bitwarden_workflow_linter 1.1.7__tar.gz → 1.1.8__tar.gz

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/.github/workflows/bwwl_operations.yml

@@ -20,6 +20,7 @@ jobs:
     runs-on: ubuntu-24.04
     permissions:
       contents: write
+      id-token: write
       pull-requests: write
     env:
       _ACTION: ${{ inputs.action }}
@@ -28,10 +29,12 @@ jobs:
          if: ${{ inputs.operation == 'add' && !env._ACTION }}
          run: echo "Action input is required for operation 'add'" && exit 1
 
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -41,6 +44,16 @@ jobs:
           secrets: "github-gpg-private-key,
             github-gpg-private-key-passphrase"
 
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -112,8 +125,8 @@ jobs:
         uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
         id: app-token
         with:
-          app-id: ${{ secrets.BW_GHAPP_ID }}
-          private-key: ${{ secrets.BW_GHAPP_KEY }}
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
 
       - name: Create PR
         if: ${{ steps.new-changes.outputs.new_changes == 'TRUE' }}

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/.github/workflows/cd.yml

@@ -14,27 +14,29 @@ jobs:
     name: Get version type
     if: github.event.pull_request.merged == true
     uses: ./.github/workflows/_version_type.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
 
   version-bump:
     name: Version bump
     if: needs.version-type.outputs.version_bump_type != 'skip'
     runs-on: ubuntu-24.04
     needs: version-type
+    permissions:
+      contents: write
+      id-token: write
     outputs:
       version: ${{ steps.get-version.outputs.version }}
       commit_hash: ${{ steps.version-commit.outputs.commit_hash }}
     steps:
-      - name: Generate GH App token
-        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
-        id: app-token
-        with:
-          app-id: ${{ secrets.BW_GHAPP_ID }}
-          private-key: ${{ secrets.BW_GHAPP_KEY }}
-
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -44,6 +46,23 @@ jobs:
           secrets: "github-gpg-private-key,
             github-gpg-private-key-passphrase"
 
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1.12.0
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -92,7 +111,7 @@ jobs:
           git tag v$VERSION
           git push
           git push --tags
-      
+
       - name: Output version bump commit hash
         id: version-commit
         run: |
@@ -102,6 +121,8 @@ jobs:
     name: GitHub release
     runs-on: ubuntu-22.04
     needs: version-bump
+    permissions:
+      contents: write
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -119,6 +140,9 @@ jobs:
     name: Deploy workflow-linter (v2)
     runs-on: ubuntu-22.04
     needs: version-bump
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -134,10 +158,12 @@ jobs:
       - name: Install hatch
         run: pip install hatch
 
-      - name: Login to Azure - CI Subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve pypi api token
         id: retrieve-secret
@@ -146,6 +172,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "pypi-api-token"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Build
         run: hatch build
 

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/.github/workflows/examples/example-references/_docker.yml

@@ -25,6 +25,9 @@ jobs:
   docker:
     name: Docker
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Check out repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -33,9 +36,11 @@ jobs:
 
       - name: Log in to Azure
         if: ${{ inputs.push-docker-image }}
-        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.6.1
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Log in to ACR
         if: ${{ inputs.push-docker-image }}
@@ -81,3 +86,7 @@ jobs:
           tags: ${{ steps.tag-list.outputs.tags }}
         env:
           DOCKER_BUILD_RECORD_UPLOAD: false
+
+      - name: Log out from Azure
+        if: ${{ inputs.push-docker-image }}
+        uses: bitwarden/gh-actions/azure-logout@main

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/.github/workflows/examples/example.yaml

