nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-05-11 06:32:22 -05:00
Code

update build workflow

Browse Source
This commit is contained in:
tangowithfoxtrot 2025-05-01 07:55:39 -07:00 committed by GitHub
parent 284501a493
commit 192b058f74
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 116 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

298
.github/workflows/build.yml vendored
View File

@ -18,7 +18,7 @@ env:
jobs: jobs:
lint: lint:
name: Lint name: Lint
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -31,11 +31,12 @@ jobs:
- name: Verify format - name: Verify format
run: dotnet format --verify-no-changes run: dotnet format --verify-no-changes
build-artifacts: build-container:
name: Build artifacts name: Build container images
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
needs: permissions:
- lint id-token: write
security-events: write
outputs: outputs:
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }} has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
strategy: strategy:
@ -44,9 +45,10 @@ jobs:
include: include:
- project_name: Admin - project_name: Admin
base_path: ./src base_path: ./src
node: true
- project_name: Api - project_name: Api
base_path: ./src base_path: ./src
- project_name: Attachments
base_path: ./util
- project_name: Billing - project_name: Billing
base_path: ./src base_path: ./src
- project_name: Events - project_name: Events
@ -57,21 +59,20 @@ jobs:
base_path: ./src base_path: ./src
- project_name: Identity - project_name: Identity
base_path: ./src base_path: ./src
- project_name: MsSql
base_path: ./util
- project_name: MsSqlMigratorUtility - project_name: MsSqlMigratorUtility
base_path: ./util base_path: ./util
dotnet: true - project_name: Nginx
base_path: ./util
- project_name: Notifications - project_name: Notifications
base_path: ./src base_path: ./src
- project_name: Scim - project_name: Scim
base_path: ./bitwarden_license/src base_path: ./bitwarden_license/src
dotnet: true
- project_name: Server
base_path: ./util
- project_name: Setup - project_name: Setup
base_path: ./util base_path: ./util
- project_name: Sso - project_name: Sso
base_path: ./bitwarden_license/src base_path: ./bitwarden_license/src
node: true
steps: steps:
- name: Check secrets - name: Check secrets
id: check-secrets id: check-secrets
@ -86,116 +87,6 @@ jobs:
with: with:
ref: ${{ github.event.pull_request.head.sha }} ref: ${{ github.event.pull_request.head.sha }}
- name: Set up .NET
uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
- name: Set up Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
cache: "npm"
cache-dependency-path: "**/package-lock.json"
node-version: "16"
- name: Print environment
run: |
whoami
dotnet --info
node --version
npm --version
echo "GitHub ref: $GITHUB_REF"
echo "GitHub event: $GITHUB_EVENT"
- name: Build node
if: ${{ matrix.node }}
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
run: |
npm ci
npm run build
- name: Publish project
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
run: |
echo "Publish"
dotnet publish -c "Release" -o obj/build-output/publish
cd obj/build-output/publish
zip -r ${{ matrix.project_name }}.zip .
