You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
637 lines
22 KiB
637 lines
22 KiB
name: Build |
|
|
|
on: |
|
pull_request: |
|
types: [opened, synchronize] |
|
push: |
|
branches: |
|
- "main" |
|
- "rc" |
|
- "hotfix-rc" |
|
workflow_call: |
|
workflow_dispatch: |
|
|
|
permissions: |
|
contents: read |
|
|
|
env: |
|
_AZ_REGISTRY: "bitwardenprod.azurecr.io" |
|
_GHCR_REGISTRY: "ghcr.io/bitwarden" |
|
_GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }} |
|
|
|
jobs: |
|
lint: |
|
name: Lint |
|
runs-on: ubuntu-22.04 |
|
steps: |
|
- name: Check out repo |
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
persist-credentials: false |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0 |
|
|
|
- name: Verify format |
|
run: dotnet format --verify-no-changes |
|
|
|
build-artifacts: |
|
name: Build Docker images |
|
runs-on: ubuntu-22.04 |
|
needs: lint |
|
outputs: |
|
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }} |
|
permissions: |
|
security-events: write |
|
id-token: write |
|
packages: write |
|
timeout-minutes: 45 |
|
strategy: |
|
fail-fast: false |
|
matrix: |
|
include: |
|
- project_name: Admin |
|
base_path: ./src |
|
dotnet: true |
|
node: true |
|
- project_name: Api |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Attachments |
|
base_path: ./util |
|
- project_name: Billing |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Events |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: EventsProcessor |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Icons |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Identity |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: MsSql |
|
base_path: ./util |
|
- project_name: MsSqlMigratorUtility |
|
base_path: ./util |
|
dotnet: true |
|
- project_name: Nginx |
|
base_path: ./util |
|
- project_name: Notifications |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Scim |
|
base_path: ./bitwarden_license/src |
|
dotnet: true |
|
- project_name: SeederApi |
|
base_path: ./util |
|
platforms: linux/amd64,linux/arm64 |
|
dotnet: true |
|
- project_name: Setup |
|
base_path: ./util |
|
dotnet: true |
|
- project_name: Sso |
|
base_path: ./bitwarden_license/src |
|
dotnet: true |
|
steps: |
|
- name: Check secrets |
|
id: check-secrets |
|
run: | |
|
has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} |
|
echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT" |
|
|
|
- name: Check out repo |
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
persist-credentials: false |
|
|
|
- name: Check branch to publish |
|
env: |
|
PUBLISH_BRANCHES: "main,rc,hotfix-rc" |
|
id: publish-branch-check |
|
run: | |
|
IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES" |
|
if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then |
|
echo "is_publish_branch=true" >> "$GITHUB_ENV" |
|
else |
|
echo "is_publish_branch=false" >> "$GITHUB_ENV" |
|
fi |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0 |
|
|
|
- name: Set up Node |
|
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0 |
|
with: |
|
cache: "npm" |
|
cache-dependency-path: "**/package-lock.json" |
|
node-version: "24" |
|
|
|
- name: Print environment |
|
run: | |
|
whoami |
|
dotnet --info |
|
node --version |
|
npm --version |
|
echo "GitHub ref: $GITHUB_REF" |
|
echo "GitHub event: $GITHUB_EVENT" |
|
|
|
- name: Build node |
|
if: ${{ matrix.node }} |
|
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} |
|
run: | |
|
npm ci |
|
npm run build |
|
|
|
- name: Publish project |
|
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} |
|
if: ${{ matrix.dotnet }} |
|
run: | |
|
echo "Publish" |
|
dotnet publish -c "Release" -o obj/build-output/publish |
|
|
|
cd obj/build-output/publish |
|
zip -r ${{ matrix.project_name }}.zip . |
|
mv ${{ matrix.project_name }}.zip ../../../ |
|
|
|
pwd |
|
ls -atlh ../../../ |
|
|
|
- name: Upload project artifact |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
if: ${{ matrix.dotnet }} |
|
with: |
|
name: ${{ matrix.project_name }}.zip |
|
path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip |
|
if-no-files-found: error |
|
|
|
########## Set up Docker ########## |
|
- name: Set up QEMU emulators |
|
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 |
