diff --git a/.github/workflows/_move_edd_db_scripts.yml b/.github/workflows/_move_edd_db_scripts.yml index 91d069da8db7..54daf6b3eed7 100644 --- a/.github/workflows/_move_edd_db_scripts.yml +++ b/.github/workflows/_move_edd_db_scripts.yml @@ -20,27 +20,9 @@ jobs: copy_edd_scripts: ${{ steps.check-script-existence.outputs.copy_edd_scripts }} steps: - - name: Log in to Azure - uses: bitwarden/gh-actions/azure-login@main - with: - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - client_id: ${{ secrets.AZURE_CLIENT_ID }} - - - name: Retrieve secrets - id: retrieve-secrets - uses: bitwarden/gh-actions/get-keyvault-secrets@main - with: - keyvault: "bitwarden-ci" - secrets: "github-pat-bitwarden-devops-bot-repo-scope" - - - name: Log out from Azure - uses: bitwarden/gh-actions/azure-logout@main - - name: Check out branch uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: - token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }} persist-credentials: false - name: Get script prefix @@ -64,14 +46,46 @@ jobs: contents: write pull-requests: write id-token: write - actions: read if: ${{ needs.setup.outputs.copy_edd_scripts == 'true' }} steps: + - name: Log in to Azure + uses: bitwarden/gh-actions/azure-login@main + with: + subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + tenant_id: ${{ secrets.AZURE_TENANT_ID }} + client_id: ${{ secrets.AZURE_CLIENT_ID }} + + - name: Retrieve Slack secrets + id: retrieve-slack + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: "bitwarden-ci" + secrets: "devops-alerts-slack-webhook-url" + + - name: Retrieve secrets + id: retrieve-secret + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + + - name: Log out from Azure + uses: bitwarden/gh-actions/azure-logout@main + + - name: Generate GH App token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-token + with: + app-id: ${{ steps.retrieve-secret.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.retrieve-secret.outputs.BW-GHAPP-KEY }} + owner: ${{ github.repository_owner }} + - name: Check out repo uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 persist-credentials: true + token: ${{ steps.app-token.outputs.token }} - name: Generate branch name id: branch_name @@ -82,7 +96,9 @@ jobs: - name: "Create branch" env: BRANCH: ${{ steps.branch_name.outputs.branch_name }} - run: git switch -c "$BRANCH" + run: | + git switch -c "$BRANCH" + git push -u origin "$BRANCH" - name: Move scripts and finalization database schema id: move-files @@ -134,58 +150,32 @@ jobs: done echo "moved_files=$moved_files" >> "$GITHUB_OUTPUT" - - - name: Log in to Azure - uses: bitwarden/gh-actions/azure-login@main - with: - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - client_id: ${{ secrets.AZURE_CLIENT_ID }} - - - name: Retrieve secrets - id: retrieve-secrets - uses: bitwarden/gh-actions/get-keyvault-secrets@main - with: - keyvault: "bitwarden-ci" - secrets: "github-gpg-private-key, - github-gpg-private-key-passphrase, - devops-alerts-slack-webhook-url" - - - name: Log out from Azure - uses: bitwarden/gh-actions/azure-logout@main - - - name: Import GPG keys - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0 - with: - gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }} - passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }} - git_user_signingkey: true - git_commit_gpgsign: true - - - name: Commit and push changes + + - name: Check for changes id: commit - env: - BRANCH_NAME: ${{ steps.branch_name.outputs.branch_name }} run: | - git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com" - git config --local user.name "bitwarden-devops-bot" if [ -n "$(git status --porcelain)" ]; then - git add . - git commit -m "Move EDD database scripts" -a - git push -u origin "${BRANCH_NAME}" echo "pr_needed=true" >> "$GITHUB_OUTPUT" else - echo "No changes to commit!"; echo "pr_needed=false" >> "$GITHUB_OUTPUT" - echo "### :mega: No changes to commit! PR was ommited." >> "$GITHUB_STEP_SUMMARY" + echo "No changes to commit!" + echo "### :mega: No changes to commit! PR was omitted." >> "$GITHUB_STEP_SUMMARY" fi + - name: Commit and push changes + if: ${{ steps.commit.outputs.pr_needed == 'true' }} + uses: bitwarden/gh-actions/api-commit@main + with: + token: ${{ steps.app-token.outputs.token }} + branch: ${{ steps.branch_name.outputs.branch_name }} + message: "Move EDD database scripts" + - name: Create PR for ${{ steps.branch_name.outputs.branch_name }} if: ${{ steps.commit.outputs.pr_needed == 'true' }} id: create-pr env: BRANCH: ${{ steps.branch_name.outputs.branch_name }} - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ steps.app-token.outputs.token }} MOVED_FILES: ${{ steps.move-files.outputs.moved_files }} TITLE: "Move EDD database scripts" run: | @@ -205,7 +195,7 @@ jobs: if: ${{ steps.commit.outputs.pr_needed == 'true' }} uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 env: - SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} + SLACK_WEBHOOK_URL: ${{ steps.retrieve-slack.outputs.devops-alerts-slack-webhook-url }} with: message: "Created PR for moving EDD database scripts: ${{ steps.create-pr.outputs.pr_url }}" status: ${{ job.status }} diff --git a/.github/workflows/cleanup-rc-branch.yml b/.github/workflows/cleanup-rc-branch.yml index 3ccccbdda163..c35770469965 100644 --- a/.github/workflows/cleanup-rc-branch.yml +++ b/.github/workflows/cleanup-rc-branch.yml @@ -21,20 +21,28 @@ jobs: client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve bot secrets - id: retrieve-bot-secrets + id: retrieve-secret uses: bitwarden/gh-actions/get-keyvault-secrets@main with: - keyvault: bitwarden-ci - secrets: "github-pat-bitwarden-devops-bot-repo-scope" + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main + - name: Generate GH App token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-token + with: + app-id: ${{ steps.retrieve-secret.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.retrieve-secret.outputs.BW-GHAPP-KEY }} + owner: ${{ github.repository_owner }} + - name: Checkout main uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: main - token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }} + token: ${{ steps.app-token.outputs.token }} persist-credentials: false fetch-depth: 0