mv ${{ matrix.project_name }}.zip ../../../
pwd
ls -atlh ../../../
- name: Upload project artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: ${{ matrix.project_name }}.zip
path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
if-no-files-found: error
build-docker:
name: Build Docker images
runs-on: ubuntu-22.04
permissions:
security-events: write
id-token: write
needs:
- build-artifacts
if: ${{ needs.build-artifacts.outputs.has_secrets == 'true' }}
strategy:
fail-fast: false
matrix:
include:
- project_name: Admin
base_path: ./src
dotnet: true
- project_name: Api
base_path: ./src
dotnet: true
- project_name: Attachments
base_path: ./util
- project_name: Billing
base_path: ./src
dotnet: true
- project_name: Events
base_path: ./src
dotnet: true
- project_name: EventsProcessor
base_path: ./src
dotnet: true
- project_name: Icons
base_path: ./src
dotnet: true
- project_name: Identity
base_path: ./src
dotnet: true
- project_name: MsSql
base_path: ./util
- project_name: MsSqlMigratorUtility
base_path: ./util
dotnet: true
- project_name: Nginx
base_path: ./util
- project_name: Notifications
base_path: ./src
dotnet: true
- project_name: Scim
base_path: ./bitwarden_license/src
dotnet: true
- project_name: Server
base_path: ./util
dotnet: true
- project_name: Setup
base_path: ./util
dotnet: true
- project_name: Sso
base_path: ./bitwarden_license/src
dotnet: true
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Check branch to publish - name: Check branch to publish
env: env:
PUBLISH_BRANCHES: "main,rc,hotfix-rc" PUBLISH_BRANCHES: "main,rc,hotfix-rc"
@ -209,6 +100,20 @@ jobs:
echo "is_publish_branch=false" >> $GITHUB_ENV echo "is_publish_branch=false" >> $GITHUB_ENV
fi fi
########## Set up Docker ##########
- name: Set up QEMU emulators
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
########## Set up Docker ##########
- name: Set up QEMU emulators
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
########## ACRs ########## ########## ACRs ##########
- name: Log in to Azure - production subscription - name: Log in to Azure - production subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@ -218,20 +123,8 @@ jobs:
- name: Log in to ACR - production subscription - name: Log in to ACR - production subscription
run: az acr login -n bitwardenprod run: az acr login -n bitwardenprod
- name: Log in to Azure - CI subscription ########## Generate image tag and build container image ##########
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 - name: Generate container image tag
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve GitHub PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
########## Generate image tag and build Docker image ##########
- name: Generate Docker image tag
id: tag id: tag
run: | run: |
if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
@ -245,7 +138,7 @@ jobs:
fi fi
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY echo "### :mega: Container Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
- name: Set up project name - name: Set up project name
id: setup id: setup
@ -270,30 +163,26 @@ jobs:
fi fi
echo "tags=$TAGS" >> $GITHUB_OUTPUT echo "tags=$TAGS" >> $GITHUB_OUTPUT
- name: Get build artifact - name: Generate image full name
if: ${{ matrix.dotnet }} id: cache-name
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 env:
with: PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
name: ${{ matrix.project_name }}.zip run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache" >> $GITHUB_OUTPUT
- name: Set up build artifact - name: Build Container image
if: ${{ matrix.dotnet }} id: build-container
run: |
mkdir -p ${{ matrix.base_path}}/${{ matrix.project_name }}/obj/build-output/publish
unzip ${{ matrix.project_name }}.zip \
-d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish
- name: Build Docker image
id: build-docker
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0 uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
with: with:
context: ${{ matrix.base_path }}/${{ matrix.project_name }} cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }}
cache-to: type=registry,ref=${{ steps.cache-name.outputs.name}},mode=max
context: .
file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
platforms: linux/amd64 platforms: |
linux/amd64,
linux/arm/v7,
linux/arm64
push: true push: true
tags: ${{ steps.image-tags.outputs.tags }} tags: ${{ steps.image-tags.outputs.tags }}
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
- name: Install Cosign - name: Install Cosign
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
@ -302,7 +191,7 @@ jobs:
- name: Sign image with Cosign - name: Sign image with Cosign
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
env: env:
DIGEST: ${{ steps.build-docker.outputs.digest }} DIGEST: ${{ steps.build-container.outputs.digest }}
