any job failed
        if: |
@ -669,11 +696,13 @@ jobs:
          && contains(needs.*.result, 'failure')
        run: exit 1

-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
-        if: failure()
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve secrets
        id: retrieve-secrets
@ -683,6 +712,9 @@ jobs:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Notify Slack on failure
        uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
        if: failure()
--- a/.github/workflows/build_target.yml
+++ b/.github/workflows/build_target.yml
@ -14,6 +14,8 @@ jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read

  run-workflow:
    name: Run Build on PR Target
@ -21,3 +23,8 @@ jobs:
    if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
    uses: ./.github/workflows/build.yml
    secrets: inherit
+
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
--- a/.github/workflows/cleanup-after-pr.yml
+++ b/.github/workflows/cleanup-after-pr.yml
@ -11,11 +11,16 @@ jobs:
  build-docker:
    name: Remove branch-specific Docker images
    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
    steps:
-      - name: Log in to Azure - production subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Log in to Azure ACR
        run: az acr login -n $_AZ_REGISTRY --only-show-errors
@ -62,3 +67,6 @@ jobs:

      - name: Log out of Docker
        run: docker logout
+
+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
--- a/.github/workflows/cleanup-rc-branch.yml
+++ b/.github/workflows/cleanup-rc-branch.yml
@ -9,11 +9,17 @@ jobs:
  delete-rc:
    name: Delete RC Branch
    runs-on: ubuntu-22.04
+    permissions:
+      contents: write
+      id-token: write
    steps:
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Retrieve bot secrets
        id: retrieve-bot-secrets
@ -22,6 +28,9 @@ jobs:
          keyvault: bitwarden-ci
          secrets: "github-pat-bitwarden-devops-bot-repo-scope"

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
      - name: Checkout main
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -63,6 +63,9 @@ jobs:
    name: Publish Docker images
    runs-on: ubuntu-22.04
    needs: setup
+    permissions:
+      contents: read
+      id-token: write
    env:
      _RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
      _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}
@ -109,10 +112,13 @@ jobs:
          echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT

      ########## ACR PROD ##########
-      - name: Log in to Azure - production subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Azure Login
+        id: azure-login
+        uses: bitwarden/gh-actions/azure-login@main
        with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}

      - name: Log in to Azure ACR
        run: az acr login -n $_AZ_REGISTRY --only-show-errors
@ -152,6 +158,9 @@ jobs:
      - name: Log out of Docker
        run: docker logout

+      - name: Azure Logout
+        uses: bitwarden/gh-actions/azure-logout@main
+
  update-deployment:
    name: Update Deployment Status
    runs-on: ubuntu-22.04