From 0fde17fc0ed3ef2d73a58717f134e6d4960699d0 Mon Sep 17 00:00:00 2001 From: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Date: Thu, 16 Feb 2023 14:16:32 -0800 Subject: [PATCH] Add in QA temporary ACR (#2711) * Adding QA registry back into self-host build pipeline * switching order of the ACR signin * Update build pipeline to follow same patterns as build-self-host and push to both Prod and QA registries * Add Bitwarden QA registry to the PR clean up workflow * Fix project name and path to dockerfile * Add a publish branch check to the tag list generator * Fix bash env var typo --- .github/workflows/build-self-host.yml | 15 +- .github/workflows/build.yml | 222 ++++++++++++------------- .github/workflows/cleanup-after-pr.yml | 42 +++-- 3 files changed, 149 insertions(+), 130 deletions(-) diff --git a/.github/workflows/build-self-host.yml b/.github/workflows/build-self-host.yml index 8d2a6ec498..9050ce333a 100644 --- a/.github/workflows/build-self-host.yml +++ b/.github/workflows/build-self-host.yml @@ -45,7 +45,15 @@ jobs: uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 ########## Login to Docker registries ########## - - name: Login to Azure - PROD Subscription + - name: Login to Azure - QA Subscription + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + with: + creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }} + + - name: Login to Azure ACR + run: az acr login -n bitwardenqa + + - name: Login to Azure - Prod Subscription uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} @@ -53,6 +61,7 @@ jobs: - name: Login to Azure ACR run: az acr login -n bitwardenprod + - name: Retrieve github PAT secrets id: retrieve-secret-pat uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af 
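Review bot: The new QA login step and the existing PROD step are both named `Login to Azure ACR`, so the job log shows two identically named steps and a failure in one cannot be told from the other; rename the new one `- name: Login to QA ACR` (and the prod one `- name: Login to PROD ACR`), matching the names build.yml uses in this same commit. The same duplicated name appears in the QA steps added to cleanup-after-pr.yml. The `steps:` list this hunk edits starts before the hunk.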
@@ -109,9 +118,9 @@ jobs: IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} run: | if [ "$IMAGE_TAG" = "dev" ] || [ "$IMAGE_TAG" = "beta" ]; then - echo "tags=bitwardenprod.azurecr.io/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT + echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG},bitwardenprod.azurecr.io/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT else - echo "tags=bitwardenprod.azurecr.io/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT + echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG},bitwardenprod.azurecr.io/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT fi - name: Build Docker image diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index bc2cec89d1..24cc0097bf 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
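Review bot: The QA and PROD registry hosts are spelled out in both the `if` and `else` arms of the tag generator, and the same pair is repeated in build.yml's new `Generate tag list` step, so changing or retiring the registry described as temporary in the PR title means editing four literals. Hoisting them into the step `env:` (e.g. `QA_REGISTRY: bitwardenqa.azurecr.io` and `PROD_REGISTRY: bitwardenprod.azurecr.io`), building `tags=$QA_REGISTRY/self-host:$IMAGE_TAG,$PROD_REGISTRY/self-host:$IMAGE_TAG` once and appending `,bitwarden/self-host:$IMAGE_TAG` only in the dev/beta case leaves one source of truth. The redirect should also be `>> "$GITHUB_OUTPUT"` (ShellCheck SC2086). The enclosing step's `env:` and `run:` begin before the hunk.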
@@ -191,74 +191,145 @@ jobs: include: - project_name: Admin base_path: ./src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Api base_path: ./src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Attachments base_path: ./util - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] - project_name: Events base_path: ./src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: EventsProcessor base_path: ./src - docker_repos: [bitwardenprod.azurecr.io] + docker_repos: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Icons base_path: ./src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Identity base_path: ./src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: MsSql base_path: ./util - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] - project_name: Nginx base_path: ./util - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] - project_name: Notifications base_path: ./src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Server base_path: ./util - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, 
bitwardenqa.azurecr.io] dotnet: true - project_name: Setup base_path: ./util - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Sso base_path: ./bitwarden_license/src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Scim base_path: ./bitwarden_license/src - docker_repos: [bitwarden, bitwardenprod.azurecr.io] + docker_repos: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true - project_name: Billing base_path: ./src - docker_repos: [bitwardenprod.azurecr.io] + docker_repos: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] dotnet: true steps: - name: Checkout repo uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 - - name: Set up image tag + - name: Check Branch to Publish + env: + PUBLISH_BRANCHES: "master,rc,hotfix-rc" + id: publish-branch-check + run: | + IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES + + if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then + echo "is_publish_branch=true" >> $GITHUB_ENV + else + echo "is_publish_branch=false" >> $GITHUB_ENV + fi + + ########## ACRs ########## + - name: Login to Azure - QA Subscription + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + with: + creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }} + + - name: Login to QA ACR + run: az acr login -n bitwardenqa + + - name: Login to Azure - PROD Subscription + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + with: + creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + + - name: Login to PROD ACR + run: az acr login -n bitwardenprod + + - name: Retrieve github PAT secrets + id: retrieve-secret-pat + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "github-pat-bitwarden-devops-bot-repo-scope" 
+ + - name: Retrieve secrets + if: ${{ env.is_publish_branch == 'true' }} + id: retrieve-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af + with: + keyvault: "bitwarden-prod-kv" + secrets: "docker-password, + docker-username, + dct-delegate-2-repo-passphrase, + dct-delegate-2-key" + + - name: Log into Docker + if: ${{ env.is_publish_branch == 'true' }} + env: + DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }} + DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }} + run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin + + - name: Setup Docker Trust + if: ${{ env.is_publish_branch == 'true' }} + env: + DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c" + DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }} + DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }} + run: | + mkdir -p ~/.docker/trust/private + echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key + echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV + echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV + + ########## Generate image tag and build Docker image ########## + - name: Generate Docker image tag + id: tag run: | IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name if [[ "$IMAGE_TAG" == "master" ]]; then IMAGE_TAG=dev + elif [[ "$IMAGE_TAG" == "rc" ]] || [[ "$IMAGE_TAG" == "hotfix-rc" ]]; then + IMAGE_TAG=beta fi - echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV - ########## Build Docker Image ########## + echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT + - name: Setup project name id: setup run: | 
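Review bot: The `Check Branch to Publish` step declares `id: publish-branch-check` but never writes a step output; its result goes to `$GITHUB_ENV` as `is_publish_branch`, so the id is dead and every later `if:` reads a job-wide env var instead of a step output. Either drop the id or write `echo "is_publish_branch=true" >> "$GITHUB_OUTPUT"` and reference `steps.publish-branch-check.outputs.is_publish_branch` in the conditions. The parsing line should read `IFS="," read -r -a publish_branches <<< "$PUBLISH_BRANCHES"` (quoted here-string, `-r`). Note that the PAT retrieval and both ACR logins now run for every ref, not only publish branches; that matches what the removed PROD ACR steps already did, so I flag it only for awareness. The `jobs:` block enclosing this hunk starts before it.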
@@ -267,6 +338,18 @@ jobs: echo "PROJECT_NAME: $PROJECT_NAME" echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT + - name: Generate tag list + id: tag-list + env: + IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} + PROJECT_NAME: ${{ steps.setup.outputs.project_name }} + run: | + if [ "${{ env.is_publish_branch }}" == "true" ]; then + echo "tags=bitwardenqa.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG},bitwardenprod.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG},bitwarden/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT + else + echo "tags=bitwardenqa.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG},bitwardenprod.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT + fi + - name: Get build artifact if: ${{ matrix.dotnet }} uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 
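Review bot: The publish-branch tag list adds `bitwarden/${PROJECT_NAME}:${IMAGE_TAG}` for every matrix entry, but the removed Docker Hub steps were gated on `contains(matrix.docker_repos, 'bitwarden')`, and `EventsProcessor` and `Billing` still list only the two ACRs in `docker_repos`; with this hunk those two images would be pushed to Docker Hub on master/rc/hotfix-rc, and nothing on the new side consults `matrix.docker_repos` any more. Pass the flag in through `env:` as `PUSH_DOCKERHUB: ${{ contains(matrix.docker_repos, 'bitwarden') }}` and gate on it: `if [ "${{ env.is_publish_branch }}" == "true" ] && [ "$PUSH_DOCKERHUB" == "true" ]; then`. While there, reading `is_publish_branch` via `env:` like the other two variables, instead of interpolating the expression into the script, keeps the step consistent.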
@@ -281,104 +364,17 @@ jobs: -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish - name: Build Docker image - env: - PROJECT_NAME: ${{ steps.setup.outputs.project_name }} - run: docker build -t $PROJECT_NAME ${{ matrix.base_path }}/${{ matrix.project_name }} - - ########## PROD ACR ########## - - name: Login to Azure - PROD Subscription - uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - - - name: Login to PROD ACR - run: az acr login -n bitwardenprod - - - name: Tag and push image to PROD ACR - env: - PROJECT_NAME: ${{ steps.setup.outputs.project_name }} - REGISTRY: bitwardenprod.azurecr.io - run: | - docker tag $PROJECT_NAME \ - $REGISTRY/$PROJECT_NAME:${{ env.IMAGE_TAG }} - docker push $REGISTRY/$PROJECT_NAME:${{ env.IMAGE_TAG }} + context: ${{ matrix.base_path }}/${{ matrix.project_name }} + file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile + platforms: linux/amd64 + push: true + tags: ${{ steps.tag-list.outputs.tags }} + secrets: | + "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" - name: Log out of Docker - run: docker logout - - ########## DockerHub ########## - - name: Login to Azure - Prod Subscription - if: | - contains(matrix.docker_repos, 'bitwarden') - && (github.ref == 'refs/heads/master' || - github.ref == 'refs/heads/rc' || - github.ref == 'refs/heads/hotfix-rc') - uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf - with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - - - name: Retrieve secrets - if: | - contains(matrix.docker_repos, 'bitwarden') - && (github.ref == 'refs/heads/master' || - github.ref == 'refs/heads/rc' || - github.ref == 'refs/heads/hotfix-rc') - id: retrieve-secrets - uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af - with: - keyvault: 
"bitwarden-prod-kv" - secrets: "docker-password, - docker-username, - dct-delegate-2-repo-passphrase, - dct-delegate-2-key" - - - name: Log into Docker - if: | - contains(matrix.docker_repos, 'bitwarden') - && (github.ref == 'refs/heads/master' || - github.ref == 'refs/heads/rc' || - github.ref == 'refs/heads/hotfix-rc') - env: - DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }} - DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }} - run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - - - name: Setup Docker Trust - if: | - contains(matrix.docker_repos, 'bitwarden') - && (github.ref == 'refs/heads/master' || - github.ref == 'refs/heads/rc' || - github.ref == 'refs/heads/hotfix-rc') - env: - DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c" - DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }} - DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }} - run: | - mkdir -p ~/.docker/trust/private - echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key - echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV - echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV - - - name: Tag and Push RC to Docker Hub - if: | - contains(matrix.docker_repos, 'bitwarden') - && (github.ref == 'refs/heads/master' || - github.ref == 'refs/heads/rc' || - github.ref == 'refs/heads/hotfix-rc') - env: - PROJECT_NAME: ${{ steps.setup.outputs.project_name }} - REGISTRY: bitwarden - run: | - docker tag $PROJECT_NAME \ - $REGISTRY/$PROJECT_NAME:${{ env.IMAGE_TAG }} - docker push $REGISTRY/$PROJECT_NAME:${{ env.IMAGE_TAG }} - - - name: Log out of Docker and disable Docker Notary - if: | - contains(matrix.docker_repos, 'bitwarden') - && (github.ref == 'refs/heads/master' || - github.ref == 'refs/heads/rc' || - github.ref == 'refs/heads/hotfix-rc') run: | docker logout echo 
"DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV diff --git a/.github/workflows/cleanup-after-pr.yml b/.github/workflows/cleanup-after-pr.yml index 5fc34700fb..c1eca91079 100644 --- a/.github/workflows/cleanup-after-pr.yml +++ b/.github/workflows/cleanup-after-pr.yml @@ -14,6 +14,14 @@ jobs: uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f ########## ACR ########## + - name: Login to Azure - QA Subscription + uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a + with: + creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }} + + - name: Login to Azure ACR + run: az acr login -n bitwardenqa + k - name: Login to Azure - PROD Subscription uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a with: @@ -25,7 +33,10 @@ jobs: ########## Remove Docker images ########## - name: Remove the docker image from ACR env: - REGISTRY_NAME: bitwardenprod + REGISTRIES: | + registries: + - bitwardenprod + - bitwardenqa SERVICES: | services: - Admin 
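Review bot: With the push moved into docker/build-push-action (`push: true`), the Docker Content Trust setup kept earlier in the job may no longer sign the Docker Hub image: `DOCKER_CONTENT_TRUST=1` is honoured by the classic `docker push`, and to my knowledge buildx's `--push` does not perform Notary signing, so this should be verified on the first publish-branch run (e.g. `docker trust inspect bitwarden/<project>:<tag>`) before the signatures are relied on. Separately, `docker logout` with no registry argument only clears the Docker Hub credential; the credentials stored by `az acr login` remain in the runner's docker config for the rest of the job, so the logout step should also run `docker logout bitwardenqa.azurecr.io` and `docker logout bitwardenprod.azurecr.io`. The step that ends this hunk continues outside it, and the enclosing job starts before the hunk.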
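Review bot: Between `run: az acr login -n bitwardenqa` and the `Login to Azure - PROD Subscription` step, the added block shows a stray `k` on what should be the blank separator line; if that character is really in the committed file the workflow YAML will not parse, and if it is only an artifact of how this page was rendered it can be ignored, so it is worth confirming against the file. The `steps:` list this hunk edits starts before the hunk.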
@@ -45,21 +56,24 @@ jobs: run: | for SERVICE in $(echo "${{ env.SERVICES }}" | yq e ".services[]" - ) do - SERVICE_NAME=$(echo $SERVICE | awk '{print tolower($0)}') - IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name + for REGISTRY in $( echo "${{ env.REGISTRIES }}" | yq e ".registries[]" - ) + do + SERVICE_NAME=$(echo $SERVICE | awk '{print tolower($0)}') + IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name - echo "[*] Checking if remote exists: $REGISTRY_NAME.azurecr.io/$SERVICE_NAME:$IMAGE_TAG" - TAG_EXISTS=$( - az acr repository show-tags --name $REGISTRY_NAME --repository $SERVICE_NAME \ - | jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")' - ) + echo "[*] Checking if remote exists: $REGISTRY.azurecr.io/$SERVICE_NAME:$IMAGE_TAG" + TAG_EXISTS=$( + az acr repository show-tags --name $REGISTRY --repository $SERVICE_NAME \ + | jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")' + ) - if [[ "$TAG_EXISTS" == "true" ]]; then - echo "[*] Tag exists. Removing tag" - az acr repository delete --name $REGISTRY_NAME --image $SERVICE_NAME:$IMAGE_TAG --yes - else - echo "[*] Tag does not exist. No action needed" - fi + if [[ "$TAG_EXISTS" == "true" ]]; then + echo "[*] Tag exists. Removing tag" + az acr repository delete --name $REGISTRY --image $SERVICE_NAME:$IMAGE_TAG --yes + else + echo "[*] Tag does not exist. No action needed" + fi + done done - name: Log out of Docker
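Review bot: The tag check in the new inner loop never matches: `jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")'` expands the unset shell variable `$TAG` to nothing, so jq receives `--arg <image-tag> -e` and the filter compares every tag with the literal string `$TAG` (jq does not interpolate `"$TAG"` inside a string literal), which leaves `TAG_EXISTS` at `false` and deletes nothing from either registry. Use `jq --arg TAG "$IMAGE_TAG" 'any(. == $TAG)'`; dropping `-e` matters because the step appears to run under GitHub's default `bash -e`, where a false result exiting 1 inside the assignment would abort the loop. `IMAGE_TAG` does not depend on either loop variable and can be computed once before the `for SERVICE` loop, and `SERVICE_NAME=$(echo "$SERVICE" | ...)` should quote its argument. The `run:` block enclosing this hunk, and the step's `env:`, begin before it.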