bitwarden · AmyLGalles · Apr 16, 2026 · Apr 9, 2026 · Apr 9, 2026 · Apr 10, 2026
diff --git a/.github/workflows/_move_edd_db_scripts.yml b/.github/workflows/_move_edd_db_scripts.yml
@@ -20,27 +20,9 @@ jobs:
       copy_edd_scripts: ${{ steps.check-script-existence.outputs.copy_edd_scripts }}
 
     steps:
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Check out branch
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
           persist-credentials: false
 
       - name: Get script prefix
@@ -64,14 +46,46 @@ jobs:
       contents: write
       pull-requests: write
       id-token: write
-      actions: read
     if: ${{ needs.setup.outputs.copy_edd_scripts == 'true' }}
     steps:
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Retrieve Slack secrets
+        id: retrieve-slack
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "devops-alerts-slack-webhook-url"
+
+      - name: Retrieve secrets
+        id: retrieve-secret
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
+        with:
+          app-id: ${{ steps.retrieve-secret.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.retrieve-secret.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: true
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Generate branch name
         id: branch_name
@@ -82,7 +96,9 @@ jobs:
       - name: "Create branch"
         env:
           BRANCH: ${{ steps.branch_name.outputs.branch_name }}
-        run: git switch -c "$BRANCH"
+        run: |
+          git switch -c "$BRANCH"
+          git push -u origin "$BRANCH"
 
       - name: Move scripts and finalization database schema
         id: move-files
@@ -134,58 +150,32 @@ jobs:
           done
 
           echo "moved_files=$moved_files" >> "$GITHUB_OUTPUT"
-
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-gpg-private-key,
-            github-gpg-private-key-passphrase,
-            devops-alerts-slack-webhook-url"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Import GPG keys
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
-        with:
-          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
-          passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-
-      - name: Commit and push changes
+
+      - name: Check for changes
         id: commit
-        env:
-          BRANCH_NAME: ${{ steps.branch_name.outputs.branch_name }}
         run: |
-          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
-          git config --local user.name "bitwarden-devops-bot"
           if [ -n "$(git status --porcelain)" ]; then
-            git add .
-            git commit -m "Move EDD database scripts" -a
-            git push -u origin "${BRANCH_NAME}"
             echo "pr_needed=true" >> "$GITHUB_OUTPUT"
           else
-            echo "No changes to commit!";
             echo "pr_needed=false" >> "$GITHUB_OUTPUT"
-            echo "### :mega: No changes to commit! PR was ommited." >> "$GITHUB_STEP_SUMMARY"
+            echo "No changes to commit!"
+            echo "### :mega: No changes to commit! PR was omitted." >> "$GITHUB_STEP_SUMMARY"
           fi
 
+      - name: Commit and push changes
+        if: ${{ steps.commit.outputs.pr_needed == 'true' }}
+        uses: bitwarden/gh-actions/api-commit@main
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          branch: ${{ steps.branch_name.outputs.branch_name }}
+          message: "Move EDD database scripts"
+
       - name: Create PR for ${{ steps.branch_name.outputs.branch_name }}
         if: ${{ steps.commit.outputs.pr_needed == 'true' }}
         id: create-pr
         env:
           BRANCH: ${{ steps.branch_name.outputs.branch_name }}
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           MOVED_FILES: ${{ steps.move-files.outputs.moved_files }}
           TITLE: "Move EDD database scripts"
         run: |
@@ -205,7 +195,7 @@ jobs:
         if: ${{ steps.commit.outputs.pr_needed == 'true' }}
         uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
         env:
-          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
+          SLACK_WEBHOOK_URL: ${{ steps.retrieve-slack.outputs.devops-alerts-slack-webhook-url }}
         with:
           message: "Created PR for moving EDD database scripts: ${{ steps.create-pr.outputs.pr_url }}"
           status: ${{ job.status }}
@@ -21,20 +21,28 @@ jobs:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve bot secrets
-        id: retrieve-bot-secrets
+        id: retrieve-secret
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: bitwarden-ci
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+        id: app-token
+        with:
+          app-id: ${{ steps.retrieve-secret.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.retrieve-secret.outputs.BW-GHAPP-KEY }}
+          owner: ${{ github.repository_owner }}
+
       - name: Checkout main
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: main
-          token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          token: ${{ steps.app-token.outputs.token }}
           persist-credentials: false
           fetch-depth: 0