From 41f3e27acedd2d4190cb79bab76d9a689499186a Mon Sep 17 00:00:00 2001 From: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Date: Mon, 24 Jan 2022 11:12:37 -0800 Subject: [PATCH] Feature/feature branch docker images (#1824) * enabling ACR images for feature branches * fixing typo in docker tag name * Adding a workflow that cleans up the docker images from a branch when it gets merged in. * Updating job name * Fixing trigger syntax issue * adding a manual trigger * Removing the copy + paste mistake * Adding non-tty confirmation for the deletion of the image * Un-paralellizing workflow * fixing the yq options * trying a different way to get the var data * trying with quotes * trying it for real * adding in a message and testing deleting a tag that doesn't exist * handling the case where the tag doesn't exist * fixing a typo * logging some vaules to try to get some answers * trying a different way of passing the var into jq * final cleanup and test * fixing linting issues * normalizing the ACR and Dockerhub pushes * removing the manual trigger after done testing * Update .github/workflows/build.yml removing missed an added whitespace Co-authored-by: Micaiah Martin <77340197+mimartin12@users.noreply.github.com> * fixing the EventsProcessor docker repo issue * switching repos for EventsProcessor Co-authored-by: Micaiah Martin <77340197+mimartin12@users.noreply.github.com> --- .github/workflows/build.yml | 186 ++++++++++++------------- .github/workflows/cleanup-after-pr.yml | 58 +++++++- 2 files changed, 142 insertions(+), 102 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1f967b26a6..a488a1f549 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -190,91 +190,61 @@ jobs: include: - service_name: Admin base_path: ./src - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: Api base_path: ./src - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: Attachments base_path: ./util - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] - service_name: Events base_path: ./src - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: EventsProcessor base_path: ./src - docker_repo: bitwardenqa.azurecr.io + docker_repos: [bitwardenqa.azurecr.io] dotnet: true - service_name: Icons base_path: ./src - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: Identity base_path: ./src - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: K8S-Proxy base_path: ./util - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] - service_name: MsSql base_path: ./util - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] - service_name: Nginx base_path: ./util - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] - service_name: Notifications base_path: ./src - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: Server base_path: ./util - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: Setup base_path: ./util - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true - service_name: Sso base_path: ./bitwarden_license/src - docker_repo: bitwarden + docker_repos: [bitwarden, bitwardenqa.azurecr.io] dotnet: true steps: - name: Checkout repo uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f - - name: Login to Azure - Prod Subscription - uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a - with: - creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - - - name: Retrieve secrets - id: retrieve-secrets - uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403 - with: - keyvault: "bitwarden-prod-kv" - secrets: "docker-password, - docker-username, - dct-delegate-2-repo-passphrase, - dct-delegate-2-key" - - - name: Log into Docker - if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix' - env: - DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }} - DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }} - run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin - - - name: Setup Docker Trust - if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix' - env: - DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c" - DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }} - run: | - mkdir -p ~/.docker/trust/private - echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key - + ########## Build Docker Image ########## - name: Setup service name id: setup run: | @@ -306,43 +276,7 @@ jobs: ${{ matrix.base_path }}/${{ matrix.service_name }} fi - - name: Docker Trust setup - if: | - matrix.docker_repo == 'bitwarden' - && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix') - env: - DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }} - run: | - echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV - echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV - - - name: Tag and Push RC to Docker Hub - if: (github.ref == 'refs/heads/rc' && matrix.docker_repo == 'bitwarden') - run: | - docker tag ${{ steps.setup.outputs.service_name }} \ - ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc - docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc - - - name: Tag and Push Hotfix to Docker Hub - if: (github.ref == 'refs/heads/hotfix' && matrix.docker_repo == 'bitwarden') - run: | - docker tag ${{ steps.setup.outputs.service_name }} \ - ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix - docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix - - - name: Tag and Push Dev to Docker Hub - if: (github.ref == 'refs/heads/master' && matrix.docker_repo == 'bitwarden') - run: | - docker tag ${{ steps.setup.outputs.service_name }} \ - ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev - docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev - - - name: Log out of Docker and disable Docker Notary - if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix' - run: | - docker logout - echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV - + ########## ACR ########## - name: Login to Azure - QA Subscription uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a with: @@ -352,31 +286,87 @@ jobs: run: az acr login -n bitwardenqa - name: Tag and Push RC to Azure ACR QA registry - if: github.ref == 'refs/heads/rc' env: REGISTRY: bitwardenqa.azurecr.io run: | - docker tag ${{ steps.setup.outputs.service_name }} \ - $REGISTRY/${{ steps.setup.outputs.service_name }}:rc - docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:rc + IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name + if [[ "$IMAGE_TAG" == "master" ]]; then + IMAGE_TAG=dev + fi - - name: Tag and Push Hotfix to Azure ACR QA registry - if: github.ref == 'refs/heads/hotfix' - env: - REGISTRY: bitwardenqa.azurecr.io - run: | docker tag ${{ steps.setup.outputs.service_name }} \ - $REGISTRY/${{ steps.setup.outputs.service_name }}:hotfix - docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:hotfix + $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG + docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG - - name: Tag and Push Dev to Azure ACR QA registry - if: github.ref == 'refs/heads/master' + - name: Log out of Docker + run: docker logout + + ########## DockerHub ########## + - name: Login to Azure - Prod Subscription + if: | + contains(matrix.docker_repos, 'bitwarden') + && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix') + uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a + with: + creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + + - name: Retrieve secrets + if: | + contains(matrix.docker_repos, 'bitwarden') + && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix') + id: retrieve-secrets + uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403 + with: + keyvault: "bitwarden-prod-kv" + secrets: "docker-password, + docker-username, + dct-delegate-2-repo-passphrase, + dct-delegate-2-key" + + - name: Log into Docker + if: | + contains(matrix.docker_repos, 'bitwarden') + && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix') env: - REGISTRY: bitwardenqa.azurecr.io + DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }} + DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }} + run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin + + - name: Setup Docker Trust + if: | + contains(matrix.docker_repos, 'bitwarden') + && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix') + env: + DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c" + DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }} + DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }} run: | + mkdir -p ~/.docker/trust/private + echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key + echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV + echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV + + - name: Tag and Push RC to Docker Hub + if: | + contains(matrix.docker_repos, 'bitwarden') + && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix') + run: | + IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name + if [[ "$IMAGE_TAG" == "master" ]]; then + IMAGE_TAG=dev + fi + docker tag ${{ steps.setup.outputs.service_name }} \ - $REGISTRY/${{ steps.setup.outputs.service_name }}:dev - docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:dev + $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG + docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG + + - name: Log out of Docker and disable Docker Notary + if: | + contains(matrix.docker_repos, 'bitwarden') + && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix') + run: | + docker logout + echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV upload: diff --git a/.github/workflows/cleanup-after-pr.yml b/.github/workflows/cleanup-after-pr.yml index f2806a0c35..696d84c8f4 100644 --- a/.github/workflows/cleanup-after-pr.yml +++ b/.github/workflows/cleanup-after-pr.yml @@ -4,13 +4,63 @@ name: Clean After PR on: pull_request: types: [closed] - workflow_dispatch: - inputs: {} jobs: build-docker: name: Remove feature branch docker images runs-on: ubuntu-20.04 steps: - - name: Stub - run: echo "This is a workflow stub" + - name: Checkout repo + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + + ########## ACR ########## + - name: Login to Azure - QA Subscription + uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a + with: + creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }} + + - name: Login to Azure ACR + run: az acr login -n bitwardenqa + + ########## Remove Docker images ########## + - name: Remove the docker image from ACR + env: + REGISTRY_NAME: bitwardenqa + SERVICES: | + services: + - Admin + - Api + - Attachments + - Events + - EventsProcessor + - Icons + - Identity + - K8S-Proxy + - MsSql + - Nginx + - Notifications + - Server + - Setup + - Sso + run: | + for SERVICE in $(echo "${{ env.SERVICES }}" | yq e ".services[]" - ) + do + SERVICE_NAME=$(echo $SERVICE | awk '{print tolower($0)}') + IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name + + echo "[*] Checking if remote exists: $REGISTRY_NAME.azurecr.io/$SERVICE_NAME:$IMAGE_TAG" + TAG_EXISTS=$( + az acr repository show-tags --name $REGISTRY_NAME --repository $SERVICE_NAME \ + | jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")' + ) + + if [[ "$TAG_EXISTS" == "true" ]]; then + echo "[*] Tag exists. Removing tag" + az acr repository delete --name $REGISTRY_NAME --image $SERVICE_NAME:$IMAGE_TAG --yes + else + echo "[*] Tag does not exist. No action needed" + fi + done + + - name: Log out of Docker + run: docker logout