[DEVOPS-1161] fix the rate limiting issue in building bitwarden unified (#2694)

* Add GH_PAT secret to build * Fix secret * Fix * Fix * Maybe fix * add cat for tags.json * Maybe fix * Matbe fix * Trying to fix * Change gh_pat path * Fix * Remove obsolete tags obtaining
3 years ago · 5aa8f3db81
2 changed files with 18 additions and 3 deletions
--- a/.github/workflows/build-self-host.yml
+++ b/.github/workflows/build-self-host.yml
@ -48,11 +48,17 @@ jobs:
				@@ -48,11 +48,17 @@ jobs:
        run: az acr login -n bitwardenqa

      - name: Login to Azure - Prod Subscription
-        if: ${{ env.is_publish_branch == 'true' }}
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

+      - name: Retrieve github PAT secrets
+        id: retrieve-secret-pat
+        uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
+        with:
+          keyvault: "bitwarden-prod-kv"
+          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
      - name: Retrieve secrets
        if: ${{ env.is_publish_branch == 'true' }}
        id: retrieve-secrets
@ -62,7 +68,8 @@ jobs:
				@@ -62,7 +68,8 @@ jobs:
          secrets: "docker-password,
            docker-username,
            dct-delegate-2-repo-passphrase,
-            dct-delegate-2-key"
+            dct-delegate-2-key
+            github-pat-bitwarden-devops-bot-repo-scope"

      - name: Log into Docker
        if: ${{ env.is_publish_branch == 'true' }}
@ -118,6 +125,8 @@ jobs:
				@@ -118,6 +125,8 @@ jobs:
            linux/arm64/v8
          push: true
          tags: ${{ steps.tag-list.outputs.tags }}
+          secrets: |
+            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

      - name: Log out of Docker and disable Docker Notary
        if: ${{ env.is_publish_branch == 'true' }}
--- a/docker-unified/Dockerfile
+++ b/docker-unified/Dockerfile
@ -1,3 +1,4 @@
				@@ -1,3 +1,4 @@
+# syntax = docker/dockerfile:1.2
 ###############################################
 #                 Build stage                 #
 ###############################################
@ -13,7 +14,12 @@ RUN apt-get update && apt-get install -y \
				@@ -13,7 +14,12 @@ RUN apt-get update && apt-get install -y \
 WORKDIR /tmp

 # Download tags from 'clients' repository
-RUN curl https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json
+RUN --mount=type=secret,id=GH_PAT,target=/etc/secrets/GH_PAT if [ -e "/etc/secrets/GH_PAT" ]; then \
+curl --header "Authorization: token $(cat /etc/secrets/GH_PAT)" \
+  https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; else \
+  curl https://api.github.com/repos/bitwarden/clients/git/refs/tags --output tags.json ; fi
+
+RUN cat tags.json

 # Grab last tag/release of the 'web' client
 RUN cat tags.json | jq -r 'last(.[] | select(.ref|test("refs/tags/web-v[0-9]{4}.[0-9]{1,2}.[0-9]+"))) | .ref | split("/")[2]' > tag.txt