From bb23fbc04cc6a66a1f0aafdaa8bdba7a21bfec14 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Fri, 13 Jun 2025 12:55:27 -0400
Subject: [PATCH] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/publish.yml | 5 ++++
 .github/workflows/repository-management.yml | 27 +++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 84dde1a676..9225196cce 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -26,6 +26,9 @@ jobs:
 setup:
 name: Setup
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ deployments: write
 outputs:
 branch-name: ${{ steps.branch.outputs.branch-name }}
 deployment-id: ${{ steps.deployment.outputs.deployment_id }}
@@ -167,6 +170,8 @@ jobs:
 needs:
 - setup
 - publish-docker
+ permissions:
+ deployments: write
 if: ${{ always() && inputs.publish_type != 'Dry Run' }}
 steps:
 - name: Check if any job failed
diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml
index 8d496f0727..2afb5ef8e7 100644
--- a/.github/workflows/repository-management.yml
+++ b/.github/workflows/repository-management.yml
@@ -26,6 +26,7 @@ jobs:
 setup:
 name: Setup
 runs-on: ubuntu-24.04
+ permissions: {}
 outputs:
 branch: ${{ steps.set-branch.outputs.branch }}
 steps:
@@ -237,7 +238,28 @@ jobs:
 needs:
 - bump_version
 - setup
+ permissions:
+ contents: write
+ id-token: write
 steps:
+ - name: Azure Login
+ id: azure-login
+ uses: bitwarden/gh-actions/azure-login@main
+ with:
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+ - name: Get KV secrets
+ id: get-kv-secrets
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: gh-org-bitwarden
+ secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+ - name: Azure Logout
+ uses: bitwarden/gh-actions/azure-logout@main
+
 - name: Generate GH App token
 uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
 id: app-token
@@ -320,3 +342,8 @@ jobs:
 needs: cherry_pick
 uses: ./.github/workflows/_move_finalization_db_scripts.yml
 secrets: inherit
+ permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+ actions: read
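Review bot: The three `bitwarden/gh-actions` steps added under `steps:` (azure-login, get-keyvault-secrets, azure-logout) are referenced by the mutable branch ref `@main`, while the adjacent `actions/create-github-app-token` step in the same hunk is pinned to a commit SHA with a `# v1.11.1` comment; because this job can now mint an OIDC token (`id-token: write`) and these steps pull the GitHub App private key out of the `gh-org-bitwarden` vault, a moving ref means any later change on that branch runs inside this privileged job without being reviewed here. Pinning them the same way, e.g. `uses: bitwarden/gh-actions/azure-login@<commit-sha> # <version>` (placeholder values), keeps the pinning policy consistent within the file. Separately, the `Azure Logout` step has no `if: always()`, so a failure in `Get KV secrets` skips the logout; adding `if: always()` to that step is the usual fix. The consumer of `BW-GHAPP-ID`/`BW-GHAPP-KEY` (the `with:` of `Generate GH App token`) and the rest of this job lie outside the hunk, so whether the job itself still needs `contents: write` cannot be judged from here.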
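Review bot: The `permissions:` block added to the job that calls `./.github/workflows/_move_finalization_db_scripts.yml` grants the called workflow `contents: write`, `pull-requests: write`, `id-token: write` and `actions: read` alongside the existing `secrets: inherit`, so the reusable workflow receives every repository secret plus the ability to mint OIDC tokens; the caller's block is the ceiling the callee's jobs may only narrow, and since the called workflow is not in this patch it is worth confirming that each of the four scopes is actually declared by a job in it. A one-line comment per scope naming what needs it, e.g. `# id-token: write — required by <job in the called workflow> for OIDC login` (placeholder), would make the next narrowing review straightforward. As a point of style, the other jobs touched by this patch place `permissions:` directly after `needs:`, whereas here it trails `secrets: inherit`; mappings are unordered so this is cosmetic, but matching the placement keeps the two files consistent.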