release: move secrets to workflow environment

Migrate applicable secrets to a new 'release' workflow environment. This is a security measure to help ensure secrets cannot be accessed by those without proper permissions.
microsoft · Aug 8, 2023 · 6ab087b · 6ab087b
1 parent cbbefe1
commit 6ab087b
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 0 deletions.
diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
@@ -9,6 +9,7 @@ jobs:
   # Check prerequisites for the workflow
   prereqs:
     runs-on: ubuntu-latest
+    environment: release
     env:
       AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }}
       AZ_CREDS: ${{ secrets.AZURE_CREDENTIALS }}
@@ -56,6 +57,7 @@ jobs:
   # Build Windows installers (x86_64 installer & portable)
   windows_pkg:
     runs-on: windows-2019
+    environment: release
     needs: prereqs
     env:
       GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback"
@@ -151,6 +153,7 @@ jobs:
           path: artifacts
   windows_artifacts:
     runs-on: windows-2019
+    environment: release
     needs: [prereqs, windows_pkg]
     env:
       HOME: "${{github.workspace}}\\home"
@@ -377,6 +380,7 @@ jobs:
   osx_sign_payload:
     # ESRP service requires signing to run on Windows
     runs-on: windows-latest
+    environment: release
     needs: osx_build
     steps:
     - name: Check out repository
@@ -484,6 +488,7 @@ jobs:
   osx_sign_and_notarize_pkg:
     # ESRP service requires signing to run on Windows
     runs-on: windows-latest
+    environment: release
     needs: osx_pack
     steps:
     - name: Check out repository
@@ -660,6 +665,7 @@ jobs:
           path: artifacts/
   ubuntu_sign-artifacts:
     runs-on: windows-latest # Must be run on Windows due to ESRP executable OS compatibility
+    environment: release
     needs: [ubuntu_build, prereqs]
     if: needs.prereqs.outputs.deb_signable == 'true'
     env:

diff --git a/.github/workflows/release-apt-get.yml b/.github/workflows/release-apt-get.yml
@@ -13,6 +13,7 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    environment: release
     steps:
       - uses: actions/checkout@v3
 

diff --git a/.github/workflows/release-homebrew.yml b/.github/workflows/release-homebrew.yml
@@ -6,6 +6,7 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    environment: release
     steps:
     - id: version
       name: Compute version number

diff --git a/.github/workflows/release-winget.yml b/.github/workflows/release-winget.yml
@@ -13,6 +13,7 @@ on:
 jobs:
   release:
     runs-on: windows-latest
+    environment: release
     steps:
       - name: Publish manifest with winget-create
         run: |