|
|
|
- name: Set up Docker Buildx |
|
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 |
|
|
|
########## Registries ########## |
|
- name: Log in to GHCR |
|
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 |
|
with: |
|
registry: ghcr.io |
|
username: ${{ github.actor }} |
|
password: ${{ secrets.GITHUB_TOKEN }} |
|
|
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Log in to ACR |
|
run: az acr login -n bitwardenprod |
|
|
|
########## Generate image tag and build Docker image ########## |
|
- name: Generate Docker image tag |
|
id: tag |
|
run: | |
|
if [[ "${GITHUB_EVENT_NAME}" == "pull_request" || "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then |
|
IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize branch name to alphanumeric only |
|
else |
|
IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") |
|
fi |
|
|
|
if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then |
|
SANITIZED_REPO_NAME=$(echo "$_GITHUB_PR_REPO_NAME" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize repo name to alphanumeric only |
|
IMAGE_TAG=$SANITIZED_REPO_NAME-$IMAGE_TAG # Add repo name to the tag |
|
IMAGE_TAG=${IMAGE_TAG:0:128} # Limit to 128 characters, as that's the max length for Docker image tags |
|
fi |
|
|
|
if [[ "$IMAGE_TAG" == "main" ]]; then |
|
IMAGE_TAG=dev |
|
fi |
|
|
|
echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" |
|
echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> "$GITHUB_STEP_SUMMARY" |
|
|
|
- name: Set up project name |
|
id: setup |
|
run: | |
|
PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}') |
|
echo "Matrix name: ${{ matrix.project_name }}" |
|
echo "PROJECT_NAME: $PROJECT_NAME" |
|
echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT" |
|
echo "platforms: ${{ matrix.platforms }}" >> "$GITHUB_STEP_SUMMARY" |
|
|
|
- name: Generate image tags(s) |
|
id: image-tags |
|
env: |
|
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} |
|
PROJECT_NAME: ${{ steps.setup.outputs.project_name }} |
|
SHA: ${{ github.sha }} |
|
run: | |
|
GHCR_TAG="${_GHCR_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" |
|
ACR_TAG="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" |
|
TAGS="${GHCR_TAG},${ACR_TAG}" |
|
echo "primary_tag=${GHCR_TAG}" >> "$GITHUB_OUTPUT" |
|
if [[ "${IMAGE_TAG}" == "dev" ]]; then |
|
SHORT_SHA=$(git rev-parse --short "${SHA}") |
|
TAGS=$TAGS",${_GHCR_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}" |
|
TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}" |
|
fi |
|
echo "tags=$TAGS" >> "$GITHUB_OUTPUT" |
|
|
|
- name: Set platforms |
|
id: platforms |
|
run: | |
|
PLATFORMS="${{ matrix.platforms }}" |
|
if [ -z "$PLATFORMS" ]; then |
|
PLATFORMS="linux/amd64,linux/arm/v7,linux/arm64" |
|
fi |
|
echo "platforms=$PLATFORMS" >> "$GITHUB_OUTPUT" |
|
|
|
- name: Build Docker image |
|
id: build-artifacts |
|
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 |
|
with: |
|
context: . |
|
file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile |
|
platforms: ${{ steps.platforms.outputs.platforms }} |
|
push: true |
|
tags: ${{ steps.image-tags.outputs.tags }} |
|
|
|
- name: Install Cosign |
|
if: github.event_name != 'pull_request' && env.is_publish_branch == 'true' |
|
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 |
|
|
|
- name: Sign image with Cosign |
|
if: github.event_name != 'pull_request' && env.is_publish_branch == 'true' |
|
env: |
|
DIGEST: ${{ steps.build-artifacts.outputs.digest }} |
|
TAGS: ${{ steps.image-tags.outputs.tags }} |
|
run: | |
|
IFS=',' read -r -a tags_array <<< "${TAGS}" |
|
images=() |
|
for tag in "${tags_array[@]}"; do |
|
images+=("${tag}@${DIGEST}") |
|
done |
|
cosign sign --yes ${images[@]} |
|
echo "images=${images[*]}" >> "$GITHUB_OUTPUT" |
|
|
|
- name: Scan Docker image |
|
id: container-scan |
|
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 |
|
with: |
|
image: ${{ steps.image-tags.outputs.primary_tag }} |
|
fail-build: false |
|
output-format: sarif |
|
|
|
- name: Upload Grype results to GitHub |
|
uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10 |
|
with: |
|
sarif_file: ${{ steps.container-scan.outputs.sarif }} |
|
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} |
