From 2b9c10bf56a97b03b2815e81e0f77ae4d271735a Mon Sep 17 00:00:00 2001 From: Amy Galles <9685081+AmyLGalles@users.noreply.github.com> Date: Tue, 5 May 2026 10:12:24 -0700 Subject: [PATCH 1/6] remove api commit from version bump --- .github/workflows/version-bump.yml | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 2f757df5a..f398b32d9 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -39,6 +39,8 @@ jobs: env: _VERSION: ${{ inputs.version_number }} _PROJECT: ${{ inputs.project }} + _BOT_NAME: "bw-ghapp[bot]" + _BOT_EMAIL: "178206702+bw-ghapp[bot]@users.noreply.github.com" steps: - name: Install rust uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @@ -87,6 +89,11 @@ jobs: persist-credentials: true token: ${{ steps.app-token.outputs.token }} + - name: Configure git + run: | + git config user.name "$_BOT_NAME" + git config user.email "$_BOT_EMAIL" + - name: Create Version Branch id: create-branch run: | @@ -225,13 +232,13 @@ jobs: - name: Commit files if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - uses: bitwarden/gh-actions/api-commit@main - with: - token: ${{ steps.app-token.outputs.token }} - branch: ${{ steps.create-branch.outputs.name }} - message: "Bumped sdk-${{ inputs.project }} version to ${{ inputs.version_number }}" - repo: sdk-sm - owner: bitwarden + env: + BRANCH: ${{ steps.create-branch.outputs.name }} + MESSAGE: "Bumped sdk-${{ inputs.project }} version to ${{ inputs.version_number }}" + run: | + git add -A + git commit -m "$MESSAGE" + git push origin "$BRANCH" - name: Create Version PR if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} 
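Review bot: `git add -A` in the Commit files step stages every modified and untracked file under the checkout, not only the version files that the `version-changed` gate detected, so anything left behind by an earlier step in the job (Install rust runs in this same job) would be pushed to the version branch and land in the PR. Stage the version files explicitly, or at least record what is going out so the run log shows it: `git status --porcelain` before `git commit -m "$MESSAGE"`. This patch is reverted wholesale by patch 2/6 (subject "newline") and reapplied unchanged by patch 4/6, so the remark applies to the surviving copy there as well.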
@@ -298,4 +305,4 @@ jobs: - name: Cut RC branch run: | git switch --quiet --create rc - git push --quiet --set-upstream origin rc + git push --quiet --set-upstream origin rc \ No newline at end of file From 3adcb670b01680076f4d089a6d4098108a7b0806 Mon Sep 17 00:00:00 2001 From: Amy Galles <9685081+AmyLGalles@users.noreply.github.com> Date: Tue, 5 May 2026 10:16:11 -0700 Subject: [PATCH 2/6] newline --- .github/workflows/version-bump.yml | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index f398b32d9..2f757df5a 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -39,8 +39,6 @@ jobs: env: _VERSION: ${{ inputs.version_number }} _PROJECT: ${{ inputs.project }} - _BOT_NAME: "bw-ghapp[bot]" - _BOT_EMAIL: "178206702+bw-ghapp[bot]@users.noreply.github.com" steps: - name: Install rust uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable @@ -89,11 +87,6 @@ jobs: persist-credentials: true token: ${{ steps.app-token.outputs.token }} - - name: Configure git - run: | - git config user.name "$_BOT_NAME" - git config user.email "$_BOT_EMAIL" - - name: Create Version Branch id: create-branch run: | @@ -232,13 +225,13 @@ jobs: - name: Commit files if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - env: - BRANCH: ${{ steps.create-branch.outputs.name }} - MESSAGE: "Bumped sdk-${{ inputs.project }} version to ${{ inputs.version_number }}" - run: | - git add -A - git commit -m "$MESSAGE" - git push origin "$BRANCH" + uses: bitwarden/gh-actions/api-commit@main + with: + token: ${{ steps.app-token.outputs.token }} + branch: ${{ steps.create-branch.outputs.name }} + message: "Bumped sdk-${{ inputs.project }} version to ${{ inputs.version_number }}" + repo: sdk-sm + owner: bitwarden - name: Create Version PR if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} 
@@ -305,4 +298,4 @@ jobs: - name: Cut RC branch run: | git switch --quiet --create rc - git push --quiet --set-upstream origin rc \ No newline at end of file + git push --quiet --set-upstream origin rc From ffaccc213c8498fae9a487ab16287e321d9314ce Mon Sep 17 00:00:00 2001 From: Amy Galles <9685081+AmyLGalles@users.noreply.github.com> Date: Tue, 5 May 2026 10:17:28 -0700 Subject: [PATCH 3/6] update publish-php --- .github/workflows/publish-php.yml | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/.github/workflows/publish-php.yml b/.github/workflows/publish-php.yml index 2bbef275d..c6a23f0ca 100644 --- a/.github/workflows/publish-php.yml +++ b/.github/workflows/publish-php.yml @@ -82,6 +82,8 @@ jobs: id-token: write env: _PKG_VERSION: ${{ needs.validate.outputs.version }} + _BOT_NAME: "bw-ghapp[bot]" + _BOT_EMAIL: "178206702+bw-ghapp[bot]@users.noreply.github.com" steps: - name: Checkout SDK repo uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 
@@ -151,21 +153,25 @@ jobs: - name: Commit changes if: ${{ inputs.release_type != 'Dry Run' }} id: commit - uses: bitwarden/gh-actions/api-commit@main - with: - token: ${{ steps.app-token.outputs.token }} - branch: main - message: "Update PHP SDK to ${{ github.sha }}" - repo: sm-sdk-php - owner: bitwarden + working-directory: sm-sdk-php + env: + MESSAGE: "Update PHP SDK to ${{ github.sha }}" + run: | + git config user.name "$_BOT_NAME" + git config user.email "$_BOT_EMAIL" + git add -A + if git diff --staged --quiet; then + echo "No changes to commit" + exit 0 + fi + git commit -m "$MESSAGE" + git push origin main - name: Create release tag on PHP SDK repo if: ${{ inputs.release_type != 'Dry Run' }} working-directory: sm-sdk-php run: | - # Sync local repo with API-created commit - git fetch origin main - git checkout FETCH_HEAD + # Local repo already has the commit we just pushed; no fetch/checkout needed. # Check if tag exists, set output then exit 0 if true. if git log "v${_PKG_VERSION}" >/dev/null 2>&1; then From 590bfe05ca43abf5c1c156901239bb3227b87ccd Mon Sep 17 00:00:00 2001 From: Amy Galles <9685081+AmyLGalles@users.noreply.github.com> Date: Tue, 5 May 2026 10:19:09 -0700 Subject: [PATCH 4/6] update version-bump --- .github/workflows/version-bump.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 2f757df5a..39f53d05f 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -39,6 +39,8 @@ jobs: env: _VERSION: ${{ inputs.version_number }} _PROJECT: ${{ inputs.project }} + _BOT_NAME: "bw-ghapp[bot]" + _BOT_EMAIL: "178206702+bw-ghapp[bot]@users.noreply.github.com" steps: - name: Install rust uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable 
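Review bot: The step keeps `id: commit` but, now a plain `run` step, exposes no outputs; if anything later in publish-php.yml reads `steps.commit.outputs.*` (the removed api-commit action presumably reported the new commit SHA), it now gets an empty string — check the remaining steps or drop the id. `git add -A` also stages every untracked file under sm-sdk-php, so print `git status --porcelain` before the commit so the run log shows exactly what was pushed to main. The early `exit 0` path is correct, but it means the Create release tag step then tags whatever HEAD was checked out rather than a new commit; say so in the tag step, e.g. `# If nothing was committed above, HEAD is the checked-out main and the tag lands there.`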
@@ -87,6 +89,11 @@ jobs: persist-credentials: true token: ${{ steps.app-token.outputs.token }} + - name: Configure git + run: | + git config user.name "$_BOT_NAME" + git config user.email "$_BOT_EMAIL" + - name: Create Version Branch id: create-branch run: | @@ -225,13 +232,13 @@ jobs: - name: Commit files if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - uses: bitwarden/gh-actions/api-commit@main - with: - token: ${{ steps.app-token.outputs.token }} - branch: ${{ steps.create-branch.outputs.name }} - message: "Bumped sdk-${{ inputs.project }} version to ${{ inputs.version_number }}" - repo: sdk-sm - owner: bitwarden + env: + BRANCH: ${{ steps.create-branch.outputs.name }} + MESSAGE: "Bumped sdk-${{ inputs.project }} version to ${{ inputs.version_number }}" + run: | + git add -A + git commit -m "$MESSAGE" + git push origin "$BRANCH" - name: Create Version PR if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} From e6134e496cd2191ece6d813acb398039c6c3bf42 Mon Sep 17 00:00:00 2001 From: Amy Galles <9685081+AmyLGalles@users.noreply.github.com> Date: Tue, 5 May 2026 10:21:38 -0700 Subject: [PATCH 5/6] update release-go --- .github/workflows/release-go.yml | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release-go.yml b/.github/workflows/release-go.yml index d947344dc..b3de34fa4 100644 --- a/.github/workflows/release-go.yml +++ b/.github/workflows/release-go.yml @@ -58,6 +58,8 @@ jobs: id-token: write env: _PKG_VERSION: ${{ needs.validate.outputs.version }} + _BOT_NAME: "bw-ghapp[bot]" + _BOT_EMAIL: "178206702+bw-ghapp[bot]@users.noreply.github.com" steps: - name: Checkout SDK repo 
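Review bot: The `git push origin "$BRANCH"` in Commit files only works because the checkout a few lines above keeps `persist-credentials: true` with the App token, which leaves that token in `.git/config` for every later step of the job instead of passing it to a single action call; that dependency is invisible here and deserves a comment on the checkout, e.g. `# persist-credentials is required: the Commit files step pushes with this token`. Separately, commits made with `git commit` carry no signature, whereas the removed api-commit step — if it used GitHub's contents or GraphQL API — produced GitHub-signed, Verified commits; if the sdk-sm repository requires signed commits the push will be rejected, so confirm the branch protection settings before merging.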
@@ -183,21 +185,25 @@ jobs: - name: Commit changes if: ${{ inputs.release_type != 'Dry Run' }} - uses: bitwarden/gh-actions/api-commit@main - with: - token: ${{ steps.app-token.outputs.token }} - branch: main - message: "Update Go SDK to ${{ github.sha }}" - repo: sdk-go - owner: bitwarden + working-directory: sdk-go + env: + MESSAGE: "Update Go SDK to ${{ github.sha }}" + run: | + git config user.name "$_BOT_NAME" + git config user.email "$_BOT_EMAIL" + git add -A + if git diff --staged --quiet; then + echo "No changes to commit" + exit 0 + fi + git commit -m "$MESSAGE" + git push origin main - name: Create release tag on SDK Go repo if: ${{ inputs.release_type != 'Dry Run' }} working-directory: sdk-go run: | - # Sync local repo with API-created commit - git fetch origin main - git checkout FETCH_HEAD + # Local repo already has the commit we just pushed; no fetch/checkout needed. # Check if tag exists, set output then exit 0 if true. if git log "v${_PKG_VERSION}" >/dev/null 2>&1; then From e56c4a4794b90b478671e857f4aa3ecf7c140712 Mon Sep 17 00:00:00 2001 From: Amy Galles <9685081+AmyLGalles@users.noreply.github.com> Date: Tue, 5 May 2026 10:25:51 -0700 Subject: [PATCH 6/6] remove PAT token from docker build --- .github/workflows/build-cli-docker.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-cli-docker.yml b/.github/workflows/build-cli-docker.yml index 395e2e38b..582e14349 100644 --- a/.github/workflows/build-cli-docker.yml +++ b/.github/workflows/build-cli-docker.yml 
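Review bot: With the api-commit action gone, the commit pushed to sdk-go main is created locally and unsigned, while commits created through GitHub's API are presumably GitHub-signed and show as Verified; the tag cut in the next step will point at that unsigned commit. If sdk-go's main requires signed commits the push fails, and otherwise the Verified status is silently lost — either confirm that is acceptable or set up signing for the bot identity before `git commit -m "$MESSAGE"`. The `git diff --staged --quiet` early exit is right, but since `git add -A` first stages every untracked file under sdk-go, add `git status --porcelain` before committing so the run log shows exactly what went to main.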
@@ -51,12 +51,21 @@ jobs: - name: Login to Azure ACR run: az acr login -n "${_AZ_REGISTRY%.azurecr.io}" - - name: Retrieve github PAT secrets - id: retrieve-secret-pat + - name: Retrieve GH App secrets + id: retrieve-secret uses: bitwarden/gh-actions/get-keyvault-secrets@main with: - keyvault: "bitwarden-ci" - secrets: "github-pat-bitwarden-devops-bot-repo-scope" + keyvault: gh-org-bitwarden + secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" + + - name: Generate GH App token + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 + id: app-token + with: + app-id: ${{ steps.retrieve-secret.outputs.BW-GHAPP-ID }} + private-key: ${{ steps.retrieve-secret.outputs.BW-GHAPP-KEY }} + owner: ${{ github.repository_owner }} + permission-contents: read - name: Setup Docker Trust if: ${{ env.is_publish_branch == 'true' }} @@ -99,7 +108,7 @@ jobs: push: true tags: ${{ steps.tag-list.outputs.tags }} secrets: | - "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" + "GH_PAT=${{ steps.app-token.outputs.token }}" cache-from: type=gha cache-to: type=gha,mode=max
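Review bot: The App token is minted with `owner:` but no `repositories:`, which with create-github-app-token scopes it to every repository the app is installed on under that owner rather than only the one(s) the Docker build needs to read; add `repositories: <repo-the-Dockerfile-fetches>` so `permission-contents: read` stays confined. The build secret is still exposed as `GH_PAT` although it is now a short-lived App token; the id must match the Dockerfile's secret mount, so leave it unless both change together, but a comment at the `secrets:` line such as `# GH_PAT is now a scoped, short-lived GH App token, not a PAT` saves the next reader from hunting for a PAT. Unless `skip-token-revoke` is set, the action revokes the token at job end, so no extra cleanup is needed.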