From 6ab087b13674a0e6a48c2aee1cdc6787c5acc7e5 Mon Sep 17 00:00:00 2001
From: Lessley Dennington
Date: Mon, 5 Jun 2023 13:37:42 -0600
Subject: [PATCH] release: move secrets to workflow environment
Migrate applicable secrets to a new 'release' workflow environment. This is a security measure to help ensure secrets cannot be accessed by those without proper permissions.
---
 .github/workflows/build-git-installers.yml | 6 ++++++
 .github/workflows/release-apt-get.yml | 1 +
 .github/workflows/release-homebrew.yml | 1 +
 .github/workflows/release-winget.yml | 1 +
 4 files changed, 9 insertions(+)
diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index d74556f6d3163c..74b730d5b7b0d7 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -9,6 +9,7 @@ jobs: # Check prerequisites for the workflow prereqs: runs-on: ubuntu-latest
+ environment: release
 env: AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }} AZ_CREDS: ${{ secrets.AZURE_CREDENTIALS }}
@@ -56,6 +57,7 @@ jobs: # Build Windows installers (x86_64 installer & portable) windows_pkg: runs-on: windows-2019
+ environment: release
 needs: prereqs env: GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback"
@@ -151,6 +153,7 @@ jobs: path: artifacts windows_artifacts: runs-on: windows-2019
+ environment: release
 needs: [prereqs, windows_pkg] env: HOME: "${{github.workspace}}\\home"
@@ -377,6 +380,7 @@ jobs: osx_sign_payload: # ESRP service requires signing to run on Windows runs-on: windows-latest
+ environment: release
 needs: osx_build steps: - name: Check out repository
@@ -484,6 +488,7 @@ jobs: osx_sign_and_notarize_pkg: # ESRP service requires signing to run on Windows runs-on: windows-latest
+ environment: release
 needs: osx_pack steps: - name: Check out repository
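Review bot: The `environment: release` line added to `prereqs` (and, in the same way, to `windows_pkg`, `windows_artifacts`, `osx_sign_payload`, `osx_sign_and_notarize_pkg`, `ubuntu_sign-artifacts`, and the `release` jobs in release-apt-get.yml, release-homebrew.yml and release-winget.yml) only scopes where the secrets are resolved from; it restricts who can reach them only if the `release` environment itself carries protection rules, which nothing in the patch can show. Without required reviewers and a deployment-branch/tag restriction on the environment, any workflow run on any branch can declare the same `environment: release` and read `AZURE_SUBSCRIPTION` and `AZURE_CREDENTIALS`, so the commit message's claim depends on that configuration rather than on these lines. I would record that dependency at the first use, e.g. `environment: release  # secrets are resolved from this environment; its protection rules are what gate access`, and confirm the repository-level copies of the migrated secrets were removed so no job outside the environment still resolves them. Note also that `prereqs` now waits on the environment before anything else runs; if reviewers are required, check that the approval flow for a six-job workflow is acceptable.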
@@ -660,6 +665,7 @@ jobs: path: artifacts/ ubuntu_sign-artifacts: runs-on: windows-latest # Must be run on Windows due to ESRP executable OS compatibility
+ environment: release
 needs: [ubuntu_build, prereqs] if: needs.prereqs.outputs.deb_signable == 'true' env:
diff --git a/.github/workflows/release-apt-get.yml b/.github/workflows/release-apt-get.yml
index 756053df18e1ec..65a839bdc26a84 100644
--- a/.github/workflows/release-apt-get.yml
+++ b/.github/workflows/release-apt-get.yml
@@ -13,6 +13,7 @@ on: jobs: release: runs-on: ubuntu-latest
+ environment: release
 steps: - uses: actions/checkout@v3
diff --git a/.github/workflows/release-homebrew.yml b/.github/workflows/release-homebrew.yml
index 87ce3f1ca3ea1c..e2a2634ff60c97 100644
--- a/.github/workflows/release-homebrew.yml
+++ b/.github/workflows/release-homebrew.yml
@@ -6,6 +6,7 @@ on: jobs: release: runs-on: ubuntu-latest
+ environment: release
 steps: - id: version name: Compute version number
diff --git a/.github/workflows/release-winget.yml b/.github/workflows/release-winget.yml
index c631f42b33a271..61010a5ce65abb 100644
--- a/.github/workflows/release-winget.yml
+++ b/.github/workflows/release-winget.yml
@@ -13,6 +13,7 @@ on: jobs: release: runs-on: windows-latest
+ environment: release
 steps: - name: Publish manifest with winget-create run: |
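Review bot: In the release-apt-get.yml hunk, the `release` job now resolves environment secrets but its first step still uses `actions/checkout@v3`, a floating major tag; for a job that handles release credentials, pinning to a full commit SHA narrows what a moved upstream tag can pull into the job, e.g. `- uses: actions/checkout@<FULL_COMMIT_SHA_PLACEHOLDER>  # v3`. The `steps:` lists in this hunk and in the release-homebrew.yml and release-winget.yml hunks run past the hunk boundary, so whether the remaining actions there are pinned cannot be seen here. The same check is worth applying to the jobs in build-git-installers.yml that were moved into the environment, whose steps are likewise outside the hunks.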