bitwarden-desktop/.github/workflows/release.yml

---
name: Release

on:
  workflow_dispatch:
    inputs:
      release_tag_name_input:
        description: 'Release Tag Name <X.X.X>'
        required: true
      browser_extension_ref:
        description: 'Browser Extension ref (defaults to `master`):'
        default: rc

jobs:
  setup:
    name: Setup
    runs-on: ubuntu-latest
    outputs:
      release_upload_url: ${{ steps.create_release.outputs.upload_url }}
    steps:
      - name: Branch check
        run: |
          if [[ "$GITHUB_REF" != "refs/heads/rc" ]]; then
            echo "==================================="
            echo "[!] Can only release from rc branch"
            echo "==================================="
            exit 1
          fi

      - name: Checkout repo
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # v2.3.4

      - name: Create Release Vars
        id: create_tags
        run: |
          case "${RELEASE_TAG_NAME_INPUT:0:1}" in
            v)
              echo "RELEASE_NAME=${RELEASE_TAG_NAME_INPUT:1}" >> $GITHUB_ENV
              echo "RELEASE_TAG_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
              ;;
            [0-9])
              echo "RELEASE_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
              echo "RELEASE_TAG_NAME=v$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
              ;;
            *)
              exit 1
              ;;
          esac
        env:
          RELEASE_TAG_NAME_INPUT: ${{ github.event.inputs.release_tag_name_input }}

      - name: Create Draft Release
        id: create_release
        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e  # v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ env.RELEASE_TAG_NAME }}
          release_name: Version ${{ env.RELEASE_NAME }}
          draft: true
          prerelease: false

  linux:
    name: Linux
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - name: Checkout repo
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # v2.3.4

      - name: Set up Node
        uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea  # v2.1.5
        with:
          node-version: '14'

      - name: Cache Node Modules
        id: node-modules-cache
        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353  # v2.1.6
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-${{ github.run_id }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Set Node options
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV

      - name: Update NPM
        run: |
          npm install -g npm@7
          npm install -g node-gyp
          node-gyp install $(node -v)

      - name: Set up environment
        run: |
          sudo apt-get update
          sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev rpm

      - name: Print environment
        run: |
          node --version
          npm --version

      - name: Load package version
        run: ./.github/scripts/load-version.ps1
        shell: pwsh

      - name: Install Node dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm install

      - name: Run linter
        run: npm run lint

      - name: Build & Publish
        run: npm run publish:lin
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  windows-signed:
    name: Windows Signed
    runs-on: windows-latest
    needs: setup
    steps:
      - name: Checkout repo
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # v2.3.4

      - name: Set up dotnet
        uses: actions/setup-dotnet@a71d1eb2c86af85faa8c772c03fb365e377e45ea  # v1.8.0
        with:
          dotnet-version: "3.1.x"

      - name: Set up Node
        uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea  # v2.1.5
        with:
          node-version: '14'

      - name: Cache Node Modules
        id: node-modules-cache
        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353  # v2.1.6
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-${{ github.run_id }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Set Node options
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
        shell: pwsh

      - name: Update NPM
        run: |
          npm install -g npm@7
          npm install -g node-gyp
          node-gyp install $(node -v)

      - name: Install AST
        shell: pwsh
        run: |
          cd $HOME

          git clone https://github.com/vcsjones/AzureSignTool.git
          cd AzureSignTool
          $latest_head = $(git rev-parse HEAD)[0..9] -join ""
          $latest_version = "0.0.0-g$latest_head"

          Write-Host "--------"
          Write-Host "git commit - $(git rev-parse HEAD)"
          Write-Host "latest_head - $latest_head"
          Write-Host "PACKAGE VERSION TO BUILD - $latest_version"
          Write-Host "--------"

          dotnet restore
          dotnet pack --output ./nupkg
          dotnet tool install --global --ignore-failed-sources --add-source ./nupkg --version $latest_version azuresigntool

      - name: Set up environment
        shell: pwsh
        run: |
          choco install checksum --no-progress
          choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/
        env:
          CHOCO_API_KEY: ${{ secrets.CHOCO_API_KEY }}

      - name: Print environment
        run: |
          node --version
          npm --version
          choco --version

      - name: Load package version
        run: ./.github/scripts/load-version.ps1
        shell: pwsh

