From 0cfddca6573e84798c72aee5667d26a29d8464bd Mon Sep 17 00:00:00 2001
From: David Britch
Date: Mon, 2 Dec 2024 08:58:15 +0000
Subject: [PATCH] Update QUEST workflows. (#545)
---
 .github/workflows/quest-bulk.yml | 29 ++++++++++++++++++-----------
 .github/workflows/quest.yml | 22 +++++++++++++---------
 2 files changed, 31 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/quest-bulk.yml b/.github/workflows/quest-bulk.yml
index ddf7d0ef8..441508721 100644
--- a/.github/workflows/quest-bulk.yml
+++ b/.github/workflows/quest-bulk.yml
@@ -1,13 +1,20 @@
 name: "bulk quest import"
 on:
 schedule:
- - cron: '0 6 * * *' # UTC time, that's 6pm UTC, 1pm EST.
+ - cron: '0 2 * * *' # UTC time, that's 9:00 pm EST, 6:00 pm PST.
 workflow_dispatch:
 inputs:
 reason:
 description: "The reason for running the bulk import workflow"
 required: true
 default: "Initial import into Quest (Azure DevOps)"
+ duration:
+ description: "The duration of the query, in days, to search for issues. Defaults to 5 days."
+ required: false
+ default: "5"
+
+permissions:
+ contents: read
 jobs:
 bulk-import:
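Review bot: The new `duration` input is declared as an untyped free-form string (`required: false`, `default: "5"`), so a non-numeric value is accepted at dispatch time and only fails later inside the sequester action; `workflow_dispatch` inputs support `type: number`, so `type: number` with `default: 5` would reject bad values before the job starts. The inputs are otherwise only handed to the action through `with:` in the next hunk, which is the safe place for them; the existing `echo "Reason: ${{ github.event.inputs.reason }}"` in that hunk interpolates `reason` straight into a shell command instead, and should read it through an `env:` entry (`REASON: ${{ github.event.inputs.reason }}` then `echo "Reason: $REASON"`) so the input is never parsed as shell. The workflow-level `permissions: contents: read` is the right default and the job-level `issues: write` / `id-token: write` still apply to the job as intended.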
@@ -16,36 +23,36 @@ jobs:
 issues: write
 id-token: write
 if: ${{ github.repository_owner == 'dotnet' }}
- steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
+ - name: "Print manual bulk import run reason"
 if: ${{ github.event_name == 'workflow_dispatch' }}
 run: |
 echo "Reason: ${{ github.event.inputs.reason }}"
 - name: Azure OpenID Connect
- uses: azure/login@v2
+ id: azure-oidc-auth
+ uses: dotnet/docs-tools/.github/actions/oidc-auth-flow@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
 with:
 client-id: ${{ secrets.CLIENT_ID }}
 tenant-id: ${{ secrets.TENANT_ID }}
 audience: ${{ secrets.OSMP_API_AUDIENCE }}
- allow-no-subscriptions: true
-
- - name: OSMP API access
- run: |
- TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
- echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
 - name: bulk-sequester
 id: bulk-sequester
- uses: dotnet/docs-tools/actions/sequester@main
+ uses: dotnet/docs-tools/actions/sequester@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
- ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
 ImportOptions__ApiKeys__QuestKey: ${{ secrets.QUEST_KEY }}
+ ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
 ImportOptions__ApiKeys__SequesterPrivateKey: ${{ secrets.SEQUESTER_PRIVATEKEY }}
 ImportOptions__ApiKeys__SequesterAppID: ${{ secrets.SEQUESTER_APPID }}
 with:
 org: ${{ github.repository_owner }}
 repo: ${{ github.repository }}
 issue: '-1'
+ duration: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.duration || 5 }}
diff --git a/.github/workflows/quest.yml b/.github/workflows/quest.yml
index 482789ce0..f41a674d0 100644
--- a/.github/workflows/quest.yml
+++ b/.github/workflows/quest.yml
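Review bot: `ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}` on bulk-sequester still reads a job environment variable, but the `OSMP API access` step that wrote `AZURE_ACCESS_TOKEN` to `$GITHUB_ENV` is removed, so the value now depends entirely on the `oidc-auth-flow` composite action exporting that exact variable name — nothing in the hunk shows that it does, and the new `id: azure-oidc-auth` is never referenced. If the action publishes the token as a step output, wire it explicitly (`${{ steps.azure-oidc-auth.outputs.<output-name> }}`, with the name taken from the action's `action.yml`); otherwise add a fail-fast step between the two, `- run: test -n "$AZURE_ACCESS_TOKEN"`, so an empty token is caught here instead of surfacing as a failed API call inside the import. `egress-policy: audit` on the new Harden Runner step only records outbound connections; once the audit runs have shown which endpoints this job needs, move to `egress-policy: block` with an `allowed-endpoints:` list so unexpected outbound traffic from a job holding `GITHUB_TOKEN`, `QUEST_KEY` and the sequester private key is refused rather than merely logged. Both points apply equally to the quest.yml hunks at `@@ -21,9 +24,15 @@` and `@@ -31,23 +40,18 @@`.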
@@ -10,6 +10,9 @@ on:
 description: "The issue number to manually test"
 required: true
+permissions:
+ contents: read
+
 jobs:
 import:
 if: |
@@ -21,9 +24,15 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 issues: write
+ pull-requests: write
 id-token: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+ with:
+ egress-policy: audit
+
 - name: "Print manual run reason"
 if: ${{ github.event_name == 'workflow_dispatch' }}
 run: |
@@ -31,23 +40,18 @@ jobs:
 echo "Issue number: ${{ github.event.inputs.issue }}"
 - name: Azure OpenID Connect
- uses: azure/login@v2
+ id: azure-oidc-auth
+ uses: dotnet/docs-tools/.github/actions/oidc-auth-flow@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
 with:
 client-id: ${{ secrets.CLIENT_ID }}
 tenant-id: ${{ secrets.TENANT_ID }}
 audience: ${{ secrets.OSMP_API_AUDIENCE }}
- allow-no-subscriptions: true
-
- - name: OSMP API access
- run: |
- TOKEN=$(az account get-access-token --query 'accessToken' -o tsv --resource ${{ secrets.OSMP_API_AUDIENCE }})
- echo "AZURE_ACCESS_TOKEN=$TOKEN" >> $GITHUB_ENV
 # This step occurs when ran manually, passing the manual issue number input
 - name: manual-sequester
 if: ${{ github.event_name == 'workflow_dispatch' }}
 id: manual-sequester
- uses: dotnet/docs-tools/actions/sequester@main
+ uses: dotnet/docs-tools/actions/sequester@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
 ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}
@@ -63,7 +67,7 @@ jobs:
 - name: auto-sequester
 if: ${{ github.event_name != 'workflow_dispatch' }}
 id: auto-sequester
- uses: dotnet/docs-tools/actions/sequester@main
+ uses: dotnet/docs-tools/actions/sequester@5e8bcc78465d45a7544bba56509a1a69922b6a5a # main
 env:
 ImportOptions__ApiKeys__GitHubToken: ${{ secrets.GITHUB_TOKEN }}
 ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN
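Review bot: `pull-requests: write` is added to the `import` job's permissions in the `@@ -21,9 +24,15 @@` hunk, but no step in this or the following hunks visibly touches pull requests, and the quest-bulk.yml job in the same commit runs with only `issues: write` and `id-token: write`. If the sequester action needs the scope (presumably for issues linked to pull requests — to be confirmed against the action), record that above the line, e.g. `# pull-requests: write is required by sequester to <reason>`; otherwise drop it so the job token keeps the minimum scope.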
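Review bot: `ImportOptions__ApiKeys__AzureAccessToken: $AZURE_ACCESS_TOKEN` on auto-sequester in the `@@ -63,7 +67,7 @@` hunk is a literal string as far as GitHub Actions is concerned — `env:` values on a `uses:` step are not shell-expanded, only `${{ }}` expressions are evaluated — so unless the sequester action expands `$VAR` itself, the scheduled path hands it the text `$AZURE_ACCESS_TOKEN` rather than the token, while the manual-sequester step above uses `${{ env.AZURE_ACCESS_TOKEN }}`. Since this commit already re-pins the step, it is the moment to make the two consistent: `ImportOptions__ApiKeys__AzureAccessToken: ${{ env.AZURE_ACCESS_TOKEN }}`. The step's remaining `env:` and `with:` entries continue past the end of the hunk.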