|
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} |
|
|
|
- name: Log out from GHCR |
|
run: docker logout ghcr.io |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
upload: |
|
name: Upload |
|
runs-on: ubuntu-22.04 |
|
needs: build-artifacts |
|
permissions: |
|
id-token: write |
|
actions: read |
|
steps: |
|
- name: Check out repo |
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
persist-credentials: false |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0 |
|
|
|
- name: Log in to GHCR |
|
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 |
|
with: |
|
registry: ghcr.io |
|
username: ${{ github.actor }} |
|
password: ${{ secrets.GITHUB_TOKEN }} |
|
|
|
- name: Make Docker stubs |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
run: | |
|
# Set proper setup image based on branch |
|
case "$GITHUB_REF" in |
|
"refs/heads/main") |
|
SETUP_IMAGE="${_GHCR_REGISTRY}/setup:dev" |
|
;; |
|
"refs/heads/rc") |
|
SETUP_IMAGE="${_GHCR_REGISTRY}/setup:rc" |
|
;; |
|
"refs/heads/hotfix-rc") |
|
SETUP_IMAGE="${_GHCR_REGISTRY}/setup:hotfix-rc" |
|
;; |
|
esac |
|
|
|
STUB_OUTPUT=$(pwd)/docker-stub |
|
|
|
# Run setup |
|
docker run -i --rm --name setup -v "$STUB_OUTPUT/US:/bitwarden" "$SETUP_IMAGE" \ |
|
/app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region US |
|
docker run -i --rm --name setup -v "$STUB_OUTPUT/EU:/bitwarden" "$SETUP_IMAGE" \ |
|
/app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region EU |
|
|
|
sudo chown -R "$(whoami):$(whoami)" "$STUB_OUTPUT" |
|
|
|
# Remove extra directories and files |
|
rm -rf "$STUB_OUTPUT/US/letsencrypt" |
|
rm -rf "$STUB_OUTPUT/EU/letsencrypt" |
|
rm "$STUB_OUTPUT/US/env/uid.env" "$STUB_OUTPUT/US/config.yml" |
|
rm "$STUB_OUTPUT/EU/env/uid.env" "$STUB_OUTPUT/EU/config.yml" |
|
|
|
# Create uid environment files |
|
touch "$STUB_OUTPUT/US/env/uid.env" |
|
touch "$STUB_OUTPUT/EU/env/uid.env" |
|
|
|
# Zip up the Docker stub files |
|
cd docker-stub/US; zip -r ../../docker-stub-US.zip ./*; cd ../.. |
|
cd docker-stub/EU; zip -r ../../docker-stub-EU.zip ./*; cd ../.. |
|
|
|
- name: Log out from GHCR |
|
run: docker logout ghcr.io |
|
|
|
- name: Upload Docker stub US artifact |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
with: |
|
name: docker-stub-US.zip |
|
path: docker-stub-US.zip |
|
if-no-files-found: error |
|
|
|
- name: Upload Docker stub EU artifact |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
with: |
|
name: docker-stub-EU.zip |
|
path: docker-stub-EU.zip |
|
if-no-files-found: error |
|
|
|
- name: Build Swagger files |
|
run: | |
|
cd ./dev |
|
pwsh ./generate_openapi_files.ps1 |
|
|
|
- name: Upload Public API Swagger artifact |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
with: |
|
name: swagger.json |
|
path: api.public.json |
|
if-no-files-found: error |
|
|
|
- name: Upload Internal API Swagger artifact |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
with: |
|
name: internal.json |
|
path: api.json |
|
if-no-files-found: error |
|
|
|
- name: Upload Identity Swagger artifact |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
with: |
|
name: identity.json |
|
path: identity.json |
|
if-no-files-found: error |
|
|
|
build-mssqlmigratorutility: |
|
name: Build MSSQL migrator utility |
|
runs-on: ubuntu-22.04 |
|
needs: lint |
|
defaults: |
|
run: |
|
shell: bash |
|
working-directory: "util/MsSqlMigratorUtility" |
|
strategy: |
|
fail-fast: false |
|
matrix: |
|
target: |
|
- osx-x64 |
|
- linux-x64 |
|
- win-x64 |
|
steps: |
|
- name: Check out repo |
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
persist-credentials: false |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0 |
|
|
|
- name: Print environment |
|
run: | |
|
whoami |
|
dotnet --info |
|
echo "GitHub ref: $GITHUB_REF" |
|
echo "GitHub event: $GITHUB_EVENT" |
|
|
|
- name: Publish project |
|
run: | |
|
dotnet publish -c "Release" -o obj/build-output/publish -r ${{ matrix.target }} -p:PublishSingleFile=true \ |
|
-p:IncludeNativeLibrariesForSelfExtract=true --self-contained true |
|
|
|
- name: Upload project artifact for Windows |
|
if: ${{ contains(matrix.target, 'win') == true }} |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
with: |
|
