19 changes: 16 additions & 3 deletions .github/workflows/publish.yml
Expand Up @@ -22,6 +22,9 @@ jobs:
setup:
name: Setup
runs-on: ubuntu-24.04
permissions:
contents: read

outputs:
release-version: ${{ steps.version-output.outputs.version }}
release-tag: ${{ steps.version-output.outputs.tag_name }}
Expand Down Expand Up @@ -59,16 +62,23 @@ jobs:
name: Publish
runs-on: ubuntu-24.04
needs: setup
permissions:
contents: read
id-token: write
deployments: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ needs.setup.outputs.release-tag }}

- name: Login to Azure
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
- name: Log in to Azure
id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}

- name: Retrieve secrets
id: retrieve-secrets
Expand All @@ -77,6 +87,9 @@ jobs:
keyvault: "bitwarden-ci"
secrets: "cratesio-api-token"

- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main

- name: Install rust
uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
with:
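Review bot: The new `Log in to Azure` and `Log out from Azure` steps reference `bitwarden/gh-actions/azure-login@main` and `bitwarden/gh-actions/azure-logout@main`, a mutable branch, while the third-party actions on the same lines (`actions/checkout@11bd71…` and the `Azure/login@e15b16…` being replaced) are pinned to a full commit SHA with a version comment. Because the `Publish` job now carries `id-token: write` and fetches live credentials from Key Vault, any future change on that branch flows into this privileged job without review in this repository; the existing `check-run.yml@main` reference in scan.yml suggests `@main` is the org's convention for its own actions, so this may be accepted risk, but if policy allows, pinning them the same way, e.g. `uses: bitwarden/gh-actions/azure-login@<commit-sha> # <tag>` (placeholders), keeps the supply-chain posture uniform. The same applies to the corresponding steps in scan.yml and version-bump.yml. The `Retrieve secrets` step's `uses:` line and the rest of the `Publish` job lie outside this hunk.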
48 changes: 44 additions & 4 deletions .github/workflows/scan.yml
Expand Up @@ -21,6 +21,8 @@ jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
permissions:
contents: read

sast:
name: SAST scan
Expand All @@ -30,23 +32,42 @@ jobs:
contents: read
pull-requests: write
security-events: write
id-token: write

steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Log in to Azure
id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}

- name: Get Azure Key Vault secrets
id: get-kv-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: gh-org-bitwarden
secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"

- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main

- name: Scan with Checkmarx
uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
env:
INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
with:
project_name: ${{ github.repository }}
cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
base_uri: https://ast.checkmarx.net/
cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
additional_params: |
--report-format sarif \
--filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
Expand All @@ -66,6 +87,7 @@ jobs:
permissions:
contents: read
pull-requests: write
id-token: write

steps:
- name: Check out repo
Expand All @@ -74,10 +96,28 @@ jobs:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}

- name: Log in to Azure
id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}

- name: Get Azure Key Vault secrets
id: get-kv-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: gh-org-bitwarden
secrets: "SONAR-TOKEN"

- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main

- name: Scan with SonarCloud
uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
with:
args: >
-Dsonar.organization=${{ github.repository_owner }}
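Review bot: The `sast` job (hunk `@@ -30,23 +32,42 @@`) and the `quality` job (hunk `@@ -66,6 +87,7 @@`) gain `id-token: write` and now pull Checkmarx and Sonar credentials from Key Vault into a job that checks out `github.event.pull_request.head.sha`; whether that is safe depends on the workflow trigger, which is outside these hunks. Under a `pull_request_target` trigger a fork-controlled checkout would share the job with an OIDC token and live Key Vault secrets, so the `check-run` gate in the first hunk would be the only control in front of them — worth confirming that both jobs declare `needs: check-run` (their `needs:` lines sit above the visible hunks). A small consistency point: `keyvault: gh-org-bitwarden` is unquoted here while publish.yml writes `keyvault: "bitwarden-ci"`; both parse as strings, but matching the quoted form keeps the files uniform.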
19 changes: 16 additions & 3 deletions .github/workflows/version-bump.yml
Expand Up @@ -24,6 +24,11 @@ jobs:
bump_version:
name: "Bump ${{ inputs.project }} Version to v${{ inputs.version_number }}"
runs-on: ubuntu-24.04
permissions:
contents: read
pull-requests: write
id-token: write

steps:
- name: Install rust
uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
Expand All @@ -36,10 +41,13 @@ jobs:
- name: Install cargo-release
run: cargo install cargo-edit --locked

- name: Login to Azure - CI Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
- name: Log in to Azure
id: azure-login
uses: bitwarden/gh-actions/azure-login@main
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}

- name: Retrieve secrets
id: retrieve-secrets
Expand All @@ -50,6 +58,9 @@ jobs:
github-gpg-private-key-passphrase,
github-pat-bitwarden-devops-bot-repo-scope"

- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main

- name: Checkout Branch
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
Expand Down Expand Up @@ -160,6 +171,8 @@ jobs:
cut_rc:
name: Cut RC branch
needs: bump_version
permissions:
contents: write
if: ${{ inputs.cut_rc_branch == true }}
runs-on: ubuntu-24.04
steps:
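Review bot: The `Log out from Azure` step added after `Retrieve secrets` has no `if:` condition, so it runs only when every preceding step succeeds; a failing `Retrieve secrets` skips the logout, and the same ordering appears in publish.yml and scan.yml. On hosted `ubuntu-24.04` runners the session is discarded with the job, so this is hygiene rather than a live exposure, but if the logout is intended as a guarantee, the `id: azure-login` the hunk introduces makes it easy to express: `if: ${{ always() && steps.azure-login.outcome == 'success' }}` on the logout step runs it after any failure while still skipping it when no login happened. The retrieved values are step outputs and do not depend on the session, so moving the logout later in the job would also be safe. `bump_version` continues outside the hunk.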