@@ -6,8 +6,8 @@
 
 name: Build
 
-permissions:
-    read-all # Sets permissions of the GITHUB_TOKEN
+permissions: # Sets permissions of the GITHUB_TOKEN (Can be set at the workflow level or job level)
+    contents: read
     # More info: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
 
 on: # Describes when to run the workflow
@@ -83,6 +83,9 @@ jobs: # A workflow run is made up of one or more jobs that can run sequentially
     second-job:
         name: Second Job Name
         runs-on: ubuntu-22.04 # The type of runner that the job will run on, not available if "uses" is used
+        permissions:
+            contents: read
+            id-token: write # Required to fetch an OpenID Connect (OIDC) token
         defaults:
             run: # Set the default shell and working directory
                 shell: bash
@@ -92,6 +95,26 @@ jobs: # A workflow run is made up of one or more jobs that can run sequentially
             - first-job # This job will wait until first-job completes
         # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/setting-a-default-shell-and-working-directory
         steps:
+            # Using Azure go obtain secrets from Azure Key Vault
+            - name: Log in to Azure
+              uses: bitwarden/gh-actions/azure-login@main
+              with:
+                subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+                tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+                client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+            # Obtain the Key Vault secrets and use them later via GitHub outputs
+            - name: Get Azure Key Vault secrets
+              id: get-kv-secrets
+              uses: bitwarden/gh-actions/get-keyvault-secrets@main
+              with:
+                keyvault: gh-REPOSITORY_NAME_EXAMPLE # The name of the Azure Key Vault created for this repossitory
+                secrets: "SECRETS-OR-CREDENTIALS,ANOTHER-SECRET" # Comma-separated list of secrets to retrieve from Azure Key Vault
+
+            # Logout to remove access to Azure Key Vault secrets
+            - name: Log out from Azure
+              uses: bitwarden/gh-actions/azure-logout@main
+
             - name: Descriptive step name
               # NOT RECOMMENDED if: always()  # run even if previous steps failed or the workflow is canceled, this can cause a workflow run to hang indefinitely
               if: failure() # run when any previous step of a job fails
@@ -100,7 +123,7 @@ jobs: # A workflow run is made up of one or more jobs that can run sequentially
               with: # Parameters specific to this action that need to be defined in order for the step to be completed
                   fetch-depth: 0 # Full git history for actions that rely on whether a change has occurred
                   ref: ${{ github.event.pull_request.head.sha }}
-                  creds: ${{ secrets.SECRETS_OR_CREDENTIALS }}
+                  creds: ${{ steps.get-kv-secrets.outputs.SECRETS-OR-CREDENTIALS }} # Use the secrets retrieved from Azure Key Vault in the previous step
             - name: Another descriptive step name
               # Run a script instead of an existing github action
               run: |

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/.github/workflows/examples/scan.yaml

@@ -52,6 +52,7 @@ jobs:
             pull-requests: write # For github actions to upload feedback to PR
             # For github/codeql-action/upload-sarif to upload SARIF results
             security-events: write
+            id-token: write # For bitwarden/gh-actions/azure-login to get an ID token
 
         # Steps represent a sequence of tasks executed as part of the job
         steps:
@@ -65,33 +66,50 @@ jobs:
                   # in order for the step to be completed
                   ref: ${{  github.event.pull_request.head.sha }}
 
+            - name: Log in to Azure
+              uses: bitwarden/gh-actions/azure-login@main
+              with:
+                subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+                tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+                client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+            - name: Get Azure Key Vault secrets
+              id: get-kv-secrets
+              uses: bitwarden/gh-actions/get-keyvault-secrets@main
+              with:
+                keyvault: gh-org-bitwarden
+                secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
+
+            - name: Log out from Azure
+              uses: bitwarden/gh-actions/azure-logout@main
+
             - name: Scan with Checkmarx
               if: github.event.pull_request.draft == false # Prevent step from running on draft PR
               uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81 # 2.0.36
               # Environment variables set for this step but not accessible by all
               # workflows, steps or jobs
               env:
-                  INCREMENTAL:
-                      "${{ contains(github.event_name, 'pull_request') \
-                      && '--sast-incremental' || '' }}"
+                INCREMENTAL:
+                    "${{ contains(github.event_name, 'pull_request') \
+                    && '--sast-incremental' || '' }}"
               with:
-                  project_name: ${{ github.repository }}
-                  cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
-                  base_uri: https://ast.checkmarx.net/
-                  cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
-                  cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
-                  additional_params: |
-                      --report-format sarif \
-                      --filter \
-                      "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT"\
-                      --output-path . ${{ env.INCREMENTAL }}
+                project_name: ${{ github.repository }}
+                cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
+                base_uri: https://ast.checkmarx.net/
+                cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
+                cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
+                additional_params: |
+                    --report-format sarif \
+                    --filter \
+                    "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT"\
+                    --output-path . ${{ env.INCREMENTAL }}
 
