--- name: Build Web on: pull_request: branches-ignore: - 'l10n_master' - 'cf-pages' paths: - 'apps/web/**' - 'libs/**' - '*' - '!*.md' - '!*.txt' - '.github/workflows/build-web.yml' push: branches: - 'master' - 'rc' - 'hotfix-rc-web' paths: - 'apps/web/**' - 'libs/**' - '*' - '!*.md' - '!*.txt' - '.github/workflows/build-web.yml' workflow_dispatch: inputs: custom_tag_extension: description: "Custom image tag extension" required: false jobs: cloc: name: CLOC runs-on: ubuntu-22.04 steps: - name: Checkout repo uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up cloc run: | sudo apt update sudo apt -y install cloc - name: Print lines of code working-directory: apps/web run: cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git setup: name: Setup runs-on: ubuntu-22.04 outputs: version: ${{ steps.version.outputs.value }} steps: - name: Checkout repo uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Get GitHub sha as version id: version run: echo "value=${GITHUB_SHA:0:7}" >> $GITHUB_OUTPUT build-artifacts: name: Build artifacts runs-on: ubuntu-22.04 needs: - setup env: _VERSION: ${{ needs.setup.outputs.version }} strategy: matrix: include: - name: "selfhosted-open-source" npm_command: "dist:oss:selfhost" - name: "cloud-COMMERCIAL" npm_command: "dist:bit:cloud" - name: "selfhosted-COMMERCIAL" npm_command: "dist:bit:selfhost" - name: "cloud-QA" npm_command: "build:bit:qa" - name: "cloud-POC2" npm_command: "build:bit:poc" - name: "ee" npm_command: "build:bit:ee" steps: - name: Checkout repo uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Node uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: cache: 'npm' cache-dependency-path: '**/package-lock.json' node-version: "16" - name: Print environment run: | whoami node --version npm --version gulp --version docker --version echo "GitHub ref: $GITHUB_REF" echo "GitHub event: $GITHUB_EVENT" - name: Install dependencies run: npm ci - name: Setup QA metadata working-directory: apps/web if: matrix.name == 'cloud-QA' run: | VERSION=$( jq -r ".version" package.json) jq --arg version "$VERSION+${GITHUB_SHA:0:7}" '.version = $version' package.json > package.json.tmp mv package.json.tmp package.json - name: Build ${{ matrix.name }} working-directory: apps/web run: npm run ${{ matrix.npm_command }} - name: Package artifact working-directory: apps/web run: zip -r web-${{ env._VERSION }}-${{ matrix.name }}.zip build - name: Upload ${{ matrix.name }} artifact uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: web-${{ env._VERSION }}-${{ matrix.name }}.zip path: apps/web/web-${{ env._VERSION }}-${{ matrix.name }}.zip if-no-files-found: error build-containers: name: Build Docker images runs-on: ubuntu-22.04 needs: - setup - build-artifacts strategy: fail-fast: false matrix: include: - artifact_name: cloud-QA registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] image_name: web-qa-cloud - artifact_name: ee registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] image_name: web-ee - artifact_name: selfhosted-COMMERCIAL registries: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io] image_name: web env: _VERSION: ${{ needs.setup.outputs.version }} steps: - name: Checkout repo uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Check Branch to Publish env: PUBLISH_BRANCHES: "master,rc,hotfix-rc" id: publish-branch-check run: | IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then echo "is_publish_branch=true" >> $GITHUB_ENV else echo "is_publish_branch=false" >> $GITHUB_ENV fi ########## ACRs ########## - name: Login to Azure - QA uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }} - name: Log into QA container registry run: az acr login -n bitwardenqa - name: Login to Azure - Prod uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - name: Log into Prod container registry run: az acr login -n bitwardenprod - name: Download ${{ matrix.artifact_name }} artifact uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip path: apps/web ########## Generate image tag and build Docker image ########## - name: