From 972a500745f2cddb5009e126efead93706f568bb Mon Sep 17 00:00:00 2001 From: Opeyemi <54288773+Eeebru@users.noreply.github.com> Date: Mon, 17 Apr 2023 14:06:57 +0100 Subject: [PATCH] [DEVOPS-1259]Update pipeline to CI only KV (#2854) * Update pipeline to CI only KV --- .github/workflows/build-self-host.yml | 14 +++++++++----- .github/workflows/build.yml | 11 ++++++++--- .github/workflows/container-registry-purge.yml | 3 +-- .github/workflows/release.yml | 4 ++-- .github/workflows/stop-staging-slots.yml | 3 +-- .github/workflows/version-bump.yml | 2 +- 6 files changed, 22 insertions(+), 15 deletions(-) diff --git a/.github/workflows/build-self-host.yml b/.github/workflows/build-self-host.yml index 9050ce333..785460df4 100644 --- a/.github/workflows/build-self-host.yml +++ b/.github/workflows/build-self-host.yml @@ -61,12 +61,16 @@ jobs: - name: Login to Azure ACR run: az acr login -n bitwardenprod + - name: Login to Azure - CI Subscription + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + with: + creds: ${{ secrets. AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve github PAT secrets id: retrieve-secret-pat uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" - name: Retrieve secrets @@ -74,7 +78,7 @@ jobs: id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "docker-password, docker-username, dct-delegate-2-repo-passphrase, 
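Review bot: The added login step writes the secret reference as `${{ secrets. AZURE_KV_CI_SERVICE_PRINCIPAL }}`, with a space after `secrets.`; the same spelling recurs in the failure-path login later in this file and in the step added to build.yml. Even if the expression parser accepts it, it differs from the `secrets.AZURE_PROD_KV_CREDENTIALS` form used elsewhere in these workflows, and a search for `secrets.AZURE_KV_CI_SERVICE_PRINCIPAL` during a credential audit or rotation would miss all three uses. I would write `creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}`. The step also runs directly after `az acr login -n bitwardenprod` and presumably replaces the Azure session that command relied on, so a comment such as `# switches the az session to the CI principal; the ACR login above must stay before this step` would record the ordering dependency.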
@@ -161,18 +165,18 @@ jobs: exit 1 fi - - name: Login to Azure - Prod Subscription + - name: Login to Azure - CI subscription uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf if: failure() with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + creds: ${{ secrets. AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af if: failure() with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fd6932b33..f7f4c7181 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -280,11 +280,16 @@ jobs: - name: Login to PROD ACR run: az acr login -n bitwardenprod + - name: Login to Azure - CI Subscription + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + with: + creds: ${{ secrets. AZURE_KV_CI_SERVICE_PRINCIPAL }} + - name: Retrieve github PAT secrets id: retrieve-secret-pat uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" - name: Retrieve secrets @@ -292,7 +297,7 @@ jobs: id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "docker-password, docker-username, dct-delegate-2-repo-passphrase, @@ -570,7 +575,7 @@ jobs: uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af if: failure() with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure 
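Review bot: In build.yml the failure-path step at `@@ -570,7 +575,7 @@` now reads `devops-alerts-slack-webhook-url` from `bitwarden-ci`, but the Azure login that precedes it is outside the hunk and, going by the diffstat, unchanged. In build-self-host.yml the matching login was switched to the CI principal in this same commit; if the build.yml one still uses `AZURE_PROD_KV_CREDENTIALS`, the lookup either fails exactly when a build failure needs reporting, or succeeds only because the production principal can also read the CI vault. The same question applies to container-registry-purge.yml and to the `VAULT_NAME` changes in release.yml and stop-staging-slots.yml, whose login steps are not shown either. Each of those logins should use `creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}`, or the cross-vault access grant should be documented next to the step.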
diff --git a/.github/workflows/container-registry-purge.yml b/.github/workflows/container-registry-purge.yml index b00b62780..09cf68e29 100644 --- a/.github/workflows/container-registry-purge.yml +++ b/.github/workflows/container-registry-purge.yml @@ -65,7 +65,6 @@ jobs: done - check-failures: name: Check for failures if: always() @@ -96,7 +95,7 @@ jobs: uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f if: failure() with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fb1e5adc6..c2dada71e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -111,7 +111,7 @@ jobs: - name: Retrieve secrets id: retrieve-secrets env: - VAULT_NAME: "bitwarden-prod-kv" + VAULT_NAME: "bitwarden-ci" run: | webapp_name=$( az keyvault secret show --vault-name $VAULT_NAME \ @@ -239,7 +239,7 @@ jobs: uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff with: azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - azure-keyvault-name: "bitwarden-prod-kv" + azure-keyvault-name: "bitwarden-ci" - name: Pull latest project image if: matrix.origin_docker_repo == 'bitwarden' diff --git a/.github/workflows/stop-staging-slots.yml b/.github/workflows/stop-staging-slots.yml index 6fb22046c..a2e0120f5 100644 --- a/.github/workflows/stop-staging-slots.yml +++ b/.github/workflows/stop-staging-slots.yml @@ -5,7 +5,6 @@ on: workflow_dispatch: inputs: {} - jobs: stop-slots: name: Stop Slots @@ -37,7 +36,7 @@ jobs: - name: Retrieve secrets id: retrieve-secrets env: - VAULT_NAME: "bitwarden-prod-kv" + VAULT_NAME: "bitwarden-ci" run: | webapp_name=$( az keyvault secret show --vault-name $VAULT_NAME \ diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 022b6073e..335951fed 100644 --- a/.github/workflows/version-bump.yml 
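Review bot: The `setup-docker-trust` step in release.yml still passes `azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}` while `azure-keyvault-name` now points at `bitwarden-ci`, and here the mismatch is visible in the hunk itself. For this to work the production principal must hold read access on the CI vault, which works against the separation the commit title describes. If the action accepts the same credential format, `azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}` would keep the release job from depending on a production credential for a CI-vault lookup; otherwise a comment should state why the production principal is required here.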
+++ b/.github/workflows/version-bump.yml @@ -25,7 +25,7 @@ jobs: id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af with: - keyvault: "bitwarden-prod-kv" + keyvault: "bitwarden-ci" secrets: "github-gpg-private-key, github-gpg-private-key-passphrase" - name: Import GPG key
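Review bot: `github-gpg-private-key` and `github-gpg-private-key-passphrase` are now read from `bitwarden-ci`, the same vault the other workflows in this commit use for Slack webhooks and Docker credentials, and nothing in the hunk says who else can read it. A commit-signing key has a wider impact than a webhook URL, because any principal with read access to the vault could produce signatures as the bot. If access to the vault is granted vault-wide, these two secrets would be better held under a narrower grant; at minimum I would add a comment above the step, `# signing key and passphrase: read access should be limited to this workflow's principal`. The login step for this job is outside the hunk, so which principal performs the read cannot be confirmed from here.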