From 3b0222c6b55a9ea92afbc59f40448050388e6766 Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Fri, 24 Jan 2025 16:22:15 +0100
Subject: [PATCH] Update main workflow to use GitHub App token for deployment
---
 .github/workflows/main.yml | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e8ec078ef..b8ced670a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -237,21 +237,18 @@ jobs:
 permissions: {} # no permissions required
 steps:
- - name: Log in to Azure - CI subscription
- uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+ - name: Generate GH App token
+ uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
+ id: app-token
 with:
- creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
- - name: Retrieve GitHub PAT secrets
- id: retrieve-secret-pat
- uses: bitwarden/gh-actions/get-keyvault-secrets@main
- with:
- keyvault: "bitwarden-ci"
- secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+ app-id: ${{ secrets.BW_GHAPP_ID }}
+ private-key: ${{ secrets.BW_GHAPP_KEY }}
+ owner: bitwarden
+ repositories: passwordless-devops
 
 - name: Dispatch deployment
 env:
- GITHUB_TOKEN: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+ GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
 run: >
 gh workflow run deploy-passwordless-server.yml
 --repo bitwarden/passwordless-devops
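Review bot: The token minted in the new `Generate GH App token` step carries every permission the app installation holds, while the `Dispatch deployment` step that consumes it via `GITHUB_TOKEN` only needs `actions: write` on the single target repository; the added `owner`/`repositories` inputs narrow the repository scope but not the permission set. If the pinned v1.11.1 of actions/create-github-app-token accepts the `permission-*` inputs (introduced in the 1.11 line), add `permission-actions: write` alongside `repositories: passwordless-devops` under the unchanged `with:` context line so the short-lived token is least-privilege rather than installation-wide. The action revokes the token in its post step unless `skip-token-revoke` is set, which the hunk does not do, so the lifetime is already bounded to the job. A one-line comment above the step, e.g. `# Installation token scoped to bitwarden/passwordless-devops, replaces the Key Vault-stored PAT`, would record why the Azure login and PAT retrieval steps were dropped.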