diff --git a/.github/workflows/build-swift.yml b/.github/workflows/build-swift.yml
index 4b690c7ae..bc5d1940b 100644
--- a/.github/workflows/build-swift.yml
+++ b/.github/workflows/build-swift.yml
@@ -13,6 +13,8 @@ jobs: version: name: Get Version runs-on: ubuntu-24.04 + permissions: + contents: read outputs: package_version: ${{ steps.retrieve-version.outputs.package_version }} steps:
@@ -29,6 +31,8 @@ jobs: name: Build runs-on: macos-14 needs: version + permissions: + contents: read env: _VERSION: ${{ needs.version.outputs.package_version }} steps:
@@ -95,11 +99,17 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-24.04 needs: build + permissions: + contents: read + id-token: write steps: - - name: Login to Azure - CI Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve github PAT secrets id: retrieve-secret-pat
@@ -108,6 +118,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Trigger Swift release uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with:
diff --git a/.github/workflows/build-wasm-internal.yml b/.github/workflows/build-wasm-internal.yml
index 7afe8fe66..a29b6cd8a 100644
--- a/.github/workflows/build-wasm-internal.yml
+++ b/.github/workflows/build-wasm-internal.yml
@@ -18,6 +18,8 @@ jobs: build: name: Building @bitwarden/sdk-wasm-internal runs-on: ubuntu-24.04 + permissions: + contents: read steps: - name: Checkout repo 
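Review bot: The new `uses: bitwarden/gh-actions/azure-login@main` in the `@@ -95,11 +99,17 @@` hunk replaces a SHA-pinned `Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0` with a mutable branch reference, inside a job that now holds `id-token: write` and uses the resulting Azure session to read Key Vault secrets, so any change on that branch is picked up by the next run without review in this repository. The same `@main` references appear in the login and logout hunks of build-wasm-internal.yml, publish-rust-crates.yml, publish-wasm-internal.yml, release-swift.yml, scan.yml and version-bump.yml; the files already reference `bitwarden/gh-actions/download-artifacts@main`, so this follows the existing convention, but the login action is the one gating credential access. Pinning it the way the other actions are pinned, `uses: bitwarden/gh-actions/azure-login@<commit-sha> # <tag>` (placeholder values), would keep the file consistent. The `id: azure-login` added to each login step is not referenced anywhere in the visible hunks; if nothing later reads `steps.azure-login`, it can be dropped.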
@@ -94,11 +96,16 @@ jobs: if: github.ref == 'refs/heads/main' runs-on: ubuntu-24.04 needs: build + permissions: + id-token: write steps: - - name: Login to Azure - CI Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve github PAT secrets id: retrieve-secret-pat
@@ -107,6 +114,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Trigger WASM publish uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with:
diff --git a/.github/workflows/publish-rust-crates.yml b/.github/workflows/publish-rust-crates.yml
index 68af5bf2f..2eccb61f2 100644
--- a/.github/workflows/publish-rust-crates.yml
+++ b/.github/workflows/publish-rust-crates.yml
@@ -23,6 +23,8 @@ jobs: setup: name: Setup runs-on: ubuntu-24.04 + permissions: + contents: read outputs: release-version: ${{ steps.version-output.outputs.version }} release-tag: ${{ steps.version-output.outputs.tag_name }} 
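Review bot: The job-level `permissions:` added in the `@@ -94,11 +96,16 @@` hunk grants only `id-token: write`, whereas the matching trigger job in build-swift.yml (`@@ -95,11 +99,17 @@`) gets `contents: read` as well, although both jobs run what looks like the same sequence (Azure login, PAT retrieval, logout, `actions/github-script` trigger). Declaring a job-level block sets every unlisted scope to none, so the two jobs now run with different `GITHUB_TOKEN` grants. Neither hunk shows a checkout step and the job header is outside the hunk, so which of the two is right cannot be settled from the diff: if neither job reads the repository through `GITHUB_TOKEN`, `id-token: write` alone is the tighter grant and build-swift.yml could drop its `contents: read`; otherwise this job should add `contents: read` next to `id-token: write`.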
@@ -60,16 +62,23 @@ jobs: name: Publish runs-on: ubuntu-24.04 needs: setup + permissions: + id-token: write + contents: read + deployments: write steps: - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ needs.setup.outputs.release-tag }} - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets
@@ -78,6 +87,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "cratesio-api-token" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Install rust uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable with:
diff --git a/.github/workflows/publish-wasm-internal.yml b/.github/workflows/publish-wasm-internal.yml
index b11e585f1..ff08e015f 100644
--- a/.github/workflows/publish-wasm-internal.yml
+++ b/.github/workflows/publish-wasm-internal.yml
@@ -24,6 +24,8 @@ jobs: setup: name: Setup runs-on: ubuntu-24.04 + permissions: + contents: read outputs: release-version: ${{ steps.version-output.outputs.version }} steps:
@@ -58,6 +60,9 @@ jobs: name: Publish NPM runs-on: ubuntu-24.04 needs: setup + permissions: + contents: read + id-token: write steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
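Review bot: The `permissions:` block added in the `@@ -60,16 +62,23 @@` hunk grants `deployments: write`, but nothing in the hunk creates or updates a deployment; the Publish job continues past the hunk (`Install rust` and later steps), so presumably a deployment-status step further down needs it — worth confirming, and dropping the scope if nothing does, since it is the only job in this diff that asks for it. Stylistically the keys here are ordered `id-token, contents, deployments` while every other job in this diff lists `contents: read` before `id-token: write`; writing them as `contents: read` / `deployments: write` / `id-token: write` would keep the workflows uniform.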
@@ -67,10 +72,13 @@ jobs: with: node-version: 20 - - name: Login to Azure - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets
@@ -79,6 +87,9 @@ jobs: keyvault: "bitwarden-ci" secrets: "npm-api-key" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Download artifact uses: bitwarden/gh-actions/download-artifacts@main with:
diff --git a/.github/workflows/release-swift.yml b/.github/workflows/release-swift.yml
index b5fb347e9..a3b8fece0 100644
--- a/.github/workflows/release-swift.yml
+++ b/.github/workflows/release-swift.yml
@@ -32,6 +32,8 @@ jobs: validate: name: Set Version and SHA runs-on: ubuntu-24.04 + permissions: + contents: read outputs: version: ${{ steps.version.outputs.version }} sha: ${{ steps.set-sha.outputs.sha }}
@@ -103,6 +105,9 @@ jobs: name: Push changed files to SDK Swift repo runs-on: ubuntu-24.04 needs: validate + permissions: + contents: read + id-token: write env: _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com _BOT_NAME: bitwarden-devops-bot
@@ -126,10 +131,13 @@ jobs: echo "ref=main" >> $GITHUB_OUTPUT fi - - name: Login to Azure - Prod Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets 
@@ -140,6 +148,9 @@ jobs: github-gpg-private-key-passphrase, github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Checkout SDK-Swift repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with:
@@ -221,15 +232,22 @@ jobs: needs: - validate - repo-sync + permissions: + actions: read + contents: write + id-token: write env: _PKG_VERSION: ${{ needs.validate.outputs.version }} _RELEASE_NAME: ${{ needs.validate.outputs.release_name }} _BUILD_RUN_ID: ${{ needs.validate.outputs.run_id }} steps: - - name: Login to Azure - Prod Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets
@@ -238,6 +256,9 @@ jobs: keyvault: ${{ env._KEY_VAULT }} secrets: "github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Download BitwardenEFI artifact uses: bitwarden/gh-actions/download-artifacts@main id: download-artifact
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index a8849094e..e5e256c4a 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -33,6 +33,7 @@ jobs: contents: read pull-requests: write security-events: write + id-token: write steps: - name: Check out repo 
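Review bot: In the `@@ -221,15 +232,22 @@` hunk the removed step was labelled `Login to Azure - Prod Subscription` and the job reads its PAT from `keyvault: ${{ env._KEY_VAULT }}` (set outside the hunk), yet the replacement logs in with the same `AZURE_SUBSCRIPTION_ID` / `AZURE_TENANT_ID` / `AZURE_CLIENT_ID` secrets that the CI workflows use against the literal `bitwarden-ci` vault. The removed step already used the CI principal (`AZURE_KV_CI_SERVICE_PRINCIPAL`), so this is most likely a label cleanup rather than a change of identity, but it is worth confirming that the federated identity behind `AZURE_CLIENT_ID` has secret-read access to whatever `_KEY_VAULT` resolves to in this workflow before the first release run exercises it. The same relabelling occurs in the `@@ -126,10 +131,13 @@` hunk of this file. A short comment on the login step, such as `# Federated identity (AZURE_CLIENT_ID) must hold get-secret rights on _KEY_VAULT`, would record the dependency for the next maintainer.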
@@ -40,16 +41,34 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with Checkmarx uses: checkmarx/ast-github-action@9fda4ab4c1b67c35de380552a972a82997d97731 # 2.0.42 env: INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}" with: project_name: ${{ github.repository }} - cx_tenant: ${{ secrets.CHECKMARX_TENANT }} + cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }} base_uri: https://ast.checkmarx.net/ - cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }} - cx_client_secret: ${{ secrets.CHECKMARX_SECRET }} + cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }} + cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }} additional_params: | --report-format sarif \ --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
@@ -69,6 +88,7 @@ jobs: permissions: contents: read pull-requests: write + id-token: write steps: - name: Check out repo 
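Review bot: The Checkmarx credentials in the `@@ -40,16 +41,34 @@` hunk now reach the scan step through step outputs (`steps.get-kv-secrets.outputs.CHECKMARX-SECRET` and the two siblings) instead of `secrets.*`; the runner redacts `secrets.*` values in logs automatically but only redacts a step output if the producing action registered it with `::add-mask::`, so log hygiene now depends on `bitwarden/gh-actions/get-keyvault-secrets` doing that — presumably it does, but it is worth confirming, as the same pattern carries `SONAR_TOKEN` in the `@@ -77,10 +97,28 @@` hunk. Both jobs check out `github.event.pull_request.head.sha`; if this workflow also runs on `pull_request` events from forks, no OIDC token is issued for those runs and the new login step will fail before the scan, where previously the scan step ran with empty credentials — a harmless change of failure point, but one a maintainer may want a comment on. Minor: `keyvault: gh-org-bitwarden` is unquoted here while the other workflows in this diff write `keyvault: "bitwarden-ci"`; `keyvault: "gh-org-bitwarden"` would match.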
@@ -77,10 +97,28 @@ jobs: fetch-depth: 0 ref: ${{ github.event.pull_request.head.sha }} + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Get Azure Key Vault secrets + id: get-kv-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "SONAR-TOKEN" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Scan with SonarCloud uses: sonarsource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0 env: - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }} with: args: > -Dsonar.organization=${{ github.repository_owner }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
index 729792bca..8753c9125 100644
--- a/.github/workflows/version-bump.yml
+++ b/.github/workflows/version-bump.yml
@@ -22,6 +22,9 @@ jobs: bump_version: name: "Bump ${{ inputs.project }} Version to v${{ inputs.version_number }}" runs-on: ubuntu-24.04 + permissions: + contents: read + id-token: write steps: - name: Install rust uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
@@ -34,10 +37,13 @@ jobs: - name: Install cargo-release run: cargo install cargo-edit --locked - - name: Login to Azure - CI Subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + - name: Log in to Azure + id: azure-login + uses: bitwarden/gh-actions/azure-login@main with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets 
@@ -48,6 +54,9 @@ jobs: github-gpg-private-key-passphrase, github-pat-bitwarden-devops-bot-repo-scope" + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + - name: Checkout Branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with:
@@ -162,6 +171,8 @@ jobs: needs: bump_version if: ${{ inputs.cut_rc_branch == true }} runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Checkout Branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2