[BRE-831] migrate secrets AKV (#87)

pixman20 · web-flow · commit 1aeb48d2704f · 2025-07-18T14:11:10.000-04:00
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -6,12 +6,15 @@ on:
 
 jobs:
   publish:
-    runs-on: ubuntu-latest
+    name: Publish
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
+      id-token: write
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install poetry
         run: pipx install poetry
       - name: Set up Python
@@ -23,7 +26,21 @@ jobs:
         run: poetry env use 3.9
       - name: Environment information
         run: poetry env info
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-passwordless-python
+          secrets: "PYPI-TOKEN"
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
       - name: Configure PYPI
-        run: poetry config pypi-token.pypi ${{ secrets.PYPI_TOKEN }}
+        run: poetry config pypi-token.pypi ${{ steps.get-kv-secrets.outputs.PYPI-TOKEN }}
       - name: Publish to PYPI
         run: poetry publish --build
