diff --git a/.github/workflows/build-unified.yml b/.github/workflows/build-unified.yml index b5f0103..0d1f6d6 100644 --- a/.github/workflows/build-unified.yml +++ b/.github/workflows/build-unified.yml @@ -81,13 +81,6 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Setup Docker Trust - if: ${{ env.is_publish_branch == 'true' }} - uses: bitwarden/gh-actions/setup-docker-trust@main - with: - azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - azure-keyvault-name: "bitwarden-ci" - ########## Generate image tag and build Docker image ########## - name: Generate Docker image tag id: tag @@ -110,7 +103,7 @@ jobs: IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }} run: | if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then - echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT + echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT else echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT fi @@ -183,11 +176,11 @@ jobs: with: sarif_file: ${{ steps.container-scan.outputs.sarif }} - - name: Log out of Docker and disable Docker Notary + - name: Log out of Docker if: ${{ env.is_publish_branch == 'true' }} run: | - docker logout - echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV + docker logout ghcr.io + docker logout $_AZ_REGISTRY check-failures: diff --git a/.github/workflows/release-digital-ocean.yml b/.github/workflows/release-digital-ocean.yml index 2687b10..f74695c 100644 --- a/.github/workflows/release-digital-ocean.yml +++ b/.github/workflows/release-digital-ocean.yml @@ -13,7 +13,7 @@ on: jobs: build-image: name: Build Image - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
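Review bot: The `Log out of Docker` step in the `@@ -183,11 +176,11 @@` hunk only runs when every earlier step succeeds, because its condition is just `env.is_publish_branch == 'true'`; if the container scan or the push fails, the ghcr.io and ACR credentials written by the login steps stay in the Docker config for the rest of the job, which matters on any non-ephemeral runner. Changing the condition to `if: ${{ always() && env.is_publish_branch == 'true' }}` makes the logout run on failure as well. The same gap exists in release.yml, in the `Log out of Docker` hunk (`@@ -310,7 +288,6 @@`) and in the new `Log out of skopeo and ghcr.io` step, which carry no `if` at all. The enclosing job continues outside the hunk.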
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 301a999..0689229 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,7 +5,7 @@ on: workflow_dispatch: inputs: release_version: - description: "Release Version" + description: "Release Version (example: '2025.2.1')" required: true release_type: description: "Release Options" @@ -247,31 +247,6 @@ jobs: echo "_RELEASE_TAG=${{ matrix.release_tag }}" >> $GITHUB_ENV fi - ########## DockerHub ########## - - name: Setup DCT - id: setup-dct - uses: bitwarden/gh-actions/setup-docker-trust@main - with: - azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - azure-keyvault-name: "bitwarden-ci" - - - name: Pull versioned image - run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG - - - name: Tag release version and latest image - run: | - docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG bitwarden/$_PROJECT_NAME:$_RELEASE_TAG - docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG bitwarden/$_PROJECT_NAME:latest - - - name: Push release version and latest image to DockerHub - if: ${{ inputs.release_type != 'Dry Run' }} - env: - DOCKER_CONTENT_TRUST: 1 - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} - run: | - docker push bitwarden/$_PROJECT_NAME:$_RELEASE_TAG - docker push bitwarden/$_PROJECT_NAME:latest - ### ghcr.io section - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 @@ -279,6 +254,9 @@ jobs: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + + - name: Pull versioned image + run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG - name: Tag release version and latest image run: | @@ -310,7 +288,6 @@ jobs: - name: Log out of Docker run: | - docker logout docker logout ghcr.io docker logout $_AZ_REGISTRY 
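Review bot: The new `Pull versioned image` step in the `@@ -279,6 +254,9 @@` hunk fetches `$_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG` by mutable tag, and the following `Tag release version and latest image` step (which continues outside the hunk) re-publishes that to ghcr.io without checking that it is the artifact the build job produced. If the build workflow exposes the image digest, pulling `$_AZ_REGISTRY/$_PROJECT_NAME@sha256:<digest-from-build-output>` (placeholder) and tagging from that reference binds the release to a specific image. The step also has no `if: ${{ inputs.release_type != 'Dry Run' }}` guard, which is presumably fine since a pull is read-only, but it makes the dry-run boundary less obvious than it was when the DockerHub block carried the guard.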
@@ -327,38 +304,48 @@ jobs: id-token: write packages: write steps: - ########## DockerHub ########## - - name: Setup DCT - id: setup-dct - uses: bitwarden/gh-actions/setup-docker-trust@main - with: - azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - azure-keyvault-name: "bitwarden-ci" - - - name: Install Cosign - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 - - name: Login to Azure - PROD Subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + - name: Login to GitHub Container Registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Push version and latest image if: ${{ inputs.release_type != 'Dry Run' }} - env: - DOCKER_CONTENT_TRUST: 1 - DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} run: | skopeo --version skopeo login $_AZ_REGISTRY -u 00000000-0000-0000-0000-000000000000 -p $(az acr login --expose-token --name ${_AZ_REGISTRY%.azurecr.io} | jq -r .accessToken) - skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:$_RELEASE_VERSION - skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:beta # TODO: Delete after GA - # skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:latest # TODO: uncomment after GA + skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:$_RELEASE_VERSION + skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:beta # TODO: Delete after GA + # skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:latest # TODO: uncomment after GA + + - name: Sign image with Cosign + run: | + cosign 
sign --yes ghcr.io/bitwarden/self-host:$_RELEASE_TAG + cosign sign --yes ghcr.io/bitwarden/self-host:latest + + - name: Verify the signed image with Cosign + run: | + cosign verify \ + --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + ghcr.io/bitwarden/self-host:$_RELEASE_TAG + + cosign verify \ + --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ + --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + ghcr.io/bitwarden/self-host:latest - - name: Log out of Docker, skopeo and disable Docker Notary + - name: Log out of skopeo and ghcr.io run: | - docker logout skopeo logout --all + docker logout ghcr.io ########## ACR PROD ########## - name: Login to Azure ACR 
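Review bot: The new `Sign image with Cosign` step signs `ghcr.io/bitwarden/self-host:$_RELEASE_TAG`, but the `skopeo copy` lines just above publish `$_RELEASE_VERSION` and `beta`, and the ghcr section this commit removes further down (`@@ -390,45 +377,6 @@`) signed `$_RELEASE_VERSION`; unless `_RELEASE_TAG` is set for this job outside the hunk, the sign and verify targets do not match what was pushed. The `Install Cosign` step is deleted in this hunk while `cosign` is still invoked, so the binary must come from elsewhere in the job or from the runner image — worth confirming. The sign and verify steps also lack the `if: ${{ inputs.release_type != 'Dry Run' }}` guard that the push step has, so a dry run signs whatever is already on ghcr.io, and signing `:latest` while the copy to `latest` is still commented out attaches a fresh signature to a tag this release did not update. Signing by digest rather than by tag binds the signature to the copied artifact; a sketch of the sign step follows, with verify re-targeted at the same digest.

```yaml
      - name: Sign image with Cosign
        if: ${{ inputs.release_type != 'Dry Run' }}
        run: |
          # Resolve the digest of the image skopeo just copied so the signature
          # is bound to that artifact rather than to a mutable tag.
          DIGEST=$(skopeo inspect --format '{{.Digest}}' "docker://ghcr.io/bitwarden/self-host:$_RELEASE_VERSION")
          echo "IMAGE_DIGEST=$DIGEST" >> "$GITHUB_ENV"
          cosign sign --yes "ghcr.io/bitwarden/self-host@$DIGEST"
          # … unchanged: verify step, pointed at ghcr.io/bitwarden/self-host@$IMAGE_DIGEST …
```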
@@ -390,45 +377,6 @@ jobs: - name: Log out of Docker run: docker logout $_AZ_REGISTRY - ########## ghcr.io ########## - - name: Login to GitHub Container Registry - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Tag release version and latest image - run: | - docker tag $_AZ_REGISTRY/self-host:$_RELEASE_VERSION ghcr.io/bitwarden/self-host:$_RELEASE_VERSION - docker tag $_AZ_REGISTRY/self-host:$_RELEASE_VERSION ghcr.io/bitwarden/self-host:latest - - - name: Push release version and latest image - if: ${{ inputs.release_type != 'Dry Run' }} - run: | - docker push ghcr.io/bitwarden/self-host:$_RELEASE_VERSION - docker push ghcr.io/bitwarden/self-host:latest - - - name: Sign image with Cosign - run: | - cosign sign --yes ghcr.io/bitwarden/self-host:$_RELEASE_VERSION - cosign sign --yes ghcr.io/bitwarden/self-host:latest - - - name: Verify the signed image with Cosign - run: | - cosign verify \ - --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - ghcr.io/bitwarden/self-host:$_RELEASE_VERSION - - cosign verify \ - --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \ - --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ - ghcr.io/bitwarden/self-host:latest - - - name: Log out of Docker - run: docker logout ghcr.io - trigger-workflows: name: Trigger workflows diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 6a9855f..a327212 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
@@ -15,13 +15,12 @@ jobs: sast: name: SAST scan - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: check-run permissions: contents: read pull-requests: write security-events: write - steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -55,7 +54,6 @@ jobs: permissions: contents: read pull-requests: write - steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/update-versions.yml b/.github/workflows/update-versions.yml index d30f621..8f42b53 100644 --- a/.github/workflows/update-versions.yml +++ b/.github/workflows/update-versions.yml @@ -7,7 +7,7 @@ jobs: setup: name: Setup if: github.ref_name == 'main' - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 outputs: core_version: ${{ steps.get-core.outputs.version }} core_version_update: ${{ steps.core-update.outputs.update }} @@ -15,7 +15,6 @@ jobs: web_version_update: ${{ steps.web-update.outputs.update }} key_connector_version: ${{ steps.get-key-connector.outputs.version }} key_connector_version_update: ${{ steps.key-connector-update.outputs.update }} - steps: - name: Checkout Branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
@@ -95,46 +94,27 @@ jobs: needs.setup.outputs.core_version_update == 1 || needs.setup.outputs.web_version_update == 1 || needs.setup.outputs.key_connector_version_update == 1 - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: setup steps: - - name: Log in to Azure - CI subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 - with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - - - name: Retrieve secrets - id: retrieve-secrets - uses: bitwarden/gh-actions/get-keyvault-secrets@main + - name: Generate GH App token + uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3 + id: app-token with: - keyvault: "bitwarden-ci" - secrets: "github-gpg-private-key, - github-gpg-private-key-passphrase" + app-id: ${{ secrets.BW_GHAPP_ID }} + private-key: ${{ secrets.BW_GHAPP_KEY }} + owner: ${{ github.repository_owner }} - name: Checkout Branch uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: main - - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0 - with: - gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }} - passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }} - git_user_signingkey: true - git_commit_gpgsign: true - - - name: Set up Git - run: | - git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com" - git config --local user.name "bitwarden-devops-bot" - - - name: Create version branch - id: create-branch + token: ${{ steps.app-token.outputs.token }} + + - name: Configure Git run: | - NAME=version_bump_${{ github.ref_name }}_$(date +"%Y-%m-%d") - git switch -c $NAME - echo "name=$NAME" >> $GITHUB_OUTPUT + git config --local user.email "actions@github.com" + git config --local user.name "Github Actions" - name: Update Core Version env: 
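Review bot: The commits produced after this hunk are no longer signed: the `Import GPG key` step with `git_commit_gpgsign: true` is removed and `Configure Git` sets a generic `actions@github.com` / `Github Actions` identity with no signing key, so the version-bump commits to `main` will show as unverified and will be rejected if the branch requires signed commits. If that is intended, a comment such as `# Commits are unsigned; the GH App token is the only provenance for these pushes` above `Configure Git` would record the decision; otherwise keep a signing step or attribute the commits to the app's bot identity. Minor: `Github Actions` should be spelled `GitHub Actions`. The job's remaining steps continue outside the hunk.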
@@ -176,52 +156,4 @@ jobs: - name: Push changes if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - env: - PR_BRANCH: ${{ steps.create-branch.outputs.name }} - run: git push -u origin $PR_BRANCH - - - name: Generate GH App token - uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3 - id: app-token - with: - app-id: ${{ secrets.BW_GHAPP_ID }} - private-key: ${{ secrets.BW_GHAPP_KEY }} - owner: ${{ github.repository_owner }} - - - name: Create versions PR - if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - id: create-pr - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - PR_BRANCH: ${{ steps.create-branch.outputs.name }} - TITLE: "Update core, web, and key-connector versions" - run: | - PR_URL=$(gh pr create --title "$TITLE" \ - --base "main" \ - --head "$PR_BRANCH" \ - --label "automated pr" \ - --body " - ## Type of change - - [ ] Bug fix - - [ ] New feature development - - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - - [ ] Build/deploy pipeline (DevOps) - - [X] Other - - ## Objective - Automated version updates to core, web, and key-connector versions in version.json, bitwarden.sh and bitwarden.ps1.") - echo "pr_number=${PR_URL##*/}" >> $GITHUB_OUTPUT - - - name: Approve PR - if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }} - run: gh pr review $PR_NUMBER --approve - - - name: Merge PR - if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }} - env: - GH_TOKEN: ${{ steps.app-token.outputs.token }} - PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }} - run: gh pr merge $PR_NUMBER --squash --auto --delete-branch + run: git push diff --git a/DigitalOceanMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot b/DigitalOceanMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot index a3a04ad..fd32031 100755 
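Review bot: `Push changes` is now a bare `git push` into the `main` checkout, replacing the branch-plus-PR flow (`create-branch`, `gh pr create`, `gh pr review --approve`, `gh pr merge`) that this hunk deletes; the version bump therefore lands on `main` directly, which only works if the GH App is allowed to bypass branch protection and it drops the PR and approval trail the old flow left behind. If direct push is the intent, making the target explicit, `run: git push origin HEAD:main`, avoids depending on the checkout's upstream configuration and states the decision in the step itself. The enclosing job starts outside the hunk.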
--- a/DigitalOceanMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot +++ b/DigitalOceanMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot @@ -9,7 +9,7 @@ # ref: https://help.bitwarden.com/article/install-on-premise/ # -docker pull bitwarden/setup +docker pull ghcr.io/bitwarden/setup curl -L -s -o /root/bitwarden.sh "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux" diff --git a/bitwarden.ps1 b/bitwarden.ps1 index d4f9c2a..96c7c5e 100644 --- a/bitwarden.ps1 +++ b/bitwarden.ps1 @@ -99,7 +99,7 @@ Write-Line @' Write-Line " Open source password management solutions -Copyright 2015-${year}, 8bit Solutions LLC +Copyright 2015-${year}, Bitwarden, Inc. https://bitwarden.com, https://github.com/bitwarden =================================================== diff --git a/bitwarden.sh b/bitwarden.sh index a109b3c..0c17134 100755 --- a/bitwarden.sh +++ b/bitwarden.sh @@ -12,7 +12,7 @@ EOF cat << EOF Open source password management solutions -Copyright 2015-$(date +'%Y'), 8bit Solutions LLC +Copyright 2015-$(date +'%Y'), Bitwarden, Inc. https://bitwarden.com, https://github.com/bitwarden =================================================== diff --git a/docker-unified/docker-compose.yml b/docker-unified/docker-compose.yml index 5223058..8cd2918 100644 --- a/docker-unified/docker-compose.yml +++ b/docker-unified/docker-compose.yml @@ -6,7 +6,7 @@ services: - db env_file: - settings.env - image: ${REGISTRY:-bitwarden}/self-host:${TAG:-beta} + image: ${REGISTRY:-ghcr.io/bitwarden}/self-host:${TAG:-beta} restart: always ports: - "80:8080" diff --git a/run.ps1 b/run.ps1 index 56f84ed..fdba06f 100644 --- a/run.ps1 +++ b/run.ps1 
@@ -81,7 +81,7 @@ function Install() { } Pull-Setup - docker run -it --rm --name setup -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion ` + docker run -it --rm --name setup -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion ` dotnet Setup.dll -install 1 -domain ${domain} -letsencrypt ${letsEncrypt} ` -os win -corev $coreVersion -webv $webVersion -keyconnectorv $keyConnectorVersion -q $setupQuiet -dbname "$database" } @@ -177,7 +177,7 @@ function Update-Database { } docker run -it --rm --name setup $dockerNetworkArgs ` - -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion ` + -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion ` dotnet Setup.dll -update 1 -db 1 -os win -corev $coreVersion -webv $webVersion ` -keyconnectorv $keyConnectorVersion -q $setupQuiet Write-Line "Database update complete" @@ -187,7 +187,7 @@ function Update([switch] $withpull) { if ($withpull) { Pull-Setup } - docker run -it --rm --name setup -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion ` + docker run -it --rm --name setup -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion ` dotnet Setup.dll -update 1 -os win -corev $coreVersion -webv $webVersion ` -keyconnectorv $keyConnectorVersion -q $setupQuiet } @@ -226,7 +226,7 @@ function Uninstall() { function Print-Environment { Pull-Setup - docker run -it --rm --name setup -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion ` + docker run -it --rm --name setup -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion ` dotnet Setup.dll -printenv 1 -os win -corev $coreVersion -webv $webVersion ` -keyconnectorv $keyConnectorVersion -q $setupQuiet } @@ -249,7 +249,7 @@ function Cert-Restart { function Pull-Setup { - Invoke-Expression ("docker pull{0} bitwarden/setup:${coreVersion}" -f "") #TODO: qFlag + Invoke-Expression ("docker pull{0} ghcr.io/bitwarden/setup:${coreVersion}" -f "") #TODO: qFlag } function Write-Line($str) { diff --git a/run.sh b/run.sh index 57d2f9f..1b8fe63 100755 
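Review bot: In the `@@ -249,7 +249,7 @@` hunk, `Pull-Setup` still assembles the command as a string and runs it through `Invoke-Expression`, so any shell metacharacters that reach `$coreVersion` would be evaluated rather than passed as part of the image reference; the `{0}` / `-f ""` placeholder for the TODO qFlag is currently a no-op. Calling docker directly, `docker pull "ghcr.io/bitwarden/setup:${coreVersion}"`, keeps the version a plain argument and removes Invoke-Expression; the quiet flag can later be added as a conditional argument. Where `$coreVersion` is read from is outside the hunk.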
--- a/run.sh +++ b/run.sh @@ -103,7 +103,7 @@ function install() { pullSetup docker run -it --rm --name setup -v $OUTPUT_DIR:/bitwarden \ - --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \ + --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \ dotnet Setup.dll -install 1 -domain $DOMAIN -letsencrypt $LETS_ENCRYPT -os $OS \ -corev $COREVERSION -webv $WEBVERSION -dbname "$DATABASE" -keyconnectorv $KEYCONNECTORVERSION } @@ -199,7 +199,7 @@ function updateDatabase() { fi docker run -i --rm --name setup $docker_network_args \ - -v $OUTPUT_DIR:/bitwarden --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \ + -v $OUTPUT_DIR:/bitwarden --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \ dotnet Setup.dll -update 1 -db 1 -os $OS -corev $COREVERSION -webv $WEBVERSION -keyconnectorv $KEYCONNECTORVERSION echo "Database update complete" } @@ -241,7 +241,7 @@ function update() { pullSetup fi docker run -i --rm --name setup -v $OUTPUT_DIR:/bitwarden \ - --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \ + --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \ dotnet Setup.dll -update 1 -os $OS -corev $COREVERSION -webv $WEBVERSION -keyconnectorv $KEYCONNECTORVERSION } @@ -286,7 +286,7 @@ function uninstall() { function printEnvironment() { pullSetup docker run -i --rm --name setup -v $OUTPUT_DIR:/bitwarden \ - --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \ + --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \ dotnet Setup.dll -printenv 1 -os $OS -corev $COREVERSION -webv $WEBVERSION -keyconnectorv $KEYCONNECTORVERSION } @@ -307,7 +307,7 @@ function certRestart() { } function pullSetup() { - docker pull bitwarden/setup:$COREVERSION + docker pull ghcr.io/bitwarden/setup:$COREVERSION } # Commands