Skip to content

Commit

Permalink
winget: switch to using an Azure KeyVault (#702)
Browse files Browse the repository at this point in the history
Instead of storing the Personal Access Token in an environment secret,
store it in Azure KeyVault instead. This allows for much better auditing
when (and where) the secret is used.

Ideally, we would even switch away from using a Personal Access Token in
the first place. But there is no alternative, such as a Managed Identity
on GitHub, where one could define in a fine-grained way which usage
scenario can be performed using that identity, and recent reorgs at
GitHub suggest that adding such an alternative may not be on the list of
priorities at all.

So let's just stay with a Personal Access Token, but do safeguard it
better by putting it into a KeyVault that can only be accessed by a
narrowly-scoped GitHub Actions environment.
  • Loading branch information
dscho authored and mjcheetham committed Dec 3, 2024
2 parents 8a9d221 + a98c3d7 commit fcdfc1d
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion .github/workflows/release-winget.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,21 @@ on:
required: true
default: 'latest'

permissions:
id-token: write # required for Azure login via OIDC

jobs:
release:
runs-on: windows-latest
environment: release
steps:
- name: Log into Azure
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Publish manifest with winget-create
run: |
# Get correct release asset
Expand All @@ -37,5 +47,5 @@ jobs:
# Submit manifests
$manifestDirectory = Split-Path "$manifestPath"
.\wingetcreate.exe submit -t "${{ secrets.WINGET_TOKEN }}" $manifestDirectory
.\wingetcreate.exe submit -t "(az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value")" $manifestDirectory
shell: powershell

0 comments on commit fcdfc1d

Please sign in to comment.