From 0635943cf5b4f46e3afd6d80408d7b1f98d702f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?=
Date: Fri, 20 Dec 2024 19:25:00 +0100
Subject: [PATCH] BRE-505 Use GitHub token from KeyVault (#172)
---
 .github/workflows/main.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 6d00d8a..d6ca6fc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -196,9 +196,21 @@ jobs:
 permissions: {} # no permissions required
 steps:
+ - name: Log in to Azure - CI subscription
+ uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+ with:
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+ - name: Retrieve GitHub PAT secrets
+ id: retrieve-secret-pat
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: "bitwarden-ci"
+ secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
 - name: Dispatch deployment
 env:
- GITHUB_TOKEN: ${{ secrets.DEPLOYMENT_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
 run: >
 gh workflow run deploy-passwordless-dotnet --repo bitwarden/passwordless-devops
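Review bot: The added `Retrieve GitHub PAT secrets` step references `bitwarden/gh-actions/get-keyvault-secrets@main`, a mutable branch ref, while the `Azure/login` step just above it is pinned to a full commit SHA. That action runs inside the Azure session opened with `AZURE_KV_CI_SERVICE_PRINCIPAL` and returns the bot PAT, so whatever `main` points to at run time executes with access to both. Pinning it the same way, `uses: bitwarden/gh-actions/get-keyvault-secrets@<full-commit-sha> # <ref>` (placeholder; take the SHA from the action's repository), keeps the job reproducible and reviewable. The hunk also shows no Azure logout after the secret is fetched, so the service-principal session presumably stays open for the `Dispatch deployment` step, which only needs `GITHUB_TOKEN`; consider adding a logout step between the two. The job's step list may continue outside the hunk, so a later logout could already exist.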