Feature/feature branch docker images (#1824)

* enabling ACR images for feature branches * fixing typo in docker tag name * Adding a workflow that cleans up the docker images from a branch when it gets merged in. * Updating job name * Fixing trigger syntax issue * adding a manual trigger * Removing the copy + paste mistake * Adding non-tty confirmation for the deletion of the image * Un-paralellizing workflow * fixing the yq options * trying a different way to get the var data * trying with quotes * trying it for real * adding in a message and testing deleting a tag that doesn't exist * handling the case where the tag doesn't exist * fixing a typo * logging some vaules to try to get some answers * trying a different way of passing the var into jq * final cleanup and test * fixing linting issues * normalizing the ACR and Dockerhub pushes * removing the manual trigger after done testing * Update .github/workflows/build.yml removing missed an added whitespace Co-authored-by: Micaiah Martin <77340197+mimartin12@users.noreply.github.com> * fixing the EventsProcessor docker repo issue * switching repos for EventsProcessor Co-authored-by: Micaiah Martin <77340197+mimartin12@users.noreply.github.com>
2025-04-05 13:08:17 -05:00 · 2022-01-24 11:12:37 -08:00 · 2022-01-24 11:12:37 -08:00 · 41f3e27ace
commit 41f3e27ace
parent a9a5417350
2 changed files with 142 additions and 102 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -190,91 +190,61 @@ jobs:
        include:
          - service_name: Admin
            base_path: ./src
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: Api
            base_path: ./src
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: Attachments
            base_path: ./util
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
          - service_name: Events
            base_path: ./src
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: EventsProcessor
            base_path: ./src
-            docker_repo: bitwardenqa.azurecr.io
+            docker_repos: [bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: Icons
            base_path: ./src
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: Identity
            base_path: ./src
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: K8S-Proxy
            base_path: ./util
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
          - service_name: MsSql
            base_path: ./util
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
          - service_name: Nginx
            base_path: ./util
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
          - service_name: Notifications
            base_path: ./src
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: Server
            base_path: ./util
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: Setup
            base_path: ./util
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
          - service_name: Sso
            base_path: ./bitwarden_license/src
-            docker_repo: bitwarden
+            docker_repos: [bitwarden, bitwardenqa.azurecr.io]
            dotnet: true
    steps:
      - name: Checkout repo
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - name: Login to Azure - Prod Subscription
+      ########## Build Docker Image ##########
        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
      - name: Retrieve secrets
        id: retrieve-secrets
        uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
        with:
          keyvault: "bitwarden-prod-kv"
          secrets: "docker-password,
                    docker-username,
                    dct-delegate-2-repo-passphrase,
                    dct-delegate-2-key"
      - name: Log into Docker
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
        env:
          DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
          DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
        run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
      - name: Setup Docker Trust
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
        env:
          DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
          DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
        run: |
          mkdir -p ~/.docker/trust/private
          echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
      - name: Setup service name
        id: setup
        run: |
@ -306,43 +276,7 @@ jobs:
              ${{ matrix.base_path }}/${{ matrix.service_name }}
          fi
-      - name: Docker Trust setup
+      ########## ACR ##########
        if: |
          matrix.docker_repo == 'bitwarden'
          && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix')
        env:
          DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
        run: |
          echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
          echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
      - name: Tag and Push RC to Docker Hub
        if: (github.ref == 'refs/heads/rc' && matrix.docker_repo == 'bitwarden')
        run: |
          docker tag ${{ steps.setup.outputs.service_name }} \
            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
          docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:rc
      - name: Tag and Push Hotfix to Docker Hub
        if: (github.ref == 'refs/heads/hotfix' && matrix.docker_repo == 'bitwarden')
        run: |
          docker tag ${{ steps.setup.outputs.service_name }} \
            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
          docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:hotfix
      - name: Tag and Push Dev to Docker Hub
        if: (github.ref == 'refs/heads/master' && matrix.docker_repo == 'bitwarden')
        run: |
          docker tag ${{ steps.setup.outputs.service_name }} \
            ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
          docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev
      - name: Log out of Docker and disable Docker Notary
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix'
        run: |
          docker logout
          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
      - name: Login to Azure - QA Subscription
        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
        with:
