ci: clean Azure Key Vault secret retrieval in reusable reviews

Mehdi-Bl · Mehdi-Bl · commit 3c02b46d02c2 · 2026-02-19T02:41:52.000Z
diff --git a/.github/workflows/reusable-claude-review.yml b/.github/workflows/reusable-claude-review.yml
@@ -109,23 +109,29 @@ jobs:
           client-id: ${{ inputs.azure_client_id }}
           tenant-id: ${{ inputs.azure_tenant_id }}
           subscription-id: ${{ inputs.azure_subscription_id }}
+          enable-AzPSSession: true
 
       - name: Fetch Claude OAuth token from Azure Key Vault
         id: keyvault
+        uses: azure/powershell@6101bc5f8a23168669e44f7e68db621ec5ecbc6e # v2
         env:
           AZURE_KEY_VAULT_NAME: ${{ inputs.azure_key_vault_name }}
           CLAUDE_SECRET_NAME: ${{ inputs.claude_secret_name }}
-        run: |
-          set -euo pipefail
+        with:
+          azPSVersion: latest
+          inlineScript: |
+            $ErrorActionPreference = "Stop"
 
-          claude_token="$(az keyvault secret show --vault-name "${AZURE_KEY_VAULT_NAME}" --name "${CLAUDE_SECRET_NAME}" --query value -o tsv)"
-          if [ -z "${claude_token}" ]; then
-            echo "Failed to read Claude token from Azure Key Vault secret '${CLAUDE_SECRET_NAME}'."
-            exit 1
-          fi
+            $vaultName = $env:AZURE_KEY_VAULT_NAME
+            $secretName = $env:CLAUDE_SECRET_NAME
+            $claudeToken = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
+
+            if ([string]::IsNullOrWhiteSpace($claudeToken)) {
+              throw "Failed to read Claude token from Azure Key Vault secret '$secretName'."
+            }
 
-          echo "::add-mask::${claude_token}"
-          echo "claude_code_oauth_token=${claude_token}" >> "${GITHUB_OUTPUT}"
+            Write-Output "::add-mask::$claudeToken"
+            "claude_code_oauth_token=$claudeToken" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
 
       - name: Resolve pull request metadata
         id: pr
diff --git a/.github/workflows/reusable-opencode-review.yml b/.github/workflows/reusable-opencode-review.yml
@@ -180,23 +180,29 @@ jobs:
           client-id: ${{ inputs.azure_client_id }}
           tenant-id: ${{ inputs.azure_tenant_id }}
           subscription-id: ${{ inputs.azure_subscription_id }}
+          enable-AzPSSession: true
 
       - name: Fetch OpenCode model key from Azure Key Vault
         id: keyvault
+        uses: azure/powershell@6101bc5f8a23168669e44f7e68db621ec5ecbc6e # v2
         env:
           AZURE_KEY_VAULT_NAME: ${{ inputs.azure_key_vault_name }}
           ZHIPU_SECRET_NAME: ${{ inputs.zhipu_secret_name }}
-        run: |
-          set -euo pipefail
+        with:
+          azPSVersion: latest
+          inlineScript: |
+            $ErrorActionPreference = "Stop"
 
-          zhipu_api_key="$(az keyvault secret show --vault-name "${AZURE_KEY_VAULT_NAME}" --name "${ZHIPU_SECRET_NAME}" --query value -o tsv)"
-          if [ -z "${zhipu_api_key}" ]; then
-            echo "Failed to read OpenCode API key from Azure Key Vault secret '${ZHIPU_SECRET_NAME}'."
-            exit 1
-          fi
+            $vaultName = $env:AZURE_KEY_VAULT_NAME
+            $secretName = $env:ZHIPU_SECRET_NAME
+            $zhipuApiKey = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
+
+            if ([string]::IsNullOrWhiteSpace($zhipuApiKey)) {
+              throw "Failed to read OpenCode API key from Azure Key Vault secret '$secretName'."
+            }
 
-          echo "::add-mask::${zhipu_api_key}"
-          echo "zhipu_api_key=${zhipu_api_key}" >> "${GITHUB_OUTPUT}"
+            Write-Output "::add-mask::$zhipuApiKey"
+            "zhipu_api_key=$zhipuApiKey" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
 
       - name: Resolve pull request metadata
         id: pr
