[BRE 1670] update token for build workflows (#19660)

* replace PAT with github app token

* test deploy

* remove test conditions

* replace PAT with github app token

* add repositories

* add if to match related steps

* temporarily disable ifs to test token generation

* dry run

* remove test conditions

* fix built-in token

* trying with github token

* speed up test process

* trying with github token

* revert to working state

* try again with built in token

* remove test conditions

* try again with built in token

* try test conditions

* try test conditions

* try test conditions

* try test conditions

* try test conditions

* remove test conditions

* found straggling test conditions

* upddating branches
This commit is contained in:
Amy Galles 2026-04-06 11:12:59 -07:00 committed by GitHub
parent 65583f6452
commit cd4698c9c0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 4 additions and 35 deletions

View File

@ -407,7 +407,6 @@ jobs:
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/azure-logout@main
crowdin-push:
name: Crowdin Push
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
@ -453,7 +452,6 @@ jobs:
upload_sources: true
upload_translations: false
trigger-web-vault-deploy:
name: Trigger web vault deploy
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
@ -461,6 +459,7 @@ jobs:
needs: build-containers
permissions:
id-token: write
actions: write
steps:
- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
@ -469,20 +468,10 @@ jobs:
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve github PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main
- name: Trigger web vault deploy using GitHub Run ID
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'bitwarden',
@ -495,7 +484,6 @@ jobs:
}
})
check-failures:
name: Check for failures
if: always()

View File

@ -189,6 +189,7 @@ jobs:
permissions:
contents: read
id-token: write
actions: write
env:
_ENVIRONMENT_ARTIFACT: ${{ needs.setup.outputs.environment_artifact }}
outputs:
@ -218,26 +219,6 @@ jobs:
branch: ${{ inputs.branch-or-tag }}
artifacts: ${{ env._ENVIRONMENT_ARTIFACT }}
- name: Log in to Azure
if: ${{ steps.download-latest-artifacts.outcome == 'failure' }}
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets for Build trigger
if: ${{ steps.download-latest-artifacts.outcome == 'failure' }}
id: retrieve-secret
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Log out from Azure
if: ${{ steps.download-latest-artifacts.outcome == 'failure' }}
uses: bitwarden/gh-actions/azure-logout@main
- name: 'Trigger build web for missing branch/tag ${{ inputs.branch-or-tag }}'
if: ${{ steps.download-latest-artifacts.outcome == 'failure' }}
uses: convictional/trigger-workflow-and-wait@f69fa9eedd3c62a599220f4d5745230e237904be # v1.6.5
@ -245,7 +226,7 @@ jobs:
with:
owner: bitwarden
repo: clients
github_token: ${{ steps.retrieve-secret.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
github_token: ${{ secrets.GITHUB_TOKEN }}
workflow_file_name: build-web.yml
ref: ${{ inputs.branch-or-tag }}
wait_interval: 100