Move secrets to Azure Key Vault (#738)

mjcheetham · web-flow · commit 25202f8256fe · 2025-04-03T12:28:26.000+01:00
We should standardise on a location (and naming convention) to store secrets used as part of the build process for `microsoft/git`. Azure Key Vault is an approved store for secrets inside of Microsoft, and so we should migrate any existing secrets from GitHub environment secrets to AKV. Access to the AKV is via Managed Identity and [federated authentication through GitHub Actions](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure-openid-connect). The names of the secrets, and other configuration for accessing the Key Vault, remain in GitHub environment secrets. Forks of the project can therefore define the same set of environment secrets pointing at their own AKV to utilise the same build process. For reference, the set of secrets that must be defined for the workflow are as follows: Secret Name|Description -|- `AZURE_VAULT`|Name of the Azure Key Vault containing build secrets. `AZURE_CLIENT_ID`|Client ID of the Managed Identity with access to the Key Vault. `AZURE_TENANT_ID`|Tenant ID where the Managed Identity resides. `AZURE_SUBSCRIPTION_ID`|Subscription ID where the Key Vault resides. `WIN_CODESIGN_CERT_SECRET_NAME`|Name of the AKV secret containing the base64 encoded Windows Authenticode signing certificate. `WIN_CODESIGN_PASS_SECRET_NAME`|Name of the AKV secret containing the password for the Windows Authenticode signing certificate. `WIN_GPG_PRIVATE_SECRET_NAME`|Name of the AKV secret containing the GPG private key used to sign the Windows package. `WIN_GPG_KEYGRIP_SECRET_NAME`|Name of the AKV secret containing the keygrip for the GPG key used to sign the Windows package. `WIN_GPG_PASS_SECRET_NAME`|Name of the AKV secret containing the passphrase for the GPG private key used to sign the Windows package. `APPLE_APPCERT_SECRET_NAME`|Name of the AKV secret containing the base64 encoded Apple Application Certificate for macOS. `APPLE_APPCERT_PASS_SECRET_NAME`|Name of the AKV secret containing the password for the Apple Application Certificate. `APPLE_INSTCERT_SECRET_NAME`|Name of the AKV secret containing the base64 encode Apple InstallationCertificate for macOS. `APPLE_INSTCERT_PASS_SECRET_NAME`|Name of the AKV secret containing the password for the Apple Installation Certificate. `APPLE_TEAM_ID_SECRET_NAME`|Name of the AKV secret containing the Apple Developer Team ID. `APPLE_DEVELOPER_ID_SECRET_NAME`|Name of the AKV secret containing the Apple Developer ID account email address for developer signing. `APPLE_DEVELOPER_PASSWORD_SECRET_NAME`|Name of the AKV secret containing the Apple Developer ID account password for developer signing. `APPLE_APPSIGN_ID_SECRET_NAME`|Name of the AKV secret containing the Apple Application Signing ID. `APPLE_INSTSIGN_ID_SECRET_NAME`|Name of the AKV secret containing the Apple Installation Signing ID. `LINUX_GPG_PUBLIC_SECRET_NAME`|Name of the AKV secret containing the base64 encoded GPG public key used for Debian package signing. `LINUX_GPG_PRIVATE_SECRET_NAME`|Name of the AKV secret containing the base64 encoded GPG private key used for Debian package signing. `LINUX_GPG_PASS_SECRET_NAME`|Name of the AKV secret containing the password for the GPG signing key used for the Debian package. `LINUX_GPG_KEYGRIP_SECRET_NAME`|Name of the AKV secret containing the keygrip of the GPG signing key used for the Debian package.
diff --git a/.github/actions/akv-secret/action.yml b/.github/actions/akv-secret/action.yml
@@ -0,0 +1,54 @@
+name: Get Azure Key Vault Secrets
+
+description: |
+  Get secrets from Azure Key Vault and store the results as masked step outputs,
+  environment variables, or files.
+
+inputs:
+  vault:
+    required: true
+    description: Name of the Azure Key Vault.
+  secrets:
+    required: true
+    description: |
+      Comma- or newline-separated list of secret names in Azure Key Vault.
+      The output and encoding of secrets can be specified using this syntax:
+
+        SECRET ENCODING> $output:OUTPUT
+        SECRET ENCODING> $env:ENVAR
+        SECRET ENCODING> FILE
+
+        SECRET      Name of the secret in Azure Key Vault.
+        ENCODING    (optional) Encoding of the secret: base64.
+        OUTPUT      Name of a step output variable.
+        ENVAR       Name of an environment variable.
+        FILE        File path (relative or absolute).
+
+      If no output format is specified the default is a step output variable
+      with the same name as the secret. I.e, SECRET > $output:SECRET.