      - name: Install Node dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm install

      - name: Run linter
        run: npm run lint

      - name: Build, Sign & Release
        run: npm run publish:win
        env:
          ELECTRON_BUILDER_SIGN: 1
          SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }}
          SIGNING_CLIENT_ID: ${{ secrets.SIGNING_CLIENT_ID }}
          SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
          SIGNING_CLIENT_SECRET: ${{ secrets.SIGNING_CLIENT_SECRET }}
          SIGNING_CERT_NAME: ${{ secrets.SIGNING_CERT_NAME }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Package Chocolatey
        shell: pwsh
        run: |
          Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
          Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe -Destination ./dist/chocolatey

          $checksum = checksum -t sha256 ./dist/chocolatey/Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe
          $chocoInstall = "./dist/chocolatey/tools/chocolateyinstall.ps1"
          (Get-Content $chocoInstall).replace('__version__', "$env:PACKAGE_VERSION").replace('__checksum__', $checksum) | Set-Content $chocoInstall
          ls dist/chocolatey
          choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:PACKAGE_VERSION" --out ./dist/chocolatey
          cd ./dist/chocolatey

      - name: Upload Chocolatey nupkg release asset
        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5  # v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: bitwarden.${{ env.PACKAGE_VERSION }}.nupkg
          asset_path: ./dist/chocolatey/bitwarden.${{ env.PACKAGE_VERSION }}.nupkg
          asset_content_type: application

  windows-store:
    name: Windows Store
    runs-on: windows-latest
    needs: setup
    steps:
      - name: Checkout repo
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # v2.3.4

      - name: Set up Node
        uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea  # v2.1.5
        with:
          node-version: '14'

      - name: Cache Node Modules
        id: node-modules-cache
        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353  # v2.1.6
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-${{ github.run_id }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Set Node options
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
        shell: pwsh

      - name: Update NPM
        run: |
          npm install -g npm@7
          npm install -g node-gyp
          node-gyp install $(node -v)

      - name: Set up environment
        shell: pwsh
        run: |
          choco install checksum --no-progress

      - name: Print environment
        run: |
          node --version
          npm --version
          choco --version

      - name: Load package version
        run: ./.github/scripts/load-version.ps1
        shell: pwsh

      - name: Install Node dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm install

      - name: Run linter
        run: npm run lint

      - name: Build, Sign & Release
        run: npm run dist:win:ci

      - name: Upload unsigned ia32 Windows Store release asset
        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5  # v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: Bitwarden-${{ env.PACKAGE_VERSION }}-ia32-store.appx
          asset_path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-ia32.appx
          asset_content_type: application

      - name: Upload unsigned x64 Windows Store release asset
        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5  # v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: Bitwarden-${{ env.PACKAGE_VERSION }}-x64-store.appx
          asset_path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64.appx
          asset_content_type: application

      - name: Upload unsigned ARM64 Windows Store release asset
        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5  # v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: Bitwarden-${{ env.PACKAGE_VERSION }}-arm64-store.appx
          asset_path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-arm64.appx
          asset_content_type: application

  macos:
    name: MacOS
    runs-on: macos-latest
    needs: setup
    steps:
      - name: Checkout repo
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # v2.3.4

      - name: Set up Node
        uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea  # v2.1.5
        with:
          node-version: '14'

      - name: Cache Node Modules
        id: node-modules-cache
        uses: actions/cache@c64c572235d810460d0d6876e9c705ad5002b353  # v2.1.6
        with:
          path: '**/node_modules'
          key: ${{ runner.os }}-${{ github.run_id }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Set Node options
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV

      - name: Update NPM
        run: |
          npm install -g npm@7
          npm install -g node-gyp
          node-gyp install $(node -v)

      - name: Print environment
        run: |
          node --version
          npm --version
          echo "GitHub ref: $GITHUB_REF"
          echo "GitHub event: $GITHUB_EVENT"

      - name: Decrypt secrets
        run: ./.github/scripts/macos/decrypt-secrets.ps1
        shell: pwsh
        env:
          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}

      - name: Set up keychain
        run: ./.github/scripts/macos/setup-keychain.ps1
        shell: pwsh
        env:
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
          DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
          APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
          MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}

