mirror of https://github.com/bitwarden/browser.git synced 2024-12-21 16:18:28 +01:00

Revert workflow changes (#12376)

* Revert "fix: target workflows not triggering on pull_request_target (#12370)"

This reverts commit 645d36f465.

* Revert "[PM-15126] Tighten scope of our client build pipelines to remove reliance on secrets (#12243)"

This reverts commit f8c33ea04b.
Todd Martin 2024-12-12 12:22:55 -05:00 committed by GitHub
parent 3ce89f9945
commit 7c8b9db58f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 43 additions and 269 deletions

4
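--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -85,13 +85,9 @@ apps/web/src/app/shared @bitwarden/team-platform-dev
 apps/web/src/translation-constants.ts @bitwarden/team-platform-dev
 # Workflows
 .github/workflows/brew-bump-desktop.yml @bitwarden/team-platform-dev
-.github/workflows/build-browser-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-browser.yml @bitwarden/team-platform-dev
-.github/workflows/build-cli-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-cli.yml @bitwarden/team-platform-dev
-.github/workflows/build-desktop-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-desktop.yml @bitwarden/team-platform-dev
-.github/workflows/build-web-target.yml @bitwarden/team-platform-dev
 .github/workflows/build-web.yml @bitwarden/team-platform-dev
 .github/workflows/chromatic.yml @bitwarden/team-platform-dev
 .github/workflows/lint.yml @bitwarden/team-platform-dev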


@ -1,39 +0,0 @@
name: Build Browser on PR Target
on:
pull_request_target:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/browser/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
workflow_call:
inputs: {}
workflow_dispatch:
inputs:
sdk_branch:
description: "Custom SDK branch"
required: false
type: string
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Browser on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-browser.yml
secrets: inherit


@ -1,7 +1,7 @@
name: Build Browser name: Build Browser
on: on:
pull_request: pull_request_target:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -38,14 +38,19 @@ defaults:
shell: bash shell: bash
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
repo_url: ${{ steps.gen_vars.outputs.repo_url }} repo_url: ${{ steps.gen_vars.outputs.repo_url }}
adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }} adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -69,14 +74,6 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
locales-test: locales-test:
name: Locales Test name: Locales Test
@ -284,7 +281,6 @@ jobs:
needs: needs:
- setup - setup
- locales-test - locales-test
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
_BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }} _BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }}
_NODE_VERSION: ${{ needs.setup.outputs.node_version }} _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
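Review bot: With the trigger switched to `pull_request_target`, runs started by pull requests execute in the base repository's context with its secrets available, and the only gate visible here is the new `check-run` job, referenced as `bitwarden/gh-actions/.github/workflows/check-run.yml@main` — a mutable branch, while `actions/checkout` in the same file is pinned to a commit SHA. I would pin the reusable workflow the same way, `uses: bitwarden/gh-actions/.github/workflows/check-run.yml@<commit-sha> # main`, and add a comment above `pull_request_target:` recording which ref the checkout step builds and why exposing secrets to that ref is acceptable. What check-run enforces and the ref passed to checkout are outside the visible hunks, so both need confirming there. The same trigger and gate are added in the build-cli, build-desktop and build-web sections, and the removed `has_secrets` condition means the later jobs now assume secrets are always present.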


@ -1,39 +0,0 @@
name: Build CLI on PR Target
on:
pull_request_target:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/cli/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-cli.yml'
- 'bitwarden_license/bit-cli/**'
workflow_dispatch:
inputs:
sdk_branch:
description: "Custom SDK branch"
required: false
type: string
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build CLI on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-cli.yml
secrets: inherit


@ -1,7 +1,7 @@
name: Build CLI name: Build CLI
on: on:
pull_request: pull_request_target:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -27,8 +27,6 @@ on:
- '!*.txt' - '!*.txt'
- '.github/workflows/build-cli.yml' - '.github/workflows/build-cli.yml'
- 'bitwarden_license/bit-cli/**' - 'bitwarden_license/bit-cli/**'
workflow_call:
inputs: {}
workflow_dispatch: workflow_dispatch:
inputs: inputs:
sdk_branch: sdk_branch:
@ -41,13 +39,18 @@ defaults:
working-directory: apps/cli working-directory: apps/cli
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
package_version: ${{ steps.retrieve-package-version.outputs.package_version }} package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -68,14 +71,6 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
cli: cli:
name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }} name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }}
strategy: strategy:
@ -122,7 +117,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -135,7 +130,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -277,7 +272,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -290,7 +285,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../


@ -1,38 +0,0 @@
name: Build Desktop on PR Target
on:
pull_request_target:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/desktop/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-desktop.yml'
workflow_dispatch:
inputs:
sdk_branch:
description: "Custom SDK branch"
required: false
type: string
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Desktop on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-desktop.yml
secrets: inherit


@ -1,7 +1,7 @@
name: Build Desktop name: Build Desktop
on: on:
pull_request: pull_request_target:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -25,8 +25,6 @@ on:
- '!*.md' - '!*.md'
- '!*.txt' - '!*.txt'
- '.github/workflows/build-desktop.yml' - '.github/workflows/build-desktop.yml'
workflow_call:
inputs: {}
workflow_dispatch: workflow_dispatch:
inputs: inputs:
sdk_branch: sdk_branch:
@ -39,9 +37,15 @@ defaults:
shell: bash shell: bash
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
electron-verify: electron-verify:
name: Verify Electron Version name: Verify Electron Version
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -63,6 +67,8 @@ jobs:
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
package_version: ${{ steps.retrieve-version.outputs.package_version }} package_version: ${{ steps.retrieve-version.outputs.package_version }}
release_channel: ${{ steps.release-channel.outputs.channel }} release_channel: ${{ steps.release-channel.outputs.channel }}
@ -70,7 +76,6 @@ jobs:
rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }} rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }} hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
defaults: defaults:
run: run:
working-directory: apps/desktop working-directory: apps/desktop
@ -133,14 +138,6 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
linux: linux:
name: Linux Build name: Linux Build
# Note, before updating the ubuntu version of the workflow, ensure the snap base image # Note, before updating the ubuntu version of the workflow, ensure the snap base image
@ -336,14 +333,12 @@ jobs:
rustup show rustup show
- name: Login to Azure - name: Login to Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets - name: Retrieve secrets
id: retrieve-secrets id: retrieve-secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/get-keyvault-secrets@main uses: bitwarden/gh-actions/get-keyvault-secrets@main
with: with:
keyvault: "bitwarden-ci" keyvault: "bitwarden-ci"
@ -358,7 +353,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -371,7 +366,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -391,17 +386,7 @@ jobs:
working-directory: apps/desktop/desktop_native working-directory: apps/desktop/desktop_native
run: node build.js cross-platform run: node build.js cross-platform
- name: Build - name: Build & Sign (dev)
run: |
npm run build
- name: Pack
if: ${{ needs.setup.outputs.has_secrets == 'false' }}
run: |
npm run pack:win
- name: Pack & Sign (dev)
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
ELECTRON_BUILDER_SIGN: 1 ELECTRON_BUILDER_SIGN: 1
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }} SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
@ -410,10 +395,10 @@ jobs:
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }} SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }}
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }} SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }}
run: | run: |
npm run build
npm run pack:win npm run pack:win
- name: Rename appx files for store - name: Rename appx files for store
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" ` Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" `
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx" -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx"
@ -423,7 +408,6 @@ jobs:
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx" -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx"
- name: Package for Chocolatey - name: Package for Chocolatey
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe ` Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe `
@ -435,7 +419,6 @@ jobs:
choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey
- name: Fix NSIS artifact names for auto-updater - name: Fix NSIS artifact names for auto-updater
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z ` Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z `
-NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z -NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@ -452,7 +435,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload installer exe artifact - name: Upload installer exe artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
@ -460,7 +442,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload appx ia32 artifact - name: Upload appx ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
@ -468,7 +449,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload store appx ia32 artifact - name: Upload store appx ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
@ -476,7 +456,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload NSIS ia32 artifact - name: Upload NSIS ia32 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
@ -484,7 +463,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload appx x64 artifact - name: Upload appx x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
@ -492,7 +470,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload store appx x64 artifact - name: Upload store appx x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
@ -500,7 +477,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload NSIS x64 artifact - name: Upload NSIS x64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
@ -508,7 +484,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload appx ARM64 artifact - name: Upload appx ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
@ -516,7 +491,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload store appx ARM64 artifact - name: Upload store appx ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
@ -524,7 +498,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload NSIS ARM64 artifact - name: Upload NSIS ARM64 artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
@ -532,7 +505,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload nupkg artifact - name: Upload nupkg artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
@ -540,7 +512,6 @@ jobs:
if-no-files-found: error if-no-files-found: error
- name: Upload auto-update artifact - name: Upload auto-update artifact
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with: with:
name: ${{ needs.setup.outputs.release_channel }}.yml name: ${{ needs.setup.outputs.release_channel }}.yml
@ -603,13 +574,11 @@ jobs:
key: ${{ runner.os }}-${{ github.run_id }}-safari-extension key: ${{ runner.os }}-${{ github.run_id }}-safari-extension
- name: Login to Azure - name: Login to Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Download Provisioning Profiles secrets - name: Download Provisioning Profiles secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
ACCOUNT_NAME: bitwardenci ACCOUNT_NAME: bitwardenci
CONTAINER_NAME: profiles CONTAINER_NAME: profiles
@ -622,7 +591,6 @@ jobs:
--output none --output none
- name: Get certificates - name: Get certificates
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
mkdir -p $HOME/certificates mkdir -p $HOME/certificates
@ -645,7 +613,6 @@ jobs:
jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
- name: Set up keychain - name: Set up keychain
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env: env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: | run: |
@ -675,7 +642,6 @@ jobs:
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
- name: Set up provisioning profiles - name: Set up provisioning profiles
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: | run: |
cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \
$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile $GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile
@ -695,7 +661,7 @@ jobs:
working-directory: ./ working-directory: ./
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -708,7 +674,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -735,7 +701,6 @@ jobs:
browser-build: browser-build:
name: Browser Build name: Browser Build
needs: setup needs: setup
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: ./.github/workflows/build-browser.yml uses: ./.github/workflows/build-browser.yml
secrets: inherit secrets: inherit
@ -743,7 +708,6 @@ jobs:
macos-package-github: macos-package-github:
name: MacOS Package GitHub Release Assets name: MacOS Package GitHub Release Assets
runs-on: macos-13 runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs: needs:
- browser-build - browser-build
- macos-build - macos-build
@ -985,7 +949,6 @@ jobs:
macos-package-mas: macos-package-mas:
name: MacOS Package Prod Release Asset name: MacOS Package Prod Release Asset
runs-on: macos-13 runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs: needs:
- browser-build - browser-build
- macos-build - macos-build
@ -1253,7 +1216,6 @@ jobs:
macos-package-dev: macos-package-dev:
name: MacOS Package Dev Release Asset name: MacOS Package Dev Release Asset
runs-on: macos-13 runs-on: macos-13
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
needs: needs:
- browser-build - browser-build
- macos-build - macos-build
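Review bot: The restored `Build & Sign (dev)` step runs `npm run build` and `npm run pack:win` under one `env` block that carries `SIGNING_CLIENT_SECRET` and the other code-signing values, so every script run by the compile can read the signing credentials. Now that the workflow triggers on `pull_request_target`, I would keep the compile in its own step with no signing `env` (`- name: Build` with `run: npm run build`) and pass the signing variables only to the step that runs `npm run pack:win`. The `Login to Azure` and `Retrieve secrets` steps likewise lose their `if:` guards, so they will fail rather than be skipped when the secret is unavailable. Whether the checkout builds the pull request's head is not visible in these hunks, and the job's step list continues outside them.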


@ -1,41 +0,0 @@
name: Build Web on PR Target
on:
pull_request_target:
types: [opened, synchronize]
branches-ignore:
- 'l10n_master'
- 'cf-pages'
paths:
- 'apps/web/**'
- 'libs/**'
- '*'
- '!*.md'
- '!*.txt'
- '.github/workflows/build-web.yml'
workflow_dispatch:
inputs:
custom_tag_extension:
description: "Custom image tag extension"
required: false
sdk_branch:
description: "Custom SDK branch"
required: false
type: string
defaults:
run:
shell: bash
jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
run-workflow:
name: Run Build Web on PR Target
needs: check-run
if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
uses: ./.github/workflows/build-web.yml
secrets: inherit


@ -1,7 +1,7 @@
name: Build Web name: Build Web
on: on:
pull_request: pull_request_target:
types: [opened, synchronize] types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
@ -27,8 +27,6 @@ on:
- '.github/workflows/build-web.yml' - '.github/workflows/build-web.yml'
release: release:
types: [published] types: [published]
workflow_call:
inputs: {}
workflow_dispatch: workflow_dispatch:
inputs: inputs:
custom_tag_extension: custom_tag_extension:
@ -43,13 +41,18 @@ env:
_AZ_REGISTRY: bitwardenprod.azurecr.io _AZ_REGISTRY: bitwardenprod.azurecr.io
jobs: jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs:
- check-run
outputs: outputs:
version: ${{ steps.version.outputs.value }} version: ${{ steps.version.outputs.value }}
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
steps: steps:
- name: Check out repo - name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -67,14 +70,6 @@ jobs:
NODE_VERSION=${NODE_NVMRC/v/''} NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
- name: Check secrets
id: check-secrets
env:
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
run: |
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
build-artifacts: build-artifacts:
name: Build artifacts name: Build artifacts
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -133,7 +128,7 @@ jobs:
run: npm ci run: npm ci
- name: Download SDK Artifacts - name: Download SDK Artifacts
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
uses: bitwarden/gh-actions/download-artifacts@main uses: bitwarden/gh-actions/download-artifacts@main
with: with:
github_token: ${{secrets.GITHUB_TOKEN}} github_token: ${{secrets.GITHUB_TOKEN}}
@ -146,7 +141,7 @@ jobs:
if_no_artifact_found: fail if_no_artifact_found: fail
- name: Override SDK - name: Override SDK
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }} if: ${{ inputs.sdk_branch != '' }}
working-directory: ./ working-directory: ./
run: | run: |
ls -l ../ ls -l ../
@ -215,23 +210,19 @@ jobs:
########## ACRs ########## ########## ACRs ##########
- name: Login to Prod Azure - name: Login to Prod Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Log into Prod container registry - name: Log into Prod container registry
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: az acr login -n bitwardenprod run: az acr login -n bitwardenprod
- name: Login to Azure - CI Subscription - name: Login to Azure - CI Subscription
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with: with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve github PAT secrets - name: Retrieve github PAT secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
id: retrieve-secret-pat id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main uses: bitwarden/gh-actions/get-keyvault-secrets@main
with: with:
@ -279,7 +270,6 @@ jobs:
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
- name: Build Docker image - name: Build Docker image
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with: with:
context: apps/web context: apps/web
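Review bot: `Login to Prod Azure` and `Log into Prod container registry` lose their `if:` guards, so with the `pull_request_target` trigger the production registry credentials (`secrets.AZURE_PROD_KV_CREDENTIALS`) are loaded on pull-request runs as well as on release and manual runs. If pull-request builds do not need to reach the production registry, an event guard on those two steps such as `if: ${{ github.event_name != 'pull_request_target' }}` keeps the prod credentials out of PR-triggered runs. Whether the image is pushed on pull-request runs, and which job these steps belong to, is outside the visible hunks, so treat this as something to confirm.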


@ -1,20 +1,12 @@
name: Lint name: Lint
on: on:
pull_request: push:
types: [opened, synchronize]
branches-ignore: branches-ignore:
- 'l10n_master' - 'l10n_master'
- 'cf-pages' - 'cf-pages'
paths-ignore: paths-ignore:
- '.github/workflows/**' - '.github/workflows/**'
push:
branches:
- 'main'
- 'rc'
- 'hotfix-rc-*'
paths-ignore:
- '.github/workflows/**'
workflow_dispatch: workflow_dispatch:
inputs: {} inputs: {}
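Review bot: With the `pull_request` trigger removed and `push` widened to every branch except the two ignored ones, lint runs only for branches pushed to this repository. Pull requests opened from forks raise no `push` event here, so they would reach review without a lint run unless another workflow covers them. If that is intended, a comment above `push:` such as `# fork pull requests are not linted by this workflow` would record it. Otherwise keep a `pull_request:` trigger alongside `push:`, since it runs without access to repository secrets.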