You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
605 lines
20 KiB
605 lines
20 KiB
name: Build |
|
|
|
on: |
|
workflow_dispatch: |
|
push: |
|
branches: |
|
- "main" |
|
- "rc" |
|
- "hotfix-rc" |
|
pull_request: |
|
types: [opened, synchronize] |
|
workflow_call: |
|
inputs: {} |
|
|
|
permissions: |
|
contents: read |
|
|
|
env: |
|
_AZ_REGISTRY: "bitwardenprod.azurecr.io" |
|
_GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }} |
|
|
|
jobs: |
|
lint: |
|
name: Lint |
|
runs-on: ubuntu-24.04 |
|
steps: |
|
- name: Check out repo |
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 |
|
|
|
- name: Verify format |
|
run: dotnet format --verify-no-changes |
|
|
|
build-artifacts: |
|
name: Build Docker images |
|
runs-on: ubuntu-24.04 |
|
needs: |
|
- lint |
|
outputs: |
|
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }} |
|
permissions: |
|
security-events: write |
|
id-token: write |
|
strategy: |
|
fail-fast: false |
|
matrix: |
|
include: |
|
- project_name: Admin |
|
base_path: ./src |
|
dotnet: true |
|
node: true |
|
- project_name: Api |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Attachments |
|
base_path: ./util |
|
- project_name: Billing |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Events |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: EventsProcessor |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Icons |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Identity |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: MsSql |
|
base_path: ./util |
|
- project_name: MsSqlMigratorUtility |
|
base_path: ./util |
|
dotnet: true |
|
- project_name: Nginx |
|
base_path: ./util |
|
- project_name: Notifications |
|
base_path: ./src |
|
dotnet: true |
|
- project_name: Scim |
|
base_path: ./bitwarden_license/src |
|
dotnet: true |
|
- project_name: Setup |
|
base_path: ./util |
|
dotnet: true |
|
- project_name: Sso |
|
base_path: ./bitwarden_license/src |
|
dotnet: true |
|
steps: |
|
- name: Check secrets |
|
id: check-secrets |
|
run: | |
|
has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} |
|
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT |
|
|
|
- name: Check out repo |
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
|
|
- name: Check branch to publish |
|
env: |
|
PUBLISH_BRANCHES: "main,rc,hotfix-rc" |
|
id: publish-branch-check |
|
run: | |
|
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES |
|
if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then |
|
echo "is_publish_branch=true" >> $GITHUB_ENV |
|
else |
|
echo "is_publish_branch=false" >> $GITHUB_ENV |
|
fi |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 |
|
|
|
- name: Set up Node |
|
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 |
|
with: |
|
cache: "npm" |
|
cache-dependency-path: "**/package-lock.json" |
|
node-version: "16" |
|
|
|
- name: Print environment |
|
run: | |
|
whoami |
|
dotnet --info |
|
node --version |
|
npm --version |
|
echo "GitHub ref: $GITHUB_REF" |
|
echo "GitHub event: $GITHUB_EVENT" |
|
|
|
- name: Build node |
|
if: ${{ matrix.node }} |
|
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} |
|
run: | |
|
npm ci |
|
npm run build |
|
|
|
- name: Publish project |
|
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} |
|
if: ${{ matrix.dotnet }} |
|
run: | |
|
echo "Publish" |
|
dotnet publish -c "Release" -o obj/build-output/publish |
|
|
|
cd obj/build-output/publish |
|
zip -r ${{ matrix.project_name }}.zip . |
|
mv ${{ matrix.project_name }}.zip ../../../ |
|
|
|
pwd |
|
ls -atlh ../../../ |
|
|
|
- name: Upload project artifact |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
if: ${{ matrix.dotnet }} |
|
with: |
|
name: ${{ matrix.project_name }}.zip |
|
path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip |
|
if-no-files-found: error |
|
|
|
########## Set up Docker ########## |
|
- name: Set up QEMU emulators |
