Update main workflow to use GitHub App token for deployment (#792)

michalchecinski · web-flow · commit e9d0d0015650 · 2025-02-14T15:31:52.000+01:00
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -237,21 +237,18 @@ jobs:
     permissions: {} # no permissions required
 
     steps:
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+        id: app-token
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve GitHub PAT secrets
-        id: retrieve-secret-pat
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
+          owner: bitwarden
+          repositories: passwordless-devops
 
       - name: Dispatch deployment
         env:
-          GITHUB_TOKEN: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
         run: >
           gh workflow run deploy-passwordless-server.yml
           --repo bitwarden/passwordless-devops
