fixup! homebrew: add GitHub workflow to release Cask

Instead of storing the Personal Access Token in an environment secret, store it in Azure KeyVault instead. This allows for much better auditing when (and where) the secret is used. Ideally, we would even switch away from using a Personal Access Token in the first place. But there is no alternative, such as a Managed Identity on GitHub, where one could define in a fine-grained way which usage scenario can be performed using that identity, and recent reorgs at GitHub suggest that adding such an alternative may not be on the list of priorities at all. So let's just stay with a Personal Access Token, but do safeguard it better by putting it into a KeyVault that can only be accessed by a narrowly-scoped GitHub Actions environment. Signed-off-by: Johannes Schindelin <[email protected]>
dscho · Oct 28, 2024 · 7cf963f · 7cf963f
1 parent cde0eef
commit 7cf963f
Showing 1 changed file with 21 additions and 1 deletion.
diff --git a/.github/workflows/release-homebrew.yml b/.github/workflows/release-homebrew.yml
@@ -3,6 +3,9 @@ on:
   release:
     types: [released]
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -19,10 +22,27 @@ jobs:
         asset: /git-(.*)\.pkg/
         hash: sha256
         token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Log into Azure
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+    - name: Retrieve token
+      id: token
+      run: |
+        az keyvault secret show \
+          --name ${{ secrets.HOMEBREW_TOKEN_SECRET_NAME }} \
+          --vault-name ${{ secrets.AZURE_VAULT }} \
+          --query "value" -o tsv >token &&
+        # avoid outputting the token under `set -x` by using `sed` instead of `echo`
+        sed s/^/::add-mask::/ <token &&
+        sed s/^/result=/ <token >>$GITHUB_OUTPUT &&
+        rm token
     - name: Update scalar Cask
       uses: mjcheetham/[email protected]
       with:
-        token: ${{ secrets.HOMEBREW_TOKEN }}
+        token: ${{ steps.token.outputs.result }}
         tap: microsoft/git
         name: microsoft-git
         type: cask