Onboard .NET Docker Bot to secret manager (#1405)

ellahathaway · web-flow · commit f43564d70c70 · 2024-08-21T12:59:39.000-07:00
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -0,0 +1,13 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "microsoft.dnceng.secretmanager": {
+      "version": "1.1.0-beta.24413.3",
+      "commands": [
+        "secret-manager"
+      ],
+      "rollForward": false
+    }
+  }
+}
diff --git a/.vault-config/secrets.yaml b/.vault-config/secrets.yaml
@@ -0,0 +1,19 @@
+# Partially copied from https://github.com/dotnet/arcade/blob/dfc6882da43decb37f12e0d9011ce82b25225578/.vault-config/product-builds-dnceng-pipeline-secrets.yaml
+
+storageLocation:
+  type: azure-key-vault
+  parameters:
+    name: DotnetDockerKeyVault
+    subscription: 941d4baa-5ef2-462e-b4b1-505791294610
+
+secrets:
+  BotAccount-dotnet-docker-bot:
+    type: github-account
+    parameters:
+      Name: dotnet-docker-bot
+
+  BotAccount-dotnet-docker-bot-PAT:
+    type: github-access-token
+    parameters:
+      gitHubBotAccountSecret: BotAccount-dotnet-docker-bot
+      gitHubBotAccountName: dotnet-docker-bot
diff --git a/eng/pipelines/secret-management-weekly.yml b/eng/pipelines/secret-management-weekly.yml
@@ -0,0 +1,47 @@
+trigger: none
+
+schedules:
+- cron: 0 12 * * 0
+  displayName: Weekly Sunday build
+  branches:
+    include:
+    - main
+  always: true
+
+stages:
+- stage: SynchronizeSecrets
+  jobs:
+  - job: Synchronize
+    displayName: Synchronize secrets
+    pool:
+      name: NetCore1ESPool-Internal
+      demands: ImageOverride -equals 1es-windows-2019
+
+    steps:
+    - task: UseDotNet@2
+      displayName: Install .NET 8.0 SDK
+      inputs:
+        packageType: sdk
+        version: 8.0.x
+        installationPath: '$(Build.Repository.LocalPath)/.dotnet'
+
+    - task: UseDotNet@2
+      displayName: Install .NET 6.0 runtime
+      inputs:
+        packageType: runtime
+        version: 6.0.x
+        installationPath: '$(Build.Repository.LocalPath)/.dotnet'
+
+    - powershell: .dotnet/dotnet tool restore --tool-manifest .config/dotnet-tools.json
+      workingDirectory: $(Build.Repository.LocalPath)
+      displayName: Restore secret-manager
+
+    - task: AzureCLI@2
+      inputs:
+        azureSubscription: DotNet Eng Services Secret Manager
+        scriptType: pscore
+        scriptLocation: inlineScript
+        inlineScript: |
+          Get-ChildItem .vault-config/*.yaml |% { .dotnet/dotnet secret-manager synchronize $_}
+        workingDirectory: $(Build.Repository.LocalPath)
+      displayName: Run secret-manager synchronize
