diff --git a/.github/workflows/brew-bump-cli.yml b/.github/workflows/brew-bump-cli.yml index 5487095bf7..88a8cdefe5 100644 --- a/.github/workflows/brew-bump-cli.yml +++ b/.github/workflows/brew-bump-cli.yml @@ -23,17 +23,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - brew-bump-workflow-pat - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "brew-bump-workflow-pat" - name: Update Homebrew formula uses: dawidd6/action-homebrew-bump-formula@dd221ff435f42fa8102b5871bb1929af9d76476c diff --git a/.github/workflows/brew-bump-desktop.yml b/.github/workflows/brew-bump-desktop.yml index fba2685f23..249c5a57d4 100644 --- a/.github/workflows/brew-bump-desktop.yml +++ b/.github/workflows/brew-bump-desktop.yml @@ -23,17 +23,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - brew-bump-workflow-pat - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "brew-bump-workflow-pat" - name: Update Homebrew cask uses: macauley/action-homebrew-bump-cask@445c42390d790569d938f9068d01af39ca030feb diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml index 91134cbab6..9a5e4ebd33 100644 --- a/.github/workflows/build-browser.yml +++ b/.github/workflows/build-browser.yml @@ -338,17 +338,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - crowdin-api-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "crowdin-api-token" - name: Upload Sources uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 @@ -378,17 +371,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - github-pat-bitwarden-devops-bot-repo-scope - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "github-pat-bitwarden-devops-bot-repo-scope" - name: Extract branch name id: extract_branch @@ -459,17 +445,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets if: failure() - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - devops-alerts-slack-webhook-url - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.0 diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 9147ed1b7e..e32dbedb24 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -361,17 +361,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets if: failure() - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - devops-alerts-slack-webhook-url - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml index fe8df982c2..8f8529320c 100644 --- a/.github/workflows/build-desktop.yml +++ b/.github/workflows/build-desktop.yml @@ -142,7 +142,7 @@ jobs: uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 - name: Set up Node - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a with: cache: 'npm' cache-dependency-path: '**/package-lock.json' @@ -176,7 +176,7 @@ jobs: working-directory: ./ - name: Cache Native Module - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 + uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 id: cache with: path: | @@ -257,7 +257,7 @@ jobs: uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 - name: Set up Node - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a with: cache: 'npm' cache-dependency-path: '**/package-lock.json' @@ -297,29 +297,21 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - shell: bash - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - code-signing-vault-url, + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "code-signing-vault-url, code-signing-client-id, code-signing-tenant-id, code-signing-client-secret, - code-signing-cert-name - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + code-signing-cert-name" - name: Install Node dependencies run: npm ci working-directory: ./ - name: Cache Native Module - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 + uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 id: cache with: path: apps/desktop/desktop_native/*.node @@ -478,7 +470,7 @@ jobs: uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 - name: Set up Node - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a with: cache: 'npm' cache-dependency-path: '**/package-lock.json' @@ -591,7 +583,7 @@ jobs: working-directory: ./ - name: Cache Native Module - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 + uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 id: cache with: path: apps/desktop/desktop_native/*.node @@ -623,7 +615,7 @@ jobs: uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 - name: Set up Node - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a with: cache: 'npm' cache-dependency-path: '**/package-lock.json' @@ -736,7 +728,7 @@ jobs: working-directory: ./ - name: Cache Native Module - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 + uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 id: cache with: path: apps/desktop/desktop_native/*.node @@ -754,7 +746,7 @@ jobs: - name: Download artifact from hotfix-rc-desktop if: github.ref == 'refs/heads/hotfix-rc-desktop' - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -763,7 +755,7 @@ jobs: - name: Download artifact from rc if: github.ref == 'refs/heads/rc' - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -772,7 +764,7 @@ jobs: - name: Download artifact from master if: ${{ github.ref != 'refs/heads/rc' && github.ref != 'refs/heads/hotfix-rc-desktop' }} - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -841,7 +833,7 @@ jobs: uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 - name: Set up Node - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a with: cache: 'npm' cache-dependency-path: '**/package-lock.json' @@ -954,7 +946,7 @@ jobs: working-directory: ./ - name: Cache Native Module - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 + uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 id: cache with: path: apps/desktop/desktop_native/*.node @@ -972,7 +964,7 @@ jobs: - name: Download artifact from hotfix-rc-desktop if: github.ref == 'refs/heads/hotfix-rc-desktop' - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -981,7 +973,7 @@ jobs: - name: Download artifact from rc if: github.ref == 'refs/heads/rc' - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -990,7 +982,7 @@ jobs: - name: Download artifact from master if: ${{ github.ref != 'refs/heads/rc' && github.ref != 'refs/heads/hotfix-rc-desktop' }} - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -1051,7 +1043,7 @@ jobs: uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 - name: Set up Node - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3.0.0 + uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a with: cache: 'npm' cache-dependency-path: '**/package-lock.json' @@ -1159,7 +1151,7 @@ jobs: working-directory: ./ - name: Cache Native Module - uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 # v3.0.2 + uses: actions/cache@48af2dc4a9e8278b89d7fa154b955c30c6aaab09 id: cache with: path: apps/desktop/desktop_native/*.node @@ -1177,7 +1169,7 @@ jobs: - name: Download artifact from rc if: github.ref == 'refs/heads/rc' - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -1186,7 +1178,7 @@ jobs: - name: Download artifact from master if: github.ref != 'refs/heads/rc' - uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 # v2.19.0 + uses: dawidd6/action-download-artifact@b2abf1705491048a2d7074f7d90513044fd25d39 with: workflow: build-browser.yml workflow_conclusion: success @@ -1242,20 +1234,13 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - crowdin-api-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "crowdin-api-token" - name: Upload Sources - uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 + uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }} @@ -1324,17 +1309,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets if: failure() - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - devops-alerts-slack-webhook-url - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml index 5122b24fe8..f7073ec3c6 100644 --- a/.github/workflows/build-web.yml +++ b/.github/workflows/build-web.yml @@ -349,17 +349,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - crowdin-api-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "crowdin-api-token" - name: Upload Sources uses: crowdin/github-action@ecd7eb0ef6f3cfa16293c79e9cbc4bc5b5fd9c49 # v1.4.9 @@ -419,17 +412,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets if: failure() - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - devops-alerts-slack-webhook-url - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33 # v1.5.1 diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index 9aca46ebd6..abb3fca703 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml @@ -32,17 +32,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - crowdin-api-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "crowdin-api-token" - name: Download translations uses: bitwarden/gh-actions/crowdin@05052c5c575ceb09ceea397fe241879e199ed44b diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index 881fedc35e..208cbb2d4a 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -148,17 +148,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - snapcraft-store-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "snapcraft-store-token" - name: Install Snap uses: samuelmeuli/action-snapcraft@10d7d0a84d9d86098b19f872257df314b0bd8e2d # v1.2.0 @@ -268,17 +261,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - cli-npm-api-key - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "cli-npm-api-key" - name: Download artifacts if: ${{ github.event.inputs.release_type != 'Dry Run' }} @@ -313,4 +299,3 @@ jobs: - name: Publish NPM if: ${{ github.event.inputs.release_type != 'Dry Run' }} run: npm publish --access public --regsitry=https://registry.npmjs.org/ --userconfig=./.npmrc - diff --git a/.github/workflows/release-desktop-beta.yml b/.github/workflows/release-desktop-beta.yml index 79a4eaa24c..7dbc110a04 100644 --- a/.github/workflows/release-desktop-beta.yml +++ b/.github/workflows/release-desktop-beta.yml @@ -249,21 +249,14 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - code-signing-vault-url, + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "code-signing-vault-url, code-signing-client-id, code-signing-tenant-id, code-signing-client-secret, - code-signing-cert-name - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + code-signing-cert-name" - name: Install Node dependencies run: npm ci @@ -939,26 +932,19 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - aws-electron-access-id, + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "aws-electron-access-id, aws-electron-access-key, aws-electron-bucket-name, r2-electron-access-id, r2-electron-access-key, r2-electron-bucket-name, - cf-prod-account - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + cf-prod-account" - name: Download all artifacts - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0 + uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: path: apps/desktop/artifacts @@ -1037,4 +1023,3 @@ jobs: env: BRANCH: ${{ needs.setup.outputs.branch-name }} run: git push origin --delete $BRANCH -