Skip to content

Commit

Permalink
homebrew: switch to using an Azure Key Vault secret (#703)
Browse files Browse the repository at this point in the history
This is a companion to #702: Instead of storing the token used for the
Homebrew release workflow, let's retrieve it from the Key Vault that
already is used to store such information.
  • Loading branch information
dscho authored Oct 29, 2024
2 parents cde0eef + 9d0bdfc commit 90d5460
Showing 1 changed file with 21 additions and 1 deletion.
22 changes: 21 additions & 1 deletion .github/workflows/release-homebrew.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ on:
release:
types: [released]

permissions:
id-token: write # required for Azure login via OIDC

jobs:
release:
runs-on: ubuntu-latest
Expand All @@ -19,10 +22,27 @@ jobs:
asset: /git-(.*)\.pkg/
hash: sha256
token: ${{ secrets.GITHUB_TOKEN }}
- name: Log into Azure
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Retrieve token
id: token
run: |
az keyvault secret show \
--name ${{ secrets.HOMEBREW_TOKEN_SECRET_NAME }} \
--vault-name ${{ secrets.AZURE_VAULT }} \
--query "value" -o tsv >token &&
# avoid outputting the token under `set -x` by using `sed` instead of `echo`
sed s/^/::add-mask::/ <token &&
sed s/^/result=/ <token >>$GITHUB_OUTPUT &&
rm token
- name: Update scalar Cask
uses: mjcheetham/[email protected]
with:
token: ${{ secrets.HOMEBREW_TOKEN }}
token: ${{ steps.token.outputs.result }}
tap: microsoft/git
name: microsoft-git
type: cask
Expand Down

0 comments on commit 90d5460

Please sign in to comment.