Upstream/bitwarden-browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser.git synced 2025-02-15 01:11:47 +01:00
Code Issues Projects Releases Wiki Activity

[PM-15126] Third attempt: Remove reliance on secrets in build pipelines (#13222)

Browse Source 
* feat: create copy of desktop build for PR target

* chore: add temporary file to trigger ci

* fix: remove check-run from regular desktop build

* feat: change browser build to not use pr target

* fix: skip build-safari if secret is not available

* feat: skip safari build if secrets are not available

* feat: let windows desktop build without secrets

* fix: has_secrets not being output correctly

* feat: let macos desktop build without secrets

* feat: don't build browser as part of desktop

* feat: change CLI to pull_request

* feat: let web build without secrets

* feat: tweak lint to run on PR and not just push

* feat: add PR target workflows

* fix: remove wip files

* fix: lint on hotfix-rc branches

* feat: add new workflows to CODEOWNERS

* fix: remove workflow_dispatch

pull_request_target are only intended to be used with contributor PRs and we cannot dispatch builds for these branches so there was no point having that option.
This commit is contained in:
Andreas Coroiu 2025-02-11 11:14:09 +01:00 committed by GitHub
parent 55c1dd9dbb
commit 4cb8e85937
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 243 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/CODEOWNERS vendored
View File

@ -86,9 +86,13 @@ apps/web/src/app/shared @bitwarden/team-platform-dev
apps/web/src/translation-constants.ts @bitwarden/team-platform-dev
# Workflows
.github/workflows/brew-bump-desktop.yml @bitwarden/team-platform-dev
.github/workflows/build-browser-target.yml @bitwarden/team-platform-dev
.github/workflows/build-browser.yml @bitwarden/team-platform-dev
.github/workflows/build-cli-target.yml @bitwarden/team-platform-dev
.github/workflows/build-cli.yml @bitwarden/team-platform-dev
.github/workflows/build-desktop-target.yml @bitwarden/team-platform-dev
.github/workflows/build-desktop.yml @bitwarden/team-platform-dev
.github/workflows/build-web-target.yml @bitwarden/team-platform-dev
.github/workflows/build-web.yml @bitwarden/team-platform-dev
.github/workflows/chromatic.yml @bitwarden/team-platform-dev
.github/workflows/lint.yml @bitwarden/team-platform-dev

33
.github/workflows/build-browser-target.yml vendored Normal file
View File

@ -0,0 +1,33 @@
name: Build Browser on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/browser/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Browser on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-browser.yml
secrets: inherit

18
.github/workflows/build-browser.yml vendored
View File

@ -1,7 +1,7 @@
name: Build Browser
on:
pull_request_target:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
@ -38,19 +38,14 @@ defaults:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup:
name: Setup
runs-on: ubuntu-22.04
needs:
- check-run
outputs:
repo_url: ${{ steps.gen_vars.outputs.repo_url }}
adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -74,6 +69,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
locales-test:
name: Locales Test
@ -281,6 +284,7 @@ jobs:
needs:
- setup
- locales-test
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env:
_BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }}
_NODE_VERSION: ${{ needs.setup.outputs.node_version }}

33
.github/workflows/build-cli-target.yml vendored Normal file
View File

@ -0,0 +1,33 @@
name: Build CLI on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/cli/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-cli.yml'
- 'bitwarden_license/bit-cli/**'
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build CLI on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-cli.yml
secrets: inherit

27
.github/workflows/build-cli.yml vendored
View File

@ -1,7 +1,7 @@
name: Build CLI
on:
pull_request_target:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
@ -27,6 +27,8 @@ on:
- '!*.txt'
- '.github/workflows/build-cli.yml'
- 'bitwarden_license/bit-cli/**'
workflow_call:
inputs: {}
workflow_dispatch:
inputs:
sdk_branch:
@ -39,18 +41,13 @@ defaults:
working-directory: apps/cli
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup:
name: Setup
runs-on: ubuntu-22.04
needs:
- check-run
outputs:
package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -71,6 +68,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
cli:
name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }}
strategy:
@ -117,7 +122,7 @@ jobs:
working-directory: ./
- name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main
with:
github_token: ${{secrets.GITHUB_TOKEN}}
@ -130,7 +135,7 @@ jobs:
if_no_artifact_found: fail
- name: Override SDK
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./
run: |
ls -l ../
@ -272,7 +277,7 @@ jobs:
working-directory: ./
- name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main
with:
github_token: ${{secrets.GITHUB_TOKEN}}
@ -285,7 +290,7 @@ jobs:
if_no_artifact_found: fail
- name: Override SDK
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./
run: |
ls -l ../

