GitHub Onboarding — Juan Munoz

Purpose: Get Juan set up with the secops-pipeline repo so he can pull scripts for Azure Automation graduation and reference runbook documentation.

Last updated: 2026-03-18

1. One-Time Setup

Create GitHub Account

Go to https://github.com and create a free account
Use your juanmunoz@pacificdebt.com email
Tell Max your GitHub username so he can send the collaborator invite

Accept Collaborator Invite

Check your email for an invite from MaxSimonPacificDebt
Click "Accept invitation"
You now have read access to https://github.com/MaxSimonPacificDebt/secops-pipeline

Install Git on Windows

Open PowerShell as admin and run:

winget install Git.Git

Close and reopen PowerShell after install.

Clone the Repo

cd C:\Users\juanmunoz
git clone https://github.com/MaxSimonPacificDebt/secops-pipeline.git
cd secops-pipeline

This creates a local copy of the entire repo on your machine.

VS Code (Optional but Recommended)

Install VS Code: winget install Microsoft.VisualStudioCode
Open the repo: File > Open Folder > C:\Users\juanmunoz\secops-pipeline
VS Code has built-in Git integration — you'll see changes, history, and can pull from the Source Control tab

1b. Bitwarden Secrets Manager Setup (One-time, ~15 minutes)

Why This Matters

The credential bus (Get-SecOpsCredential.ps1) pulls all API keys, tokens, and credentials from Bitwarden Secrets Manager at runtime. Without this setup, scripts cannot authenticate to any service. Do NOT create a .env file with hardcoded credentials — Bitwarden is the secure source of truth.

Step 1 — Accept the Bitwarden Invitation

Check your email for an invitation from Bitwarden Secrets Manager. Accept it and create your account at vault.bitwarden.com.

You have been granted Read access to two projects:

secops-pipeline — Veriato, Slack, Graph API credentials
service-desk — Zendesk credentials

Step 2 — Install Bitwarden Secrets Manager CLI

On Windows (PowerShell as Admin):

winget install Bitwarden.SecretsManagerCLI

Verify installation:

bws --version

Step 3 — Generate Your Access Token

Log into vault.bitwarden.com → Secrets Manager
Machine Accounts → svc-secops-pipeline → Access Tokens → Create Access Token
Name it: juan-local-dev
Copy the token immediately — it is only shown once

Step 4 — Add Token to Your Environment

Add this to your PowerShell profile so it loads automatically:

$env:BITWARDEN_SM_ACCESS_TOKEN = "your-token-here"

To find your PowerShell profile path:

$PROFILE

Open that file and add the line above with your actual token. Restart PowerShell after saving.

Step 5 — Test the Credential Bus

Navigate to the secops-pipeline repo and run:

cd C:\Users\juanmunoz\secops-pipeline
. .\scripts\powershell\Get-SecOpsCredential.ps1
Get-SecOpsCredential -SecretKey 'VERIATO_API_KEY'

If it returns a value without error — you are connected.

If it returns nothing or errors — contact Max.

Step 6 — Add Required Local Environment Variables

These are NOT secrets so they go in your PowerShell profile alongside the Bitwarden token:

$env:TEST_USER_UPN = "pdrveriatoservice@pacificdebt.com"
$env:OPERATOR_NAME = "Juan Munoz"

Open your profile: notepad $PROFILE

Add the two lines above. Save. Restart PowerShell.

Without these two variables, every pipeline script will fail before it reaches Bitwarden SM. The error will say "Missing required environment variables" — this is the fix. You do NOT need a .env file.

Step 7 — Azure Automation Variables (for graduation Stage 3+)

When graduating scripts to Azure Automation, these same values must be set as Automation Account Variables (not encrypted — they are not secrets):

Variable Name	Value	Encrypted
`TEST_USER_UPN`	`pdrveriatoservice@pacificdebt.com`	No
`OPERATOR_NAME`	`svc-secops-pipeline`	No
`BWS_ACCESS_TOKEN`	(your machine account token)	Yes

Set these in: Azure Portal > pdr-sharepoint-automation > Variables > Add Variable

The wrapper scripts (Invoke-VeriatoGovPipeline.ps1, Invoke-ServiceDeskPipeline.ps1) read from Automation Variables when running in Azure Automation context. If these are missing, the runbook will fail at startup with the same "Missing required environment variables" error.

