GitHub-Bitwarden
/
self-host
mirror of https://github.com/bitwarden/self-host.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Bitwarden's self-hosted release repository
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
289 Commits
16 Branches
99 Tags
2.2 MiB
 
 
 
 
 
Tree: d9844a1a21
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd9844a1a21'
${ noResults }
self-host/.github/workflows/build-unified.yml

269 lines
9.5 KiB
Raw Blame History

name: Build Self-Host Unified
on:
push:
paths:
- "docker-unified/**"
- ".github/workflows/build-unified.yml"
workflow_dispatch:
inputs:
server_branch:
description: "Server branch name to deploy (examples: 'main', 'rc', 'feature/sm')"
type: string
default: main
use_latest_core_version:
description: "Use the latest core version from versions.json instead of branch"
type: boolean
default: false
pull_request:
paths:
- ".github/workflows/build-unified.yml"
- "docker-unified/**"
env:
_AZ_REGISTRY: bitwardenprod.azurecr.io
permissions:
contents: read
jobs:
build-docker:
name: Build Docker image
runs-on: ubuntu-24.04
permissions:
id-token: write
packages: write
security-events: write
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Get server branch to checkout
id: server-branch-name
env:
SERVER_BRANCH: ${{ inputs.server_branch }}
run: |
if [[ "${{ inputs.use_latest_core_version }}" == "true" ]]; then
# Extract coreVersion from versions.json
CORE_VERSION=$(jq -r '.versions.coreVersion' versions.json)
echo "Server version from versions.json: $CORE_VERSION"
echo "server_ref=refs/tags/v$CORE_VERSION" >> $GITHUB_OUTPUT
echo "ref_type=tag" >> $GITHUB_OUTPUT
elif [[ -z "${SERVER_BRANCH}" ]]; then
echo "server_ref=main" >> $GITHUB_OUTPUT
echo "ref_type=branch" >> $GITHUB_OUTPUT
else
echo "server_ref=${SERVER_BRANCH#refs/heads/}" >> $GITHUB_OUTPUT
echo "ref_type=branch" >> $GITHUB_OUTPUT
fi
- name: Check Branch to Publish
env:
PUBLISH_BRANCHES: "main,rc,hotfix-rc"
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_ref }}
REF_TYPE: ${{ steps.server-branch-name.outputs.ref_type }}
id: publish-branch-check
run: |
REF=${GITHUB_REF#refs/heads/}
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
if [[ "${REF_TYPE}" == "tag" ]]; then
# If the build is triggered by a tag, always publish
echo "is_publish_branch=true" >> $GITHUB_ENV
elif [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then
echo "is_publish_branch=true" >> $GITHUB_ENV
else
echo "is_publish_branch=false" >> $GITHUB_ENV
fi
########## Set up Docker ##########
- name: Set up QEMU emulators
uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
########## Login to Docker registries ##########
- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Login to Azure ACR
run: az acr login -n bitwardenprod
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
########## Generate image tag and build Docker image ##########
- name: Generate Docker image tag
id: tag
env:
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_ref }}
REF_TYPE: ${{ steps.server-branch-name.outputs.ref_type }}
run: |
if [[ "${REF_TYPE}" == "tag" ]]; then
# When using a tag (core version), always use beta tag
IMAGE_TAG=beta
echo "Using beta tag for core version release"
else
# For branch-based builds, use the logic
IMAGE_TAG=$(echo "${SERVER_BRANCH}" | sed "s#/#-#g") # slash safe branch name
if [[ "${IMAGE_TAG}" == "main" ]]; then
IMAGE_TAG=dev
elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then
IMAGE_TAG=beta
fi
fi
echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
- name: Generate tag list
id: tag-list
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
run: |
if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
else
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
fi
- name: Get Azure Key Vault secrets
id: get-kv-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: gh-org-bitwarden
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
- name: Generate GH App token
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
id: app-token
with:
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
- name: Checkout server repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: bitwarden/server
token: ${{ steps.app-token.outputs.token }}
ref: ${{ steps.server-branch-name.outputs.server_ref }}
path: "server"
- name: Build and push Docker image
id: build-docker
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: .
file: docker-unified/Dockerfile
platforms: |
linux/amd64,
linux/arm/v7,
linux/arm64/v8
push: true
tags: ${{ steps.tag-list.outputs.tags }}
- name: Install Cosign
if: env.is_publish_branch == 'true'
uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
- name: Sign image with Cosign
if: env.is_publish_branch == 'true'
id: sign
env:
DIGEST: ${{ steps.build-docker.outputs.digest }}
TAGS: ${{ steps.tag-list.outputs.tags }}
run: |
IFS="," read -a tags <<< "${TAGS}"
images=""
for tag in "${tags[@]}"; do
images+="${tag}@${DIGEST} "
done
cosign sign --yes ${images}
echo "images=${images}" >> $GITHUB_OUTPUT
- name: Verify the signed image(s) with Cosign
if: env.is_publish_branch == 'true'
run: |
cosign verify \
--certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
${{ steps.sign.outputs.images }}
- name: Scan Docker image
id: container-scan
uses: anchore/scan-action@2c901ab7378897c01b8efaa2d0c9bf519cc64b9e # v6.2.0
with:
image: ${{ steps.tag-list.outputs.primary_tag }}
fail-build: false
output-format: sarif
- name: Upload Grype results to GitHub
uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
with:
sarif_file: ${{ steps.container-scan.outputs.sarif }}
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
- name: Log out of Docker
if: ${{ env.is_publish_branch == 'true' }}
run: |
docker logout ghcr.io
docker logout $_AZ_REGISTRY
- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main
check-failures:
name: Check for failures
if: always()
runs-on: ubuntu-24.04
needs: build-docker
permissions:
id-token: write
steps:
- name: Check if any job failed
if: |
(github.ref == 'refs/heads/main'
|| github.ref == 'refs/heads/rc'
|| github.ref == 'refs/heads/hotfix-rc')
&& contains(needs.*.result, 'failure')
run: exit 1
- name: Log in to Azure
if: failure()
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
if: failure()
with:
keyvault: "bitwarden-ci"
secrets: "devops-alerts-slack-webhook-url"
- name: Log out from Azure
if: failure()
uses: bitwarden/gh-actions/azure-logout@main
- name: Notify Slack on failure
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
if: failure()
env:
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
with:
status: ${{ job.status }}