Migrate Slack_Webhook to Azure Vault

AlexFenlon · pdabelf5 · commit f9cca146e17d · 2025-11-11T19:02:43.000Z
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
@@ -26,6 +26,7 @@ jobs:
     permissions:
       contents: read
       actions: read # for 8398a7/action-slack
+      id-token: write # for Azure login
     steps:
       - name: Data
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -48,6 +49,21 @@ jobs:
               commit_message: message_sanitized,
             }
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          SLACK_WEBHOOK=$(az keyvault secret show --name slack-pipeline-webhook --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$SLACK_WEBHOOK"
+          echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
+
       - name: Send Notification
         uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
         with:
@@ -83,4 +99,4 @@ jobs:
               }]
             }
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_WEBHOOK_URL: ${{ steps.secrets.outputs.SLACK_WEBHOOK }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -635,6 +635,7 @@ jobs:
     permissions:
       contents: read
       actions: read
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -645,6 +646,21 @@ jobs:
         with:
           ref: ${{ inputs.release_branch }}
 
+      - name: Azure login
+        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+        with:
+          client-id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+
+      - name: Setup secrets
+        id: secrets
+        run: |
+          echo "Setting secrets for job"
+          SLACK_WEBHOOK=$(az keyvault secret show --name slack-pipeline-webhook --vault-name ${{ secrets.NIC_KEYVAULT_NAME }} --query value -o tsv)
+          echo "::add-mask::$SLACK_WEBHOOK"
+          echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
+
       - name: Get Image manifest digest
         id: digest
         run: |
@@ -701,4 +717,4 @@ jobs:
               }]
             }
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
+          SLACK_WEBHOOK_URL: ${{ steps.secrets.outputs.SLACK_WEBHOOK }}