@ -352,31 +286,87 @@ jobs:
        run: az acr login -n bitwardenqa
      - name: Tag and Push RC to Azure ACR QA registry
        if: github.ref == 'refs/heads/rc'
        env:
          REGISTRY: bitwardenqa.azurecr.io
        run: |
-          docker tag ${{ steps.setup.outputs.service_name }} \
+          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
-            $REGISTRY/${{ steps.setup.outputs.service_name }}:rc
+          if [[ "$IMAGE_TAG" == "master" ]]; then
-          docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:rc
+            IMAGE_TAG=dev
          fi
      - name: Tag and Push Hotfix to Azure ACR QA registry
        if: github.ref == 'refs/heads/hotfix'
        env:
          REGISTRY: bitwardenqa.azurecr.io
        run: |
          docker tag ${{ steps.setup.outputs.service_name }} \
-            $REGISTRY/${{ steps.setup.outputs.service_name }}:hotfix
+            $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG
-          docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:hotfix
+          docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG
-      - name: Tag and Push Dev to Azure ACR QA registry
+      - name: Log out of Docker
-        if: github.ref == 'refs/heads/master'
+        run: docker logout
      ########## DockerHub ##########
      - name: Login to Azure - Prod Subscription
        if: |
          contains(matrix.docker_repos, 'bitwarden')
          && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix')
        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
      - name: Retrieve secrets
        if: |
          contains(matrix.docker_repos, 'bitwarden')
          && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix')
        id: retrieve-secrets
        uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
        with:
          keyvault: "bitwarden-prod-kv"
          secrets: "docker-password,
                    docker-username,
                    dct-delegate-2-repo-passphrase,
                    dct-delegate-2-key"
      - name: Log into Docker
        if: |
          contains(matrix.docker_repos, 'bitwarden')
          && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix')
        env:
-          REGISTRY: bitwardenqa.azurecr.io
+          DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
          DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
        run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
      - name: Setup Docker Trust
        if: |
          contains(matrix.docker_repos, 'bitwarden')
          && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix')
        env:
          DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
          DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
          DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
        run: |
          mkdir -p ~/.docker/trust/private
          echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
          echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
          echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
      - name: Tag and Push RC to Docker Hub
        if: |
          contains(matrix.docker_repos, 'bitwarden')
          && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix')
        run: |
          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
          if [[ "$IMAGE_TAG" == "master" ]]; then
            IMAGE_TAG=dev
          fi
          docker tag ${{ steps.setup.outputs.service_name }} \
-            $REGISTRY/${{ steps.setup.outputs.service_name }}:dev
+            $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG
-          docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:dev
+          docker push $REGISTRY/${{ steps.setup.outputs.service_name }}:$IMAGE_TAG
      - name: Log out of Docker and disable Docker Notary
        if: |
          contains(matrix.docker_repos, 'bitwarden')
          && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix')
        run: |
          docker logout
          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
  upload:
--- a/.github/workflows/cleanup-after-pr.yml
+++ b/.github/workflows/cleanup-after-pr.yml
@ -4,13 +4,63 @@ name: Clean After PR
 on:
  pull_request:
    types: [closed]
  workflow_dispatch:
    inputs: {}
 jobs:
  build-docker:
    name: Remove feature branch docker images
    runs-on: ubuntu-20.04
    steps:
-      - name: Stub
+      - name: Checkout repo
-        run: echo "This is a workflow stub"
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
      ########## ACR ##########
      - name: Login to Azure - QA Subscription
        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
        with:
          creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}
      - name: Login to Azure ACR
        run: az acr login -n bitwardenqa
      ########## Remove Docker images ##########
      - name: Remove the docker image from ACR
        env:
          REGISTRY_NAME: bitwardenqa
          SERVICES: |
            services:
              - Admin
              - Api
              - Attachments
              - Events
              - EventsProcessor
              - Icons
              - Identity
              - K8S-Proxy
              - MsSql
              - Nginx
              - Notifications
              - Server
              - Setup
              - Sso
        run: |
          for SERVICE in $(echo "${{ env.SERVICES }}" | yq e ".services[]" - )
          do
            SERVICE_NAME=$(echo $SERVICE | awk '{print tolower($0)}')
            IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
            echo "[*] Checking if remote exists: $REGISTRY_NAME.azurecr.io/$SERVICE_NAME:$IMAGE_TAG"
            TAG_EXISTS=$(
              az acr repository show-tags --name $REGISTRY_NAME --repository $SERVICE_NAME \
              | jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")'
            )
            if [[ "$TAG_EXISTS" == "true" ]]; then
              echo "[*] Tag exists. Removing tag"
              az acr repository delete --name $REGISTRY_NAME --image $SERVICE_NAME:$IMAGE_TAG --yes
            else
              echo "[*] Tag does not exist. No action needed"
            fi
          done
      - name: Log out of Docker
        run: docker logout