From f62575ecd8a269bdc202d5fea1360b3ef5f66b48 Mon Sep 17 00:00:00 2001
From: Ekaterina Kukushkina
Date: Fri, 1 May 2026 15:52:12 +0100
Subject: [PATCH] get secrets from azure keyvault
---
 .github/workflows/cleanup.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
index 0c20492a3..6f21629f9 100644
--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -17,15 +17,21 @@ permissions:
 env:
 DEFAULT_RETENTION_DAYS: "30"
- AWSAccount: ${{ secrets.AWS_ACCOUNT_ID }}
- AWSRoleName: ${{ secrets.AWS_ROLE_NAME }}
- AWSS3Bucket: "nginx-org-staging"
 jobs:
 cleanup:
 runs-on: ubuntu-24.04
 if: github.repository == 'nginx/nginx.org'
 steps:
+ - name: Get secrets from Azure
+ uses: nginx/ci-self-hosted/.github/actions/get-from-vault@0fc1fc087a55f75740cebba008010c812b6d0da2
+ with:
+ client-id: ${{secrets.NGINX_ORG_CLIENT_ID}}
+ tenant-id: ${{secrets.NGINX_ORG_TENANT_ID}}
+ vault-name: ${{secrets.NGINX_ORG_VAULT_NAME}}
+ secret-names: "NginxOrgAwsAccountID, NginxOrgAwsRoleName, NginxOrgAwsS3Bucket"
+ env-names: "AWSAccount, AWSRoleName, AWSS3Bucket"
+
 - name: Configure AWS credentials via OIDC (assume role)
 uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
 with:
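Review bot: The account ID and role name were previously GitHub secrets, which the runner masks in logs automatically; in the added `Get secrets from Azure` step they are exported as ordinary environment variables through `env-names`, so log masking now depends on whether `get-from-vault` registers each fetched value with `::add-mask::`, which is not visible here and should be confirmed before merging. `secret-names` and `env-names` appear to be paired purely by position, so reordering one list would silently bind the wrong vault value to `AWSRoleName`; a comment above them such as `# secret-names[i] is exported as env-names[i]; keep both lists in the same order` would make that contract explicit. The full-SHA pin on the new `uses:` line is good, and a trailing version comment like the `# v4` on the following step would keep the pin auditable. The `steps:` list and the `with:` block of the next step continue outside the hunk.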