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 |
|
|
|
- name: Set up Docker Buildx |
|
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 |
|
|
|
########## ACRs ########## |
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Log in to ACR - production subscription |
|
run: az acr login -n bitwardenprod |
|
|
|
- name: Retrieve GitHub PAT secrets |
|
id: retrieve-secret-pat |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
with: |
|
keyvault: "bitwarden-ci" |
|
secrets: "github-pat-bitwarden-devops-bot-repo-scope" |
|
|
|
########## Generate image tag and build Docker image ########## |
|
- name: Generate Docker image tag |
|
id: tag |
|
run: | |
|
if [[ "${GITHUB_EVENT_NAME}" == "pull_request" || "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then |
|
IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize branch name to alphanumeric only |
|
else |
|
IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") |
|
fi |
|
|
|
if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then |
|
SANITIZED_REPO_NAME=$(echo "$_GITHUB_PR_REPO_NAME" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize repo name to alphanumeric only |
|
IMAGE_TAG=$SANITIZED_REPO_NAME-$IMAGE_TAG # Add repo name to the tag |
|
IMAGE_TAG=${IMAGE_TAG:0:128} # Limit to 128 characters, as that's the max length for Docker image tags |
|
fi |
|
|
|
if [[ "$IMAGE_TAG" == "main" ]]; then |
|
IMAGE_TAG=dev |
|
fi |
|
|
|
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT |
|
echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY |
|
|
|
- name: Set up project name |
|
id: setup |
|
run: | |
|
PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}') |
|
echo "Matrix name: ${{ matrix.project_name }}" |
|
echo "PROJECT_NAME: $PROJECT_NAME" |
|
echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT |
|
|
|
- name: Generate image tags(s) |
|
id: image-tags |
|
env: |
|
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} |
|
PROJECT_NAME: ${{ steps.setup.outputs.project_name }} |
|
SHA: ${{ github.sha }} |
|
run: | |
|
TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" |
|
echo "primary_tag=$TAGS" >> $GITHUB_OUTPUT |
|
if [[ "${IMAGE_TAG}" == "dev" ]]; then |
|
SHORT_SHA=$(git rev-parse --short ${SHA}) |
|
TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}" |
|
fi |
|
echo "tags=$TAGS" >> $GITHUB_OUTPUT |
|
|
|
- name: Build Docker image |
|
id: build-artifacts |
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 |
|
with: |
|
context: . |
|
file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile |
|
platforms: | |
|
linux/amd64, |
|
linux/arm/v7, |
|
linux/arm64 |
|
push: true |
|
tags: ${{ steps.image-tags.outputs.tags }} |
|
secrets: | |
|
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" |
|
|
|
- name: Install Cosign |
|
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' |
|
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2 |
|
|
|
- name: Sign image with Cosign |
|
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' |
|
env: |
|
DIGEST: ${{ steps.build-artifacts.outputs.digest }} |
|
TAGS: ${{ steps.image-tags.outputs.tags }} |
|
run: | |
|
IFS="," read -a tags <<< "${TAGS}" |
|
images="" |
|
for tag in "${tags[@]}"; do |
|
images+="${tag}@${DIGEST} " |
|
done |
|
cosign sign --yes ${images} |
|
|
|
- name: Scan Docker image |
|
id: container-scan |
|
uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 |
|
with: |
|
image: ${{ steps.image-tags.outputs.primary_tag }} |
|
fail-build: false |
|
output-format: sarif |
|
|
|
- name: Upload Grype results to GitHub |
|
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8 |
|
with: |
|
sarif_file: ${{ steps.container-scan.outputs.sarif }} |
|
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} |
|
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
upload: |
|
name: Upload |
|
runs-on: ubuntu-24.04 |
|
needs: build-artifacts |
|
permissions: |
|
id-token: write |
|
actions: read |
|
steps: |
