You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
301 lines
11 KiB
301 lines
11 KiB
name: Build Self-Host Unified |
|
|
|
on: |
|
push: |
|
paths: |
|
- "docker-unified/**" |
|
- ".github/workflows/build-unified.yml" |
|
workflow_dispatch: |
|
inputs: |
|
server_branch: |
|
description: "Server branch name to deploy (examples: 'main', 'rc', 'feature/sm')" |
|
type: string |
|
default: main |
|
web_branch: |
|
description: "Web client branch name to deploy (examples: 'main', 'rc', 'feature/sm')" |
|
type: string |
|
default: main |
|
use_latest_core_version: |
|
description: "Use the latest core version from versions.json instead of branch" |
|
type: boolean |
|
default: false |
|
pull_request: |
|
paths: |
|
- ".github/workflows/build-unified.yml" |
|
- "docker-unified/**" |
|
|
|
env: |
|
_AZ_REGISTRY: bitwardenprod.azurecr.io |
|
|
|
permissions: |
|
contents: read |
|
|
|
jobs: |
|
build-docker: |
|
name: Build Docker image |
|
runs-on: ubuntu-24.04 |
|
permissions: |
|
id-token: write |
|
packages: write |
|
security-events: write |
|
steps: |
|
- name: Checkout Repository |
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
|
with: |
|
persist-credentials: false |
|
|
|
- name: Get server branch to checkout |
|
id: server-branch-name |
|
env: |
|
SERVER_BRANCH: ${{ inputs.server_branch }} |
|
run: | |
|
if [[ "${{ inputs.use_latest_core_version }}" == "true" ]]; then |
|
# Extract coreVersion from versions.json |
|
CORE_VERSION=$(jq -r '.versions.coreVersion' versions.json) |
|
echo "Server version from versions.json: $CORE_VERSION" |
|
echo "server_ref=refs/tags/v$CORE_VERSION" >> "$GITHUB_OUTPUT" |
|
echo "ref_type=tag" >> "$GITHUB_OUTPUT" |
|
elif [[ -z "${SERVER_BRANCH}" ]]; then |
|
echo "server_ref=main" >> "$GITHUB_OUTPUT" |
|
echo "ref_type=branch" >> "$GITHUB_OUTPUT" |
|
else |
|
echo "server_ref=${SERVER_BRANCH#refs/heads/}" >> "$GITHUB_OUTPUT" |
|
echo "ref_type=branch" >> "$GITHUB_OUTPUT" |
|
fi |
|
|
|
- name: Check Branch to Publish |
|
env: |
|
PUBLISH_BRANCHES: "main,rc,hotfix-rc" |
|
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_ref }} |
|
REF_TYPE: ${{ steps.server-branch-name.outputs.ref_type }} |
|
id: publish-branch-check |
|
run: | |
|
REF=${GITHUB_REF#refs/heads/} |
|
|
|
IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES" |
|
|
|
if [[ "${REF_TYPE}" == "tag" ]]; then |
|
# If the build is triggered by a tag, always publish |
|
echo "is_publish_branch=true" >> "$GITHUB_ENV" |
|
elif [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then |
|
echo "is_publish_branch=true" >> "$GITHUB_ENV" |
|
else |
|
echo "is_publish_branch=false" >> "$GITHUB_ENV" |
|
fi |
|
|
|
########## Set up Docker ########## |
|
- name: Set up QEMU emulators |
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 |
|
|
|
- name: Set up Docker Buildx |
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 |
|
|
|
########## Login to Docker registries ########## |
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Login to Azure ACR |
|
run: az acr login -n bitwardenprod |
|
|
|
- name: Login to GitHub Container Registry |
|
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 |
|
with: |
|
registry: ghcr.io |
|
username: ${{ github.actor }} |
|
password: ${{ secrets.GITHUB_TOKEN }} |
|
|
|
########## Generate image tag and build Docker image ########## |
|
- name: Generate Docker image tag |
|
id: tag |
|
env: |
|
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_ref }} |
|
REF_TYPE: ${{ steps.server-branch-name.outputs.ref_type }} |
|
run: | |
|
if [[ "${REF_TYPE}" == "tag" ]]; then |
|
# When using a tag (core version), always use beta tag |
|
IMAGE_TAG=beta |
|
echo "Using beta tag for core version release" |
|
else |
|
# For branch-based builds, use the logic |
|
IMAGE_TAG=$(echo "${SERVER_BRANCH}" | sed "s#/#-#g") # slash safe branch name |
|
if [[ "${IMAGE_TAG}" == "main" ]]; then |
|
IMAGE_TAG=dev |
|
elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then |
|
IMAGE_TAG=beta |
|
fi |
|
fi |
|
|
|
echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT" |
|
|
|
- name: Generate tag list |
|
id: tag-list |
|
env: |
|
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} |
|
IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }} |
|
run: | |
|
if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then |
|
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> "$GITHUB_OUTPUT" |
|
else |
|
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> "$GITHUB_OUTPUT" |
|
fi |
|
|
|
