From f3d6a430257873933feeda33c8a0eadf2db4300d Mon Sep 17 00:00:00 2001 From: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Date: Fri, 22 Oct 2021 08:41:38 -0700 Subject: [PATCH] Change protected release branch to `release` (#1656) * Adding a contraint around the new release branch strategy * Adding a constraint on what CI code can be used to release the release branch * updating the self host docker image building and releasing * removing master branch release ci code execution * updating some verbiage --- .github/workflows/build.yml | 15 +++++- .github/workflows/release.yml | 95 +++++++++++++++++++++++++++++++---- 2 files changed, 98 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a7178a0933..0c8e46c61b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -298,8 +298,8 @@ jobs: - name: Setup build artifact if: ${{ matrix.dotnet }} run: | - mkdir -p ${{ matrix.base_path}}/${{ matrix.service_name}}/obj/build-output/publish - unzip ${{ matrix.service_name }}.zip -d ${{ matrix.base_path}}/${{ matrix.service_name}}/obj/build-output/publish + mkdir -p ${{ matrix.base_path}}/${{ matrix.service_name }}/obj/build-output/publish + unzip ${{ matrix.service_name }}.zip -d ${{ matrix.base_path }}/${{ matrix.service_name }}/obj/build-output/publish - name: Build Docker images run: | @@ -323,6 +323,12 @@ jobs: docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \ ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev + - name: Tag latest + if: github.ref == 'refs/heads/release' + run: | + docker tag ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }} \ + ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:latest + - name: List Docker images if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' run: docker images 
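Review bot: The new `Tag latest` step (and `Push latest images` in the next build.yml hunk, `@@ -343,6 +349,11 @@`) runs only on `refs/heads/release`, but the neighbouring `List Docker images` and `Log out of Docker` steps are still guarded by `github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'`, so on the release branch the logout is skipped. The registry login and any Docker Content Trust setup are outside these hunks; if they carry the same guard, the `latest` push either fails unauthenticated or goes out without the signing configuration used for the other tags. I would append `|| github.ref == 'refs/heads/release'` to those conditions. If the `dev` push is signed, the new push step should get the same `DOCKER_CONTENT_TRUST` env.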
@@ -343,6 +349,11 @@ jobs: run: | docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:dev + - name: Push latest images + if: github.ref == 'refs/heads/release' + run: | + docker push ${{ matrix.docker_repo }}/${{ steps.setup.outputs.service_name }}:latest + - name: Log out of Docker if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' run: docker logout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 013144c43b..e7f804583a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,11 +3,7 @@ name: Release on: workflow_dispatch: - inputs: - release_branch: - description: "branch to release from" - required: true - default: "rc" + inputs: {} jobs: @@ -17,10 +13,19 @@ jobs: outputs: release_version: ${{ steps.version.outputs.package }} steps: + - name: Branch check + run: | + if [[ "$GITHUB_REF" != "refs/heads/release" ]]; then + echo "===================================" + echo "[!] Can only release from the 'release' branch" + echo "===================================" + exit 1 + fi + - name: Checkout repo uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f with: - ref: ${{ github.event.inputs.release_branch }} + ref: release - name: Check Release Version id: version @@ -62,12 +67,12 @@ jobs: echo "NAME_LOWER: $NAME_LOWER" echo "::set-output name=name_lower::$NAME_LOWER" - - name: Download latest ${{ github.event.inputs.release_branch }} ${{ matrix.name }} asset + - name: Download latest Release ${{ matrix.name }} asset uses: bitwarden/gh-actions/download-artifacts@23433be15ed6fd046ce12b6889c5184a8d9c8783 with: workflow: build.yml workflow_conclusion: success - branch: ${{ github.event.inputs.release_branch }} + branch: release artifacts: ${{ matrix.name }}.zip - name: Login to Azure 
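Review bot: The `Branch check` step added to `setup` in release.yml (`@@ -17,10 +13,19 @@`) is enforced only by the workflow file it lives in, and a `workflow_dispatch` run uses the copy of `release.yml` from the selected ref, so the check works as a fast fail rather than as the control protecting the production credentials. The stronger control is to bind the secrets used further down (for example `secrets.AZURE_PROD_KV_CREDENTIALS`) to a GitHub environment whose deployment branches are limited to `release`. The shell check can stay in place as a readable early error. The other jobs inherit the check only through their `needs` chain, so a job-level `if: github.ref == 'refs/heads/release'` on each releasing job would make the constraint explicit. The rest of the `setup` job lies outside the hunk.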
@@ -96,6 +101,76 @@ jobs: slot: "staging" + release-docker: + name: Build Docker images + runs-on: ubuntu-20.04 + needs: build-artifacts + env: + _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }} + strategy: + fail-fast: false + matrix: + include: + - service_name: Admin + - service_name: Api + - service_name: Attachments + - service_name: Events + - service_name: Icons + - service_name: Identity + - service_name: K8S-Proxy + - service_name: MsSql + - service_name: Nginx + - service_name: Notifications + - service_name: Server + - service_name: Setup + - service_name: Sso + steps: + - name: Print environment + run: | + whoami + docker --version + echo "GitHub ref: $GITHUB_REF" + echo "GitHub event: $GITHUB_EVENT" + + - name: Setup DCT + id: setup-dct + uses: bitwarden/gh-actions/setup-docker-trust@a8c384a05a974c05c48374c818b004be221d43ff + with: + azure-creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + azure-keyvault-name: "bitwarden-prod-kv" + + - name: Checkout repo + uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f + + - name: Setup service name + id: setup + run: | + SERVICE_NAME=$(echo "${{ matrix.service_name }}" | awk '{print tolower($0)}') + echo "Matrix name: ${{ matrix.service_name }}" + echo "SERVICE_NAME: $SERVICE_NAME" + echo "::set-output name=service_name::$SERVICE_NAME" + + - name: Pull latest selfhost Release image + run: docker pull bitwarden/${{ steps.setup.outputs.service_name }}:latest + + - name: Tag version + run: | + docker tag bitwarden/${{ steps.setup.outputs.service_name }}:latest bitwarden/${{ steps.setup.outputs.service_name }}:$_RELEASE_VERSION + + - name: List Docker images + run: docker images + + - name: Push latest image + run: | + docker push bitwarden/${{ steps.setup.outputs.service_name }}:$_RELEASE_VERSION + env: + DOCKER_CONTENT_TRUST: 1 + DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} + + - name: Log out of Docker + run: docker logout + + 
release: name: Create GitHub Release runs-on: ubuntu-20.04 @@ -103,12 +178,12 @@ jobs: - setup - deploy steps: - - name: Download latest ${{ github.event.inputs.release_branch }} docker-stub + - name: Download latest Release docker-stub uses: bitwarden/gh-actions/download-artifacts@23433be15ed6fd046ce12b6889c5184a8d9c8783 with: workflow: build.yml workflow_conclusion: success - branch: ${{ github.event.inputs.release_branch }} + branch: release artifacts: "docker-stub.zip, swagger.json"
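Review bot: The new `release-docker` job pulls `bitwarden/<service>:latest` by mutable tag, without `DOCKER_CONTENT_TRUST` on the pull step, and then pushes it as `$_RELEASE_VERSION` signed with the production delegation passphrase, so whatever `latest` points to at that moment is signed as the release. Nothing visible ties that image to the commit on `release`; consider `DOCKER_CONTENT_TRUST: 1` on the pull as well (if build.yml pushes `latest` signed) or pulling by a digest recorded by the build. Separately, the job declares `needs: build-artifacts` but reads `needs.setup.outputs.release_version`. The `needs` context only carries outputs of direct dependencies, so `_RELEASE_VERSION` is likely empty unless `setup` is listed, e.g. `needs: [setup, build-artifacts]` (whether a `build-artifacts` job exists in this workflow is not visible here). No `docker login` step is visible in the job either, so confirm that `setup-docker-trust` authenticates to the registry.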