Migrate nginx pat to Azure Vault

pdabelf5 · pdabelf5 · commit 8f3e1bf92900 · 2025-11-12T11:35:21.000Z
diff --git a/.github/workflows/cherry-pick.yml b/.github/workflows/cherry-pick.yml
@@ -13,6 +13,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     runs-on: ubuntu-24.04
     name: Cherry pick into release branch
     if: ${{ contains(github.event.pull_request.labels.*.name, 'needs cherry pick') && github.event.pull_request.merged == true }}
@@ -31,10 +32,25 @@ jobs:
           echo "branch=${release_branch}" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name: Cherry pick into ${{ steps.branch.outputs.branch }}
         uses: carloscastrojumo/github-cherry-pick-action@503773289f4a459069c832dc628826685b75b4b3 # v1.0.10
         with:
           branch: ${{ steps.branch.outputs.branch }}
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ steps.secrets.outputs.NGINX_PAT }}
           author: ${{ github.actor }} <${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com>
           title: "[cherry-pick] {old_title}"
diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml
@@ -36,12 +36,28 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+      id-token: write
     steps:
       - name: Checkout NIC repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ inputs.source_branch }}
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name: Create new release branch
         run: |
           branch="${{ inputs.branch_prefix }}${{ inputs.release_version }}"
@@ -66,4 +82,4 @@ jobs:
               git push --dry-run origin "${branch}"
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+          GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }}
diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml
@@ -89,6 +89,9 @@ jobs:
           DOCKER_PASSWORD=$(az keyvault secret show --name docker-password --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
           echo "::add-mask::$DOCKER_PASSWORD"
           echo "DOCKER_PASSWORD=$DOCKER_PASSWORD" >> $GITHUB_OUTPUT
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
 
       - name: Login to GitHub Container Registry
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -125,7 +128,7 @@ jobs:
         with:
           repository: nginxinc/helm-charts
           fetch-depth: 1
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ steps.secrets.outputs.NGINX_PAT }}
           path: helm-charts
         if: ${{ inputs.nginx_helm_repo }}
 
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
@@ -57,6 +57,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     runs-on: ubuntu-24.04
     steps:
       - name: Branch
@@ -72,6 +73,21 @@ jobs:
           ref: ${{ steps.branch.outputs.branch }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name: Replace
         run: |
           .github/scripts/release-version-update.sh \
@@ -91,14 +107,14 @@ jobs:
         env:
           GITHUB_USERNAME: ${{ github.actor }}
           GITHUB_EMAIL: ${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com
-          GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
+          GITHUB_TOKEN: ${{ steps.secrets.outputs.NGINX_PAT }}
           DRY_RUN: ${{ inputs.dry_run && 'true' || 'false' }}
           DEBUG: ${{ inputs.debug && 'true' || 'false' }}
 
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ steps.secrets.outputs.NGINX_PAT }}
           commit-message: Release ${{ github.event.inputs.new_version }}
           title: Release ${{ github.event.inputs.new_version }}
           branch: docs/release-${{ github.event.inputs.new_version }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -345,11 +345,29 @@ jobs:
     name: Trigger PR for Operator
     runs-on: ubuntu-24.04
     needs: [variables,publish-helm-chart]
+    permissions:
+      contents: read
+      id-token: write
     steps:
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
-          github-token: ${{ secrets.NGINX_PAT }}
+          github-token: ${{ steps.secrets.outputs.NGINX_PAT }}
           script: |
             await github.rest.actions.createWorkflowDispatch({
               owner: context.repo.owner,
@@ -370,11 +388,29 @@ jobs:
   #   name: Trigger PR for GCP Marketplace
   #   runs-on: ubuntu-24.04
   #   needs: [publish-helm-chart,release-plus-gcr-mktpl]
+  #   permissions:
+  #     contents: read
+  #     id-token: write
   #   steps:
+  #     - name: Azure login
+  #       uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+  #       with:
+  #         client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+  #         tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+  #         subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+  #     - name: Setup secrets
+  #       id: secrets
+  #       run: |
+  #         echo "Setting secrets for job"
+  #         NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+  #         echo "::add-mask::$NGINX_PAT"
+  #         echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
   #     - name:
   #       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
   #       with:
-  #         github-token: ${{ secrets.NGINX_PAT }}
+  #         github-token: ${{ steps.secrets.outputs.NGINX_PAT }}
   #         script: |
   #           await github.rest.actions.createWorkflowDispatch({
   #             owner: context.repo.owner,
@@ -391,12 +427,29 @@ jobs:
   #   if: ${{ ! cancelled() && ! failure() && ! inputs.dry_run && ! contains(inputs.skip_step, 'azure-marketplace') }}
   #   name: Trigger CNAB Build for Azure Marketplace
   #   runs-on: ubuntu-24.04
+  #   permissions:
+  #     contents: read
+  #     id-token: write
   #   needs: [publish-helm-chart,release-plus-azure-mktpl]
   #   steps:
+  #     - name: Azure login
+  #       uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+  #       with:
+  #         client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+  #         tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+  #         subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+  #     - name: Setup secrets
+  #       id: secrets
+  #       run: |
+  #         echo "Setting secrets for job"
+  #         NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+  #         echo "::add-mask::$NGINX_PAT"
+  #         echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
   #     - name:
   #       uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
   #       with:
-  #         github-token: ${{ secrets.NGINX_PAT }}
+  #         github-token: ${{ steps.secrets.outputs.NGINX_PAT }}
   #         script: |
   #           await github.rest.actions.createWorkflowDispatch({
   #             owner: context.repo.owner,
diff --git a/.github/workflows/update-docker-sha.yml b/.github/workflows/update-docker-sha.yml
@@ -45,6 +45,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     runs-on: ubuntu-24.04
     needs: [vars]
     steps:
@@ -74,11 +75,26 @@ jobs:
           echo "docker_md5=${docker_md5:0:8}" >> $GITHUB_OUTPUT
           echo $GITHUB_OUTPUT
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         id: pr
         with:
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ steps.secrets.outputs.NGINX_PAT }}
           commit-message: Update docker images ${{ steps.update_images.outputs.docker_md5 }}
           title: Docker image update ${{ steps.update_images.outputs.docker_md5 }}
           branch: deps/image-update-${{ needs.vars.outputs.source_branch }}-${{ steps.update_images.outputs.docker_md5 }}
diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml
@@ -28,6 +28,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout Repository
@@ -52,10 +53,25 @@ jobs:
         run: |
           make test-update-snaps
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_COMMON_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_COMMON_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_COMMON_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          NGINX_PAT=$(az keyvault secret show --name nginx-bot-pat --vault-name ${{ secrets.COMMON_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$NGINX_PAT"
+          echo "NGINX_PAT=$NGINX_PAT" >> $GITHUB_OUTPUT
+
       - name: Create Pull Request
         uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
         with:
-          token: ${{ secrets.NGINX_PAT }}
+          token: ${{ steps.secrets.outputs.NGINX_PAT }}
           commit-message: Version Bump for ${{ github.event.inputs.ic_version }}
           title: Version Bump for ${{ github.event.inputs.ic_version }}
           branch: chore/version-bump-${{ github.event.inputs.ic_version }}
