From 145c19da22607a4870560e39fdd71ca10bf022b9 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Tue, 15 Jul 2025 16:05:10 -0400
Subject: [PATCH] [BRE-831] migrate secrets akv (#5347)
---
 .github/workflows/build-authenticator.yml | 25 ++++++--
 .github/workflows/build.yml | 71 +++++++++++++++--------
 .github/workflows/crowdin-pull.yml | 23 ++++++--
 .github/workflows/crowdin-push.yml | 10 +++-
 .github/workflows/github-release.yml | 22 ++++++-
 .github/workflows/scan-ci.yml | 45 ++++++++++++--
 .github/workflows/scan.yml | 44 ++++++++++++--
 7 files changed, 194 insertions(+), 46 deletions(-)
diff --git a/.github/workflows/build-authenticator.yml b/.github/workflows/build-authenticator.yml
index 6d55e6d0b1..fdc8861846 100644
--- a/.github/workflows/build-authenticator.yml
+++ b/.github/workflows/build-authenticator.yml
@@ -32,6 +32,7 @@ env: permissions: contents: read packages: read + id-token: write jobs: build:
@@ -122,9 +123,18 @@ jobs: bundle install --jobs 4 --retry 3 - name: Log in to Azure - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-android + secrets: "BWA-AAB-KEYSTORE-STORE-PASSWORD,BWA-AAB-KEYSTORE-KEY-PASSWORD,BWA-APK-KEYSTORE-STORE-PASSWORD,BWA-APK-KEYSTORE-KEY-PASSWORD" - name: Retrieve secrets env: 
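Review bot: `id-token: write` is added to the workflow-level `permissions:` block (the one directly above `jobs:`), so every job in build-authenticator.yml may mint an OIDC token although only the job that runs the new azure-login step needs one; the first hunk of build.yml does the same. The other five workflows in this patch put `id-token: write` in the job's own `permissions:` block, which is the least-privilege form. A job-level block replaces the workflow-level set, so the `build` job would need to restate `contents: read` and `packages: read` next to `id-token: write`, leaving any other jobs with the read-only workflow defaults.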
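Review bot: `uses: bitwarden/gh-actions/azure-login@main` and `uses: bitwarden/gh-actions/get-keyvault-secrets@main` reference a mutable branch, whereas the line they replace was pinned to a commit (`Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0`) and every other `uses:` visible in this patch (checkout, gradle wrapper-validation, upload-artifact, create-github-app-token, checkmarx, sonarqube) is SHA-pinned with a version comment. Because the job now holds `id-token: write` and the fetched Key Vault values, whatever lands on that branch runs with those privileges on the next workflow run; pin each composite action to a full commit SHA with the tag in a trailing comment, e.g. `uses: bitwarden/gh-actions/azure-login@<commit-sha> # <tag>`. The same applies to every azure-login, get-keyvault-secrets and azure-logout line added in the remaining hunks of build-authenticator.yml, build.yml, crowdin-pull.yml, crowdin-push.yml, github-release.yml, scan-ci.yml and scan.yml.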
@@ -168,6 +178,9 @@ jobs: az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ --name authenticator_play_store-creds.json --file ${{ github.workspace }}/secrets/authenticator_play_store-creds.json --output none + - name: AZ Logout + uses: bitwarden/gh-actions/azure-logout@main + - name: Verify Play Store credentials if: ${{ inputs.publish-to-play-store }} run: | @@ -222,18 +235,18 @@ jobs: run: | bundle exec fastlane bundleAuthenticatorRelease \ storeFile:${{ github.workspace }}/keystores/authenticator_aab-keystore.jks \ - storePassword:'${{ secrets.BWA_AAB_KEYSTORE_STORE_PASSWORD }}' \ + storePassword:'${{ steps.get-kv-secrets.outputs.BWA-AAB-KEYSTORE-STORE-PASSWORD }}' \ keyAlias:authenticatorupload \ - keyPassword:'${{ secrets.BWA_AAB_KEYSTORE_KEY_PASSWORD }}' + keyPassword:'${{ steps.get-kv-secrets.outputs.BWA-AAB-KEYSTORE-KEY-PASSWORD }}' - name: Generate release Play Store APK if: ${{ matrix.variant == 'apk' }} run: | bundle exec fastlane buildAuthenticatorRelease \ storeFile:${{ github.workspace }}/keystores/authenticator_apk-keystore.jks \ - storePassword:'${{ secrets.BWA_APK_KEYSTORE_STORE_PASSWORD }}' \ + storePassword:'${{ steps.get-kv-secrets.outputs.BWA-APK-KEYSTORE-STORE-PASSWORD }}' \ keyAlias:bitwardenauthenticator \ - keyPassword:'${{ secrets.BWA_APK_KEYSTORE_KEY_PASSWORD }}' + keyPassword:'${{ steps.get-kv-secrets.outputs.BWA-APK-KEYSTORE-KEY-PASSWORD }}' - name: Upload release Play Store .aab artifact if: ${{ matrix.variant == 'aab' }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 432b965be6..8e1a5d0829 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -33,6 +33,7 @@ env: permissions: contents: read packages: read + id-token: write jobs: build: 
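Review bot: The new `AZ Logout` step carries no `if:` condition, so it is skipped whenever an earlier step fails (for example the `az storage blob download` command just above it), and the Azure CLI session stays on the runner for the rest of the job. Adding `if: always()` to the step makes the cleanup run regardless of outcome; where the job runs on an ephemeral hosted runner the residual risk is small, but a cleanup step should not be conditional on success. The same applies to the logout steps added in build.yml, crowdin-pull.yml, crowdin-push.yml, github-release.yml, scan-ci.yml and scan.yml. The name `AZ Logout` also differs from the `Log out from Azure` used for the identical step in every other workflow of this patch.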
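Review bot: `storePassword:'${{ steps.get-kv-secrets.outputs.BWA-AAB-KEYSTORE-STORE-PASSWORD }}'` and its three sibling lines interpolate the password into the `run:` script before bash parses it, so a value containing a single quote or a backslash breaks the command line or is read as shell syntax, and the literal is written into the rendered script. Passing each value through the step's `env:` and referencing it as a double-quoted shell variable, e.g. `storePassword:"$BWA_AAB_KEYSTORE_STORE_PASSWORD"`, avoids that. Note also that values from `secrets.*` are masked in logs by the runner automatically, whereas `steps.*.outputs.*` values are masked only if the producing action registers them with `::add-mask::`; confirm that `get-keyvault-secrets` does this, since the same substitution pattern is used by every workflow in this patch.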
@@ -130,9 +131,18 @@ jobs: bundle install --jobs 4 --retry 3 - name: Log in to Azure - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-android + secrets: "UPLOAD-KEYSTORE-PASSWORD,UPLOAD-BETA-KEYSTORE-PASSWORD,UPLOAD-BETA-KEY-PASSWORD,PLAY-KEYSTORE-PASSWORD,PLAY-BETA-KEYSTORE-PASSWORD,PLAY-BETA-KEY-PASSWORD" - name: Retrieve secrets env: @@ -169,6 +179,9 @@ jobs: az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ --name app_play_prod_firebase-creds.json --file ${{ github.workspace }}/secrets/app_play_prod_firebase-creds.json --output none + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Validate Gradle wrapper uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1 
@@ -216,48 +229,48 @@ jobs: - name: Generate release Play Store bundle if: ${{ matrix.variant == 'prod' && matrix.artifact == 'aab' }} env: - UPLOAD_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_KEYSTORE_PASSWORD }} + UPLOAD-KEYSTORE-PASSWORD: ${{ steps.get-kv-secrets.outputs.UPLOAD-KEYSTORE-PASSWORD }} run: | bundle exec fastlane bundlePlayStoreRelease \ storeFile:app_upload-keystore.jks \ - storePassword:${{ env.UPLOAD_KEYSTORE_PASSWORD }} \ + storePassword:${{ env.UPLOAD-KEYSTORE-PASSWORD }} \ keyAlias:upload \ - keyPassword:${{ env.UPLOAD_KEYSTORE_PASSWORD }} + keyPassword:${{ env.UPLOAD-KEYSTORE-PASSWORD }} - name: Generate beta Play Store bundle if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'aab') }} env: - UPLOAD_BETA_KEYSTORE_PASSWORD: ${{ secrets.UPLOAD_BETA_KEYSTORE_PASSWORD }} - UPLOAD_BETA_KEY_PASSWORD: ${{ secrets.UPLOAD_BETA_KEY_PASSWORD }} + UPLOAD-BETA-KEYSTORE-PASSWORD: ${{ steps.get-kv-secrets.outputs.UPLOAD-BETA-KEYSTORE-PASSWORD }} + UPLOAD-BETA-KEY-PASSWORD: ${{ steps.get-kv-secrets.outputs.UPLOAD-BETA-KEY-PASSWORD }} run: | bundle exec fastlane bundlePlayStoreBeta \ storeFile:app_beta_upload-keystore.jks \ - storePassword:${{ env.UPLOAD_BETA_KEYSTORE_PASSWORD }} \ + storePassword:${{ env.UPLOAD-BETA-KEYSTORE-PASSWORD }} \ keyAlias:bitwarden-beta-upload \ - keyPassword:${{ env.UPLOAD_BETA_KEY_PASSWORD }} + keyPassword:${{ env.UPLOAD-BETA-KEY-PASSWORD }} - name: Generate release Play Store APK if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} env: - PLAY_KEYSTORE_PASSWORD: ${{ secrets.PLAY_KEYSTORE_PASSWORD }} + PLAY-KEYSTORE-PASSWORD: ${{ steps.get-kv-secrets.outputs.PLAY-KEYSTORE-PASSWORD }} run: | bundle exec fastlane assemblePlayStoreReleaseApk \ storeFile:app_play-keystore.jks \ - storePassword:${{ env.PLAY_KEYSTORE_PASSWORD }} \ + storePassword:${{ env.PLAY-KEYSTORE-PASSWORD }} \ keyAlias:bitwarden \ - keyPassword:${{ env.PLAY_KEYSTORE_PASSWORD }} + keyPassword:${{ env.PLAY-KEYSTORE-PASSWORD }} - name: Generate beta 
Play Store APK if: ${{ (matrix.variant == 'prod') && (matrix.artifact == 'apk') }} env: - PLAY_BETA_KEYSTORE_PASSWORD: ${{ secrets.PLAY_BETA_KEYSTORE_PASSWORD }} - PLAY_BETA_KEY_PASSWORD: ${{ secrets.PLAY_BETA_KEY_PASSWORD }} + PLAY-BETA-KEYSTORE-PASSWORD: ${{ steps.get-kv-secrets.outputs.PLAY-BETA-KEYSTORE-PASSWORD }} + PLAY-BETA-KEY-PASSWORD: ${{ steps.get-kv-secrets.outputs.PLAY-BETA-KEY-PASSWORD }} run: | bundle exec fastlane assemblePlayStoreBetaApk \ storeFile:app_beta_play-keystore.jks \ - storePassword:${{ env.PLAY_BETA_KEYSTORE_PASSWORD }} \ + storePassword:${{ env.PLAY-BETA-KEYSTORE-PASSWORD }} \ keyAlias:bitwarden-beta \ - keyPassword:${{ env.PLAY_BETA_KEY_PASSWORD }} + keyPassword:${{ env.PLAY-BETA-KEY-PASSWORD }} - name: Generate debug Play Store APKs if: ${{ (matrix.variant != 'prod') && (matrix.artifact == 'apk') }} @@ -429,9 +442,18 @@ jobs: bundle install --jobs 4 --retry 3 - name: Log in to Azure - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-android + secrets: "FDROID-KEYSTORE-PASSWORD,FDROID-BETA-KEYSTORE-PASSWORD,FDROID-BETA-KEY-PASSWORD" - name: Retrieve secrets env: @@ -454,6 +476,9 @@ jobs: az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ --name app_fdroid_firebase-creds.json --file ${{ github.workspace }}/secrets/app_fdroid_firebase-creds.json --output none + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Validate Gradle wrapper uses: gradle/actions/wrapper-validation@06832c7b30a0129d7fb559bcc6e43d26f6374244 # v4.3.1 
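Review bot: The renamed `env:` keys `UPLOAD-KEYSTORE-PASSWORD`, `UPLOAD-BETA-KEYSTORE-PASSWORD`, `UPLOAD-BETA-KEY-PASSWORD`, `PLAY-KEYSTORE-PASSWORD`, `PLAY-BETA-KEYSTORE-PASSWORD` and `PLAY-BETA-KEY-PASSWORD` contain hyphens, which are not valid in POSIX shell variable names, so the values can only be reached through `${{ env.… }}` interpolation into the script text and never as `$VAR` from the shell. The environment variable name is independent of the Key Vault secret it is bound to, so keeping the original underscore names (`UPLOAD_KEYSTORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.UPLOAD-KEYSTORE-PASSWORD }}`) and referencing them as `storePassword:"$UPLOAD_KEYSTORE_PASSWORD"` keeps a password containing quotes or spaces out of the parsed command line. That form also matches the F-Droid hunks later in this file, where `FDROID_STORE_PASSWORD` keeps the underscore form while the beta hunk switches to hyphenated names.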
@@ -508,7 +533,7 @@ jobs: echo "Version Number: $VERSION_CODE" >> $GITHUB_STEP_SUMMARY - name: Generate F-Droid artifacts env: - FDROID_STORE_PASSWORD: ${{ secrets.FDROID_KEYSTORE_PASSWORD }} + FDROID_STORE_PASSWORD: ${{ steps.get-kv-secrets.outputs.FDROID-KEYSTORE-PASSWORD }} run: | bundle exec fastlane assembleFDroidReleaseApk \ storeFile:app_fdroid-keystore.jks \ @@ -518,14 +543,14 @@ jobs: - name: Generate F-Droid Beta Artifacts env: - FDROID_BETA_KEYSTORE_PASSWORD: ${{ secrets.FDROID_BETA_KEYSTORE_PASSWORD }} - FDROID_BETA_KEY_PASSWORD: ${{ secrets.FDROID_BETA_KEY_PASSWORD }} + FDROID-BETA-KEYSTORE-PASSWORD: ${{ steps.get-kv-secrets.outputs.FDROID-BETA-KEYSTORE-PASSWORD }} + FDROID-BETA-KEY-PASSWORD: ${{ steps.get-kv-secrets.outputs.FDROID-BETA-KEY-PASSWORD }} run: | bundle exec fastlane assembleFDroidBetaApk \ storeFile:app_beta_fdroid-keystore.jks \ - storePassword:"${{ env.FDROID_BETA_KEYSTORE_PASSWORD }}" \ + storePassword:"${{ env.FDROID-BETA-KEYSTORE-PASSWORD }}" \ keyAlias:bitwarden-beta \ - keyPassword:"${{ env.FDROID_BETA_KEY_PASSWORD }}" + keyPassword:"${{ env.FDROID-BETA-KEY-PASSWORD }}" - name: Upload F-Droid .apk artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index 59d5f81009..5f42757cb4 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml @@ -13,6 +13,7 @@ jobs: permissions: contents: write pull-requests: write + id-token: write strategy: matrix: include: 
@@ -28,10 +29,19 @@ jobs: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Login to Azure - CI Subscription - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" - name: Retrieve secrets id: retrieve-secrets @@ -40,12 +50,15 @@ jobs: keyvault: "bitwarden-ci" secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Generate GH App token uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2 id: app-token with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} + app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} - name: Download translations for ${{ matrix.name }} uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0 diff --git a/.github/workflows/crowdin-push.yml b/.github/workflows/crowdin-push.yml index e9ac7a2d8f..3a9c59ac0e 100644 --- a/.github/workflows/crowdin-push.yml +++ b/.github/workflows/crowdin-push.yml 
@@ -13,14 +13,17 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: read + id-token: write steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Log in to Azure - uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets @@ -40,6 +43,9 @@ jobs: upload_sources: true upload_translations: false + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Upload sources for Authenticator uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0 env: diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml index 345b7416a2..8d11eaf831 100644 --- a/.github/workflows/github-release.yml +++ b/.github/workflows/github-release.yml @@ -21,6 +21,7 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: write + id-token: write steps: - name: Check out repository @@ -115,6 +116,23 @@ jobs: find $ARTIFACTS_PATH -type f fi + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-android + secrets: "JIRA-API-EMAIL,JIRA-API-TOKEN" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Get product release notes id: get_release_notes env: 
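Review bot: In crowdin-push.yml the `Log out from Azure` step lands after the first crowdin upload step (the one whose `upload_sources: true` / `upload_translations: false` lines open this hunk) rather than directly after `Retrieve secrets`, so the Azure CLI session is still live while a third-party action runs; every other workflow in this patch logs out as soon as the Key Vault values have been read. Moving the two added lines up to follow the `Retrieve secrets` step, whose body lies between the two hunks of this file, closes that window; the upload steps presumably read the retrieved values from step outputs rather than from the session, which is worth confirming before moving it.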
@@ -122,8 +140,8 @@ jobs: ARTIFACT_RUN_ID: ${{ inputs.artifact-run-id }} _VERSION_NAME: ${{ steps.get_release_info.outputs.version_name }} _RELEASE_TICKET_ID: ${{ inputs.release-ticket-id }} - _JIRA_API_EMAIL: ${{ secrets.JIRA_API_EMAIL }} - _JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + _JIRA_API_EMAIL: ${{ steps.get-kv-secrets.outputs.JIRA-API-EMAIL }} + _JIRA_API_TOKEN: ${{ steps.get-kv-secrets.outputs.JIRA-API-TOKEN }} run: | echo "Getting product release notes" product_release_notes=$(python3 .github/scripts/jira-get-release-notes/jira_release_notes.py $_RELEASE_TICKET_ID $_JIRA_API_EMAIL $_JIRA_API_TOKEN) diff --git a/.github/workflows/scan-ci.yml b/.github/workflows/scan-ci.yml index 0091ece10f..8a4246426f 100644 --- a/.github/workflows/scan-ci.yml +++ b/.github/workflows/scan-ci.yml @@ -13,6 +13,7 @@ jobs: permissions: contents: read security-events: write + id-token: write steps: - name: Check out repo 
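Review bot: `_JIRA_API_TOKEN: ${{ steps.get-kv-secrets.outputs.JIRA-API-TOKEN }}` moves the token from the `secrets` context, whose values the runner masks in logs automatically, to a step output, which is masked only if the producing action registers it with `::add-mask::`. That matters here because the context line below passes `$_JIRA_API_EMAIL $_JIRA_API_TOKEN` as command-line arguments to `jira_release_notes.py`, where they are visible in process listings and in any command echo; confirm the masking, and consider having the script read the two values from the environment instead (a change outside this hunk).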
@@ -20,14 +21,31 @@ jobs: with: fetch-depth: 0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with Checkmarx uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19 with: project_name: ${{ github.repository }} - cx_tenant: ${{ secrets.CHECKMARX_TENANT }} + cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }} base_uri: https://ast.checkmarx.net/ - cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CHECKMARX_SECRET }} + cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }} + cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }} additional_params: | --report-format sarif \ --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \ 
@@ -43,17 +61,36 @@ jobs: runs-on: ubuntu-24.04 permissions: contents: read + id-token: write steps: + - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "SONAR-TOKEN" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with SonarCloud uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0 env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }} with: args: > -Dsonar.organization=${{ github.repository_owner }} diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index f72bc72c7f..9fe35a9af5 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -28,6 +28,7 @@ jobs: contents: read pull-requests: write security-events: write + id-token: write steps: - name: Check out repo 
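Review bot: The lone `+` line inserted between `steps:` and `- name: Check out repo` is an empty line that no other job in scan-ci.yml or scan.yml has and that is unrelated to the secrets migration. Dropping it keeps the diff limited to the change the commit message describes.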
@@ -35,16 +36,33 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with Checkmarx uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19 env: INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}" with: project_name: ${{ github.repository }} - cx_tenant: ${{ secrets.CHECKMARX_TENANT }} + cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }} base_uri: https://ast.checkmarx.net/ - cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CHECKMARX_SECRET }} + cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }} + cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }} additional_params: | --report-format sarif \ --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \ @@ -64,6 +82,7 @@ jobs: permissions: contents: read pull-requests: write + id-token: write steps: - name: Check out repo 
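Review bot: This job checks out `ref: ${{ github.event.pull_request.head.sha }}` and now, before the Checkmarx scan, mints an OIDC token (`id-token: write` from the previous hunk) and reads the Checkmarx credentials into step outputs. Whether that checkout is trusted depends on the workflow trigger, which is outside this hunk: under `pull_request` GitHub grants neither secrets nor an id-token to fork PRs, but under `pull_request_target` the federated Azure identity and the fetched credentials would be present in a job that has checked out the PR's code. Confirm that the trigger is `pull_request`, or record in a comment on the login step why the token and credentials are safe in this job. The SonarCloud job's hunk at the end of this file has the same arrangement.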
@@ -72,10 +91,27 @@ jobs: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "SONAR-TOKEN" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with SonarCloud uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0 env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }} with: args: > -Dsonar.organization=${{ github.repository_owner }}