IMPORTANT — Never Do This

Never hardcode credentials in scripts
Never create a .env file with real credentials
Never share your access token with anyone
Never commit credentials to GitHub

Credential Management Responsibilities

Juan: Run scripts using the credential bus. Report any authentication failures to Max immediately.
Max: Owns all secrets, manages rotation schedule, updates Bitwarden when credentials change. Juan does not need to know what secrets contain — only that the bus works.
If a script fails with an auth error, notify Max before attempting any credential troubleshooting.

2. Daily Workflow

Always Pull Latest Before Starting Work

cd C:\Users\juanmunoz\secops-pipeline
git pull origin master

Do this every time before you open a script or runbook. Max pushes updates frequently.

Repo Layout — Where Things Live

Path	What's There
`scripts/powershell/`	All PowerShell scripts (.ps1 files)
`runbooks/`	Step-by-step runbook docs for each script
`data/`	CSV exports from scripts (Power BI feeds)
`evidence/`	SOC 2 compliance evidence (do not modify)
`logs/`	Script execution logs
`PROJECTS.md`	Active project tracker
`PROJECT-CLARITY-CONTEXT.md`	Script inventory and quick win tracker

Your Access Level

Read-only — you can pull and view everything, you cannot push changes
If you need a script modified, tell Max and he will update it in the repo
Always pull the latest version before uploading anything to Azure Automation

3. Azure Automation Graduation (Your Primary Job)

This is the main reason you need repo access. When graduating a script to Azure Automation:

Step-by-Step

Pull latest:

```powershell

cd C:\Users\juanmunoz\secops-pipeline

git pull origin master

```

Navigate to the script:

```powershell

cd scripts\powershell

```

The .ps1 file is ready to upload — copy it directly into Azure Automation as a runbook
Read the matching runbook doc in runbooks/ BEFORE running anything
Follow the 8-stage graduation path documented in CLAUDE.md

Do NOT Modify Scripts

Credential handling is already built in. Every script uses Get-SecOpsCredential.ps1 to pull secrets from Bitwarden SM (or .env fallback). Do not change the credential variable names or add your own.
Auth patterns are standardized. The Graph API token flow, Zendesk auth, and Veriato auth all follow the same pattern. Do not modify Get-GraphToken, Get-SecOpsCredential, or any $azure* variable assignments.
Azure Automation Credentials vault must have the same variable names the scripts expect. Check the runbook doc for the exact list.

Active Graduation Tickets

Ticket	Script	Priority
#17348	Get-MfaGapReport.ps1	High — weekly Monday 06:00 UTC
#17349	Import-VeriatoProductivity.ps1	Normal — monthly 1st
#17350	Defender P2 license assignment + onboarding	High
#17383	BitLocker remediation (Intune policy)	High

4. What You Should NEVER Do

Modify any script without Max's approval. If something needs changing, tell Max. He will update the repo and you pull the new version.
Hardcode credentials, tenant IDs, or API keys. All secrets come from Bitwarden SM or Azure Automation Credentials vault. Never paste a secret into a script, a runbook variable, or a comment.
Run scripts against production without the -ConfirmProduction flag. Every script defaults to the test account (pdrveriato). Production scope requires explicitly passing -ConfirmProduction.
Skip -WhatIf testing. Always run with -WhatIf first to see what the script would do. Then run against the test account. Then production.
Create your own versions of existing scripts. There is one version of each script, in the repo. Do not create copies, forks, or "Juan's version." If the script doesn't work in Azure Automation, troubleshoot with Max.
Delete or overwrite files in evidence/. Evidence files are immutable compliance artifacts. Never delete, rename, or modify them.

5. Who to Contact

Question	First Step	Then
How does a script work?	Read the runbook in `runbooks/`	Ask Max
Script error during graduation	Check the runbook troubleshooting section	Ask Max
Azure Automation config	Check the runbook's AA setup section	Ask Max
Credential not working	Check Bitwarden (IT Shared folder)	Ask Max
Need a script change	Do not change it yourself	Ask Max
Something broke in production	Stop the runbook, document what happened, notify Max immediately	Follow incident response in CLAUDE.md

Source: secops-pipeline/runbooks/GitHub-Onboarding-Juan.md | Last synced: 2026-03-23T08:24:32Z | Do not edit in Zendesk -- changes will be overwritten on next sync.