diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml
index 9c670f01c65..b17cb816336 100644
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -31,6 +31,9 @@ on: description: "Custom image tag extension" required: false +env: + _AZ_REGISTRY: bitwardenprod.azurecr.io + jobs: cloc: name: CLOC
@@ -65,8 +68,7 @@ jobs: build-artifacts: name: Build artifacts runs-on: ubuntu-22.04 - needs: - - setup + needs: setup env: _VERSION: ${{ needs.setup.outputs.version }} strategy:
@@ -146,13 +148,10 @@ jobs: matrix: include: - artifact_name: cloud-QA - registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] image_name: web-qa-cloud - artifact_name: ee - registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] image_name: web-ee - artifact_name: selfhosted-COMMERCIAL - registries: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] image_name: web env: _VERSION: ${{ needs.setup.outputs.version }} 
@@ -174,21 +173,25 @@ jobs: fi ########## ACRs ########## - - name: Login to Azure - QA + - name: Login to Prod Azure uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: - creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }} + creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - - name: Log into QA container registry - run: az acr login -n bitwardenqa + - name: Log into Prod container registry + run: az acr login -n bitwardenprod - - name: Login to Azure - Prod + - name: Login to Azure - CI Subscription uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - - name: Log into Prod container registry - run: az acr login -n bitwardenprod + - name: Retrieve github PAT secrets + id: retrieve-secret-pat + uses: bitwarden/gh-actions/get-keyvault-secrets@f096207b7a2f31723165aee6ad03e91716686e78 + with: + keyvault: "bitwarden-ci" + secrets: "github-pat-bitwarden-devops-bot-repo-scope" - name: Download ${{ matrix.artifact_name }} artifact uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 
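Review bot: The new `Retrieve github PAT secrets` step pins `bitwarden/gh-actions/get-keyvault-secrets` to a bare SHA (`f096207b…`) while the neighbouring `Azure/login` and `download-artifact` pins carry a `# vX.Y.Z` comment, so a reader cannot tell which release of the action this is or whether it moved on purpose from the `a30e9c3d…` pin the old step used; add the tag comment, e.g. `uses: bitwarden/gh-actions/get-keyvault-secrets@f096207b7a2f31723165aee6ad03e91716686e78 # <tag>`. The step ordering also deserves a comment: `Login to Azure - CI Subscription` replaces the CLI session that `Login to Prod Azure` established, and the later `docker push` appears to succeed only because `az acr login -n bitwardenprod` already left a registry token in the Docker config. Retrieving the PAT under the CI principal first and performing the prod `Azure/login` + `az acr login` last would keep the production credential in the job only for the push, and a comment such as `# az acr login caches a registry token in ~/.docker/config.json; the CLI context is switched to the CI subscription below` would make the dependency explicit either way.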
@@ -218,37 +221,17 @@ jobs: echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT - - name: Generate tag list - id: tag-list - env: - IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} - PROJECT_NAME: ${{ matrix.image_name }} - run: echo "tags=bitwardenqa.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG},bitwardenprod.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT - ########## Build Image ########## - name: Extract artifact working-directory: apps/web run: unzip web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip - - name: Login to Azure - uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 - with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - - - name: Retrieve github PAT secrets - id: retrieve-secret-pat - uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c - with: - keyvault: "bitwarden-ci" - secrets: "github-pat-bitwarden-devops-bot-repo-scope" - - - name: Setup DCT - if: ${{ env.is_publish_branch == 'true' }} - id: setup-dct - uses: bitwarden/gh-actions/setup-docker-trust@a30e9c3d658dc97c4c2e61ec749fdab64b83386c - with: - azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - azure-keyvault-name: "bitwarden-ci" + - name: Generate image full name + id: image-name + env: + IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} + PROJECT_NAME: ${{ matrix.image_name }} + run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT - name: Build Docker image uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1 
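Review bot: `Generate image full name` writes `$IMAGE_TAG` unvalidated into `$GITHUB_OUTPUT`, and the value then becomes the `docker/build-push-action` tag; `image_tag` is produced by the `tag` step above this hunk, which presumably derives it from the branch name and the free-text `Custom image tag extension` dispatch input visible in the workflow header — confirm. If that input is not already constrained in the `tag` step, a value with a newline or characters outside Docker's tag charset would corrupt the outputs file or fail at push time, so guard it here: `[[ "$IMAGE_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "invalid image tag: $IMAGE_TAG" >&2; exit 1; }`, and quote the redirect, `>> "$GITHUB_OUTPUT"`. Separately, this hunk deletes `Setup DCT` and no signing step replaces it on the new side, so the images built by the following step are pushed to the prod ACR unsigned; if that is deliberate, a comment above `Build Docker image` like `# Docker Content Trust was dropped with the DockerHub push; ACR images are currently unsigned` would save the next reviewer the search.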
@@ -257,21 +240,10 @@ jobs: file: apps/web/Dockerfile platforms: linux/amd64 push: true - tags: ${{ steps.tag-list.outputs.tags }} + tags: ${{ steps.image-name.outputs.name }} secrets: | "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" - - name: Push to DockerHub - if: contains(matrix.registries, 'bitwarden') && env.is_publish_branch == 'true' - env: - IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} - PROJECT_NAME: ${{ matrix.image_name }} - DOCKER_CONTENT_TRUST: 1 - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} - run: | - docker tag bitwardenprod.azurecr.io/$PROJECT_NAME:$IMAGE_TAG bitwarden/$PROJECT_NAME:$IMAGE_TAG - docker push bitwarden/$PROJECT_NAME:$IMAGE_TAG - - name: Log out of Docker run: docker logout
@@ -279,8 +251,7 @@ jobs: crowdin-push: name: Crowdin Push if: github.ref == 'refs/heads/master' - needs: - - build-artifacts + needs: build-artifacts runs-on: ubuntu-22.04 steps: - name: Checkout repo
diff --git a/.github/workflows/release-web.yml b/.github/workflows/release-web.yml
index 0a9a0bcb23f..b53542747d9 100644
--- a/.github/workflows/release-web.yml
+++ b/.github/workflows/release-web.yml
@@ -15,6 +15,9 @@ on: - Redeploy - Dry Run +env: + _AZ_REGISTRY: bitwardenprod.azurecr.io + jobs: setup: name: Setup
@@ -46,7 +49,6 @@ jobs: monorepo: true monorepo-project: web - self-host: name: Release self-host docker runs-on: ubuntu-22.04 
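Review bot: After this hunk `Build Docker image` is the only publish path and it pushes to `bitwardenprod.azurecr.io` with no signature: the deleted `Push to DockerHub` step ran under `DOCKER_CONTENT_TRUST: 1`, and nothing on the new side replaces that for the ACR image. If signing or attestation is intended to happen elsewhere, a comment above `push: true` such as `# images are unsigned here; signing/attestation is handled in <workflow>` would record it; otherwise at least surface the pushed digest (the action exposes it as the `digest` step output, if this version is the one I think it is — verify) so `release-web.yml` can promote by digest instead of by mutable tag. Passing the PAT through `secrets:` rather than a build arg is correct, since build args persist in image history; keep it that way. `push: true` is an unconditional context line here and the `is_publish_branch` gate disappeared with the DockerHub step, so confirm that the job-level `if:` (outside the hunk) still keeps non-release branches from writing into the production registry.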
@@ -67,42 +69,6 @@ jobs: - name: Checkout repo uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - ########## DockerHub ########## - - name: Setup DCT - id: setup-dct - uses: bitwarden/gh-actions/setup-docker-trust@a30e9c3d658dc97c4c2e61ec749fdab64b83386c - with: - azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - azure-keyvault-name: "bitwarden-ci" - - - name: Pull branch image - run: | - if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then - docker pull bitwarden/web:latest - else - docker pull bitwarden/web:$_BRANCH_NAME - fi - - - name: Docker Tag version - run: | - if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then - docker tag bitwarden/web:latest bitwarden/web:$_RELEASE_VERSION - else - docker tag bitwarden/web:$_BRANCH_NAME bitwarden/web:$_RELEASE_VERSION - fi - - - name: Docker Push version - if: ${{ github.event.inputs.release_type != 'Dry Run' }} - env: - DOCKER_CONTENT_TRUST: 1 - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} - run: docker push bitwarden/web:$_RELEASE_VERSION - - - name: Log out of Docker and disable Docker Notary - run: | - docker logout - echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV - ########## ACR ########## - name: Login to Azure - PROD Subscription uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 
@@ -112,28 +78,37 @@ jobs: - name: Login to Azure ACR run: az acr login -n bitwardenprod - - name: Tag version - env: - REGISTRY: bitwardenprod.azurecr.io + - name: Pull branch image run: | if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then - docker tag bitwarden/web:latest $REGISTRY/web:$_RELEASE_VERSION - - docker tag bitwarden/web:latest $REGISTRY/web-sh:$_RELEASE_VERSION + docker pull $_AZ_REGISTRY/web:latest else - docker tag bitwarden/web:$_BRANCH_NAME $REGISTRY/web:$_RELEASE_VERSION + docker pull $_AZ_REGISTRY/web:$_BRANCH_NAME + fi - docker tag bitwarden/web:$_BRANCH_NAME $REGISTRY/web-sh:$_RELEASE_VERSION + - name: Tag version + run: | + if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then + docker tag $_AZ_REGISTRY/web:latest $_AZ_REGISTRY/web:dryrun + docker tag $_AZ_REGISTRY/web:latest $_AZ_REGISTRY/web-sh:dryrun + else + docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web:$_RELEASE_VERSION + docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web-sh:$_RELEASE_VERSION + docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web:latest + docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web-sh:latest fi - name: Push version - if: ${{ github.event.inputs.release_type != 'Dry Run' }} - env: - REGISTRY: bitwardenprod.azurecr.io run: | - docker push $REGISTRY/web:$_RELEASE_VERSION - - docker push $REGISTRY/web-sh:$_RELEASE_VERSION + if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then + docker push $_AZ_REGISTRY/web:dryrun + docker push $_AZ_REGISTRY/web-sh:dryrun + else + docker push $_AZ_REGISTRY/web:$_RELEASE_VERSION + docker push $_AZ_REGISTRY/web-sh:$_RELEASE_VERSION + docker push $_AZ_REGISTRY/web:latest + docker push $_AZ_REGISTRY/web-sh:latest + fi - name: Log out of Docker run: docker logout 
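Review bot: `Pull branch image` fetches `$_AZ_REGISTRY/web:$_BRANCH_NAME` (or `:latest` for a dry run), which is a mutable tag, and `Tag version` then promotes whatever the registry currently serves under it to `$_RELEASE_VERSION` and `latest` without ever recording the digest, so a build landing on that branch between the verified CI run and this release run silently changes what ships. Record the digest right after the pull so the release log pins what was promoted, e.g. `echo "Promoting $(docker inspect --format '{{index .RepoDigests 0}}' "$_AZ_REGISTRY/web:$_BRANCH_NAME")"`, or better, take an explicit digest as a dispatch input and tag from that. Note also that the dry-run path now pushes `:dryrun` to the production registry, whereas the removed `if: ${{ github.event.inputs.release_type != 'Dry Run' }}` skipped `Push version` entirely; if exercising the push is the point, a comment like `# Dry Run pushes :dryrun so the push path is exercised; nothing deploys from that tag` would document it — I cannot confirm the second half from here. `_BRANCH_NAME` and `_RELEASE_VERSION` are set outside the hunk.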
@@ -190,7 +165,7 @@ jobs: - name: Unzip build asset working-directory: assets run: unzip web-*-cloud-COMMERCIAL.zip - + - name: Create new branch run: | cd ${{ github.workspace }}/ghpages-deployment
@@ -199,12 +174,12 @@ jobs: git config --global url."https://github.com/".insteadOf ssh://git@github.com/ git config --global url."https://".insteadOf ssh:// git checkout -b ${_BRANCH} - + - name: Copy build files run: | rm -rf ${{ github.workspace }}/ghpages-deployment/* cp -Rf ${{ github.workspace }}/assets/build/* ghpages-deployment/ - + - name: Commit and push changes working-directory: ghpages-deployment run: |