+
+      Examples:
+
+        Assign output variable named `raw-var` to the raw value of the secret
+        `raw-secret`:
+
+          raw-secret > $output:raw-var
+
+        Assign output variable named `decoded-var` to the base64 decoded value
+        of the secret `encoded-secret`:
+
+          encoded-secret base64> $output:decoded-var
+
+        Download the secret named `tls-certificate` to the file path
+        `.certs/tls.cert`:
+
+          tls-certificate > .certs/tls.cert
+
+        Assign environment variable `ENV_SECRET` to the base64 decoded value of
+        the secret `encoded-secret`:
+
+        encoded-secret base64> $env:ENV_SECRET
+
+runs:
+  using: node20
+  main: index.js
diff --git a/.github/actions/akv-secret/index.js b/.github/actions/akv-secret/index.js
@@ -0,0 +1,135 @@
+const { spawnSync } = require('child_process');
+const fs = require('fs');
+const os = require('os');
+
+// Note that we are not using the `@actions/core` package as it is not available
+// without either committing node_modules/ to the repository, or using something
+// like ncc to bundle the code.
+
+// See https://github.com/actions/toolkit/blob/%40actions/core%401.1.0/packages/core/src/command.ts#L81-L87
+const escapeData = (s) => {
+  return s
+    .replace(/%/g, '%25')
+    .replace(/\r/g, '%0D')
+    .replace(/\n/g, '%0A')
+}
+
+const writeCommand = (file, name, value) => {
+  // Unique delimiter to avoid conflicts with actual values
+  let delim;
+  for (let count = 0; ; count++) {
+    delim = `XXXXXX${count}`;
+    if (!name.includes(delim) && !value.includes(delim)) {
+      break;
+    }
+  }
+
+  fs.appendFileSync(file, `${name}<<${delim}${os.EOL}${value}${os.EOL}${delim}${os.EOL}`);
+}
+
+const setSecret = (value) => {
+  process.stdout.write(`::add-mask::${escapeData(value)}${os.EOL}`);
+}
+
+const setOutput = (name, value) => {
+  writeCommand(process.env.GITHUB_OUTPUT, name, value);
+}
+
+const exportVariable = (name, value) => {
+  writeCommand(process.env.GITHUB_ENV, name, value);
+}
+
+const logInfo = (message) => {
+  process.stdout.write(`${message}${os.EOL}`);
+}
+
+const setFailed = (error) => {
+  process.stdout.write(`::error::${escapeData(error.message)}${os.EOL}`);
+  process.exitCode = 1;
+}
+
+(async () => {
+  const vault = process.env.INPUT_VAULT;
+  const secrets = process.env.INPUT_SECRETS;
+  // Parse and normalize secret mappings
+  const secretMappings = secrets
+    .split(/[\n,]+/)
+    .map((entry) => entry.trim())
+    .filter((entry) => entry)
+    .map((entry) => {
+      const [input, encoding, output] = entry.split(/(\S+)?>/).map((part) => part?.trim());
+      return { input, encoding, output: output || `\$output:${input}` }; // Default output to $output:input if not specified
+    });
+
+  if (secretMappings.length === 0) {
+    throw new Error('No secrets provided.');
+  }
+
+  // Fetch secrets from Azure Key Vault
+  for (const { input: secretName, encoding, output } of secretMappings) {
+    let secretValue = '';
+
+    const az = spawnSync('az',
+      [
+        'keyvault',
+        'secret',
+        'show',
+        '--vault-name',
+        vault,
+        '--name',
+        secretName,
+        '--query',
+        'value',
+        '--output',
+        'tsv'
+      ],
+      {
+        stdio: ['ignore', 'pipe', 'inherit'],
+        shell: true // az is a batch script on Windows
+      }
+    );
+
+    if (az.error) throw new Error(az.error, { cause: az.error });
+    if (az.status !== 0) throw new Error(`az failed with status ${az.status}`);
+
+    secretValue = az.stdout.toString('utf-8').trim();
+
+    // Mask the raw secret value in logs
+    setSecret(secretValue);
+
+    // Handle encoded values if specified
+    // Sadly we cannot use the `--encoding` parameter of the `az keyvault
+    // secret (show|download)` command as the former does not support it, and
+    // the latter must be used with `--file` (we could use /dev/stdout on UNIX
+    // but not on Windows).
+    if (encoding) {
+      switch (encoding.toLowerCase()) {
+        case 'base64':
+          secretValue = Buffer.from(secretValue, 'base64').toString();
+          break;
+        default:
+          // No decoding needed
+      }
+
+      setSecret(secretValue); // Mask the decoded value as well
+    }
+
+    if (output.startsWith('$env:')) {
+      // Environment variable
+      const envVarName = output.replace('$env:', '').trim();
+      exportVariable(envVarName, secretValue);
+      logInfo(`Secret set as environment variable: ${envVarName}`);
+    } else if (output.startsWith('$output:')) {
+      // GitHub Actions output variable
+      const outputName = output.replace('$output:', '').trim();
+      setOutput(outputName, secretValue);
+      logInfo(`Secret set as output variable: ${outputName}`);
+    } else {
+      // File output
+      const filePath = output.trim();
+      fs.mkdirSync(path.dirname(filePath), { recursive: true });
+      fs.writeFileSync(filePath, secretValue);
+      logInfo(`Secret written to file: ${filePath}`);
+    }
+  }
+})().catch(setFailed);
diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
