Update workflows

.github/workflows/build-bitwarden-lite.yml

@@ -28,6 +28,10 @@ on:
       - ".github/workflows/build-bitwarden-lite.yml"
       - "bitwarden-lite/**"
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
@@ -81,6 +85,7 @@ jobs:
   build-docker:
     name: Build Docker image
     runs-on: ubuntu-24.04
+    timeout-minutes: 60
     needs: setup
     permissions:
       id-token: write
@@ -124,6 +129,11 @@ jobs:
             IMAGE_TAG=dev
           fi
 
+          if [[ -z "$IMAGE_TAG" ]]; then
+            echo "ERROR: Failed to generate valid IMAGE_TAG from SERVER_REF: $SERVER_REF"
+            exit 1
+          fi
+
           echo "Using $IMAGE_TAG for build"
           echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
 
@@ -178,9 +188,11 @@ jobs:
         id: set-web-artifact-path
         run: |
           WEB_ARTIFACT=$(find . -name "web-*-selfhosted-DEV.zip" | head -1)
-          if [[ -n "${WEB_ARTIFACT}" ]]; then
-            echo "path=${WEB_ARTIFACT}" >> "$GITHUB_OUTPUT"
+          if [[ -z "${WEB_ARTIFACT}" ]]; then
+            echo "ERROR: No web artifact found for dev build"
+            exit 1
           fi
+          echo "path=${WEB_ARTIFACT}" >> "$GITHUB_OUTPUT"
 
       - name: Build and push Docker image
         id: build-docker

.github/workflows/cleanup-container-images.yml

@@ -26,10 +26,15 @@ jobs:
           # Sanitize deleted branch name to match build workflow tag generation
           BRANCH_NAME="${EVENT_REF}"
           IMAGE_TAG=$(echo "$BRANCH_NAME" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | cut -c1-128 | sed -E 's/[.-]$//')
+
+          if [[ -z "$IMAGE_TAG" ]]; then
+            echo "ERROR: Failed to generate valid IMAGE_TAG from EVENT_REF: $EVENT_REF"
+            exit 1
+          fi
+
           echo "tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
 
       - name: Delete container image version
-        continue-on-error: true
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           IMAGE_TAG: ${{ steps.tag.outputs.tag }}
@@ -39,7 +44,7 @@ jobs:
             -H "Accept: application/vnd.github+json" \
             -H "X-GitHub-Api-Version: 2022-11-28" \
             "/orgs/bitwarden/packages/container/lite/versions" \
-            --jq ".[] | select(.metadata.container.tags[] | contains(\"$IMAGE_TAG\")) | .id" \
+            --jq ".[] | select(.metadata.container.tags[] == \"$IMAGE_TAG\") | .id" \
             | head -1)
 
           if [[ -n "$VERSION_ID" ]]; then

.github/workflows/release-digital-ocean.yml

@@ -10,6 +10,10 @@ on:
 
   workflow_dispatch:
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
 permissions:
   contents: read
 
@@ -17,6 +21,7 @@ jobs:
   build-image:
     name: Build Image
     runs-on: ubuntu-24.04
+    timeout-minutes: 90
     permissions:
       contents: read
       id-token: write
@@ -46,9 +51,11 @@ jobs:
       - name: Set version from version.json
         id: set-version
         run: |
-          VERSION=$(grep '^ *"coreVersion":' version.json \
-            | awk -F\: '{ print $2 }' \
-            | sed -e 's/,$//' -e 's/^"//' -e 's/"$//')
+          VERSION=$(jq -r '.versions.coreVersion' version.json)
+          if [[ -z "$VERSION" ]]; then
+            echo "ERROR: Failed to extract coreVersion from version.json"
+            exit 1
+          fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Set up Hashicorp Packer

.github/workflows/release.yml

@@ -11,6 +11,10 @@ on:
 env:
   _AZ_REGISTRY: bitwardenprod.azurecr.io
 
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
 permissions:
   contents: read
 
