diff --git a/.github/workflows/build-unified.yml b/.github/workflows/build-unified.yml index 1c479cd..753f276 100644 --- a/.github/workflows/build-unified.yml +++ b/.github/workflows/build-unified.yml @@ -85,10 +85,12 @@ jobs: uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0 ########## Login to Docker registries ########## - - name: Login to Azure - Prod Subscription - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Login to Azure ACR run: az acr login -n bitwardenprod @@ -135,12 +137,19 @@ jobs: echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT fi + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + - name: Generate GH App token uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: app-token with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} - name: Checkout server repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -211,12 +220,17 @@ jobs: docker logout ghcr.io docker logout $_AZ_REGISTRY + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + check-failures: name: Check for failures if: always() runs-on: ubuntu-24.04 needs: build-docker + permissions: + id-token: write steps: - name: Check if any job failed if: | 
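Review bot: The replacement login step drops the commit pin that the line it replaces (`Azure/login@a457da9… # v2.3.0`) and every other action in these files carry, referencing `bitwarden/gh-actions/azure-login@main` instead; a branch ref resolves to whatever `main` holds at run time, so a change in that repo changes what executes in every build, scan and release job touched here. Pin it, `uses: bitwarden/gh-actions/azure-login@<commit-sha> # <tag-or-date>`, and do the same for `azure-logout@main` and `get-keyvault-secrets@main` in the later hunks of this file and in release-digital-ocean.yml, release.yml, scan.yml and update-versions.yml. If floating `@main` for the org's own actions repo is deliberate, a comment on the step saying so would stop the next reviewer from raising it. Separately, this login now needs `id-token: write` on the build-docker job; the job header is outside the hunk and, unlike the other workflows in this diff, no hunk in build-unified.yml adds it, so confirm it is already granted (the same check applies to the job holding the `Install Cosign` step in release.yml, whose header is also outside its hunk).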
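Review bot: `BW-GHAPP-KEY` now reaches `create-github-app-token` through a step output (`steps.get-kv-secrets.outputs.BW-GHAPP-KEY`) rather than `secrets.*`, so whether it is redacted in the job log depends on the composite action registering each value as a mask; nothing in this hunk shows that, and an unmasked app private key in a log is readable by anyone who can view the run. Confirm that `get-keyvault-secrets` masks every output it sets before this is merged, and keep the outputs out of any `echo`/debug step in this job. Once verified, a comment above the step, `# outputs are secret values masked by the action — never print them`, records the assumption for the sonar, checkmarx and update-versions jobs that use the same pattern.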
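Review bot: The new `Log out from Azure` step has no `if:`, so it runs only when every earlier step of build-docker succeeded; a failed build or push leaves the `az` session logged in until the runner is torn down, which is harmless on the GitHub-hosted `ubuntu-24.04` images named in these files but not on a self-hosted runner (build-docker's `runs-on` is outside the hunk). Since the step exists as cleanup, give it `if: always()`; the same unconditional form is used for the logout steps added in release-digital-ocean.yml, release.yml, scan.yml and update-versions.yml, while the check-failures variant in the next hunk already carries the `if: failure()` its flow needs. The `permissions` block added to check-failures also drops the default `contents: read`, which looks right since that job does no checkout; a comment, `# OIDC login only; this job never checks out code`, would record the intent.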
@@ -226,11 +240,13 @@ jobs: && contains(needs.*.result, 'failure') run: exit 1 - - name: Login to Azure - CI subscription - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + - name: Log in to Azure if: failure() + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -240,6 +256,10 @@ jobs: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" + - name: Log out from Azure + if: failure() + uses: bitwarden/gh-actions/azure-logout@main + - name: Notify Slack on failure uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 if: failure() diff --git a/.github/workflows/release-digital-ocean.yml b/.github/workflows/release-digital-ocean.yml index b9f30f4..e725f74 100644 --- a/.github/workflows/release-digital-ocean.yml +++ b/.github/workflows/release-digital-ocean.yml @@ -17,14 +17,19 @@ jobs: build-image: name: Build Image runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Login to Azure - CI Subscription - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -33,6 +38,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "digital-ocean-api-key" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Set version from version.json id: set-version run: | 
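Review bot: The two service principals the old steps kept apart — `AZURE_PROD_KV_CREDENTIALS` in build-docker (previous hunk of this file) and `AZURE_KV_CI_SERVICE_PRINCIPAL` here — are both replaced by the single identity in `AZURE_CLIENT_ID`, and that same trio is used by every login in release-digital-ocean.yml, release.yml, scan.yml and update-versions.yml. A token obtained through OIDC carries the full role set of the one app registration regardless of which federated credential admitted the run, so subject-claim scoping cannot by itself preserve the old CI/prod split; PR scan jobs and release jobs would then share rights to the prod Key Vault and ACR. Confirm that this is intended, or keep separate client ids per tier (for example `AZURE_CI_CLIENT_ID` / `AZURE_PROD_CLIENT_ID` secrets) with role assignments matching the old principals. A one-line comment at the first login in each file, `# OIDC identity: <app name> — roles: <list>`, would make the blast radius reviewable.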
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ee2f617..9c14e41 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,6 +26,8 @@ jobs: setup: name: Setup runs-on: ubuntu-24.04 + permissions: + contents: read outputs: _WEB_RELEASE_TAG: ${{ steps.set-tags.outputs.WEB_RELEASE_TAG }} _CORE_RELEASE_TAG: ${{ steps.set-tags.outputs.CORE_RELEASE_TAG }} @@ -155,16 +157,21 @@ jobs: needs: - setup - release + permissions: + contents: read + id-token: write steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main - - name: Login to Azure - CI Subscription - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -175,6 +182,9 @@ jobs: aws-selfhost-version-access-key, aws-selfhost-version-bucket-name" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Upload version.json to S3 bucket if: ${{ inputs.release_type != 'Dry Run' }} env: @@ -229,10 +239,12 @@ jobs: - name: Install Cosign uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 - - name: Login to Azure - Prod Subscription - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Setup project name and release tag id: setup 
@@ -287,6 +299,9 @@ jobs: docker logout ghcr.io docker logout $_AZ_REGISTRY + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + release-unified: name: Release Self-host unified @@ -300,10 +315,12 @@ jobs: id-token: write packages: write steps: - - name: Login to Azure - PROD Subscription - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 @@ -376,6 +393,9 @@ jobs: - name: Log out of Docker run: docker logout $_AZ_REGISTRY + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + trigger-workflows: name: Trigger workflows 
@@ -385,13 +405,32 @@ jobs: - release - tag-push-latest-images - release-unified + permissions: + id-token: write steps: + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Generate GH App token uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: app-token with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} - name: Trigger release-digital-ocean workflow uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 10a4018..395e4bb 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
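Review bot: `keyvault: gh-org-bitwarden` is written as a plain scalar while the `secrets:` line beneath it and the existing `Retrieve secrets` steps in this diff quote the same kind of value (`keyvault: "bitwarden-ci"`); the value is not ambiguous to a YAML parser, so this is style only, but `keyvault: "gh-org-bitwarden"` keeps the get-keyvault-secrets inputs uniform across build-unified.yml, scan.yml and update-versions.yml, which use the same plain form. The order of the three new steps — log in, fetch, log out before the app token is minted — is the right shape, as the Azure session is closed before any later step runs.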
@@ -31,22 +31,40 @@ jobs: contents: read pull-requests: write security-events: write + id-token: write steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with Checkmarx uses: checkmarx/ast-github-action@dda03dce250dead2404252f9970f35980201934c # 2.0.43 env: INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}" with: project_name: ${{ github.repository }} - cx_tenant: ${{ secrets.CHECKMARX_TENANT }} + cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }} base_uri: https://ast.checkmarx.net/ - cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CHECKMARX_SECRET }} + cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }} + cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }} additional_params: | --report-format sarif \ --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \ @@ -66,6 +84,7 @@ jobs: permissions: contents: read pull-requests: write + id-token: write steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
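Review bot: This job checks out `github.event.pull_request.head.sha` and now also holds `id-token: write`, so the OIDC token it requests carries a pull-request subject (`repo:<owner/repo>:pull_request`); the federated credential on the `AZURE_CLIENT_ID` app must admit that subject for the login to succeed, and whatever admits it is then available to every PR-triggered run of this workflow. The trigger list is outside the hunk; if it includes `pull_request_target`, note that the Azure session is open between `Log in to Azure` and `Log out from Azure` with the PR's head commit already on disk, even though no PR-controlled code executes between those two steps here. A comment above the login naming the credential it relies on, `# OIDC federated credential: <subject filter> on <app> — grants <roles>`, would document the intended scope for the sonar job below, which gets the same `id-token: write` grant.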
@@ -73,10 +92,27 @@ jobs: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "SONAR-TOKEN" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with SonarCloud uses: sonarsource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0 env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }} with: args: > -Dsonar.organization=${{ github.repository_owner }} diff --git a/.github/workflows/update-versions.yml b/.github/workflows/update-versions.yml index 4a663fc..18d0426 100644 --- a/.github/workflows/update-versions.yml +++ b/.github/workflows/update-versions.yml @@ -8,6 +8,8 @@ jobs: name: Setup if: github.ref_name == 'main' runs-on: ubuntu-24.04 + permissions: + contents: read outputs: core_version: ${{ steps.get-core.outputs.version }} core_version_update: ${{ steps.core-update.outputs.update }} 
@@ -96,15 +98,35 @@ jobs: needs.setup.outputs.key_connector_version_update == 1 runs-on: ubuntu-24.04 needs: setup + permissions: + contents: write + id-token: write steps: + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Generate GH App token uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 id: app-token with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} owner: ${{ github.repository_owner }} - repository: ${{ github.repository }} + repositories: ${{ github.repository }} - name: Checkout Branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
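Review bot: The job gains `contents: write` on `GITHUB_TOKEN` at the same time it starts minting a GitHub App token scoped to this repository; if the later push (outside this hunk) uses `steps.app-token`, as the `owner`/`repositories` scoping suggests, the write grant to `GITHUB_TOKEN` is unused and `contents: read` would be enough for the checkout that follows. Confirm which token the remaining steps use and narrow the grant if it is the app token. On the `repository:` → `repositories:` correction, `${{ github.repository }}` expands to `owner/repo`, whereas the action's documented examples pass bare repository names; worth confirming the action accepts the prefixed form, otherwise `${{ github.event.repository.name }}` is the value to use.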