TAGS: ${{ steps.image-tags.outputs.tags }} TAGS: ${{ steps.image-tags.outputs.tags }}
run: | run: |
IFS="," read -a tags <<< "${TAGS}" IFS="," read -a tags <<< "${TAGS}"
@ -312,7 +201,7 @@ jobs:
done done
cosign sign --yes ${images} cosign sign --yes ${images}
- name: Scan Docker image - name: Scan container image
id: container-scan id: container-scan
uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 # v6.0.0 uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 # v6.0.0
with: with:
@ -327,10 +216,10 @@ jobs:
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
upload: build-stub-swagger:
name: Upload name: Build Docker-Stub/Swagger
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
needs: build-docker needs: build-container
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -345,8 +234,11 @@ jobs:
with: with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Log in to ACR - production subscription - name: Login to PROD ACR
run: az acr login -n $_AZ_REGISTRY --only-show-errors run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
- name: Restore
run: dotnet tool restore
- name: Make Docker stubs - name: Make Docker stubs
if: | if: |
@ -441,8 +333,10 @@ jobs:
- name: Build Public API Swagger - name: Build Public API Swagger
run: | run: |
cd ./src/Api cd ./src/Api
echo "Restore tools" echo "Restore"
dotnet tool restore dotnet restore --locked-mode
echo "Clean"
dotnet clean -c "Release" -o obj/build-output/publish
echo "Publish" echo "Publish"
dotnet publish -c "Release" -o obj/build-output/publish dotnet publish -c "Release" -o obj/build-output/publish
@ -505,9 +399,7 @@ jobs:
build-mssqlmigratorutility: build-mssqlmigratorutility:
name: Build MSSQL migrator utility name: Build MSSQL migrator utility
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
needs:
- lint
defaults: defaults:
run: run:
shell: bash shell: bash
@ -535,6 +427,11 @@ jobs:
echo "GitHub ref: $GITHUB_REF" echo "GitHub ref: $GITHUB_REF"
echo "GitHub event: $GITHUB_EVENT" echo "GitHub event: $GITHUB_EVENT"
- name: Restore project
run: |
echo "Restore"
dotnet restore --locked-mode
- name: Publish project - name: Publish project
run: | run: |
dotnet publish -c "Release" -o obj/build-output/publish -r ${{ matrix.target }} -p:PublishSingleFile=true \ dotnet publish -c "Release" -o obj/build-output/publish -r ${{ matrix.target }} -p:PublishSingleFile=true \
@ -561,9 +458,8 @@ jobs:
if: | if: |
github.event_name != 'pull_request' github.event_name != 'pull_request'
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
needs: needs: build-container
- build-docker
steps: steps:
- name: Log in to Azure - CI subscription - name: Log in to Azure - CI subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@ -595,9 +491,8 @@ jobs:
trigger-k8s-deploy: trigger-k8s-deploy:
name: Trigger k8s deploy name: Trigger k8s deploy
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
needs: needs: build-container
- build-docker
steps: steps:
- name: Log in to Azure - CI subscription - name: Log in to Azure - CI subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@ -627,11 +522,49 @@ jobs:
} }
}) })
setup-ephemeral-environment: trigger-ee-updates:
name: Setup Ephemeral Environment name: Trigger Ephemeral Environment updates
needs: build-docker
if: | if: |
needs.build-artifacts.outputs.has_secrets == 'true' needs.build-container.outputs.has_secrets == 'true'
&& github.event_name == 'pull_request'
&& contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
runs-on: ubuntu-24.04
needs: build-container
steps:
- name: Log in to Azure - CI subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve GitHub PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Trigger Ephemeral Environment update
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'bitwarden',
repo: 'devops',
workflow_id: '_update_ephemeral_tags.yml',
ref: 'main',
inputs: {
ephemeral_env_branch: process.env.GITHUB_HEAD_REF
}
})
trigger-ephemeral-environment-sync:
name: Trigger Ephemeral Environment Sync
needs:
- build-container
- trigger-ee-updates
if: |
needs.build-container.outputs.has_secrets == 'true'
&& github.event_name == 'pull_request' && github.event_name == 'pull_request'
&& contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main
@ -643,15 +576,16 @@ jobs:
check-failures: check-failures:
name: Check for failures name: Check for failures
if: always() if: always()
runs-on: ubuntu-22.04 runs-on: ubuntu-24.04
needs: needs:
- lint - lint
- build-artifacts - build-container
- build-docker - build-stub-swagger
- upload
- build-mssqlmigratorutility - build-mssqlmigratorutility
- self-host-build - self-host-build
- trigger-k8s-deploy - trigger-k8s-deploy
- trigger-ee-updates
- trigger-ephemeral-environment-sync
steps: steps:
- name: Check if any job failed - name: Check if any job failed
if: | if: |