From 192b058f743f4ac7d0bdeb7bb3e7833fc5ce71dc Mon Sep 17 00:00:00 2001 From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com> Date: Thu, 1 May 2025 07:55:39 -0700 Subject: [PATCH] update build workflow --- .github/workflows/build.yml | 298 ++++++++++++++---------------------- 1 file changed, 116 insertions(+), 182 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 33edd075a0..d67ba7ce08 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,7 +18,7 @@ env: jobs: lint: name: Lint - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -31,11 +31,12 @@ jobs: - name: Verify format run: dotnet format --verify-no-changes - build-artifacts: - name: Build artifacts - runs-on: ubuntu-22.04 - needs: - - lint + build-container: + name: Build container images + runs-on: ubuntu-24.04 + permissions: + id-token: write + security-events: write outputs: has_secrets: ${{ steps.check-secrets.outputs.has_secrets }} strategy: @@ -44,9 +45,10 @@ jobs: include: - project_name: Admin base_path: ./src - node: true - project_name: Api base_path: ./src + - project_name: Attachments + base_path: ./util - project_name: Billing base_path: ./src - project_name: Events @@ -57,21 +59,20 @@ jobs: base_path: ./src - project_name: Identity base_path: ./src + - project_name: MsSql + base_path: ./util - project_name: MsSqlMigratorUtility base_path: ./util - dotnet: true + - project_name: Nginx + base_path: ./util - project_name: Notifications base_path: ./src - project_name: Scim base_path: ./bitwarden_license/src - dotnet: true - - project_name: Server - base_path: ./util - project_name: Setup base_path: ./util - project_name: Sso base_path: ./bitwarden_license/src - node: true steps: - name: Check secrets id: check-secrets 
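Review bot: The new `build-container` job in the `@@ -31,11 +31,12 @@` hunk drops `needs: - lint` without replacing it, so the job that logs in to the production registry and pushes images no longer depends on the lint job's result. It also has no job-level `if:` on `has_secrets` the way the removed `build-docker` job did; whether the login and push steps are skipped when secrets are unavailable now rests on step-level guards that are outside this hunk, which is worth confirming. If building independently of lint is intended, a one-line comment above `build-container:` such as `# Not gated on lint: images build in parallel; check-failures aggregates both results` would record the decision.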
@@ -86,116 +87,6 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} - - name: Set up .NET - uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0 - - - name: Set up Node - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 - with: - cache: "npm" - cache-dependency-path: "**/package-lock.json" - node-version: "16" - - - name: Print environment - run: | - whoami - dotnet --info - node --version - npm --version - echo "GitHub ref: $GITHUB_REF" - echo "GitHub event: $GITHUB_EVENT" - - - name: Build node - if: ${{ matrix.node }} - working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} - run: | - npm ci - npm run build - - - name: Publish project - working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} - run: | - echo "Publish" - dotnet publish -c "Release" -o obj/build-output/publish - - cd obj/build-output/publish - zip -r ${{ matrix.project_name }}.zip . - mv ${{ matrix.project_name }}.zip ../../../ - - pwd - ls -atlh ../../../ - - - name: Upload project artifact - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 - with: - name: ${{ matrix.project_name }}.zip - path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip - if-no-files-found: error - - build-docker: - name: Build Docker images - runs-on: ubuntu-22.04 - permissions: - security-events: write - id-token: write - needs: - - build-artifacts - if: ${{ needs.build-artifacts.outputs.has_secrets == 'true' }} - strategy: - fail-fast: false - matrix: - include: - - project_name: Admin - base_path: ./src - dotnet: true - - project_name: Api - base_path: ./src - dotnet: true - - project_name: Attachments - base_path: ./util - - project_name: Billing - base_path: ./src - dotnet: true - - project_name: Events - base_path: ./src - dotnet: true - - project_name: EventsProcessor - base_path: ./src - dotnet: true - - project_name: Icons - base_path: ./src - dotnet: true - - 
project_name: Identity - base_path: ./src - dotnet: true - - project_name: MsSql - base_path: ./util - - project_name: MsSqlMigratorUtility - base_path: ./util - dotnet: true - - project_name: Nginx - base_path: ./util - - project_name: Notifications - base_path: ./src - dotnet: true - - project_name: Scim - base_path: ./bitwarden_license/src - dotnet: true - - project_name: Server - base_path: ./util - dotnet: true - - project_name: Setup - base_path: ./util - dotnet: true - - project_name: Sso - base_path: ./bitwarden_license/src - dotnet: true - steps: - - name: Check out repo - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ github.event.pull_request.head.sha }} - - name: Check branch to publish env: PUBLISH_BRANCHES: "main,rc,hotfix-rc" @@ -209,6 +100,20 @@ jobs: echo "is_publish_branch=false" >> $GITHUB_ENV fi + ########## Set up Docker ########## + - name: Set up QEMU emulators + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + ########## Set up Docker ########## + - name: Set up QEMU emulators + uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + ########## ACRs ########## - name: Log in to Azure - production subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 
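Review bot: The `########## Set up Docker ##########` block in the `@@ -209,6 +100,20 @@` hunk is added twice, so `Set up QEMU emulators` and `Set up Docker Buildx` each run two times in every matrix job. The second copy is a verbatim repeat of the first and should be deleted, leaving one `docker/setup-qemu-action` step and one `docker/setup-buildx-action` step before the `########## ACRs ##########` section. Both copies pin the action to a commit SHA with a version comment, which matches the rest of the file.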
@@ -218,20 +123,8 @@ jobs: - name: Log in to ACR - production subscription run: az acr login -n bitwardenprod - - name: Log in to Azure - CI subscription - uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 - with: - creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - - - name: Retrieve GitHub PAT secrets - id: retrieve-secret-pat - uses: bitwarden/gh-actions/get-keyvault-secrets@main - with: - keyvault: "bitwarden-ci" - secrets: "github-pat-bitwarden-devops-bot-repo-scope" - - ########## Generate image tag and build Docker image ########## - - name: Generate Docker image tag + ########## Generate image tag and build container image ########## + - name: Generate container image tag id: tag run: | if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then @@ -245,7 +138,7 @@ jobs: fi echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT - echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY + echo "### :mega: Container Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY - name: Set up project name id: setup 
@@ -270,30 +163,26 @@ jobs: fi echo "tags=$TAGS" >> $GITHUB_OUTPUT - - name: Get build artifact - if: ${{ matrix.dotnet }} - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: ${{ matrix.project_name }}.zip + - name: Generate image full name + id: cache-name + env: + PROJECT_NAME: ${{ steps.setup.outputs.project_name }} + run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache" >> $GITHUB_OUTPUT - - name: Set up build artifact - if: ${{ matrix.dotnet }} - run: | - mkdir -p ${{ matrix.base_path}}/${{ matrix.project_name }}/obj/build-output/publish - unzip ${{ matrix.project_name }}.zip \ - -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish - - - name: Build Docker image - id: build-docker + - name: Build Container image + id: build-container uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0 with: - context: ${{ matrix.base_path }}/${{ matrix.project_name }} + cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }} + cache-to: type=registry,ref=${{ steps.cache-name.outputs.name}},mode=max + context: . file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile - platforms: linux/amd64 + platforms: | + linux/amd64, + linux/arm/v7, + linux/arm64 push: true tags: ${{ steps.image-tags.outputs.tags }} - secrets: | - "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" - name: Install Cosign if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' @@ -302,7 +191,7 @@ jobs: - name: Sign image with Cosign if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' env: - DIGEST: ${{ steps.build-docker.outputs.digest }} + DIGEST: ${{ steps.build-container.outputs.digest }} TAGS: ${{ steps.image-tags.outputs.tags }} run: | IFS="," read -a tags <<< "${TAGS}" 
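Review bot: In the `@@ -270,30 +163,26 @@` hunk the new `cache-to: type=registry,...,mode=max` writes to a single `${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache` ref on every run that reaches this step, including pull-request builds, and the same ref is read through `cache-from` by the publish-branch builds. Layers exported by a PR build therefore become cache candidates for `main` images; limiting `cache-to` to publish branches via the existing `is_publish_branch` flag, or using a per-branch cache ref, would keep the caches separate. The `context: .` change widens the build context from the project directory to the repository root, so a root-level `.dockerignore` (not visible here) now decides what enters the builder. As a style point, `${{ steps.cache-name.outputs.name}}` on the `cache-to:` line is missing the space before `}}` that every other expression in the file has.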
@@ -312,7 +201,7 @@ jobs: done cosign sign --yes ${images} - - name: Scan Docker image + - name: Scan container image id: container-scan uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 # v6.0.0 with: @@ -327,10 +216,10 @@ jobs: sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} - upload: - name: Upload - runs-on: ubuntu-22.04 - needs: build-docker + build-stub-swagger: + name: Build Docker-Stub/Swagger + runs-on: ubuntu-24.04 + needs: build-container steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -345,8 +234,11 @@ jobs: with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - - name: Log in to ACR - production subscription - run: az acr login -n $_AZ_REGISTRY --only-show-errors + - name: Login to PROD ACR + run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} + + - name: Restore + run: dotnet tool restore - name: Make Docker stubs if: | @@ -441,8 +333,10 @@ jobs: - name: Build Public API Swagger run: | cd ./src/Api - echo "Restore tools" - dotnet tool restore + echo "Restore" + dotnet restore --locked-mode + echo "Clean" + dotnet clean -c "Release" -o obj/build-output/publish echo "Publish" dotnet publish -c "Release" -o obj/build-output/publish @@ -505,9 +399,7 @@ jobs: build-mssqlmigratorutility: name: Build MSSQL migrator utility - runs-on: ubuntu-22.04 - needs: - - lint + runs-on: ubuntu-24.04 defaults: run: shell: bash @@ -535,6 +427,11 @@ jobs: echo "GitHub ref: $GITHUB_REF" echo "GitHub event: $GITHUB_EVENT" + - name: Restore project + run: | + echo "Restore" + dotnet restore --locked-mode + - name: Publish project run: | dotnet publish -c "Release" -o obj/build-output/publish -r ${{ matrix.target }} -p:PublishSingleFile=true \ 
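Review bot: In the `@@ -441,8 +333,10 @@` hunk the explicit `dotnet restore --locked-mode` is followed by `dotnet publish -c "Release" -o obj/build-output/publish`, which performs its own implicit restore outside locked mode; after a successful locked restore that should be a no-op, but the lock-file enforcement the commit adds is only guaranteed if the publish cannot re-resolve packages. Adding `--no-restore` to that invocation (`dotnet publish --no-restore -c "Release" -o obj/build-output/publish`) makes the locked restore the only package resolution in the job, and the same applies to the `dotnet publish` line in the `@@ -535,6 +427,11 @@` hunk, which continues outside the hunk. In the `@@ -345,8 +234,11 @@` hunk the renamed `Login to PROD ACR` step drops the `--only-show-errors` flag the previous command had; if that was not deliberate, restoring it keeps log output unchanged.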
@@ -561,9 +458,8 @@ jobs: if: | github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') - runs-on: ubuntu-22.04 - needs: - - build-docker + runs-on: ubuntu-24.04 + needs: build-container steps: - name: Log in to Azure - CI subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 @@ -595,9 +491,8 @@ jobs: trigger-k8s-deploy: name: Trigger k8s deploy if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' - runs-on: ubuntu-22.04 - needs: - - build-docker + runs-on: ubuntu-24.04 + needs: build-container steps: - name: Log in to Azure - CI subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 
@@ -627,11 +522,49 @@ jobs: } }) - setup-ephemeral-environment: - name: Setup Ephemeral Environment - needs: build-docker + trigger-ee-updates: + name: Trigger Ephemeral Environment updates if: | - needs.build-artifacts.outputs.has_secrets == 'true' + needs.build-container.outputs.has_secrets == 'true' + && github.event_name == 'pull_request' + && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') + runs-on: ubuntu-24.04 + needs: build-container + steps: + - name: Log in to Azure - CI subscription + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Retrieve GitHub PAT secrets + id: retrieve-secret-pat + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: "bitwarden-ci" + secrets: "github-pat-bitwarden-devops-bot-repo-scope" + + - name: Trigger Ephemeral Environment update + uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 + with: + github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }} + script: | + await github.rest.actions.createWorkflowDispatch({ + owner: 'bitwarden', + repo: 'devops', + workflow_id: '_update_ephemeral_tags.yml', + ref: 'main', + inputs: { + ephemeral_env_branch: process.env.GITHUB_HEAD_REF + } + }) + + trigger-ephemeral-environment-sync: + name: Trigger Ephemeral Environment Sync + needs: + - build-container + - trigger-ee-updates + if: | + needs.build-container.outputs.has_secrets == 'true' && github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main 
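Review bot: The new `trigger-ee-updates` job in the `@@ -627,11 +522,49 @@` hunk fetches a repo-scoped GitHub PAT through `bitwarden/gh-actions/get-keyvault-secrets@main`, a mutable branch ref, while every other action in this file is pinned to a commit SHA with a version comment; the step that handles a PAT is the one most worth pinning the same way (`uses: bitwarden/gh-actions/get-keyvault-secrets@<commit-sha> # <tag>`). The PAT then dispatches `_update_ephemeral_tags.yml` with `process.env.GITHUB_HEAD_REF` as the `ephemeral_env_branch` input; if `has_secrets` reflects secret availability as its name suggests, fork PRs are excluded, but the receiving workflow should still treat the branch name as an arbitrary string rather than interpolate it into a shell. The three-line `if:` condition is repeated verbatim in `trigger-ephemeral-environment-sync` just below; a comment such as `# Keep in sync with the trigger-ee-updates condition` on one of them would help the two not drift apart.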
@@ -643,15 +576,16 @@ jobs: check-failures: name: Check for failures if: always() - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 needs: - lint - - build-artifacts - - build-docker - - upload + - build-container + - build-stub-swagger - build-mssqlmigratorutility - self-host-build - trigger-k8s-deploy + - trigger-ee-updates + - trigger-ephemeral-environment-sync steps: - name: Check if any job failed if: |