From d6fbb9802fc19e640bc16f6598825b9f9e532e9a Mon Sep 17 00:00:00 2001 From: sneakernuts <671942+sneakernuts@users.noreply.github.com> Date: Fri, 7 Oct 2022 11:13:56 -0600 Subject: [PATCH 1/5] crowdin workflow update --- .github/workflows/crowdin-pull.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index 9aca46ebd69d..1e4749ead8cf 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml @@ -56,11 +56,14 @@ jobs: upload_sources: false upload_translations: false download_translations: true - github_user_name: "github-actions" - github_user_email: "<>" + github_user_name: "bitwarden-devops-bot" + github_user_email: "106330231+bitwarden-devops-bot@users.noreply.github.com" commit_message: "Autosync the updated translations" localization_branch_name: crowdin-auto-sync-${{ matrix.app_name }} create_pull_request: true pull_request_title: "Autosync Crowdin Translations for ${{ matrix.app_name }}" pull_request_body: "Autosync the updated translations" working_directory: apps/${{ matrix.app_name }} + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }} + From 1b472724b121bc54a02625f92860b290b8151e5e Mon Sep 17 00:00:00 2001 From: sneakernuts <671942+sneakernuts@users.noreply.github.com> Date: Fri, 7 Oct 2022 11:18:25 -0600 Subject: [PATCH 2/5] version bump workflow update --- .github/workflows/crowdin-pull.yml | 2 +- .github/workflows/version-bump.yml | 12 ++++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index 1e4749ead8cf..1f7fee75002b 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml @@ -65,5 +65,5 @@ jobs: pull_request_body: "Autosync the updated translations" working_directory: apps/${{ matrix.app_name }} gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }} + gpg_passphrase: ${{ secrets.PASSPHRASE }} diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 1fc0fde1bb36..fb19831ffe58 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -29,6 +29,14 @@ jobs: - name: Checkout Branch uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@v5 + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.PASSPHRASE }} + git_user_signingkey: true + git_commit_gpgsign: true + - name: Create Version Branch id: branch env: @@ -104,8 +112,8 @@ jobs: - name: Setup git run: | - git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com" - git config --local user.name "github-actions[bot]" + git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com" + git config --local user.name "bitwarden-devops-bot" - name: Check if version changed id: version-changed From 31ae9622d91f20b0f0ee946e73a542ad2ef92d0e Mon Sep 17 00:00:00 2001 From: sneakernuts <671942+sneakernuts@users.noreply.github.com> Date: Wed, 12 Oct 2022 09:07:21 -0600 Subject: [PATCH 3/5] pinned gha for importing gpg key --- .github/workflows/version-bump.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index fb19831ffe58..da8e4d8ea7d7 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -30,7 +30,7 @@ jobs: uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v5 + uses: crazy-max/ghaction-import-gpg@c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1 with: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.PASSPHRASE }} From 4bbcb62be14246c70a7a650f5b1c0c9fe6e56879 Mon Sep 17 00:00:00 2001 From: sneakernuts <671942+sneakernuts@users.noreply.github.com> Date: Thu, 13 Oct 2022 08:20:34 -0600 Subject: [PATCH 4/5] added steps for kv + updated import gpg key action --- .github/workflows/version-bump.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index da8e4d8ea7d7..8a3101bd2e84 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -29,11 +29,23 @@ jobs: - name: Checkout Branch uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 + - name: Login to Azure - Prod Subscription + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + with: + creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + + - name: Retrieve secrets + id: retrieve-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "github-gpg-private-key, github-gpg-private-key-passphrase" + - name: Import GPG key uses: crazy-max/ghaction-import-gpg@c8bb57c57e8df1be8c73ff3d59deab1dbc00e0d1 with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.PASSPHRASE }} + gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }} + passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }} git_user_signingkey: true git_commit_gpgsign: true From e0db024a17f1633a722f398ec5bb2a423fa35ace Mon Sep 17 00:00:00 2001 From: sneakernuts <671942+sneakernuts@users.noreply.github.com> Date: Thu, 13 Oct 2022 11:00:10 -0600 Subject: [PATCH 5/5] Updated crowdin workflow to utilize kv --- .github/workflows/crowdin-pull.yml | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index 1f7fee75002b..acb660177f73 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml @@ -32,17 +32,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-prod-kv - SECRETS: | - crowdin-api-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "::set-output name=$i::$VALUE" - done + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "crowdin-api-token, github-gpg-private-key, github-gpg-private-key-passphrase" - name: Download translations uses: bitwarden/gh-actions/crowdin@05052c5c575ceb09ceea397fe241879e199ed44b @@ -64,6 +57,6 @@ jobs: pull_request_title: "Autosync Crowdin Translations for ${{ matrix.app_name }}" pull_request_body: "Autosync the updated translations" working_directory: apps/${{ matrix.app_name }} - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - gpg_passphrase: ${{ secrets.PASSPHRASE }} + gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }} + gpg_passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}