|
- name: Check out repo |
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 |
|
|
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Log in to ACR - production subscription |
|
run: az acr login -n $_AZ_REGISTRY --only-show-errors |
|
|
|
- name: Make Docker stubs |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
run: | |
|
# Set proper setup image based on branch |
|
case "$GITHUB_REF" in |
|
"refs/heads/main") |
|
SETUP_IMAGE="$_AZ_REGISTRY/setup:dev" |
|
;; |
|
"refs/heads/rc") |
|
SETUP_IMAGE="$_AZ_REGISTRY/setup:rc" |
|
;; |
|
"refs/heads/hotfix-rc") |
|
SETUP_IMAGE="$_AZ_REGISTRY/setup:hotfix-rc" |
|
;; |
|
esac |
|
|
|
STUB_OUTPUT=$(pwd)/docker-stub |
|
|
|
# Run setup |
|
docker run -i --rm --name setup -v $STUB_OUTPUT/US:/bitwarden $SETUP_IMAGE \ |
|
/app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region US |
|
docker run -i --rm --name setup -v $STUB_OUTPUT/EU:/bitwarden $SETUP_IMAGE \ |
|
/app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region EU |
|
|
|
sudo chown -R $(whoami):$(whoami) $STUB_OUTPUT |
|
|
|
# Remove extra directories and files |
|
rm -rf $STUB_OUTPUT/US/letsencrypt |
|
rm -rf $STUB_OUTPUT/EU/letsencrypt |
|
rm $STUB_OUTPUT/US/env/uid.env $STUB_OUTPUT/US/config.yml |
|
rm $STUB_OUTPUT/EU/env/uid.env $STUB_OUTPUT/EU/config.yml |
|
|
|
# Create uid environment files |
|
touch $STUB_OUTPUT/US/env/uid.env |
|
touch $STUB_OUTPUT/EU/env/uid.env |
|
|
|
# Zip up the Docker stub files |
|
cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../.. |
|
cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../.. |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Upload Docker stub US artifact |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
with: |
|
name: docker-stub-US.zip |
|
path: docker-stub-US.zip |
|
if-no-files-found: error |
|
|
|
- name: Upload Docker stub EU artifact |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
with: |
|
name: docker-stub-EU.zip |
|
path: docker-stub-EU.zip |
|
if-no-files-found: error |
|
|
|
- name: Build Swagger files |
|
run: | |
|
cd ./dev |
|
pwsh ./generate_openapi_files.ps1 |
|
|
|
- name: Upload Public API Swagger artifact |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
with: |
|
name: swagger.json |
|
path: api.public.json |
|
if-no-files-found: error |
|
|
|
- name: Upload Internal API Swagger artifact |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
with: |
|
name: internal.json |
|
path: api.json |
|
if-no-files-found: error |
|
|
|
- name: Upload Identity Swagger artifact |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
with: |
|
name: identity.json |
|
path: identity.json |
|
if-no-files-found: error |
|
|
|
build-mssqlmigratorutility: |
|
name: Build MSSQL migrator utility |
|
runs-on: ubuntu-24.04 |
|
needs: |
|
- lint |
|
defaults: |
|
run: |
|
shell: bash |
|
working-directory: "util/MsSqlMigratorUtility" |
|
strategy: |
|
fail-fast: false |
|
matrix: |
|
target: |
|
- osx-x64 |
|
- linux-x64 |
|
- win-x64 |
|
steps: |
|
- name: Check out repo |
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
|
with: |
|
ref: ${{ github.event.pull_request.head.sha }} |
|
|
|
- name: Set up .NET |
|
uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 |
|
|
|
- name: Print environment |
|
run: | |
|
whoami |
|
dotnet --info |
|
echo "GitHub ref: $GITHUB_REF" |
|
echo "GitHub event: $GITHUB_EVENT" |
|
|
|
- name: Publish project |
|
run: | |
|
dotnet publish -c "Release" -o obj/build-output/publish -r ${{ matrix.target }} -p:PublishSingleFile=true \ |
|
-p:IncludeNativeLibrariesForSelfExtract=true --self-contained true |
|
|
|
- name: Upload project artifact for Windows |
|
if: ${{ contains(matrix.target, 'win') == true }} |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
with: |
|
name: MsSqlMigratorUtility-${{ matrix.target }} |
|
path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe |
|
if-no-files-found: error |
|
|
|