@@ -306,8 +310,9 @@ jobs:
 
 
   tag-push-latest-images:
-    name: Tag and push ${{ matrix.project_name }} image with release version and latest
+    name: Release ${{ matrix.project_name }} image
     runs-on: ubuntu-24.04
+    timeout-minutes: 45
     needs:
       - update-versions
       - release-github
@@ -315,7 +320,7 @@ jobs:
       id-token: write
       packages: write
     strategy:
-      fail-fast: true
+      fail-fast: false
       matrix:
         include:
           - project_name: Admin
@@ -379,7 +384,6 @@ jobs:
           PROJECT_NAME: ${{ steps.image-setup.outputs.project_name }}
           RELEASE_TAG: ${{ steps.image-setup.outputs.release_tag }}
         run: |
-          skopeo --version
           skopeo login "$_AZ_REGISTRY" -u 00000000-0000-0000-0000-000000000000 -p "$(az acr login --expose-token --name "${_AZ_REGISTRY%.azurecr.io}" | jq -r .accessToken)"
           skopeo copy --all "docker://$_AZ_REGISTRY/$PROJECT_NAME:$RELEASE_TAG" "docker://ghcr.io/bitwarden/$PROJECT_NAME:$RELEASE_TAG"
           skopeo copy --all "docker://$_AZ_REGISTRY/$PROJECT_NAME:latest" "docker://ghcr.io/bitwarden/$PROJECT_NAME:latest"
@@ -393,23 +397,21 @@ jobs:
           cosign sign --yes "ghcr.io/bitwarden/$PROJECT_NAME:latest"
 
       - name: Log out of Docker
-        run: |
-          docker logout ghcr.io
-          docker logout "$_AZ_REGISTRY"
+        run: docker logout ghcr.io "$_AZ_REGISTRY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
 
-  release-bitwarden-lite:
-    name: Release Bitwarden lite
+  update-lite-changelog:
+    name: Update Bitwarden lite CHANGELOG
     runs-on: ubuntu-24.04
     needs: update-versions
     env:
-      _RELEASE_VERSION: ${{ inputs.release_version }}-beta # TODO: remove `-beta` after GA
+      _CORE_VERSION: ${{ needs.update-versions.outputs.core_release_tag }}
     permissions:
+      contents: write
       id-token: write
-      packages: write
     steps:
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -418,56 +420,109 @@ jobs:
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          keyvault: gh-org-bitwarden
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
 
-      - name: Push version and latest image
-        run: |
-          skopeo --version
-          skopeo login "$_AZ_REGISTRY" -u 00000000-0000-0000-0000-000000000000 -p "$(az acr login --expose-token --name "${_AZ_REGISTRY%.azurecr.io}" | jq -r .accessToken)"
-          skopeo copy --all "docker://$_AZ_REGISTRY/lite:beta" "docker://ghcr.io/bitwarden/lite:$_RELEASE_VERSION"
-          skopeo copy --all "docker://$_AZ_REGISTRY/lite:beta" "docker://ghcr.io/bitwarden/lite:beta" # TODO: Delete after GA
-          # skopeo copy --all "docker://$_AZ_REGISTRY/lite:beta" "docker://ghcr.io/bitwarden/lite:latest" # TODO: uncomment after GA
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
+        id: app-token
+        with:
+          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
+          permission-contents: write # for pushing commits
 
-      - name: Sign image with Cosign
+      - name: Checkout Branch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: main
+          token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: true
+
+      - name: Update CHANGELOG.md
         run: |
-          cosign sign --yes "ghcr.io/bitwarden/lite:$_RELEASE_VERSION"
-          cosign sign --yes "ghcr.io/bitwarden/lite:latest"
+          RELEASE_DATE=$(date +%Y-%m-%d)
+
+          # Create temporary file with new content
+          cat > /tmp/new_entry.txt << EOF
 