      - name: Set up provisioning profiles
        run: ./.github/scripts/macos/setup-profiles.ps1
        shell: pwsh

      - name: Increment version
        run: ./.github/scripts/macos/increment-version.ps1
        shell: pwsh

      - name: Load package version
        run: ./.github/scripts/load-version.ps1
        shell: pwsh

      - name: Install Node dependencies
        if: steps.node-modules-cache.outputs.cache-hit != 'true'
        run: npm install

      - name: Run linter
        run: npm run lint

      - name: Create Safari directory
        shell: pwsh
        run: New-Item ./dist-safari -ItemType Directory -ea 0

      - name: Checkout browser extension
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # v2.3.4
        with:
          repository: 'bitwarden/browser'
          ref: ${{ github.event.inputs.browser_extension_ref }}
          path: 'dist-safari/browser'

      - name: Build Safari extension
        shell: pwsh
        run: ./scripts/safari-build.ps1 -skipcheckout -skipoutcopy

      - name: Load Safari extension for .dmg
        shell: pwsh
        run: ./scripts/safari-build.ps1 -copyonly

      - name: Build application (dist)
        run: npm run publish:mac
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}

      - name: Load Safari extension for App Store
        shell: pwsh
        run: ./scripts/safari-build.ps1 -mas -copyonly

      - name: Build application for App Store
        run: npm run dist:mac:mas
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
          SDKROOT: /Library/Developer/CommandLineTools/SDKs/MacOSX11.1.sdk/
          SDK_DIR: /Library/Developer/CommandLineTools/SDKs/MacOSX11.1.sdk/

      - name: Upload Apple Store release asset
        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5  # v1.0.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: Bitwarden-${{ env.PACKAGE_VERSION }}-universal.pkg
          asset_path: ./dist/mas-universal/Bitwarden-${{ env.PACKAGE_VERSION }}-universal.pkg
          asset_content_type: application


  update-release-assets:
    name: Update Release Assets
    runs-on: ubuntu-latest
    needs:
      - setup
      - linux
      - windows-signed
      - macos
    env:
      _TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f  # v2.3.4

      - name: Rename publish asset
        run: |
          curl \
              -H "Authorization:token ${{ secrets.GITHUB_TOKEN }}" \
              -H "Accept:application/vnd.github.v3+json" \
              https://api.github.com/repos/$GITHUB_REPOSITORY/releases \
              | jq -r " .[] | select( .tag_name == \"$_TAG_VERSION\")" > release.json

          echo "=====RELEASE====="
          echo Release:
          #cat release.json

          RELEASE_UPLOAD_URL=$(cat release.json | jq -r ' .upload_url ' | cut -d { -f 1)
          cat release.json | jq -rc ' .assets[] | select( .name | test("latest.*[yml|json]")) | {name: .name,  url: .url, content_type: .content_type}' > release_assets.jsonl

          echo "=====ASSETS====="
          echo Release Upload URL: $RELEASE_UPLOAD_URL
          echo Release Assets:
          cat release_assets.jsonl

          while read -r asset; do
              FILE_NAME=$(echo $asset | jq -r '.name')
              FILE_URL=$(echo $asset | jq -r '.url')
              FILE_ID=$(echo $asset | jq -r '.id')
              echo "Asset name: $FILE_NAME"
              echo "Asset url: $FILE_URL"

              echo "Grabbing asset..."
              curl \
                  -L -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
                  -H "Accept: application/octet-stream" \
                  $FILE_URL --output  $FILE_NAME

              NEW_FILE_SIZE=$(wc -c < $FILE_NAME | xargs)
              echo "New file size: $NEW_FILE_SIZE"
              echo "New file name: $FILE_NAME"
              echo "================"

              echo "Deleting remote asset..."
              curl \
                  -X DELETE \
                  -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
                  -H "accept: application/vnd.github.v3+json" \
                  $FILE_URL

              echo "Pushing updated asset..."
              curl \
                  -X POST \
                  -H "authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
                  -H "content-type: text/yaml" \
                  -H "content-length: $NEW_FILE_SIZE" \
                  --data-binary @$FILE_NAME \
                  "$RELEASE_UPLOAD_URL?name=prerelease-$FILE_NAME" --http1.1
          done < release_assets.jsonl