nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-04 01:22:50 -05:00
Code Activity

[BRE-831] Updating to use AKV with OIDC

Browse Source
This commit is contained in:
Andy Pixley
2025-06-10 21:19:46 -04:00
parent fe6181f55f
commit 182ae93cba
6 changed files with 124 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
.github/workflows/_move_finalization_db_scripts.yml vendored
View File

@ -12,14 +12,20 @@ jobs:
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write
outputs: outputs:
migration_filename_prefix: ${{ steps.prefix.outputs.prefix }} migration_filename_prefix: ${{ steps.prefix.outputs.prefix }}
copy_finalization_scripts: ${{ steps.check-finalization-scripts-existence.outputs.copy_finalization_scripts }} copy_finalization_scripts: ${{ steps.check-finalization-scripts-existence.outputs.copy_finalization_scripts }}
steps: steps:
- name: Log in to Azure - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
@ -28,6 +34,9 @@ jobs:
keyvault: "bitwarden-ci" keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope" secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Check out branch - name: Check out branch
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:
@ -50,6 +59,11 @@ jobs:
name: Move finalization database scripts name: Move finalization database scripts
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: setup needs: setup
permissions:
contents: write
pull-requests: write
id-token: write
actions: read
if: ${{ needs.setup.outputs.copy_finalization_scripts == 'true' }} if: ${{ needs.setup.outputs.copy_finalization_scripts == 'true' }}
steps: steps:
- name: Checkout - name: Checkout
@ -92,10 +106,13 @@ jobs:
done done
echo "moved_files=$moved_files" >> $GITHUB_OUTPUT echo "moved_files=$moved_files" >> $GITHUB_OUTPUT
- name: Log in to Azure - production subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
@ -106,6 +123,9 @@ jobs:
github-gpg-private-key-passphrase, github-gpg-private-key-passphrase,
devops-alerts-slack-webhook-url" devops-alerts-slack-webhook-url"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Import GPG keys - name: Import GPG keys
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0 uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
with: with:

80
.github/workflows/build.yml vendored
View File

@ -76,10 +76,8 @@ jobs:
steps: steps:
- name: Check secrets - name: Check secrets
id: check-secrets id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: | run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }} has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
- name: Check out repo - name: Check out repo
@ -211,19 +209,17 @@ jobs:
fi fi
########## ACRs ########## ########## ACRs ##########
- name: Log in to Azure - production subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Log in to ACR - production subscription - name: Log in to ACR - production subscription
run: az acr login -n bitwardenprod run: az acr login -n bitwardenprod
- name: Log in to Azure - CI subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve GitHub PAT secrets - name: Retrieve GitHub PAT secrets
id: retrieve-secret-pat id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main uses: bitwarden/gh-actions/get-keyvault-secrets@main
@ -334,10 +330,17 @@ jobs:
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
upload: upload:
name: Upload name: Upload
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: build-docker needs: build-docker
permissions:
contents: read
id-token: write
actions: read
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -347,10 +350,13 @@ jobs:
- name: Set up .NET - name: Set up .NET
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0 uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
- name: Log in to Azure - production subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Log in to ACR - production subscription - name: Log in to ACR - production subscription
run: az acr login -n $_AZ_REGISTRY --only-show-errors run: az acr login -n $_AZ_REGISTRY --only-show-errors
@ -397,6 +403,9 @@ jobs:
cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../.. cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../..
cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../.. cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../..
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Make Docker stub checksums - name: Make Docker stub checksums
if: | if: |
github.event_name != 'pull_request' github.event_name != 'pull_request'
@ -571,11 +580,16 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: needs:
- build-docker - build-docker
permissions:
id-token: write
steps: steps:
- name: Log in to Azure - CI subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve GitHub PAT secrets - name: Retrieve GitHub PAT secrets
id: retrieve-secret-pat id: retrieve-secret-pat
@ -584,6 +598,9 @@ jobs:
keyvault: "bitwarden-ci" keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope" secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Trigger self-host build - name: Trigger self-host build
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with: with:
@ -605,11 +622,16 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: needs:
- build-docker - build-docker
permissions:
id-token: write
steps: steps:
- name: Log in to Azure - CI subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve GitHub PAT secrets - name: Retrieve GitHub PAT secrets
id: retrieve-secret-pat id: retrieve-secret-pat
@ -618,6 +640,9 @@ jobs:
keyvault: "bitwarden-ci" keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope" secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Trigger k8s deploy - name: Trigger k8s deploy
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with: with:
@ -661,6 +686,8 @@ jobs:
- build-mssqlmigratorutility - build-mssqlmigratorutility
- self-host-build - self-host-build
- trigger-k8s-deploy - trigger-k8s-deploy
permissions:
id-token: write
steps: steps:
- name: Check if any job failed - name: Check if any job failed
if: | if: |
@ -669,11 +696,13 @@ jobs:
&& contains(needs.*.result, 'failure') && contains(needs.*.result, 'failure')
run: exit 1 run: exit 1
- name: Log in to Azure - CI subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
if: failure() uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
@ -683,6 +712,9 @@ jobs:
keyvault: "bitwarden-ci" keyvault: "bitwarden-ci"
secrets: "devops-alerts-slack-webhook-url" secrets: "devops-alerts-slack-webhook-url"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Notify Slack on failure - name: Notify Slack on failure
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
if: failure() if: failure()

