From 5eb17dfc480c5a992c33dcae37756b7184b4dfb7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?=
Date: Mon, 26 Jun 2023 20:05:32 +0200
Subject: [PATCH] [DEVOPS-1203] Update Release Flow (#119)
* Add unified release job
* Comment for testing
* Add input
* Add release version to run name
* Add release type
* Add release type
* Fix
* User server branch to tag the image instead of the self-host branch
* Add branch name
* add latest tag for docker hub
* Fix
* FIx
* Fix
---
 .github/workflows/build-unified.yml | 7 +-
 .github/workflows/release.yml | 128 ++++++++++++++++++++++++++++
 2 files changed, 132 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-unified.yml b/.github/workflows/build-unified.yml
index f1683ba..0f27b3b 100644
--- a/.github/workflows/build-unified.yml
+++ b/.github/workflows/build-unified.yml
@@ -32,6 +32,7 @@ jobs:
 GITHUB_EVENT_NAME: ${{ github.event_name }}
 SERVER_BRANCH: ${{ github.event.inputs.server_branch }}
 run: |
+ SERVER_BRANCH=${SERVER_BRANCH:11}
 if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
 echo "server_branch=$SERVER_BRANCH" >> $GITHUB_OUTPUT
 echo "Branch: $SERVER_BRANCH"
@@ -100,12 +101,12 @@ jobs:
 ########## Generate image tag and build Docker image ##########
 - name: Generate Docker image tag
 id: tag
+ env:
+ SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_branch }}
 run: |
- IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name
+ IMAGE_TAG=$(echo "${SERVER_BRANCH}" | sed "s#/#-#g") # slash safe branch name
 if [[ "$IMAGE_TAG" == "master" ]]; then
 IMAGE_TAG=dev
- elif [[ "$IMAGE_TAG" == "rc" ]] || [[ "$IMAGE_TAG" == "hotfix-rc" ]]; then
- IMAGE_TAG=beta
 fi
 echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a899cc..c618fed 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
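Review bot: `SERVER_BRANCH=${SERVER_BRANCH:11}` assumes the `server_branch` dispatch input always carries the `refs/heads/` prefix; an input supplied as a plain branch name loses its first eleven characters, and nothing in the step reports that. A prefix strip is a no-op when the prefix is absent and so fails safe: `SERVER_BRANCH=${SERVER_BRANCH#refs/heads/}`. The `if`/`else` of this step continues outside the hunk, so the non-dispatch path is not visible here.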
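Review bot: The `+ IMAGE_TAG=$(echo "${SERVER_BRANCH}" | sed "s#/#-#g")` line now derives the Docker tag from the `server_branch` output, which on `workflow_dispatch` is a free-form input; `sed` only rewrites slashes, so any other character Docker rejects in a tag surfaces later as a build failure rather than being caught where the value enters. A short comment on that line stating that the value is expected to be a branch name already checked upstream, or a character-class guard such as `[[ "$IMAGE_TAG" =~ ^[A-Za-z0-9_.-]+$ ]] || exit 1`, would make the assumption explicit. With the `rc`/`hotfix-rc` → `beta` fold removed, those branches now publish `rc` and `hotfix-rc` tags, which, if I read release.yml correctly, the new `release-unified` job depends on.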
@@ -1,5 +1,6 @@
 ---
 name: Release
+run-name: Release ${{ github.event.inputs.release_type }} v${{ github.event.inputs.release_version }}
 on:
 workflow_dispatch:
@@ -7,6 +8,14 @@ on:
 release_version:
 description: "Release Version"
 required: true
+ release_type:
+ description: "Release Options"
+ required: true
+ default: "Release"
+ type: choice
+ options:
+ - Release
+ - Dry Run
 jobs:
 setup:
@@ -15,8 +24,10 @@ jobs:
 outputs:
 _WEB_RELEASE_TAG: ${{ steps.set-tags.outputs.WEB_RELEASE_TAG }}
 _CORE_RELEASE_TAG: ${{ steps.set-tags.outputs.CORE_RELEASE_TAG }}
+ branch-name: ${{ steps.branch.outputs.branch-name }}
 steps:
 - name: Branch check
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
 run: |
 if [[ "$GITHUB_REF" != "refs/heads/master" ]]; then
 echo "==================================="
@@ -53,6 +64,11 @@ jobs:
 echo "WEB_RELEASE_TAG=$WEB" >> $GITHUB_OUTPUT
 echo "CORE_RELEASE_TAG=$CORE" >> $GITHUB_OUTPUT
+ - name: Get branch name
+ id: branch
+ run: |
+ BRANCH_NAME=$(basename ${{ github.ref }})
+ echo "branch-name=$BRANCH_NAME" >> $GITHUB_OUTPUT
 release:
 name: Create GitHub Release
@@ -65,6 +81,7 @@ jobs:
 ref: master
 - name: Create release
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
 uses: ncipollo/release-action@a2e71bdd4e7dab70ca26a852f29600c98b33153e # v1.12.0
 with:
 artifacts: 'bitwarden.sh,
@@ -109,6 +126,7 @@ jobs:
 cf-prod-account"
 - name: Upload version.json to S3 bucket
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
 env:
 AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-selfhost-version-access-id }}
 AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-selfhost-version-access-key }}
@@ -120,6 +138,7 @@ jobs:
 --quiet
 - name: Upload version.json to R2 bucket
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
 env:
 AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.r2-electron-access-id }}
 AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.r2-electron-access-key }}
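Review bot: The `if: ${{ github.event.inputs.release_type != 'Dry Run' }}` guard added on `Branch check` is repeated verbatim on `Create release`, both `Upload version.json` steps, the three `Push latest image` steps in the following hunks, and the same literal is compared again inside shell in the new `release-unified` job, so the dry-run condition lives in nine places. Computing it once would keep every gated step in step: for example `dry-run: ${{ github.event.inputs.release_type == 'Dry Run' }}` under the `setup` job's `outputs:` and `if: needs.setup.outputs.dry-run != 'true'` in the jobs that already depend on `setup`. Skipping `Branch check` on a dry run also means a dry run from a non-master branch runs the rest of the workflow; that is presumably intended, but a one-line comment above the `if:` saying so would stop the next reader from "fixing" it.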
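Review bot: `BRANCH_NAME=$(basename ${{ github.ref }})` in the new `Get branch name` step keeps only the last path segment, so a branch such as `feature/foo` yields `foo` and a tag ref yields the tag name; stripping the prefix instead preserves the full branch name: `BRANCH_NAME=${GITHUB_REF#refs/heads/}`. That form also avoids interpolating `${{ }}` into `run:`, the pattern GitHub's hardening guidance recommends against — `github.ref` is constrained to a ref name here, so the risk is small, but reading `$GITHUB_REF` from the environment costs nothing. No consumer of the `branch-name` output is visible in this diff; the new `release-unified` job reads a `branch_name` from a step instead, so it is worth confirming which of the two is meant to be used.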
@@ -208,6 +227,7 @@ jobs:
 run: docker tag bitwarden/$PROJECT_NAME:$RELEASE_TAG bitwarden/$PROJECT_NAME:latest
 - name: Push latest image
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
 env:
 DOCKER_CONTENT_TRUST: 1
 DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
@@ -240,6 +260,7 @@ jobs:
 run: docker tag bitwarden/$PROJECT_NAME:$RELEASE_TAG $REGISTRY/$PROJECT_NAME:latest
 - name: Push latest image
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
 env:
 PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
 REGISTRY: bitwardenqa.azurecr.io
@@ -306,6 +327,7 @@ jobs:
 run: docker tag $REGISTRY/$PROJECT_NAME:$_RELEASE_TAG $REGISTRY/$PROJECT_NAME:latest
 - name: Push latest image
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
 env:
 PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
 REGISTRY: bitwardenprod.azurecr.io
@@ -313,3 +335,109 @@ jobs:
 - name: Log out of Docker
 run: docker logout
+
+ release-unified:
+ name: Release Self-host unified
+ runs-on: ubuntu-22.04
+ needs:
+ - setup
+ - release
+ env:
+ _RELEASE_VERSION: ${{ github.event.inputs.release_version }}-beta # TODO: remove `-beta` after GA
+ steps:
+
+ - name: Get tag
+ id: get-tag
+ env:
+ RELEASE_VERSION: ${{ github.event.inputs.release_version }}
+ run: |
+ last_number=$(echo $RELEASE_VERSION | cut -d '.' -f 3)
+ if [ $last_number -eq 0 ]; then
+ echo "branch_name=rc" >> $GITHUB_OUTPUT
+ else
+ echo "branch_name=hotfix-rc" >> $GITHUB_OUTPUT
+ fi
+
+ ########## DockerHub ##########
+ - name: Setup DCT
+ id: setup-dct
+ uses: bitwarden/gh-actions/setup-docker-trust@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
+ with:
+ azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+ azure-keyvault-name: "bitwarden-ci"
+
+ - name: Pull self-host image
+ run: |
+ if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
+ docker pull bitwarden/self-host:dev
+ else
+ docker pull bitwarden/self-host:$_BRANCH_NAME
+ fi
+
+ - name: Tag version and latest
+ env:
+ _BRANCH_NAME: ${{ steps.setup.outputs.branch_name }}
+ run: |
+ if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
+ docker tag bitwarden/self-host:dev bitwarden/self-host:dryrun
+ else
+ docker tag bitwarden/self-host:$_BRANCH_NAME bitwarden/self-host:$_RELEASE_VERSION
+ # docker tag bitwarden/self-host:$_BRANCH_NAME bitwarden/self-host:latest # TODO: uncomment this line after GA
+ fi
+
+ - name: Push version and latest image
+ if: ${{ github.event.inputs.release_type != 'Dry Run' && matrix.origin_docker_repo == 'bitwarden' }}
+ env:
+ DOCKER_CONTENT_TRUST: 1
+ DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
+ run: |
+ docker push bitwarden/self-host:$_RELEASE_VERSION
+ # docker push bitwarden/self-host:latest # TODO: uncomment this line after GA
+
+ - name: Log out of Docker and 
disable Docker Notary
+ run: |
+ docker logout
+ echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
+
+ ########## ACR PROD ##########
+ - name: Login to Azure - PROD Subscription
+ uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3
+ with:
+ creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+ - name: Login to Azure ACR
+ run: az acr login -n bitwardenprod
+
+ - name: Pull latest project image
+ env:
+ REGISTRY: bitwardenprod.azurecr.io
+ _BRANCH_NAME: ${{ steps.setup.outputs.branch_name }}
+ run: |
+ if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
+ docker pull $REGISTRY/self-host:dev
+ else
+ docker pull $REGISTRY/self-host:$_BRANCH_NAME
+ fi
+
+ - name: Tag version and latest
+ env:
+ REGISTRY: bitwardenprod.azurecr.io
+ _BRANCH_NAME: ${{ steps.setup.outputs.branch_name }}
+ run: |
+ if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
+ docker tag $REGISTRY/self-host:dev $REGISTRY/self-host:dryrun
+ else
+ docker tag $REGISTRY/self-host:$_BRANCH_NAME $REGISTRY/self-host:$_RELEASE_VERSION
+ docker tag $REGISTRY/self-host:$_BRANCH_NAME $REGISTRY/self-host:latest
+ fi
+
+ - name: Push version and latest image
+ if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+ env:
+ REGISTRY: bitwardenprod.azurecr.io
+ run: |
+ docker push $REGISTRY/self-host:$_RELEASE_VERSION
+ docker push $REGISTRY/self-host:latest
+
+ - name: Log out of Docker
+ run: docker logout
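Review bot: `_BRANCH_NAME: ${{ steps.setup.outputs.branch_name }}` in `Tag version and latest` and in both ACR PROD steps names a step id that does not exist in `release-unified` — the only step that writes `branch_name` here is `id: get-tag` — so on a real release `_BRANCH_NAME` expands to empty and the pull and tag commands run against `bitwarden/self-host:` and `$REGISTRY/self-host:`; the DockerHub `Pull self-host image` step has no `env:` entry for `_BRANCH_NAME` at all. Each of those steps needs `_BRANCH_NAME: ${{ steps.get-tag.outputs.branch_name }}`, including a new `env:` block on the pull step. The DockerHub `Push version and latest image` condition `&& matrix.origin_docker_repo == 'bitwarden'` also looks carried over from a matrix job: this job declares no `strategy.matrix`, so the expression is never true and the push is skipped on a real release as well, which the commit's own dry-run testing would not have revealed. Two smaller points: `if [ $last_number -eq 0 ]` is unquoted and aborts with a test error for a version without a patch component (`if [ "$last_number" -eq 0 ]`), and the `"${{ github.event.inputs.release_type }}"` interpolations inside `run:` would be cleaner read from a step `env:` variable, as `Get tag` already does for the version.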