             - name: Upload Checkmarx results to GitHub
               uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
               with:
-                  sarif_file: cx_result.sarif
-                  sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
-                  ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
+                sarif_file: cx_result.sarif
+                sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+                ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
     quality:
         name: Quality scan
@@ -100,6 +118,7 @@ jobs:
         permissions:
             contents: read
             pull-requests: write
+            id-token: write
 
         steps:
             # Set up whatever resources your environment will need
@@ -107,8 +126,8 @@ jobs:
             - name: Set up JDK 17
               uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0
               with:
-                  java-version: 17
-                  distribution: "zulu"
+                java-version: 17
+                distribution: "zulu"
             # This step checks out a copy of your repository
             - name: Set up .NET
               uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
@@ -116,18 +135,35 @@ jobs:
             - name: Install SonarCloud scanner
               run: dotnet tool install dotnet-sonarscanner -g
 
+            - name: Log in to Azure
+              uses: bitwarden/gh-actions/azure-login@main
+              with:
+                subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+                tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+                client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+            - name: Get Azure Key Vault secrets
+              id: get-kv-secrets
+              uses: bitwarden/gh-actions/get-keyvault-secrets@main
+              with:
+                keyvault: gh-org-bitwarden
+                secrets: "SONAR-TOKEN"
+
+            - name: Log out from Azure
+              uses: bitwarden/gh-actions/azure-logout@main
+
             - name: Scan with SonarCloud
               env:
-                  SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-              # Additional scripts to run outside of a Github Action
+                SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
+                GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+                # Additional scripts to run outside of a Github Action
               run: |
-                  dotnet-sonarscanner begin /k:" \
-                  ${{ github.repository_owner }}_${{ github.event.repository.name }}" \
-                  /d:sonar.test.inclusions=test/,bitwarden_license/test/ \
-                  /d:sonar.exclusions=test/,bitwarden_license/test/ \
-                  /o:"${{ github.repository_owner }}" \
-                  /d:sonar.token="${{ secrets.SONAR_TOKEN }}" \
-                  /d:sonar.host.url="https://sonarcloud.io"
-                  dotnet build
-                  dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"
+                dotnet-sonarscanner begin /k:" \
+                ${{ github.repository_owner }}_${{ github.event.repository.name }}" \
+                /d:sonar.test.inclusions=test/,bitwarden_license/test/ \
+                /d:sonar.exclusions=test/,bitwarden_license/test/ \
+                /o:"${{ github.repository_owner }}" \
+                /d:sonar.token="${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}" \
+                /d:sonar.host.url="https://sonarcloud.io"
+                dotnet build
+                dotnet-sonarscanner end /d:sonar.token="${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}"

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/.github/workflows/scan.yml

@@ -33,6 +33,7 @@ jobs:
       contents: read
       pull-requests: write
       security-events: write
+      id-token: write
 
     steps:
       - name: Check out repo
@@ -40,16 +41,33 @@ jobs:
         with:
           ref: ${{  github.event.pull_request.head.sha }}
 
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Scan with Checkmarx
         uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
         env:
           INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
         with:
           project_name: ${{ github.repository }}
-          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
           base_uri: https://ast.checkmarx.net/
-          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
-          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
+          cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
           additional_params: |
             --report-format sarif \
             --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
@@ -69,6 +87,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      id-token: write
 
     steps:
       - name: Check out repo
@@ -77,10 +96,27 @@ jobs:
           fetch-depth: 0
           ref: ${{  github.event.pull_request.head.sha }}
 
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-org-bitwarden
+          secrets: "SONAR-TOKEN"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Scan with SonarCloud
         uses: sonarsource/sonarqube-scan-action@2500896589ef8f7247069a56136f8dc177c27ccf # v5.2.0
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
         with:
           args: >
             -Dsonar.organization=${{ github.repository_owner }}

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 1.1.7
+Version: 1.1.8
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues

{bitwarden_workflow_linter-1.1.7 → bitwarden_workflow_linter-1.1.8}/src/bitwarden_workflow_linter/__about__.py

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
 
-__version__ = "1.1.7"
+__version__ = "1.1.8"