-      - name: Log out of skopeo and ghcr.io
+          ## [$_CORE_VERSION] - $RELEASE_DATE
+
+          ### Release
+
+          - Bitwarden lite $_CORE_VERSION release, aligned with Bitwarden Server core version $_CORE_VERSION
+          EOF
+
+          # Insert new release entry after the ## [Unreleased] line
+          sed -i "/## \[Unreleased\]/r /tmp/new_entry.txt" bitwarden-lite/CHANGELOG.md
+          rm /tmp/new_entry.txt
+
+      - name: Check if changelog changed
+        id: changelog-changed
         run: |
-          skopeo logout --all
-          docker logout ghcr.io
+          if [ -n "$(git status --porcelain bitwarden-lite/CHANGELOG.md)" ]; then
+            echo "changes_to_commit=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "changes_to_commit=false" >> "$GITHUB_OUTPUT"
+            echo "No changes to commit!";
+          fi
 
-      ########## ACR PROD ##########
-      - name: Login to Azure ACR
-        run: az acr login -n "${_AZ_REGISTRY%.azurecr.io}"
+      - name: Configure Git
+        if: ${{ steps.changelog-changed.outputs.changes_to_commit == 'true' }}
+        run: |
+          git config --local user.email "178206702+bw-ghapp[bot]@users.noreply.github.com"
+          git config --local user.name "bw-ghapp[bot]"
 
-      - name: Pull latest project image
-        run: docker pull "$_AZ_REGISTRY/lite:beta"
+      - name: Commit CHANGELOG.md
+        if: ${{ steps.changelog-changed.outputs.changes_to_commit == 'true' }}
+        run: git commit -m "Update Bitwarden lite CHANGELOG for $_CORE_VERSION" bitwarden-lite/CHANGELOG.md
 
-      - name: Tag version and latest
+      - name: Push changes
+        if: ${{ steps.changelog-changed.outputs.changes_to_commit == 'true' }}
         run: |
-          docker tag "$_AZ_REGISTRY/lite:beta" "$_AZ_REGISTRY/lite:$_RELEASE_VERSION"
-          docker tag "$_AZ_REGISTRY/lite:beta" "$_AZ_REGISTRY/lite:latest"
+          git push
+          echo "✅ Updated Bitwarden lite CHANGELOG for $_CORE_VERSION" >> "$GITHUB_STEP_SUMMARY"
 
-      - name: Push version and latest image
+
+  release-bitwarden-lite:
+    name: Release Bitwarden lite
+    runs-on: ubuntu-24.04
+    timeout-minutes: 30
+    needs:
+      - update-versions
+      - update-lite-changelog
+    env:
+      _CORE_VERSION: ${{ needs.update-versions.outputs.core_release_tag }}
+    permissions:
+      id-token: write
+      packages: write
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Copy version tag to latest
         run: |
-          docker push "$_AZ_REGISTRY/lite:$_RELEASE_VERSION"
-          docker push "$_AZ_REGISTRY/lite:latest"
+          skopeo copy --all "docker://ghcr.io/bitwarden/lite:$_CORE_VERSION" "docker://ghcr.io/bitwarden/lite:latest"
+          echo "✅ Promoted Bitwarden lite $_CORE_VERSION to latest" >> "$GITHUB_STEP_SUMMARY"
 
-      - name: Log out of Docker
-        run: docker logout "$_AZ_REGISTRY"
+      - name: Sign latest image with Cosign
+        run: cosign sign --yes "ghcr.io/bitwarden/lite:latest"
 
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
+      - name: Log out of ghcr.io
+        run: docker logout ghcr.io
 
 
   trigger-workflows:

bitwarden-lite/CHANGELOG.md

@@ -0,0 +1,10 @@
+# Changelog - Bitwarden lite
+
+All notable changes to Bitwarden lite will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project uses version numbers that align with Bitwarden Server core versions.
+
+## [Unreleased]
+
+<!-- New releases will be added here by automation -->