1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-25 12:45:18 +01:00

Protecting Versioned Docker Images in the CI Pipeline (#1462)

* moving the docker versioning into the deploy since it is an actual deploy push

* removing the unneeded branch constraints

* adding in different branch constraint to deploy
This commit is contained in:
Joseph Flinn 2021-07-19 12:16:06 -07:00 committed by GitHub
parent 19c2b025d1
commit 2419bc2928
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 102 additions and 95 deletions

View File

@ -17,6 +17,15 @@ jobs:
package_version: ${{ steps.create_tags.outputs.package_version }} package_version: ${{ steps.create_tags.outputs.package_version }}
tag_version: ${{ steps.create_tags.outputs.tag_version }} tag_version: ${{ steps.create_tags.outputs.tag_version }}
steps: steps:
- name: Branch check
run: |
if [[ "$GITHUB_REF" != "refs/heads/rc" ]]; then
echo "==================================="
echo "[!] Can only deploy from rc branch"
echo "==================================="
exit 1
fi
- name: Checkout Repo - name: Checkout Repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
@ -56,6 +65,99 @@ jobs:
echo "Package Version: ${{ steps.create_tags.outputs.package_version }}" echo "Package Version: ${{ steps.create_tags.outputs.package_version }}"
echo "Tag Version: ${{ steps.create_tags.outputs.tag_version }}" echo "Tag Version: ${{ steps.create_tags.outputs.tag_version }}"
deploy-docker:
name: Tag & push Docker
runs-on: ubuntu-latest
needs: setup
strategy:
fail-fast: false
matrix:
service_name:
- admin
- api
- attachments
- events
- icons
- identity
- k8s-proxy
- mssql
- nginx
- notifications
- portal
- server
- setup
- sso
env:
PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
steps:
- name: Print environment
run: |
whoami
docker --version
echo "GitHub ref: $GITHUB_REF"
echo "GitHub event: $GITHUB_EVENT"
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "docker-password,
docker-username,
dct-delegate-2-repo-passphrase,
dct-delegate-2-key"
- name: Log into Docker
run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
env:
DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
- name: Setup Docker Trust
run: |
mkdir -p ~/.docker/trust/private
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
env:
DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
- name: Checkout repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Pull Docker images
run: |
docker pull bitwarden/${{ matrix.service_name }}:rc
env:
DOCKER_CONTENT_TRUST: 1
- name: Re-tag Docker images
run: |
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:latest
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:$PACKAGE_VERSION
- name: List Docker images
run: docker images
- name: Push Docker images
run: |
docker push bitwarden/${{ matrix.service_name }}:latest
docker push bitwarden/${{ matrix.service_name }}:$PACKAGE_VERSION
env:
DOCKER_CONTENT_TRUST: 1
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
- name: Log out of Docker
run: docker logout
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: setup needs: setup

View File

@ -62,101 +62,6 @@ jobs:
draft: true draft: true
prerelease: false prerelease: false
release:
name: Release
runs-on: ubuntu-latest
needs: setup
strategy:
fail-fast: false
matrix:
service_name:
- admin
- api
- attachments
- events
- icons
- identity
- k8s-proxy
- mssql
- nginx
- notifications
- portal
- server
- setup
- sso
env:
RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
steps:
- name: Print environment
run: |
whoami
docker --version
echo "GitHub ref: $GITHUB_REF"
echo "GitHub event: $GITHUB_EVENT"
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "docker-password,
docker-username,
dct-delegate-2-repo-passphrase,
dct-delegate-2-key"
- name: Log into Docker
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
env:
DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
- name: Setup Docker Trust
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
run: |
mkdir -p ~/.docker/trust/private
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
env:
DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
- name: Checkout repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Pull Docker images
run: |
docker pull bitwarden/${{ matrix.service_name }}:rc
env:
DOCKER_CONTENT_TRUST: 1
- name: Re-tag Docker images
run: |
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:latest
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:$RELEASE_VERSION
- name: List Docker images
run: docker images
- name: Push Docker images
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
run: |
docker push bitwarden/${{ matrix.service_name }}:latest
docker push bitwarden/${{ matrix.service_name }}:$RELEASE_VERSION
env:
DOCKER_CONTENT_TRUST: 1
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
- name: Log out of Docker
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
run: docker logout
upload: upload:
name: Upload name: Upload