- name: Get Azure Key Vault secrets |
|
id: get-kv-secrets |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
with: |
|
keyvault: gh-org-bitwarden |
|
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" |
|
|
|
- name: Generate GH App token |
|
uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0 |
|
id: app-token |
|
with: |
|
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} |
|
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} |
|
|
|
- name: Checkout server repo |
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
|
with: |
|
repository: bitwarden/server |
|
token: ${{ steps.app-token.outputs.token }} |
|
ref: ${{ steps.server-branch-name.outputs.server_ref }} |
|
path: "server" |
|
persist-credentials: false |
|
|
|
- name: Download web client branch artifacts for dev builds |
|
if: steps.tag.outputs.image_tag == 'dev' |
|
uses: bitwarden/gh-actions/download-artifacts@main |
|
with: |
|
github_token: ${{ steps.app-token.outputs.token }} |
|
workflow: build-web.yml |
|
workflow_conclusion: success |
|
branch: ${{ inputs.web_branch }} |
|
repo: bitwarden/clients |
|
artifacts: "web-*-selfhosted-DEV.zip" |
|
|
|
- name: Set web artifact path for dev builds |
|
if: steps.tag.outputs.image_tag == 'dev' |
|
id: set-web-artifact-path |
|
run: | |
|
WEB_ARTIFACT=$(find . -name "web-*-selfhosted-DEV.zip" | head -1) |
|
if [[ -n "${WEB_ARTIFACT}" ]]; then |
|
echo "WEB_ARTIFACT_PATH=${WEB_ARTIFACT}" >> "$GITHUB_ENV" |
|
fi |
|
|
|
- name: Build and push Docker image |
|
id: build-docker |
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 |
|
with: |
|
context: . |
|
file: docker-unified/Dockerfile |
|
platforms: | |
|
linux/amd64, |
|
linux/arm/v7, |
|
linux/arm64/v8 |
|
push: true |
|
tags: ${{ steps.tag-list.outputs.tags }} |
|
build-args: | |
|
WEB_ARTIFACT_PATH=${{ env.WEB_ARTIFACT_PATH }} |
|
|
|
- name: Install Cosign |
|
if: env.is_publish_branch == 'true' |
|
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 |
|
|
|
- name: Sign image with Cosign |
|
if: env.is_publish_branch == 'true' |
|
id: sign |
|
env: |
|
DIGEST: ${{ steps.build-docker.outputs.digest }} |
|
TAGS: ${{ steps.tag-list.outputs.tags }} |
|
run: | |
|
IFS=',' read -r -a tags_array <<< "${TAGS}" |
|
images=() |
|
for tag in "${tags_array[@]}"; do |
|
images+=("${tag}@${DIGEST}") |
|
done |
|
cosign sign --yes "${images[@]}" |
|
echo "images=${images[*]}" >> "$GITHUB_OUTPUT" |
|
|
|
- name: Verify the signed image(s) with Cosign |
|
if: env.is_publish_branch == 'true' |
|
env: |
|
IMAGES: ${{ steps.sign.outputs.images }} |
|
run: | |
|
read -r -a images_array <<< "${COSIGN_IMAGES}" |
|
cosign verify \ |
|
--certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \ |
|
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ |
|
"${images_array[@]}" |
|
|
|
- name: Scan Docker image |
|
id: container-scan |
|
uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 |
|
with: |
|
image: ${{ steps.tag-list.outputs.primary_tag }} |
|
fail-build: false |
|
output-format: sarif |
|
|
|
- name: Upload Grype results to GitHub |
|
uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3.29.8 |
|
with: |
|
sarif_file: ${{ steps.container-scan.outputs.sarif }} |
|
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} |
|
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} |
|
|
|
- name: Log out of Docker |
|
if: env.is_publish_branch == 'true' |
|
run: | |
|
docker logout ghcr.io |
|
docker logout "$_AZ_REGISTRY" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
|
|
check-failures: |
|
name: Check for failures |
|
if: always() |
|
runs-on: ubuntu-24.04 |
|
needs: build-docker |
|
permissions: |
|
id-token: write |
|
steps: |
|
- name: Check if any job failed |
|
if: | |
|
(github.ref == 'refs/heads/main' |
|
|| github.ref == 'refs/heads/rc' |
|
|| github.ref == 'refs/heads/hotfix-rc') |
|
&& contains(needs.*.result, 'failure') |
|
run: exit 1 |
|
|
|
- name: Log in to Azure |
|
if: failure() |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Retrieve secrets |
|
id: retrieve-secrets |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
if: failure() |
|
with: |
|
keyvault: "bitwarden-ci" |
|
secrets: "devops-alerts-slack-webhook-url" |
|
|
|
- name: Log out from Azure |
|
if: failure() |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Notify Slack on failure |
|
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 |
|
if: failure() |
|
env: |
|
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} |
|
with: |
|
status: ${{ job.status }}
|
|
|