- name: Upload project artifact |
|
if: ${{ contains(matrix.target, 'win') == false }} |
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 |
|
with: |
|
name: MsSqlMigratorUtility-${{ matrix.target }} |
|
path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility |
|
if-no-files-found: error |
|
|
|
self-host-build: |
|
name: Trigger self-host build |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
runs-on: ubuntu-24.04 |
|
needs: |
|
- build-artifacts |
|
permissions: |
|
id-token: write |
|
steps: |
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Retrieve GitHub PAT secrets |
|
id: retrieve-secret-pat |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
with: |
|
keyvault: "bitwarden-ci" |
|
secrets: "github-pat-bitwarden-devops-bot-repo-scope" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Trigger self-host build |
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 |
|
with: |
|
github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }} |
|
script: | |
|
await github.rest.actions.createWorkflowDispatch({ |
|
owner: 'bitwarden', |
|
repo: 'self-host', |
|
workflow_id: 'build-unified.yml', |
|
ref: 'main', |
|
inputs: { |
|
server_branch: process.env.GITHUB_REF |
|
} |
|
}); |
|
|
|
trigger-k8s-deploy: |
|
name: Trigger k8s deploy |
|
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' |
|
runs-on: ubuntu-22.04 |
|
needs: |
|
- build-artifacts |
|
permissions: |
|
id-token: write |
|
steps: |
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Retrieve GitHub PAT secrets |
|
id: retrieve-secret-pat |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
with: |
|
keyvault: "bitwarden-ci" |
|
secrets: "github-pat-bitwarden-devops-bot-repo-scope" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Trigger k8s deploy |
|
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 |
|
with: |
|
github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }} |
|
script: | |
|
await github.rest.actions.createWorkflowDispatch({ |
|
owner: 'bitwarden', |
|
repo: 'devops', |
|
workflow_id: 'deploy-k8s.yml', |
|
ref: 'main', |
|
inputs: { |
|
environment: 'US-DEV Cloud', |
|
tag: 'main' |
|
} |
|
}) |
|
|
|
setup-ephemeral-environment: |
|
name: Setup Ephemeral Environment |
|
needs: |
|
- build-artifacts |
|
if: | |
|
needs.build-artifacts.outputs.has_secrets == 'true' |
|
&& github.event_name == 'pull_request' |
|
&& contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') |
|
uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main |
|
with: |
|
project: server |
|
pull_request_number: ${{ github.event.number || 0 }} |
|
secrets: inherit |
|
permissions: |
|
contents: read |
|
id-token: write |
|
|
|
check-failures: |
|
name: Check for failures |
|
if: always() |
|
runs-on: ubuntu-22.04 |
|
needs: |
|
- lint |
|
- build-artifacts |
|
- upload |
|
- build-mssqlmigratorutility |
|
- self-host-build |
|
- trigger-k8s-deploy |
|
permissions: |
|
id-token: write |
|
steps: |
|
- name: Check if any job failed |
|
if: | |
|
github.event_name != 'pull_request' |
|
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') |
|
&& contains(needs.*.result, 'failure') |
|
run: exit 1 |
|
|
|
- name: Log in to Azure |
|
uses: bitwarden/gh-actions/azure-login@main |
|
with: |
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} |
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }} |
|
client_id: ${{ secrets.AZURE_CLIENT_ID }} |
|
|
|
- name: Retrieve secrets |
|
id: retrieve-secrets |
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main |
|
if: failure() |
|
with: |
|
keyvault: "bitwarden-ci" |
|
secrets: "devops-alerts-slack-webhook-url" |
|
|
|
- name: Log out from Azure |
|
uses: bitwarden/gh-actions/azure-logout@main |
|
|
|
- name: Notify Slack on failure |
|
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 |
|
if: failure() |
|
env: |
|
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} |
|
with: |
|
status: ${{ job.status }}
|
|
|