32
.github/workflows/build-desktop-target.yml vendored Normal file
View File

@ -0,0 +1,32 @@
name: Build Desktop on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/desktop/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-desktop.yml'
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Desktop on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-desktop.yml
secrets: inherit

68
.github/workflows/build-desktop.yml vendored
View File

@ -1,7 +1,7 @@
name: Build Desktop
on:
pull_request_target:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
@ -25,6 +25,8 @@ on:
- '!*.md'
- '!*.txt'
- '.github/workflows/build-desktop.yml'
workflow_call:
inputs: {}
workflow_dispatch:
inputs:
sdk_branch:
@ -37,15 +39,9 @@ defaults:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
electron-verify:
name: Verify Electron Version
runs-on: ubuntu-22.04
needs:
- check-run
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -67,8 +63,6 @@ jobs:
setup:
name: Setup
runs-on: ubuntu-22.04
needs:
- check-run
outputs:
package_version: ${{ steps.retrieve-version.outputs.package_version }}
release_channel: ${{ steps.release-channel.outputs.channel }}
@ -76,6 +70,7 @@ jobs:
rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
defaults:
run:
working-directory: apps/desktop
@ -138,6 +133,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
linux:
name: Linux Build
# Note, before updating the ubuntu version of the workflow, ensure the snap base image
@ -333,12 +336,14 @@ jobs:
rustup show
- name: Login to Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
id: retrieve-secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
@ -353,7 +358,7 @@ jobs:
working-directory: ./
- name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main
with:
github_token: ${{secrets.GITHUB_TOKEN}}
@ -366,7 +371,7 @@ jobs:
if_no_artifact_found: fail
- name: Override SDK
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./
run: |
ls -l ../
@ -386,7 +391,17 @@ jobs:
working-directory: apps/desktop/desktop_native
run: node build.js cross-platform
- name: Build & Sign (dev)
- name: Build
run: |
npm run build
- name: Pack
if: ${{ needs.setup.outputs.has_secrets == 'false' }}
run: |
npm run pack:win
- name: Pack & Sign (dev)
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env:
ELECTRON_BUILDER_SIGN: 1
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
@ -395,10 +410,10 @@ jobs:
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }}
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }}
run: |
npm run build
npm run pack:win
- name: Rename appx files for store
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: |
Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" `
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx"
@ -408,6 +423,7 @@ jobs:
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx"
- name: Package for Chocolatey
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: |
Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe `
@ -419,6 +435,7 @@ jobs:
choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey
- name: Fix NSIS artifact names for auto-updater
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: |
Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z `
-NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@ -435,6 +452,7 @@ jobs:
if-no-files-found: error
- name: Upload installer exe artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
@ -442,6 +460,7 @@ jobs:
if-no-files-found: error
- name: Upload appx ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
@ -449,6 +468,7 @@ jobs:
if-no-files-found: error
- name: Upload store appx ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
@ -456,6 +476,7 @@ jobs:
if-no-files-found: error
- name: Upload NSIS ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@ -463,6 +484,7 @@ jobs:
if-no-files-found: error
- name: Upload appx x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
@ -470,6 +492,7 @@ jobs:
if-no-files-found: error
- name: Upload store appx x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
@ -477,6 +500,7 @@ jobs:
if-no-files-found: error
- name: Upload NSIS x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
@ -484,6 +508,7 @@ jobs:
if-no-files-found: error
- name: Upload appx ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
@ -491,6 +516,7 @@ jobs:
if-no-files-found: error
- name: Upload store appx ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
@ -498,6 +524,7 @@ jobs:
if-no-files-found: error
- name: Upload NSIS ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
@ -505,6 +532,7 @@ jobs:
if-no-files-found: error
- name: Upload nupkg artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
@ -512,6 +540,7 @@ jobs:
if-no-files-found: error
- name: Upload auto-update artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: ${{ needs.setup.outputs.release_channel }}.yml
@ -574,11 +603,13 @@ jobs:
key: ${{ runner.os }}-${{ github.run_id }}-safari-extension
- name: Login to Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Download Provisioning Profiles secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env:
ACCOUNT_NAME: bitwardenci
CONTAINER_NAME: profiles
@ -591,6 +622,7 @@ jobs:
--output none
- name: Get certificates
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: |
mkdir -p $HOME/certificates
@ -613,6 +645,7 @@ jobs:
jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
- name: Set up keychain
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
@ -642,6 +675,7 @@ jobs:
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
- name: Set up provisioning profiles
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: |
cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \
$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile
@ -661,7 +695,7 @@ jobs:
working-directory: ./
- name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main
with:
github_token: ${{secrets.GITHUB_TOKEN}}
@ -674,7 +708,7 @@ jobs:
if_no_artifact_found: fail
- name: Override SDK
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./
run: |
ls -l ../
@ -701,6 +735,7 @@ jobs:
browser-build:
name: Browser Build
needs: setup
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: ./.github/workflows/build-browser.yml
secrets: inherit
@ -708,6 +743,7 @@ jobs:
macos-package-github:
name: MacOS Package GitHub Release Assets
runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs:
- browser-build
- macos-build
@ -949,6 +985,7 @@ jobs:
macos-package-mas:
name: MacOS Package Prod Release Asset
runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs:
- browser-build
- macos-build
@ -1217,6 +1254,7 @@ jobs:
macos-package-dev:
name: MacOS Package Dev Release Asset
runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs:
- browser-build
- macos-build

