
[PM-15126] Third attempt: Remove reliance on secrets in build pipelines (#13222)

* feat: create copy of desktop build for PR target

* chore: add temporary file to trigger ci

* fix: remove check-run from regular desktop build

* feat: change browser build to not use pr target

* fix: skip build-safari if secret is not available

* feat: skip safari build if secrets are not available

* feat: let windows desktop build without secrets

* fix: has_secrets not being output correctly

* feat: let macos desktop build without secrets

* feat: don't build browser as part of desktop

* feat: change CLI to pull_request

* feat: let web build without secrets

* feat: tweak lint to run on PR and not just push

* feat: add PR target workflows

* fix: remove wip files

* fix: lint on hotfix-rc branches

* feat: add new workflows to CODEOWNERS

* fix: remove workflow_dispatch

`pull_request_target` workflows are only intended to be used with contributor PRs, and we cannot dispatch builds for those branches, so there was no point in having that option.
Andreas Coroiu 2025-02-11 11:14:09 +01:00 committed by GitHub
parent 55c1dd9dbb
commit 4cb8e85937
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 243 additions and 44 deletions

.github/CODEOWNERS vendored

@ -86,9 +86,13 @@ apps/web/src/app/shared @bitwarden/team-platform-dev
apps/web/src/translation-constants.ts @bitwarden/team-platform-dev apps/web/src/translation-constants.ts @bitwarden/team-platform-dev
# Workflows # Workflows
.github/workflows/brew-bump-desktop.yml @bitwarden/team-platform-dev .github/workflows/brew-bump-desktop.yml @bitwarden/team-platform-dev
.github/workflows/build-browser-target.yml @bitwarden/team-platform-dev
.github/workflows/build-browser.yml @bitwarden/team-platform-dev .github/workflows/build-browser.yml @bitwarden/team-platform-dev
.github/workflows/build-cli-target.yml @bitwarden/team-platform-dev
.github/workflows/build-cli.yml @bitwarden/team-platform-dev .github/workflows/build-cli.yml @bitwarden/team-platform-dev
.github/workflows/build-desktop-target.yml @bitwarden/team-platform-dev
.github/workflows/build-desktop.yml @bitwarden/team-platform-dev .github/workflows/build-desktop.yml @bitwarden/team-platform-dev
.github/workflows/build-web-target.yml @bitwarden/team-platform-dev
.github/workflows/build-web.yml @bitwarden/team-platform-dev .github/workflows/build-web.yml @bitwarden/team-platform-dev
.github/workflows/chromatic.yml @bitwarden/team-platform-dev .github/workflows/chromatic.yml @bitwarden/team-platform-dev
.github/workflows/lint.yml @bitwarden/team-platform-dev .github/workflows/lint.yml @bitwarden/team-platform-dev


@ -0,0 +1,33 @@
name: Build Browser on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/browser/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
workflow_call:
inputs: {}
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Browser on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-browser.yml
secrets: inherit
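Review bot: The trigger on L76 is `pull_request`, while the file name, the `check-run` gate on L93-95 and the fork-only condition on L99 follow the `pull_request_target` pattern; under `pull_request` a fork PR carries no repository secrets, so `secrets: inherit` on L101 passes nothing and the path this wrapper exists for is never exercised. If `pull_request_target` is what is intended (the commit description suggests so), the called workflow then runs with base-repository secrets against contributor code and `check-run` becomes the only approval control, which deserves a comment above `jobs:` such as `# Contributor PRs only: check-run must approve before build-browser.yml receives inherited secrets.` The same layout is repeated in build-cli-target.yml, build-desktop-target.yml and build-web-target.yml; this file alone also declares `workflow_call: inputs: {}` on L87-88, which looks like a leftover and could be dropped for consistency unless something calls it.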


@ -1,7 +1,7 @@
name: Build Browser name: Build Browser
on: on:
pull_request_target: pull_request:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -38,19 +38,14 @@ defaults:
shell: bash shell: bash
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
repo_url: ${{ steps.gen_vars.outputs.repo_url }} repo_url: ${{ steps.gen_vars.outputs.repo_url }}
adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }} adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -74,6 +69,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
locales-test: locales-test:
name: Locales Test name: Locales Test
@ -281,6 +284,7 @@ jobs:
needs: needs:
- setup - setup
- locales-test - locales-test
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
_BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }} _BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }}
_NODE_VERSION: ${{ needs.setup.outputs.node_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
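Review bot: The `Check secrets` step on L134-140 exports the credential into the step environment via `env: AZURE_KV_CI_SERVICE_PRINCIPAL` (L136-137), but the `run:` script never reads it; the test is done by the expression on L139, whose result is only `true`/`false`. Drop the `env:` block so the service-principal JSON is not placed in a process environment that has no use for it, leaving `has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}` as the only reference. The same unused `env:` appears in the identical `Check secrets` steps of build-cli.yml, build-desktop.yml and build-web.yml. A one-line comment on the step, `# Presence check only; the secret value is never used by the script.`, would make the intent clear.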

.github/workflows/build-cli-target.yml vendored Normal file

@ -0,0 +1,33 @@
name: Build CLI on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/cli/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-cli.yml'
- 'bitwarden_license/bit-cli/**'
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build CLI on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-cli.yml
secrets: inherit


@ -1,7 +1,7 @@
name: Build CLI name: Build CLI
on: on:
pull_request_target: pull_request:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -27,6 +27,8 @@ on:
- '!*.txt' - '!*.txt'
- '.github/workflows/build-cli.yml' - '.github/workflows/build-cli.yml'
- 'bitwarden_license/bit-cli/**' - 'bitwarden_license/bit-cli/**'
workflow_call:
inputs: {}
workflow_dispatch: workflow_dispatch:
inputs: inputs:
sdk_branch: sdk_branch:
@ -39,18 +41,13 @@ defaults:
working-directory: apps/cli working-directory: apps/cli
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
package_version: ${{ steps.retrieve-package-version.outputs.package_version }} package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -71,6 +68,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
cli: cli:
name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }} name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }}
strategy: strategy:
@ -117,7 +122,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -130,7 +135,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -272,7 +277,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -285,7 +290,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
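Review bot: The step conditions on L238, L245, L252 and L259 read `needs.setup.outputs.has_secrets` from inside the `cli` job (L232), whose `needs:` list is outside the hunk; if `setup` is not among its dependencies the expression resolves to empty and these steps are silently skipped on every run, so please confirm the job declares `needs: setup`. With `inputs.sdk_branch` empty on the `pull_request` and `workflow_call` paths the combined condition appears to be false already, so the added `has_secrets` clause seems to matter only for dispatched runs; a short comment on the first of these steps, `# sdk_branch is only set by workflow_dispatch, which always has secrets`, would record that if it holds.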


@ -0,0 +1,32 @@
name: Build Desktop on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/desktop/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-desktop.yml'
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Desktop on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-desktop.yml
secrets: inherit


@ -1,7 +1,7 @@
name: Build Desktop name: Build Desktop
on: on:
pull_request_target: pull_request:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -25,6 +25,8 @@ on:
- '!*.md' - '!*.md'
- '!*.txt' - '!*.txt'
- '.github/workflows/build-desktop.yml' - '.github/workflows/build-desktop.yml'
workflow_call:
inputs: {}
workflow_dispatch: workflow_dispatch:
inputs: inputs:
sdk_branch: sdk_branch:
@ -37,15 +39,9 @@ defaults:
shell: bash shell: bash
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
electron-verify: electron-verify:
name: Verify Electron Version name: Verify Electron Version
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -67,8 +63,6 @@ jobs:
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
package_version: ${{ steps.retrieve-version.outputs.package_version }} package_version: ${{ steps.retrieve-version.outputs.package_version }}
release_channel: ${{ steps.release-channel.outputs.channel }} release_channel: ${{ steps.release-channel.outputs.channel }}
@ -76,6 +70,7 @@ jobs:
rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }} rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }} hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
defaults: defaults:
run: run:
working-directory: apps/desktop working-directory: apps/desktop
@ -138,6 +133,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
linux: linux:
name: Linux Build name: Linux Build
# Note, before updating the ubuntu version of the workflow, ensure the snap base image # Note, before updating the ubuntu version of the workflow, ensure the snap base image
@ -333,12 +336,14 @@ jobs:
rustup show rustup show
- name: Login to Azure - name: Login to Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/get-keyvault-secrets@main uses: bitwarden/gh-actions/get-keyvault-secrets@main
with: with:
keyvault: "bitwarden-ci" keyvault: "bitwarden-ci"
@ -353,7 +358,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -366,7 +371,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -386,7 +391,17 @@ jobs:
working-directory: apps/desktop/desktop_native working-directory: apps/desktop/desktop_native
run: node build.js cross-platform run: node build.js cross-platform
- name: Build & Sign (dev) - name: Build
run: |
npm run build
- name: Pack
if: ${{ needs.setup.outputs.has_secrets == 'false' }}
run: |
npm run pack:win
- name: Pack & Sign (dev)
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
ELECTRON_BUILDER_SIGN: 1 ELECTRON_BUILDER_SIGN: 1
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }} SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
@ -395,10 +410,10 @@ jobs:
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }} SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }}
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }} SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }}
run: | run: |
npm run build
npm run pack:win npm run pack:win
- name: Rename appx files for store - name: Rename appx files for store
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" ` Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" `
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx" -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx"
@ -408,6 +423,7 @@ jobs:
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx" -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx"
- name: Package for Chocolatey - name: Package for Chocolatey
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe ` Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe `
@ -419,6 +435,7 @@ jobs:
choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey
- name: Fix NSIS artifact names for auto-updater - name: Fix NSIS artifact names for auto-updater
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z ` Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z `
-NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z -NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@ -435,6 +452,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload installer exe artifact - name: Upload installer exe artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
@ -442,6 +460,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload appx ia32 artifact - name: Upload appx ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
@ -449,6 +468,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload store appx ia32 artifact - name: Upload store appx ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
@ -456,6 +476,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload NSIS ia32 artifact - name: Upload NSIS ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@ -463,6 +484,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload appx x64 artifact - name: Upload appx x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
@ -470,6 +492,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload store appx x64 artifact - name: Upload store appx x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
@ -477,6 +500,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload NSIS x64 artifact - name: Upload NSIS x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
@ -484,6 +508,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload appx ARM64 artifact - name: Upload appx ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
@ -491,6 +516,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload store appx ARM64 artifact - name: Upload store appx ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
@ -498,6 +524,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload NSIS ARM64 artifact - name: Upload NSIS ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
@ -505,6 +532,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload nupkg artifact - name: Upload nupkg artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
@ -512,6 +540,7 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload auto-update artifact - name: Upload auto-update artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with: with:
name: ${{ needs.setup.outputs.release_channel }}.yml name: ${{ needs.setup.outputs.release_channel }}.yml
@ -574,11 +603,13 @@ jobs:
key: ${{ runner.os }}-${{ github.run_id }}-safari-extension key: ${{ runner.os }}-${{ github.run_id }}-safari-extension
- name: Login to Azure - name: Login to Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Download Provisioning Profiles secrets - name: Download Provisioning Profiles secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
ACCOUNT_NAME: bitwardenci ACCOUNT_NAME: bitwardenci
CONTAINER_NAME: profiles CONTAINER_NAME: profiles
@ -591,6 +622,7 @@ jobs:
--output none --output none
- name: Get certificates - name: Get certificates
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
mkdir -p $HOME/certificates mkdir -p $HOME/certificates
@ -613,6 +645,7 @@ jobs:
jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
- name: Set up keychain - name: Set up keychain
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: | run: |
@ -642,6 +675,7 @@ jobs:
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
- name: Set up provisioning profiles - name: Set up provisioning profiles
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \
$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile $GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile
@ -661,7 +695,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -674,7 +708,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -701,6 +735,7 @@ jobs:
browser-build: browser-build:
name: Browser Build name: Browser Build
needs: setup needs: setup
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: ./.github/workflows/build-browser.yml uses: ./.github/workflows/build-browser.yml
secrets: inherit secrets: inherit
@ -708,6 +743,7 @@ jobs:
macos-package-github: macos-package-github:
name: MacOS Package GitHub Release Assets name: MacOS Package GitHub Release Assets
runs-on: macos-13 runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs: needs:
- browser-build - browser-build
- macos-build - macos-build
@ -949,6 +985,7 @@ jobs:
macos-package-mas: macos-package-mas:
name: MacOS Package Prod Release Asset name: MacOS Package Prod Release Asset
runs-on: macos-13 runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs: needs:
- browser-build - browser-build
- macos-build - macos-build
@ -1217,6 +1254,7 @@ jobs:
macos-package-dev: macos-package-dev:
name: MacOS Package Dev Release Asset name: MacOS Package Dev Release Asset
runs-on: macos-13 runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs: needs:
- browser-build - browser-build
- macos-build - macos-build
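Review bot: The unsigned `Pack` step on L390-393 is conditioned on `has_secrets == 'false'` while its signed counterpart on L394-395 uses `== 'true'`; if the `setup` output is ever empty (the step did not run, or the output name drifts), neither branch packs and the job continues to the upload steps without an artifact. Make the unsigned path the default with `if: ${{ needs.setup.outputs.has_secrets != 'true' }}` so the two conditions are complementary. The `Pack & Sign (dev)` step's `env:` still dereferences `steps.retrieve-secrets.outputs.*` (L398, L400-401); since `Retrieve secrets` is gated on the same output (L366) this stays consistent, but a comment tying the two together, `# Requires retrieve-secrets, which runs only when has_secrets is true`, would help the next editor. The rest of the Windows job lies outside the hunk.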

.github/workflows/build-web-target.yml vendored Normal file

@ -0,0 +1,32 @@
name: Build Web on PR Target
on:
pull_request:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/web/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-web.yml'
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Web on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-web.yml
secrets: inherit


@ -1,7 +1,7 @@
name: Build Web name: Build Web
on: on:
pull_request_target: pull_request:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -27,6 +27,8 @@ on:
- '.github/workflows/build-web.yml' - '.github/workflows/build-web.yml'
release: release:
types: [published] types: [published]
workflow_call:
inputs: {}
workflow_dispatch: workflow_dispatch:
inputs: inputs:
custom_tag_extension: custom_tag_extension:
@ -41,18 +43,13 @@ env:
_AZ_REGISTRY: bitwardenprod.azurecr.io _AZ_REGISTRY: bitwardenprod.azurecr.io
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
version: ${{ steps.version.outputs.value }} version: ${{ steps.version.outputs.value }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -70,6 +67,14 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
build-artifacts: build-artifacts:
name: Build artifacts name: Build artifacts
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -128,7 +133,7 @@ jobs:
run: npm ci run: npm ci
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -141,7 +146,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' }} if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -213,19 +218,23 @@ jobs:
########## ACRs ########## ########## ACRs ##########
- name: Login to Prod Azure - name: Login to Prod Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Log into Prod container registry - name: Log into Prod container registry
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: az acr login -n bitwardenprod run: az acr login -n bitwardenprod
- name: Login to Azure - CI Subscription - name: Login to Azure - CI Subscription
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve github PAT secrets - name: Retrieve github PAT secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
id: retrieve-secret-pat id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main uses: bitwarden/gh-actions/get-keyvault-secrets@main
with: with:
@ -273,6 +282,7 @@ jobs:
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
- name: Build Docker image - name: Build Docker image
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
id: build-docker id: build-docker
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0 uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
with: with:
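Review bot: Gating `Build Docker image` on L705 behind `has_secrets` means the image build itself is no longer validated on contributor PRs, even though only the registry logins on L685-691 and any push require credentials; the action's `with:` block (outside the hunk) would show whether it pushes. If it does, prefer keeping the build unconditional and setting `push: ${{ needs.setup.outputs.has_secrets == 'true' }}` so a broken Dockerfile still fails the PR. Separately, the `Retrieve github PAT secrets` step places `if:` before `id:` (L698-699) whereas the other gated steps in this commit put `id:` first (e.g. build-desktop.yml L365-366); keeping one order makes the diffs easier to scan.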


@ -1,12 +1,20 @@
name: Lint name: Lint
on: on:
push: pull_request:
types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
- 'cf-pages' - 'cf-pages'
paths-ignore: paths-ignore:
- '.github/workflows/**' - '.github/workflows/**'
push:
branches:
- 'main'
- 'rc'
- 'hotfix-rc-*'
paths-ignore:
- '.github/workflows/**'
workflow_dispatch: workflow_dispatch:
inputs: {} inputs: {}
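Review bot: The new `pull_request` trigger on L715-716 lists only `opened` and `synchronize`, so a PR that is closed and reopened is not re-linted until it receives a new push; add `reopened` to make the check re-run, `types: [opened, synchronize, reopened]`. The `paths-ignore` of `.github/workflows/**` on L720-721 and L727-728 also means a PR that touches only workflow files is never linted, which may be intentional but is worth stating in a comment such as `# Workflow-only changes are deliberately excluded from lint.`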