2022-11-16 19:47:25 +01:00
|
|
|
---
|
|
|
|
name: Build Self-Host
|
|
|
|
|
|
|
|
on:
|
2022-11-18 20:39:01 +01:00
|
|
|
push:
|
|
|
|
branches-ignore:
|
|
|
|
- "l10n_master"
|
|
|
|
- "gh-pages"
|
|
|
|
paths-ignore:
|
|
|
|
- ".github/workflows/**"
|
2022-11-16 19:47:25 +01:00
|
|
|
workflow_dispatch:
|
|
|
|
|
|
|
|
jobs:
|
2022-11-18 20:39:01 +01:00
|
|
|
build-docker:
|
|
|
|
name: Build Docker image
|
2022-11-16 19:47:25 +01:00
|
|
|
runs-on: ubuntu-22.04
|
|
|
|
steps:
|
|
|
|
- name: Checkout repo
|
|
|
|
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
|
2022-11-18 20:39:01 +01:00
|
|
|
|
2022-11-23 23:47:57 +01:00
|
|
|
- name: Check Branch to Publish
|
|
|
|
env:
|
|
|
|
PUBLISH_BRANCHES: "master,rc,hotfix-rc,rc-2022.12"
|
|
|
|
id: publish-branch-check
|
|
|
|
run: |
|
|
|
|
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
|
|
|
|
|
|
|
|
if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
|
|
|
|
echo "is_publish_branch=true" >> $GITHUB_ENV
|
|
|
|
else
|
|
|
|
echo "is_publish_branch=false" >> $GITHUB_ENV
|
|
|
|
fi
|
|
|
|
|
2022-11-18 20:39:01 +01:00
|
|
|
########## Set up Docker ##########
|
|
|
|
- name: Set up QEMU emulators
|
|
|
|
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18
|
|
|
|
|
|
|
|
- name: Set up Docker Buildx
|
|
|
|
uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325
|
|
|
|
|
2022-11-23 19:48:09 +01:00
|
|
|
########## Login to Docker registries ##########
|
2022-11-18 20:39:01 +01:00
|
|
|
- name: Login to Azure - QA Subscription
|
|
|
|
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
|
|
|
|
with:
|
|
|
|
creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}
|
|
|
|
|
|
|
|
- name: Login to Azure ACR
|
|
|
|
run: az acr login -n bitwardenqa
|
|
|
|
|
|
|
|
- name: Login to Azure - Prod Subscription
|
2022-11-23 23:47:57 +01:00
|
|
|
if: ${{ env.is_publish_branch == 'true' }}
|
2022-11-18 20:39:01 +01:00
|
|
|
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
|
|
|
|
with:
|
|
|
|
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
|
|
|
|
|
|
|
|
- name: Retrieve secrets
|
2022-11-23 23:47:57 +01:00
|
|
|
if: ${{ env.is_publish_branch == 'true' }}
|
2022-11-18 20:39:01 +01:00
|
|
|
id: retrieve-secrets
|
|
|
|
uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
|
|
|
|
with:
|
|
|
|
keyvault: "bitwarden-prod-kv"
|
|
|
|
secrets: "docker-password,
|
|
|
|
docker-username,
|
|
|
|
dct-delegate-2-repo-passphrase,
|
|
|
|
dct-delegate-2-key"
|
|
|
|
|
|
|
|
- name: Log into Docker
|
2022-11-23 23:47:57 +01:00
|
|
|
if: ${{ env.is_publish_branch == 'true' }}
|
2022-11-18 20:39:01 +01:00
|
|
|
env:
|
|
|
|
DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
|
|
|
|
DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
|
|
|
|
run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
|
|
|
|
|
|
|
|
- name: Setup Docker Trust
|
|
|
|
if: |
|
2022-11-23 23:47:57 +01:00
|
|
|
false &&
|
|
|
|
${{ env.is_publish_branch == 'true' }}
|
2022-11-18 20:39:01 +01:00
|
|
|
env:
|
|
|
|
DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
|
|
|
|
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
|
|
|
|