32
.github/workflows/build-web-target.yml vendored Normal file
View File

@ -0,0 +1,32 @@
name: Build Web on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/web/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-web.yml'
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Web on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-web.yml
secrets: inherit

30
.github/workflows/build-web.yml vendored
View File

@ -1,7 +1,7 @@
name: Build Web
on:
pull_request_target:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
@ -27,6 +27,8 @@ on:
- '.github/workflows/build-web.yml'
release:
types: [published]
workflow_call:
inputs: {}
workflow_dispatch:
inputs:
custom_tag_extension:
@ -41,18 +43,13 @@ env:
_AZ_REGISTRY: bitwardenprod.azurecr.io
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup:
name: Setup
runs-on: ubuntu-22.04
needs:
- check-run
outputs:
version: ${{ steps.version.outputs.value }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -70,6 +67,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
build-artifacts:
name: Build artifacts
runs-on: ubuntu-22.04
@ -128,7 +133,7 @@ jobs:
run: npm ci
- name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main
with:
github_token: ${{secrets.GITHUB_TOKEN}}
@ -141,7 +146,7 @@ jobs:
if_no_artifact_found: fail
- name: Override SDK
if: ${{ inputs.sdk_branch != '' }}
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./
run: |
ls -l ../
@ -213,19 +218,23 @@ jobs:
########## ACRs ##########
- name: Login to Prod Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Log into Prod container registry
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: az acr login -n bitwardenprod
- name: Login to Azure - CI Subscription
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve github PAT secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
@ -273,6 +282,7 @@ jobs:
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
- name: Build Docker image
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
id: build-docker
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
with:
@ -283,7 +293,7 @@ jobs:
tags: ${{ steps.image-name.outputs.name }}
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
- name: Install Cosign
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

10
.github/workflows/lint.yml vendored
View File

@ -1,12 +1,20 @@
name: Lint
on:
push:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths-ignore:
- '.github/workflows/**'
push:
branches:
- 'main'
- 'rc'
- 'hotfix-rc-*'
paths-ignore:
- '.github/workflows/**'
workflow_dispatch:
inputs: {}