
Clean up workflow files from Zizmor output (#414)

Matt Andreko 2 months ago committed by GitHub
parent
commit
10a9a9d9fd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 52
      .github/workflows/build-unified.yml
  2. 6
      .github/workflows/release-digital-ocean.yml
  3. 113
      .github/workflows/release.yml
  4. 19
      .github/workflows/update-versions.yml

52
.github/workflows/build-unified.yml

@ -41,6 +41,8 @@ jobs:
steps: steps:
- name: Checkout Repository - name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Get server branch to checkout - name: Get server branch to checkout
id: server-branch-name id: server-branch-name
@ -51,14 +53,14 @@ jobs:
# Extract coreVersion from versions.json # Extract coreVersion from versions.json
CORE_VERSION=$(jq -r '.versions.coreVersion' versions.json) CORE_VERSION=$(jq -r '.versions.coreVersion' versions.json)
echo "Server version from versions.json: $CORE_VERSION" echo "Server version from versions.json: $CORE_VERSION"
echo "server_ref=refs/tags/v$CORE_VERSION" >> $GITHUB_OUTPUT echo "server_ref=refs/tags/v$CORE_VERSION" >> "$GITHUB_OUTPUT"
echo "ref_type=tag" >> $GITHUB_OUTPUT echo "ref_type=tag" >> "$GITHUB_OUTPUT"
elif [[ -z "${SERVER_BRANCH}" ]]; then elif [[ -z "${SERVER_BRANCH}" ]]; then
echo "server_ref=main" >> $GITHUB_OUTPUT echo "server_ref=main" >> "$GITHUB_OUTPUT"
echo "ref_type=branch" >> $GITHUB_OUTPUT echo "ref_type=branch" >> "$GITHUB_OUTPUT"
else else
echo "server_ref=${SERVER_BRANCH#refs/heads/}" >> $GITHUB_OUTPUT echo "server_ref=${SERVER_BRANCH#refs/heads/}" >> "$GITHUB_OUTPUT"
echo "ref_type=branch" >> $GITHUB_OUTPUT echo "ref_type=branch" >> "$GITHUB_OUTPUT"
fi fi
- name: Check Branch to Publish - name: Check Branch to Publish
@ -70,15 +72,15 @@ jobs:
run: | run: |
REF=${GITHUB_REF#refs/heads/} REF=${GITHUB_REF#refs/heads/}
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES"
if [[ "${REF_TYPE}" == "tag" ]]; then if [[ "${REF_TYPE}" == "tag" ]]; then
# If the build is triggered by a tag, always publish # If the build is triggered by a tag, always publish
echo "is_publish_branch=true" >> $GITHUB_ENV echo "is_publish_branch=true" >> "$GITHUB_ENV"
elif [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then elif [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then
echo "is_publish_branch=true" >> $GITHUB_ENV echo "is_publish_branch=true" >> "$GITHUB_ENV"
else else
echo "is_publish_branch=false" >> $GITHUB_ENV echo "is_publish_branch=false" >> "$GITHUB_ENV"
fi fi
########## Set up Docker ########## ########## Set up Docker ##########
@ -127,7 +129,7 @@ jobs:
fi fi
fi fi
echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
- name: Generate tag list - name: Generate tag list
id: tag-list id: tag-list
@ -136,9 +138,9 @@ jobs:
IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }} IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
run: | run: |
if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
else else
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
fi fi
- name: Get Azure Key Vault secrets - name: Get Azure Key Vault secrets
@ -162,6 +164,7 @@ jobs:
token: ${{ steps.app-token.outputs.token }} token: ${{ steps.app-token.outputs.token }}
ref: ${{ steps.server-branch-name.outputs.server_ref }} ref: ${{ steps.server-branch-name.outputs.server_ref }}
path: "server" path: "server"
persist-credentials: false
- name: Download web client branch artifacts for dev builds - name: Download web client branch artifacts for dev builds
if: steps.tag.outputs.image_tag == 'dev' if: steps.tag.outputs.image_tag == 'dev'
@ -180,7 +183,7 @@ jobs:
run: | run: |
WEB_ARTIFACT=$(find . -name "web-*-selfhosted-DEV.zip" | head -1) WEB_ARTIFACT=$(find . -name "web-*-selfhosted-DEV.zip" | head -1)
if [[ -n "${WEB_ARTIFACT}" ]]; then if [[ -n "${WEB_ARTIFACT}" ]]; then
echo "WEB_ARTIFACT_PATH=${WEB_ARTIFACT}" >> $GITHUB_ENV echo "WEB_ARTIFACT_PATH=${WEB_ARTIFACT}" >> "$GITHUB_ENV"
fi fi
- name: Build and push Docker image - name: Build and push Docker image
@ -209,21 +212,24 @@ jobs:
DIGEST: ${{ steps.build-docker.outputs.digest }} DIGEST: ${{ steps.build-docker.outputs.digest }}
TAGS: ${{ steps.tag-list.outputs.tags }} TAGS: ${{ steps.tag-list.outputs.tags }}
run: | run: |
IFS="," read -a tags <<< "${TAGS}" IFS=',' read -r -a tags_array <<< "${TAGS}"
images="" images=()
for tag in "${tags[@]}"; do for tag in "${tags_array[@]}"; do
images+="${tag}@${DIGEST} " images+=("${tag}@${DIGEST}")
done done
cosign sign --yes ${images} cosign sign --yes "${images[@]}"
echo "images=${images}" >> $GITHUB_OUTPUT echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
- name: Verify the signed image(s) with Cosign - name: Verify the signed image(s) with Cosign
if: env.is_publish_branch == 'true' if: env.is_publish_branch == 'true'
env:
IMAGES: ${{ steps.sign.outputs.images }}
run: | run: |
read -r -a images_array <<< "${COSIGN_IMAGES}"
cosign verify \ cosign verify \
--certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
${{ steps.sign.outputs.images }} "${images_array[@]}"
- name: Scan Docker image - name: Scan Docker image
id: container-scan id: container-scan
@ -244,7 +250,7 @@ jobs:
if: env.is_publish_branch == 'true' if: env.is_publish_branch == 'true'
run: | run: |
docker logout ghcr.io docker logout ghcr.io
docker logout $_AZ_REGISTRY docker logout "$_AZ_REGISTRY"
- name: Log out from Azure - name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main uses: bitwarden/gh-actions/azure-logout@main
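Review bot: The verify step's new `env:` exposes the signed image list as `IMAGES`, but the shell line right below it reads `COSIGN_IMAGES`, so `images_array` is empty unless that variable is defined at job or workflow level outside this section. With an empty array, `cosign verify` is invoked with no image reference and should error out, so the gate fails closed, but it never actually verifies the images the previous step just signed. The fix is the one-line `read -r -a images_array <<< "${IMAGES}"` (or rename the env key to `COSIGN_IMAGES`). The sign step's `IFS=','` prefix applies only to that `read`, so `${images[*]}` is space-joined and the whitespace-splitting `read` here is the right consumer once the name matches.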

6
.github/workflows/release-digital-ocean.yml

@ -23,6 +23,8 @@ jobs:
steps: steps:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Log in to Azure - name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main uses: bitwarden/gh-actions/azure-login@main
@ -47,7 +49,7 @@ jobs:
VERSION=$(grep '^ *"coreVersion":' version.json \ VERSION=$(grep '^ *"coreVersion":' version.json \
| awk -F\: '{ print $2 }' \ | awk -F\: '{ print $2 }' \
| sed -e 's/,$//' -e 's/^"//' -e 's/"$//') | sed -e 's/,$//' -e 's/^"//' -e 's/"$//')
echo "version=$VERSION" >> $GITHUB_OUTPUT echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Set up Hashicorp Packer - name: Set up Hashicorp Packer
uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 # v3.1.0 uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 # v3.1.0
@ -76,4 +78,4 @@ jobs:
DO_ARTIFACT=$(jq -r '.builds[-1].artifact_id' manifest.json | cut -d ":" -f2) DO_ARTIFACT=$(jq -r '.builds[-1].artifact_id' manifest.json | cut -d ":" -f2)
# Force remove the snapshot # Force remove the snapshot
doctl compute image delete $DO_ARTIFACT -f doctl compute image delete "$DO_ARTIFACT" -f
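Review bot: `jq -r '.builds[-1].artifact_id'` prints the literal string `null` when manifest.json has no builds and leaves the variable empty when the file is missing, and now that the argument is quoted, `doctl compute image delete "$DO_ARTIFACT" -f` passes `null` or an empty string as the image id instead of dropping the argument as the unquoted form did. A guard before the delete, `[[ -n "$DO_ARTIFACT" && "$DO_ARTIFACT" != "null" ]] || { echo "no snapshot id in manifest.json" >&2; exit 1; }`, makes the cleanup fail loudly with a clear message rather than an opaque API error. The step's `if:` condition and the Packer build that writes manifest.json are outside this section, so whether an empty manifest can reach this line is inferred, not shown.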

113
.github/workflows/release.yml

@ -46,6 +46,8 @@ jobs:
- name: Checkout repo - name: Checkout repo
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Get Latest Self-Host Version - name: Get Latest Self-Host Version
id: get-self-host id: get-self-host
@ -70,9 +72,11 @@ jobs:
CORE=$(jq -r '.versions.coreVersion' < version.json) CORE=$(jq -r '.versions.coreVersion' < version.json)
KEY_CONNECTOR=$(jq -r '.versions.keyConnectorVersion' < version.json) KEY_CONNECTOR=$(jq -r '.versions.keyConnectorVersion' < version.json)
echo "WEB_RELEASE_TAG=$WEB" >> $GITHUB_OUTPUT {
echo "CORE_RELEASE_TAG=$CORE" >> $GITHUB_OUTPUT echo "WEB_RELEASE_TAG=$WEB"
echo "KEY_CONNECTOR_RELEASE_TAG=$KEY_CONNECTOR" >> $GITHUB_OUTPUT echo "CORE_RELEASE_TAG=$CORE"
echo "KEY_CONNECTOR_RELEASE_TAG=$KEY_CONNECTOR"
} >> "$GITHUB_OUTPUT"
release: release:
name: Create GitHub Release name: Create GitHub Release
@ -85,54 +89,63 @@ jobs:
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Get projects that changed versions - name: Get projects that changed versions
id: changed-projects id: changed-projects
env: env:
_LATEST_SELF_HOST_VERSION: ${{ needs.setup.outputs._LATEST_SELF_HOST_VERSION }} _LATEST_SELF_HOST_VERSION: ${{ needs.setup.outputs._LATEST_SELF_HOST_VERSION }}
run: | run: |
git diff --unified=0 $_LATEST_SELF_HOST_VERSION $GITHUB_REF_NAME -- version.json >> diff.txt git diff --unified=0 "$_LATEST_SELF_HOST_VERSION" "$GITHUB_REF_NAME" -- version.json >> diff.txt
if grep -q "webVersion" diff.txt; then if grep -q "webVersion" diff.txt; then
echo "WEB_VERSION_CHANGED=true" >> $GITHUB_OUTPUT echo "WEB_VERSION_CHANGED=true" >> "$GITHUB_OUTPUT"
fi fi
if grep -q "coreVersion" diff.txt; then if grep -q "coreVersion" diff.txt; then
echo "CORE_VERSION_CHANGED=true" >> $GITHUB_OUTPUT echo "CORE_VERSION_CHANGED=true" >> "$GITHUB_OUTPUT"
fi fi
if grep -q "keyConnectorVersion" diff.txt; then if grep -q "keyConnectorVersion" diff.txt; then
echo "KEY_CONNECTOR_VERSION_CHANGED=true" >> $GITHUB_OUTPUT echo "KEY_CONNECTOR_VERSION_CHANGED=true" >> "$GITHUB_OUTPUT"
fi fi
- name: Prepare release notes - name: Prepare release notes
id: prepare-release-notes id: prepare-release-notes
env:
CORE_VERSION_CHANGED: ${{ steps.changed-projects.outputs.CORE_VERSION_CHANGED }}
CORE_RELEASE_TAG: ${{ needs.setup.outputs._CORE_RELEASE_TAG }}
WEB_VERSION_CHANGED: ${{ steps.changed-projects.outputs.WEB_VERSION_CHANGED }}
WEB_RELEASE_TAG: ${{ needs.setup.outputs._WEB_RELEASE_TAG }}
KEY_CONNECTOR_VERSION_CHANGED: ${{ steps.changed-projects.outputs.KEY_CONNECTOR_VERSION_CHANGED }}
KEY_CONNECTOR_RELEASE_TAG: ${{ needs.setup.outputs._KEY_CONNECTOR_RELEASE_TAG }}
run: | run: |
RELEASE_NOTES="" RELEASE_NOTES=""
if [ -n "${{ steps.changed-projects.outputs.CORE_VERSION_CHANGED }}" ]; then if [ -n "${CORE_VERSION_CHANGED}" ]; then
RELEASE_NOTES+="Update Core version to [v${{ needs.setup.outputs._CORE_RELEASE_TAG }}](https://github.com/bitwarden/server/releases/tag/v${{ needs.setup.outputs._CORE_RELEASE_TAG }})" RELEASE_NOTES+="Update Core version to [v${CORE_RELEASE_TAG}](https://github.com/bitwarden/server/releases/tag/v${CORE_RELEASE_TAG})"
fi fi
if [ -n "${{ steps.changed-projects.outputs.WEB_VERSION_CHANGED }}" ]; then if [ -n "${WEB_VERSION_CHANGED}" ]; then
if [ -n "$RELEASE_NOTES" ]; then if [ -n "$RELEASE_NOTES" ]; then
RELEASE_NOTES+=$'\n' RELEASE_NOTES+=$'\n'
fi fi
RELEASE_NOTES+="Update Web version to [v${{ needs.setup.outputs._WEB_RELEASE_TAG }}](https://github.com/bitwarden/clients/releases/tag/web-v${{ needs.setup.outputs._WEB_RELEASE_TAG }})" RELEASE_NOTES+="Update Web version to [v${WEB_RELEASE_TAG}](https://github.com/bitwarden/clients/releases/tag/web-v${WEB_RELEASE_TAG})"
fi fi
if [ -n "${{ steps.changed-projects.outputs.KEY_CONNECTOR_VERSION_CHANGED }}" ]; then if [ -n "${KEY_CONNECTOR_VERSION_CHANGED}" ]; then
if [ -n "$RELEASE_NOTES" ]; then if [ -n "$RELEASE_NOTES" ]; then
RELEASE_NOTES+=$'\n' RELEASE_NOTES+=$'\n'
fi fi
RELEASE_NOTES+="Update Key Connector version to [v${{ needs.setup.outputs._KEY_CONNECTOR_RELEASE_TAG }}](https://github.com/bitwarden/key-connector/releases/tag/v${{ needs.setup.outputs._KEY_CONNECTOR_RELEASE_TAG }})" RELEASE_NOTES+="Update Key Connector version to [v${KEY_CONNECTOR_RELEASE_TAG}](https://github.com/bitwarden/key-connector/releases/tag/v${KEY_CONNECTOR_RELEASE_TAG})"
fi fi
( (
echo 'RELEASE_NOTES<<EOF' echo 'RELEASE_NOTES<<EOF'
echo "$RELEASE_NOTES" echo "$RELEASE_NOTES"
echo EOF echo EOF
) >> $GITHUB_OUTPUT ) >> "$GITHUB_OUTPUT"
- name: Create release - name: Create release
if: ${{ inputs.release_type != 'Dry Run' }} if: ${{ inputs.release_type != 'Dry Run' }}
@ -165,6 +178,7 @@ jobs:
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
ref: main ref: main
persist-credentials: false
- name: Log in to Azure - name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main uses: bitwarden/gh-actions/azure-login@main
@ -193,7 +207,7 @@ jobs:
AWS_DEFAULT_REGION: 'us-east-1' AWS_DEFAULT_REGION: 'us-east-1'
AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-selfhost-version-bucket-name }} AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-selfhost-version-bucket-name }}
run: | run: |
aws s3 cp version.json $AWS_S3_BUCKET_NAME \ aws s3 cp version.json "$AWS_S3_BUCKET_NAME" \
--acl "public-read" \ --acl "public-read" \
--quiet --quiet
@ -235,6 +249,7 @@ jobs:
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with: with:
ref: main ref: main
persist-credentials: false
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
@ -248,17 +263,19 @@ jobs:
- name: Setup project name and release tag - name: Setup project name and release tag
id: setup id: setup
env:
MATRIX_RELEASE_TAG: ${{ matrix.release_tag }}
run: | run: |
PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}') PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
echo "Matrix name: ${{ matrix.project_name }}" echo "Matrix name: ${{ matrix.project_name }}"
echo "PROJECT_NAME: $PROJECT_NAME" echo "PROJECT_NAME: $PROJECT_NAME"
echo "_PROJECT_NAME=$PROJECT_NAME" >> $GITHUB_ENV echo "_PROJECT_NAME=$PROJECT_NAME" >> "$GITHUB_ENV"
if [ -z "${{ matrix.release_tag }}" ]; then if [ -z "${MATRIX_RELEASE_TAG}" ]; then
# Use core release tag by default. # Use core release tag by default.
echo "_RELEASE_TAG=$_CORE_RELEASE_TAG" >> $GITHUB_ENV echo "_RELEASE_TAG=$_CORE_RELEASE_TAG" >> "$GITHUB_ENV"
else else
echo "_RELEASE_TAG=${{ matrix.release_tag }}" >> $GITHUB_ENV echo "_RELEASE_TAG=${MATRIX_RELEASE_TAG}" >> "$GITHUB_ENV"
fi fi
### ghcr.io section ### ghcr.io section
@ -273,31 +290,31 @@ jobs:
if: ${{ inputs.release_type != 'Dry Run' }} if: ${{ inputs.release_type != 'Dry Run' }}
run: | run: |
skopeo --version skopeo --version
skopeo login $_AZ_REGISTRY -u 00000000-0000-0000-0000-000000000000 -p $(az acr login --expose-token --name ${_AZ_REGISTRY%.azurecr.io} | jq -r .accessToken) skopeo login "$_AZ_REGISTRY" -u 00000000-0000-0000-0000-000000000000 -p "$(az acr login --expose-token --name "${_AZ_REGISTRY%.azurecr.io}" | jq -r .accessToken)"
skopeo copy --all docker://$_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG docker://ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG skopeo copy --all "docker://$_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG" "docker://ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
skopeo copy --all docker://$_AZ_REGISTRY/$_PROJECT_NAME:latest docker://ghcr.io/bitwarden/$_PROJECT_NAME:latest skopeo copy --all "docker://$_AZ_REGISTRY/$_PROJECT_NAME:latest" "docker://ghcr.io/bitwarden/$_PROJECT_NAME:latest"
- name: Sign image with Cosign - name: Sign image with Cosign
run: | run: |
cosign sign --yes ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
cosign sign --yes ghcr.io/bitwarden/$_PROJECT_NAME:latest cosign sign --yes "ghcr.io/bitwarden/$_PROJECT_NAME:latest"
- name: Verify the signed image with Cosign - name: Verify the signed image with Cosign
run: | run: |
cosign verify \ cosign verify \
--certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG "ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_TAG"
cosign verify \ cosign verify \
--certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/bitwarden/$_PROJECT_NAME:latest "ghcr.io/bitwarden/$_PROJECT_NAME:latest"
- name: Log out of Docker - name: Log out of Docker
run: | run: |
docker logout ghcr.io docker logout ghcr.io
docker logout $_AZ_REGISTRY docker logout "$_AZ_REGISTRY"
- name: Log out from Azure - name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main uses: bitwarden/gh-actions/azure-logout@main
@ -336,27 +353,27 @@ jobs:
if: ${{ inputs.release_type != 'Dry Run' }} if: ${{ inputs.release_type != 'Dry Run' }}
run: | run: |
skopeo --version skopeo --version
skopeo login $_AZ_REGISTRY -u 00000000-0000-0000-0000-000000000000 -p $(az acr login --expose-token --name ${_AZ_REGISTRY%.azurecr.io} | jq -r .accessToken) skopeo login "$_AZ_REGISTRY" -u 00000000-0000-0000-0000-000000000000 -p "$(az acr login --expose-token --name "${_AZ_REGISTRY%.azurecr.io}" | jq -r .accessToken)"
skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:$_RELEASE_VERSION skopeo copy --all "docker://$_AZ_REGISTRY/self-host:beta" "docker://ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:beta # TODO: Delete after GA skopeo copy --all "docker://$_AZ_REGISTRY/self-host:beta" "docker://ghcr.io/bitwarden/self-host:beta" # TODO: Delete after GA
# skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:latest # TODO: uncomment after GA # skopeo copy --all "docker://$_AZ_REGISTRY/self-host:beta" "docker://ghcr.io/bitwarden/self-host:latest" # TODO: uncomment after GA
- name: Sign image with Cosign - name: Sign image with Cosign
run: | run: |
cosign sign --yes ghcr.io/bitwarden/self-host:$_RELEASE_VERSION cosign sign --yes "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
cosign sign --yes ghcr.io/bitwarden/self-host:latest cosign sign --yes "ghcr.io/bitwarden/self-host:latest"
- name: Verify the signed image with Cosign - name: Verify the signed image with Cosign
run: | run: |
cosign verify \ cosign verify \
--certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/bitwarden/self-host:$_RELEASE_VERSION "ghcr.io/bitwarden/self-host:$_RELEASE_VERSION"
cosign verify \ cosign verify \
--certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/bitwarden/self-host:latest "ghcr.io/bitwarden/self-host:latest"
- name: Log out of skopeo and ghcr.io - name: Log out of skopeo and ghcr.io
run: | run: |
@ -365,33 +382,33 @@ jobs:
########## ACR PROD ########## ########## ACR PROD ##########
- name: Login to Azure ACR - name: Login to Azure ACR
run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} run: az acr login -n "${_AZ_REGISTRY%.azurecr.io}"
- name: Pull latest project image - name: Pull latest project image
run: | run: |
if [[ "${{ inputs.release_type }}" == "Dry Run" ]]; then if [[ "${{ inputs.release_type }}" == "Dry Run" ]]; then
docker pull $_AZ_REGISTRY/self-host:dev docker pull "$_AZ_REGISTRY/self-host:dev"
else else
docker pull $_AZ_REGISTRY/self-host:beta docker pull "$_AZ_REGISTRY/self-host:beta"
fi fi
- name: Tag version and latest - name: Tag version and latest
run: | run: |
if [[ "${{ inputs.release_type }}" == "Dry Run" ]]; then if [[ "${{ inputs.release_type }}" == "Dry Run" ]]; then
docker tag $_AZ_REGISTRY/self-host:dev $_AZ_REGISTRY/self-host:dryrun docker tag "$_AZ_REGISTRY/self-host:dev" "$_AZ_REGISTRY/self-host:dryrun"
else else
docker tag $_AZ_REGISTRY/self-host:beta $_AZ_REGISTRY/self-host:$_RELEASE_VERSION docker tag "$_AZ_REGISTRY/self-host:beta" "$_AZ_REGISTRY/self-host:$_RELEASE_VERSION"
docker tag $_AZ_REGISTRY/self-host:beta $_AZ_REGISTRY/self-host:latest docker tag "$_AZ_REGISTRY/self-host:beta" "$_AZ_REGISTRY/self-host:latest"
fi fi
- name: Push version and latest image - name: Push version and latest image
if: ${{ inputs.release_type != 'Dry Run' }} if: ${{ inputs.release_type != 'Dry Run' }}
run: | run: |
docker push $_AZ_REGISTRY/self-host:$_RELEASE_VERSION docker push "$_AZ_REGISTRY/self-host:$_RELEASE_VERSION"
docker push $_AZ_REGISTRY/self-host:latest docker push "$_AZ_REGISTRY/self-host:latest"
- name: Log out of Docker - name: Log out of Docker
run: docker logout $_AZ_REGISTRY run: docker logout "$_AZ_REGISTRY"
- name: Log out from Azure - name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main uses: bitwarden/gh-actions/azure-logout@main
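Review bot: The Cosign steps in the beta-to-GA block still sign by mutable tag, and the `latest` they sign with `cosign sign --yes "ghcr.io/bitwarden/self-host:latest"` is not pushed by this job, since the copy to `latest` two lines earlier is commented out with a TODO; unless a step outside this section pushes it, the signature attests whatever `latest` currently references on ghcr.io. build-unified.yml already signs `${tag}@${DIGEST}`; mirroring that here with `DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://ghcr.io/bitwarden/self-host:$_RELEASE_VERSION")` followed by `cosign sign --yes "ghcr.io/bitwarden/self-host@${DIGEST}"` closes the tag-repoint window between `skopeo copy` and `cosign sign`, and the `latest` sign/verify pair should stay commented out alongside the copy until GA. Separately, both `skopeo login` lines pass the ACR access token as a command-line argument; piping `az acr login --expose-token … | jq -r .accessToken` into `skopeo login … --password-stdin` keeps it out of the runner's process list. The `${{ inputs.release_type }}` and `${{ matrix.project_name }}` expansions are still inlined into `run:` while `matrix.release_tag` was moved to `env:` in this same commit; moving them to `env:` as well keeps the template-injection cleanup consistent.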

19
.github/workflows/update-versions.yml

@ -20,6 +20,8 @@ jobs:
steps: steps:
- name: Checkout Branch - name: Checkout Branch
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Get Latest Core Version - name: Get Latest Core Version
id: get-core id: get-core
@ -38,9 +40,9 @@ jobs:
echo "Latest Core Version: $LATEST_CORE_VERSION" echo "Latest Core Version: $LATEST_CORE_VERSION"
if [ "$CORE_VERSION" != "$LATEST_CORE_VERSION" ]; then if [ "$CORE_VERSION" != "$LATEST_CORE_VERSION" ]; then
echo "Needs Core update!" echo "Needs Core update!"
echo "update=1" >> $GITHUB_OUTPUT echo "update=1" >> "$GITHUB_OUTPUT"
else else
echo "update=0" >> $GITHUB_OUTPUT echo "update=0" >> "$GITHUB_OUTPUT"
fi fi
- name: Get Latest Web Version - name: Get Latest Web Version
@ -62,9 +64,9 @@ jobs:
echo "Latest Web Version: $LATEST_WEB_VERSION" echo "Latest Web Version: $LATEST_WEB_VERSION"
if [ "$WEB_VERSION" != "$LATEST_WEB_VERSION" ]; then if [ "$WEB_VERSION" != "$LATEST_WEB_VERSION" ]; then
echo "Needs Web update!" echo "Needs Web update!"
echo "update=1" >> $GITHUB_OUTPUT echo "update=1" >> "$GITHUB_OUTPUT"
else else
echo "update=0" >> $GITHUB_OUTPUT echo "update=0" >> "$GITHUB_OUTPUT"
fi fi
- name: Get Latest Key Connector Version - name: Get Latest Key Connector Version
@ -84,9 +86,9 @@ jobs:
echo "Latest Key Connector Version: $LATEST_KEY_CONNECTOR_VERSION" echo "Latest Key Connector Version: $LATEST_KEY_CONNECTOR_VERSION"
if [ "$KEY_CONNECTOR_VERSION" != "$LATEST_KEY_CONNECTOR_VERSION" ]; then if [ "$KEY_CONNECTOR_VERSION" != "$LATEST_KEY_CONNECTOR_VERSION" ]; then
echo "Needs Key Connector update!" echo "Needs Key Connector update!"
echo "update=1" >> $GITHUB_OUTPUT echo "update=1" >> "$GITHUB_OUTPUT"
else else
echo "update=0" >> $GITHUB_OUTPUT echo "update=0" >> "$GITHUB_OUTPUT"
fi fi
@ -131,6 +133,7 @@ jobs:
with: with:
ref: main ref: main
token: ${{ steps.app-token.outputs.token }} token: ${{ steps.app-token.outputs.token }}
persist-credentials: true
- name: Configure Git - name: Configure Git
run: | run: |
@ -165,9 +168,9 @@ jobs:
id: version-changed id: version-changed
run: | run: |
if [ -n "$(git status --porcelain)" ]; then if [ -n "$(git status --porcelain)" ]; then
echo "changes_to_commit=TRUE" >> $GITHUB_OUTPUT echo "changes_to_commit=TRUE" >> "$GITHUB_OUTPUT"
else else
echo "changes_to_commit=FALSE" >> $GITHUB_OUTPUT echo "changes_to_commit=FALSE" >> "$GITHUB_OUTPUT"
echo "No changes to commit!"; echo "No changes to commit!";
fi fi
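Review bot: The checkout near the end of this section sets `persist-credentials: true` together with the GitHub App token, which is the deliberate exception zizmor's artipacked rule expects you to justify, but nothing on the line records why; a comment such as `# kept on purpose: the commit/push step below authenticates through .git/config with this token` would stop the next cleanup pass from flipping it to false and breaking the push. Because the token then lives in `.git/config` for the rest of the job, every later step in that job, including any third-party action, can read it, so the app token should be scoped to contents:write on this repository only; the `app-token` step is outside this section, so I cannot confirm its scope here. The `persist-credentials: false` added to the first checkout looks correct, since the steps shown in that job appear only to compare versions and write step outputs.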