DCT_REPO_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
|
|
|
|
run: |
|
|
|
|
mkdir -p ~/.docker/trust/private
|
|
|
|
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
|
|
|
|
echo "DOCKER_CONTENT_TRUST=1" >> $GITHUB_ENV
|
|
|
|
echo "DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=$DCT_REPO_PASSPHRASE" >> $GITHUB_ENV
|
|
|
|
|
2022-11-23 19:48:09 +01:00
|
|
|
########## Generate image tag and build Docker image ##########
|
|
|
|
- name: Generate Docker image tag
|
|
|
|
id: tag
|
|
|
|
run: |
|
|
|
|
IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name
|
|
|
|
if [[ "$IMAGE_TAG" == "master" ]]; then
|
|
|
|
IMAGE_TAG=dev
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
|
|
|
|
|
|
|
|
- name: Generate tag list
|
|
|
|
id: tag-list
|
2022-11-18 20:39:01 +01:00
|
|
|
env:
|
2022-11-23 16:21:22 +01:00
|
|
|
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
|
2022-11-18 20:39:01 +01:00
|
|
|
run: |
|
2022-11-24 02:04:19 +01:00
|
|
|
if [ "$IMAGE_TAG" = "dev" ] || [ "$IMAGE_TAG" = "rc-2022.12" ]; then
|
2022-11-23 19:48:09 +01:00
|
|
|
echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
|
|
|
|
else
|
|
|
|
echo "tags=bitwardenqa.azurecr.io/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
|
|
|
|
fi
|
|
|
|
|
|
|
|
- name: Build Docker image
|
|
|
|
uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5
|
|
|
|
with:
|
|
|
|
context: .
|
|
|
|
file: docker-unified/Dockerfile
|
|
|
|
platforms: |
|
|
|
|
linux/amd64,
|
|
|
|
linux/arm/v7,
|
|
|
|
linux/arm64/v8
|
|
|
|
push: true
|
|
|
|
tags: ${{ steps.tag-list.outputs.tags }}
|
2022-11-18 20:39:01 +01:00
|
|
|
|
|
|
|
- name: Log out of Docker and disable Docker Notary
|
2022-11-23 23:47:57 +01:00
|
|
|
if: ${{ env.is_publish_branch == 'true' }}
|
2022-11-18 20:39:01 +01:00
|
|
|
run: |
|
|
|
|
docker logout
|
|
|
|
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
|
|
|
|
|
|
|
|
check-failures:
|
|
|
|
name: Check for failures
|
|
|
|
if: always()
|
|
|
|
runs-on: ubuntu-22.04
|
|
|
|
needs: build-docker
|
|
|
|
steps:
|
|
|
|
- name: Check if any job failed
|
|
|
|
if: |
|
|
|
|
github.ref == 'refs/heads/master'
|
|
|
|
|| github.ref == 'refs/heads/rc'
|
|
|
|
|| github.ref == 'refs/heads/hotfix-rc'
|
|
|
|
env:
|
|
|
|
BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
|
|
|
|
run: |
|
|
|
|
if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
- name: Login to Azure - Prod Subscription
|
|
|
|
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
|
|
|
|
if: failure()
|
|
|
|
with:
|
|
|
|
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
|
|
|
|
|
|
|
|
- name: Retrieve secrets
|
|
|
|
id: retrieve-secrets
|
|
|
|
uses: bitwarden/gh-actions/get-keyvault-secrets@c3b3285993151c5af47cefcb3b9134c28ab479af
|
|
|
|
if: failure()
|
|
|
|
with:
|
|
|
|
keyvault: "bitwarden-prod-kv"
|
|
|
|
secrets: "devops-alerts-slack-webhook-url"
|
|
|
|
|
|
|
|
- name: Notify Slack on failure
|
|
|
|
uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33
|
|
|
|
if: failure()
|
|
|
|
env:
|
|
|
|
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
|
|
|
|
with:
|
|
|
|
status: ${{ job.status }}
|