diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 11e79590f2..aa868cd1b5 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -66,6 +66,7 @@ src/Admin/Views/Tools @bitwarden/team-billing-dev # Platform team .github/workflows/build.yml @bitwarden/team-platform-dev +.github/workflows/build_target.yml @bitwarden/team-platform-dev .github/workflows/cleanup-after-pr.yml @bitwarden/team-platform-dev .github/workflows/cleanup-rc-branch.yml @bitwarden/team-platform-dev .github/workflows/repository-management.yml @bitwarden/team-platform-dev diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8f125b7811..f0df238b34 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,22 +7,18 @@ on: - "main" - "rc" - "hotfix-rc" - pull_request_target: + pull_request: types: [opened, synchronize] + workflow_call: + inputs: {} env: _AZ_REGISTRY: "bitwardenprod.azurecr.io" jobs: - check-run: - name: Check PR run - uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main - lint: name: Lint runs-on: ubuntu-22.04 - needs: - - check-run steps: - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -40,6 +36,8 @@ jobs: runs-on: ubuntu-22.04 needs: - lint + outputs: + has_secrets: ${{ steps.check-secrets.outputs.has_secrets }} strategy: fail-fast: false matrix: @@ -75,6 +73,14 @@ jobs: base_path: ./bitwarden_license/src node: true steps: + - name: Check secrets + id: check-secrets + env: + AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + run: | + has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }} + echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT + - name: Check out repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -134,6 +140,7 @@ jobs: id-token: write needs: - build-artifacts + if: ${{ needs.build-artifacts.outputs.has_secrets == 'true' }} strategy: fail-fast: false matrix: 
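Review bot: Adding `workflow_call` lets `build_target.yml` invoke this file from a `pull_request_target` event, and as far as I can tell a called workflow sees the caller's `github` context, so the `github.event_name != 'pull_request'` guards that this diff substitutes for `!= 'pull_request_target'` throughout the file are true on that path while `github.ref` is the PR's base branch (e.g. `refs/heads/main`). Release-only steps (Cosign install/sign, Docker stubs, self-host build, k8s deploy) would then satisfy their conditions for a fork PR routed through `build_target.yml`, which the old `!= 'pull_request_target'` form excluded. Since the only other trigger here is `push`, the intent is expressed exactly and future-proof by `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` (with `[[ "${GITHUB_EVENT_NAME}" != "push" ]]` in the tag script), or by a boolean `workflow_call` input such as `is_pull_request_target` that the caller sets and each guard checks. The `on:` block begins before this hunk and the `jobs:` mapping continues past it.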
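Review bot: The `env: AZURE_KV_CI_SERVICE_PRINCIPAL` block on the new `Check secrets` step is never read by its script — the `${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}` comparison is evaluated before the shell runs — so it only injects the raw service-principal secret into that step's process environment for no benefit; drop the `env:` block and keep `run: echo "has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}" >> "$GITHUB_OUTPUT"`. Note also that `has_secrets` reports whether the run has secrets, not where the code came from: with `secrets: inherit` from `build_target.yml` it will presumably be `true` for fork PRs as well, so downstream jobs gated on it (e.g. `build-docker` in the last hunk) should not treat it as a trust signal. The `build-artifacts` job's `steps` list continues past this hunk.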
@@ -227,7 +234,7 @@ jobs: - name: Generate Docker image tag id: tag run: | - if [[ "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then + if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g") else IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") @@ -289,11 +296,11 @@ jobs: "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" - name: Install Cosign - if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - name: Sign image with Cosign - if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' env: DIGEST: ${{ steps.build-docker.outputs.digest }} TAGS: ${{ steps.image-tags.outputs.tags }} @@ -343,7 +350,7 @@ jobs: - name: Make Docker stubs if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') run: | # Set proper setup image based on branch @@ -385,7 +392,7 @@ jobs: - name: Make Docker stub checksums if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') run: | sha256sum docker-stub-US.zip > docker-stub-US-sha256.txt @@ -393,7 +400,7 @@ jobs: - name: Upload Docker stub US artifact if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: 
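Review bot: When this step runs in a `build_target.yml`-initiated run, `GITHUB_EVENT_NAME` is `pull_request_target` (the caller's event), so the new `== "pull_request"` test is false and the `else` branch derives the tag from `${GITHUB_REF:11}`, which for a `pull_request_target` event is the base branch — a fork PR against `main` would therefore yield `IMAGE_TAG=main` and, if this job pushes the image (not visible here), overwrite the `main` image in `bitwardenprod.azurecr.io`. Testing for the one event that should produce a branch tag avoids this regardless of how the workflow was entered: `if [[ "${GITHUB_EVENT_NAME}" != "push" ]]; then` with the head-ref branch in that arm. The `build-docker` job this step belongs to starts and ends outside the hunk.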
@@ -403,7 +410,7 @@ jobs: - name: Upload Docker stub EU artifact if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: @@ -413,7 +420,7 @@ jobs: - name: Upload Docker stub US checksum artifact if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: @@ -423,7 +430,7 @@ jobs: - name: Upload Docker stub EU checksum artifact if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: @@ -552,7 +559,7 @@ jobs: self-host-build: name: Trigger self-host build if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') runs-on: ubuntu-22.04 needs: @@ -587,7 +594,7 @@ jobs: trigger-k8s-deploy: name: Trigger k8s deploy - if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' + if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' runs-on: ubuntu-22.04 needs: - build-docker @@ -623,7 +630,8 @@ jobs: trigger-ee-updates: name: Trigger Ephemeral Environment updates if: | - github.event_name == 'pull_request_target' + needs.build-artifacts.outputs.has_secrets == 'true' + && github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') runs-on: ubuntu-24.04 needs: 
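Review bot: Under the `build_target.yml` path `github.event_name` is `pull_request_target`, so the `== 'pull_request'` term in the new `trigger-ee-updates` condition is false and a fork PR carrying the `ephemeral-environment` label never triggers an update even though `has_secrets` is `true` there; if that is intentional, say so above the `if:`: `# Fork PRs (pull_request_target via build_target.yml) are deliberately excluded from ephemeral environments.` If it is not, the condition needs to admit `pull_request_target` explicitly rather than relying on `has_secrets`. The `trigger-ee-updates` job's `needs:` list continues past this hunk.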
@@ -660,7 +668,8 @@ jobs: name: Trigger Ephemeral Environment Sync needs: trigger-ee-updates if: | - github.event_name == 'pull_request_target' + needs.build-artifacts.outputs.has_secrets == 'true' + && github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'ephemeral-environment') uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main with: @@ -670,7 +679,6 @@ jobs: pull_request_number: ${{ github.event.number }} secrets: inherit - check-failures: name: Check for failures if: always() @@ -686,7 +694,7 @@ jobs: steps: - name: Check if any job failed if: | - github.event_name != 'pull_request_target' + github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') && contains(needs.*.result, 'failure') run: exit 1 diff --git a/.github/workflows/build_target.yml b/.github/workflows/build_target.yml new file mode 100644 index 0000000000..313446c949 --- /dev/null +++ b/.github/workflows/build_target.yml @@ -0,0 +1,21 @@ +name: Build on PR Target + +on: + pull_request_target: + types: [opened, synchronize] + +defaults: + run: + shell: bash + +jobs: + check-run: + name: Check PR run + uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main + + run-workflow: + name: Run Build on PR Target + needs: check-run + if: ${{ github.event.pull_request.head.repo.full_name != github.repository }} + uses: ./.github/workflows/build.yml + secrets: inherit
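Review bot: `run-workflow` hands the full secret set (`secrets: inherit`) to a `pull_request_target` run that its `if` restricts to fork PRs — exactly the untrusted-author case — and the only gate between a fork commit and those secrets is `check-run`, whose logic lives in `bitwarden/gh-actions` at the mutable `@main` ref and is not visible in this diff. If the called `build.yml` checks out `github.event.pull_request.head.sha` (its checkout `with:` block is cut off in this diff), the fork's build scripts run with those secrets, so the approval semantics the gate enforces (e.g. a maintainer label re-required on every `synchronize`) should be confirmed and recorded in a comment above `check-run`, and that `uses:` should be pinned to a commit SHA like every other action in `build.yml`: `uses: bitwarden/gh-actions/.github/workflows/check-run.yml@<sha> # main`. A one-line comment on why the fork/non-fork split exists would also help the next reader: `# Fork PRs get no secrets under pull_request; they are routed here and only run once check-run approves.`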