|
|
|
@ -26,6 +26,8 @@ jobs: |
|
|
|
setup: |
|
|
|
setup: |
|
|
|
name: Setup |
|
|
|
name: Setup |
|
|
|
runs-on: ubuntu-24.04 |
|
|
|
runs-on: ubuntu-24.04 |
|
|
|
|
|
|
|
permissions: |
|
|
|
|
|
|
|
contents: read |
|
|
|
outputs: |
|
|
|
outputs: |
|
|
|
_WEB_RELEASE_TAG: ${{ steps.set-tags.outputs.WEB_RELEASE_TAG }} |
|
|
|
_WEB_RELEASE_TAG: ${{ steps.set-tags.outputs.WEB_RELEASE_TAG }} |
|
|
|
_CORE_RELEASE_TAG: ${{ steps.set-tags.outputs.CORE_RELEASE_TAG }} |
|
|
|
_CORE_RELEASE_TAG: ${{ steps.set-tags.outputs.CORE_RELEASE_TAG }} |
|
|
|
@ -155,16 +157,21 @@ jobs: |
|
|
|
needs: |
|
|
|
needs: |
|
|
|
- setup |
|
|
|
- setup |
|
|
|
- release |
|
|
|
- release |
|
|
|
|
|
|
|
permissions: |
|
|
|
|
|
|
|
contents: read |
|
|
|
|
|
|
|
id-token: write |
|
|
|
steps: |
|
|
|
steps: |
|
|
|
- name: Checkout repo |
|
|
|
- name: Checkout repo |
|
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
|
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
|
|
|
with: |
|
|
|
with: |
|
|
|
ref: main |
|
|
|
ref: main |
|
|
|
|
|
|
|
|
|
|
|
- name: Login to Azure - CI Subscription |
|
|
|
- name: Log in to Azure |
|
|
|
uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 |
|
|
|
uses: bitwarden/gh-actions/azure-login@main |
|
|
|
with: |
|
|
|
with: |
|
|
|
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} |
|
|
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
|
|
|
|
|
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
|
|
|
|
|
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
|
|
|
|
|
|
|
|
- name: Retrieve secrets |
|
|
|
- name: Retrieve secrets |
|
|
|
id: retrieve-secrets |
|
|
|
id: retrieve-secrets |
|
|
|
@ -175,6 +182,9 @@ jobs: |
|
|
|
aws-selfhost-version-access-key, |
|
|
|
aws-selfhost-version-access-key, |
|
|
|
aws-selfhost-version-bucket-name" |
|
|
|
aws-selfhost-version-bucket-name" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Log out from Azure |
|
|
|
|
|
|
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
|
|
|
|
|
|
|
|
- name: Upload version.json to S3 bucket |
|
|
|
- name: Upload version.json to S3 bucket |
|
|
|
if: ${{ inputs.release_type != 'Dry Run' }} |
|
|
|
if: ${{ inputs.release_type != 'Dry Run' }} |
|
|
|
env: |
|
|
|
env: |
|
|
|
@ -229,10 +239,12 @@ jobs: |
|
|
|
- name: Install Cosign |
|
|
|
- name: Install Cosign |
|
|
|
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 |
|
|
|
uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 |
|
|
|
|
|
|
|
|
|
|
|
- name: Login to Azure - Prod Subscription |
|
|
|
- name: Log in to Azure |
|
|
|
uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 |
|
|
|
uses: bitwarden/gh-actions/azure-login@main |
|
|
|
with: |
|
|
|
with: |
|
|
|
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} |
|
|
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
|
|
|
|
|
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
|
|
|
|
|
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
|
|
|
|
|
|
|
|
- name: Setup project name and release tag |
|
|
|
- name: Setup project name and release tag |
|
|
|
id: setup |
|
|
|
id: setup |
|
|
|
@ -287,6 +299,9 @@ jobs: |
|
|
|
docker logout ghcr.io |
|
|
|
docker logout ghcr.io |
|
|
|
docker logout $_AZ_REGISTRY |
|
|
|
docker logout $_AZ_REGISTRY |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Log out from Azure |
|
|
|
|
|
|
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
release-unified: |
|
|
|
release-unified: |
|
|
|
name: Release Self-host unified |
|
|
|
name: Release Self-host unified |
|
|
|
@ -300,10 +315,12 @@ jobs: |
|
|
|
id-token: write |
|
|
|
id-token: write |
|
|
|
packages: write |
|
|
|
packages: write |
|
|
|
steps: |
|
|
|
steps: |
|
|
|
- name: Login to Azure - PROD Subscription |
|
|
|
- name: Log in to Azure |
|
|
|
uses: Azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0 |
|
|
|
uses: bitwarden/gh-actions/azure-login@main |
|
|
|
with: |
|
|
|
with: |
|
|
|
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} |
|
|
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
|
|
|
|
|
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
|
|
|
|
|
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
|
|
|
|
|
|
|
|
- name: Login to GitHub Container Registry |
|
|
|
- name: Login to GitHub Container Registry |
|
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 |
|
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 |
|
|
|
@ -376,6 +393,9 @@ jobs: |
|
|
|
- name: Log out of Docker |
|
|
|
- name: Log out of Docker |
|
|
|
run: docker logout $_AZ_REGISTRY |
|
|
|
run: docker logout $_AZ_REGISTRY |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Log out from Azure |
|
|
|
|
|
|
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
trigger-workflows: |
|
|
|
trigger-workflows: |
|
|
|
name: Trigger workflows |
|
|
|
name: Trigger workflows |
|
|
|
@ -385,13 +405,32 @@ jobs: |
|
|
|
- release |
|
|
|
- release |
|
|
|
- tag-push-latest-images |
|
|
|
- tag-push-latest-images |
|
|
|
- release-unified |
|
|
|
- release-unified |
|
|
|
|
|
|
|
permissions: |
|
|
|
|
|
|
|
id-token: write |
|
|
|
steps: |
|
|
|
steps: |
|
|
|
|
|
|
|
- name: Log in to Azure |
|
|
|
|
|
|
|
uses: bitwarden/gh-actions/azure-login@main |
|
|
|
|
|
|
|
with: |
|
|
|
|
|
|
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
|
|
|
|
|
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
|
|
|
|
|
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Get Azure Key Vault secrets |
|
|
|
|
|
|
|
id: get-kv-secrets |
|
|
|
|
|
|
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
|
|
|
|
|
|
with: |
|
|
|
|
|
|
|
keyvault: gh-org-bitwarden |
|
|
|
|
|
|
|
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
- name: Log out from Azure |
|
|
|
|
|
|
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
|
|
|
|
|
|
|
|
- name: Generate GH App token |
|
|
|
- name: Generate GH App token |
|
|
|
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 |
|
|
|
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6 |
|
|
|
id: app-token |
|
|
|
id: app-token |
|
|
|
with: |
|
|
|
with: |
|
|
|
app-id: ${{ secrets.BW_GHAPP_ID }} |
|
|
|
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} |
|
|
|
private-key: ${{ secrets.BW_GHAPP_KEY }} |
|
|
|
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} |
|
|
|
|
|
|
|
|
|
|
|
- name: Trigger release-digital-ocean workflow |
|
|
|
- name: Trigger release-digital-ocean workflow |
|
|
|
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 |
|
|
|
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 |
|
|
|
|
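Review bot: The new `bitwarden/gh-actions/azure-login@main`, `azure-logout@main` and `get-keyvault-secrets@main` references track a mutable branch, while the `Azure/login@a457da9…` step they replace and every other action in these hunks is pinned to a commit SHA. These steps run in jobs that hold `id-token: write`, and in trigger-workflows they fetch the GitHub App private key, so whatever lands on that branch runs with the release pipeline's Azure identity. Pin them like the rest, e.g. `uses: bitwarden/gh-actions/azure-login@<COMMIT_SHA> # main`, and let the dependency bot advance the pin. Separately, `BW-GHAPP-KEY` now arrives as a step output rather than through `secrets.*`, so log redaction depends on get-keyvault-secrets registering a mask for it; presumably it does, but that is not visible here and is worth confirming.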