Generate Docker image tag id: tag run: | if [[ $(grep "pull" <<< "${GITHUB_REF}") ]]; then IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g") else IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") fi if [[ "$IMAGE_TAG" == "master" ]]; then IMAGE_TAG=dev fi TAG_EXTENSION=${{ github.event.inputs.custom_tag_extension }} if [[ $TAG_EXTENSION ]]; then IMAGE_TAG=$IMAGE_TAG-$TAG_EXTENSION fi echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT - name: Generate tag list id: tag-list env: IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} PROJECT_NAME: ${{ matrix.image_name }} run: echo "tags=bitwardenqa.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG},bitwardenprod.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT ########## Build Image ########## - name: Extract artifact working-directory: apps/web run: unzip web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip - name: Login to Azure uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve github PAT secrets id: retrieve-secret-pat uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f with: keyvault: "bitwarden-ci" secrets: "github-pat-bitwarden-devops-bot-repo-scope" - name: Setup DCT if: ${{ env.is_publish_branch == 'true' }} id: setup-dct uses: bitwarden/gh-actions/setup-docker-trust@ea03b38348a42e18ac63c17f97004697f65e0dc6 with: azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} azure-keyvault-name: "bitwarden-ci" - name: Build Docker image uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 with: context: apps/web file: apps/web/Dockerfile platforms: linux/amd64 push: true tags: ${{ steps.tag-list.outputs.tags }} secrets: | "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" - name: Push to DockerHub if: contains(matrix.registries, 'bitwarden') && env.is_publish_branch == 'true' env: IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} PROJECT_NAME: ${{ matrix.image_name }} DOCKER_CONTENT_TRUST: 1 DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} run: | docker tag bitwardenprod.azurecr.io/$PROJECT_NAME:$IMAGE_TAG bitwarden/$PROJECT_NAME:$IMAGE_TAG docker push bitwarden/$PROJECT_NAME:$IMAGE_TAG - name: Log out of Docker run: docker logout crowdin-push: name: Crowdin Push if: github.ref == 'refs/heads/master' needs: - build-artifacts runs-on: ubuntu-22.04 steps: - name: Checkout repo uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Login to Azure uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f with: keyvault: "bitwarden-ci" secrets: "crowdin-api-token" - name: Upload Sources uses: crowdin/github-action@3cabba4ddfd0579a1236b3fb68405236dc489ccc # v1.8.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }} CROWDIN_PROJECT_ID: "308189" with: config: apps/web/crowdin.yml crowdin_branch_name: master upload_sources: true upload_translations: false check-failures: name: Check for failures if: always() runs-on: ubuntu-22.04 needs: - cloc - setup - build-artifacts - build-containers - crowdin-push steps: - name: Check if any job failed if: ${{ (github.ref == 'refs/heads/master') || (github.ref == 'refs/heads/rc') }} env: CLOC_STATUS: ${{ needs.cloc.result }} SETUP_STATUS: ${{ needs.setup.result }} ARTIFACT_STATUS: ${{ needs.build-artifacts.result }} BUILD_CONTAINERS_STATUS: ${{ needs.build-containers.result }} CROWDIN_PUSH_STATUS: ${{ needs.crowdin-push.result }} run: | if [ "$CLOC_STATUS" = "failure" ]; then exit 1 elif [ "$SETUP_STATUS" = "failure" ]; then exit 1 elif [ "$ARTIFACT_STATUS" = "failure" ]; then exit 1 elif [ "$BUILD_SELFHOST_STATUS" = "failure" ]; then exit 1 elif [ "$BUILD_CONTAINERS_STATUS" = "failure" ]; then exit 1 elif [ "$CROWDIN_PUSH_STATUS" = "failure" ]; then exit 1 fi - name: Login to Azure - Prod Subscription uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 if: failure() with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets if: failure() uses: bitwarden/gh-actions/get-keyvault-secrets@34ecb67b2a357795dc893549df0795e7383ff50f with: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} with: status: ${{ job.status }}