7
.github/workflows/build_target.yml vendored
View File

@ -14,6 +14,8 @@ jobs:
check-run: check-run:
name: Check PR run name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
permissions:
contents: read
run-workflow: run-workflow:
name: Run Build on PR Target name: Run Build on PR Target
@ -21,3 +23,8 @@ jobs:
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build.yml uses: ./.github/workflows/build.yml
secrets: inherit secrets: inherit
permissions:
contents: read
id-token: write
security-events: write

14
.github/workflows/cleanup-after-pr.yml vendored
View File

@ -11,11 +11,16 @@ jobs:
build-docker: build-docker:
name: Remove branch-specific Docker images name: Remove branch-specific Docker images
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
id-token: write
steps: steps:
- name: Log in to Azure - production subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Log in to Azure ACR - name: Log in to Azure ACR
run: az acr login -n $_AZ_REGISTRY --only-show-errors run: az acr login -n $_AZ_REGISTRY --only-show-errors
@ -62,3 +67,6 @@ jobs:
- name: Log out of Docker - name: Log out of Docker
run: docker logout run: docker logout
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main

15
.github/workflows/cleanup-rc-branch.yml vendored
View File

@ -9,11 +9,17 @@ jobs:
delete-rc: delete-rc:
name: Delete RC Branch name: Delete RC Branch
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write
id-token: write
steps: steps:
- name: Login to Azure - CI Subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve bot secrets - name: Retrieve bot secrets
id: retrieve-bot-secrets id: retrieve-bot-secrets
@ -22,6 +28,9 @@ jobs:
keyvault: bitwarden-ci keyvault: bitwarden-ci
secrets: "github-pat-bitwarden-devops-bot-repo-scope" secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
- name: Checkout main - name: Checkout main
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with: with:

15
.github/workflows/publish.yml vendored
View File

@ -63,6 +63,9 @@ jobs:
name: Publish Docker images name: Publish Docker images
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: setup needs: setup
permissions:
contents: read
id-token: write
env: env:
_RELEASE_VERSION: ${{ needs.setup.outputs.release-version }} _RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
_BRANCH_NAME: ${{ needs.setup.outputs.branch-name }} _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}
@ -109,10 +112,13 @@ jobs:
echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
########## ACR PROD ########## ########## ACR PROD ##########
- name: Log in to Azure - production subscription - name: Azure Login
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with: with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Log in to Azure ACR - name: Log in to Azure ACR
run: az acr login -n $_AZ_REGISTRY --only-show-errors run: az acr login -n $_AZ_REGISTRY --only-show-errors
@ -152,6 +158,9 @@ jobs:
- name: Log out of Docker - name: Log out of Docker
run: docker logout run: docker logout
- name: Azure Logout
uses: bitwarden/gh-actions/azure-logout@main
update-deployment: update-deployment:
name: Update Deployment Status name: Update Deployment Status
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04