name: MsSqlMigratorUtility-${{ matrix.target }} |
|
path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe |
|
if-no-files-found: error |
|
|
|
- name: Upload project artifact |
|
if: ${{ contains(matrix.target, 'win') == false }} |
|
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 |
|
with: |
|
name: MsSqlMigratorUtility-${{ matrix.target }} |
|
path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility |
|
if-no-files-found: error |
|
|
|
bitwarden-lite-build: |
|
name: Trigger Bitwarden lite build |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
runs-on: ubuntu-22.04 |
|
needs: build-artifacts |
|
permissions: |
|
id-token: write |
|
steps: |
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Get Azure Key Vault secrets |
|
id: get-kv-secrets |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
with: |
|
keyvault: gh-org-bitwarden |
|
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Generate GH App token |
|
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 |
|
id: app-token |
|
with: |
|
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} |
|
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} |
|
owner: ${{ github.repository_owner }} |
|
repositories: self-host |
|
|
|
- name: Trigger Bitwarden lite build |
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 |
|
with: |
|
github-token: ${{ steps.app-token.outputs.token }} |
|
script: | |
|
await github.rest.actions.createWorkflowDispatch({ |
|
owner: 'bitwarden', |
|
repo: 'self-host', |
|
workflow_id: 'build-bitwarden-lite.yml', |
|
ref: 'main', |
|
inputs: { |
|
server_branch: process.env.GITHUB_REF |
|
} |
|
}); |
|
|
|
trigger-k8s-deploy: |
|
name: Trigger K8s deploy |
|
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' |
|
runs-on: ubuntu-22.04 |
|
needs: build-artifacts |
|
permissions: |
|
id-token: write |
|
steps: |
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Get Azure Key Vault secrets |
|
id: get-kv-secrets |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
with: |
|
keyvault: gh-org-bitwarden |
|
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Generate GH App token |
|
uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 |
|
id: app-token |
|
with: |
|
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }} |
|
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }} |
|
owner: ${{ github.repository_owner }} |
|
repositories: devops |
|
|
|
- name: Trigger K8s deploy |
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 |
|
with: |
|
github-token: ${{ steps.app-token.outputs.token }} |
|
script: | |
|
await github.rest.actions.createWorkflowDispatch({ |
|
owner: 'bitwarden', |
|
repo: 'devops', |
|
workflow_id: 'deploy-k8s.yml', |
|
ref: 'main', |
|
inputs: { |
|
environment: 'US-DEV Cloud', |
|
tag: 'main' |
|
} |
|
}) |
|
|
|
setup-ephemeral-environment: |
|
name: Setup Ephemeral Environment |
|
needs: build-artifacts |
|
if: | |
|
needs.build-artifacts.outputs.has_secrets == 'true' |
|
&& github.event_name == 'pull_request' |
|
&& contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') |
|
uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main |
|
with: |
|
project: server |
|
pull_request_number: ${{ github.event.number || 0 }} |
|
secrets: inherit |
|
permissions: |
|
contents: read |
|
id-token: write |
|
|
|
check-failures: |
|
name: Check for failures |
|
if: always() |
|
runs-on: ubuntu-22.04 |
|
needs: |
|
- lint |
|
- build-artifacts |
|
- upload |
|
- build-mssqlmigratorutility |
|
- bitwarden-lite-build |
|
- trigger-k8s-deploy |
|
permissions: |
|
id-token: write |
|
steps: |
|
- name: Check if any job failed |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
&& contains(needs.*.result, 'failure') |
|
run: exit 1 |
|
|
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Retrieve secrets |
|
id: retrieve-secrets |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
if: failure() |
|
with: |
|
keyvault: "bitwarden-ci" |
|
secrets: "devops-alerts-slack-webhook-url" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Notify Slack on failure |
|
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 |
|
if: failure() |
|
env: |
|
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} |
|
with: |
|
status: ${{ job.status }}
|
|
|