mirror of
https://github.com/bitwarden/server.git
synced 2024-11-22 12:15:36 +01:00
Protecting Versioned Docker Images in the CI Pipeline (#1462)
* moving the docker versioning into the deploy since it is an actual deploy push * removing the unneeded branch constraints * adding in different branch constraint to deploy
This commit is contained in:
parent
19c2b025d1
commit
2419bc2928
102
.github/workflows/prod-deploy.yml
vendored
102
.github/workflows/prod-deploy.yml
vendored
@ -17,6 +17,15 @@ jobs:
|
||||
package_version: ${{ steps.create_tags.outputs.package_version }}
|
||||
tag_version: ${{ steps.create_tags.outputs.tag_version }}
|
||||
steps:
|
||||
- name: Branch check
|
||||
run: |
|
||||
if [[ "$GITHUB_REF" != "refs/heads/rc" ]]; then
|
||||
echo "==================================="
|
||||
echo "[!] Can only deploy from rc branch"
|
||||
echo "==================================="
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Checkout Repo
|
||||
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
|
||||
|
||||
@ -56,6 +65,99 @@ jobs:
|
||||
echo "Package Version: ${{ steps.create_tags.outputs.package_version }}"
|
||||
echo "Tag Version: ${{ steps.create_tags.outputs.tag_version }}"
|
||||
|
||||
|
||||
deploy-docker:
|
||||
name: Tag & push Docker
|
||||
runs-on: ubuntu-latest
|
||||
needs: setup
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
service_name:
|
||||
- admin
|
||||
- api
|
||||
- attachments
|
||||
- events
|
||||
- icons
|
||||
- identity
|
||||
- k8s-proxy
|
||||
- mssql
|
||||
- nginx
|
||||
- notifications
|
||||
- portal
|
||||
- server
|
||||
- setup
|
||||
- sso
|
||||
env:
|
||||
PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||
TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
|
||||
steps:
|
||||
- name: Print environment
|
||||
run: |
|
||||
whoami
|
||||
docker --version
|
||||
echo "GitHub ref: $GITHUB_REF"
|
||||
echo "GitHub event: $GITHUB_EVENT"
|
||||
|
||||
- name: Login to Azure
|
||||
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
|
||||
|
||||
- name: Retrieve secrets
|
||||
id: retrieve-secrets
|
||||
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
|
||||
with:
|
||||
keyvault: "bitwarden-prod-kv"
|
||||
secrets: "docker-password,
|
||||
docker-username,
|
||||
dct-delegate-2-repo-passphrase,
|
||||
dct-delegate-2-key"
|
||||
|
||||
- name: Log into Docker
|
||||
run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
|
||||
env:
|
||||
DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
|
||||
DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
|
||||
|
||||
- name: Setup Docker Trust
|
||||
run: |
|
||||
mkdir -p ~/.docker/trust/private
|
||||
|
||||
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
|
||||
env:
|
||||
DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
|
||||
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
|
||||
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
|
||||
|
||||
- name: Pull Docker images
|
||||
run: |
|
||||
docker pull bitwarden/${{ matrix.service_name }}:rc
|
||||
env:
|
||||
DOCKER_CONTENT_TRUST: 1
|
||||
|
||||
- name: Re-tag Docker images
|
||||
run: |
|
||||
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:latest
|
||||
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:$PACKAGE_VERSION
|
||||
|
||||
- name: List Docker images
|
||||
run: docker images
|
||||
|
||||
- name: Push Docker images
|
||||
run: |
|
||||
docker push bitwarden/${{ matrix.service_name }}:latest
|
||||
docker push bitwarden/${{ matrix.service_name }}:$PACKAGE_VERSION
|
||||
env:
|
||||
DOCKER_CONTENT_TRUST: 1
|
||||
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
|
||||
|
||||
- name: Log out of Docker
|
||||
run: docker logout
|
||||
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
needs: setup
|
||||
|
95
.github/workflows/release.yml
vendored
95
.github/workflows/release.yml
vendored
@ -62,101 +62,6 @@ jobs:
|
||||
draft: true
|
||||
prerelease: false
|
||||
|
||||
release:
|
||||
name: Release
|
||||
runs-on: ubuntu-latest
|
||||
needs: setup
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
service_name:
|
||||
- admin
|
||||
- api
|
||||
- attachments
|
||||
- events
|
||||
- icons
|
||||
- identity
|
||||
- k8s-proxy
|
||||
- mssql
|
||||
- nginx
|
||||
- notifications
|
||||
- portal
|
||||
- server
|
||||
- setup
|
||||
- sso
|
||||
env:
|
||||
RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
|
||||
TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
|
||||
steps:
|
||||
- name: Print environment
|
||||
run: |
|
||||
whoami
|
||||
docker --version
|
||||
echo "GitHub ref: $GITHUB_REF"
|
||||
echo "GitHub event: $GITHUB_EVENT"
|
||||
|
||||
- name: Login to Azure
|
||||
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
|
||||
|
||||
- name: Retrieve secrets
|
||||
id: retrieve-secrets
|
||||
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
|
||||
with:
|
||||
keyvault: "bitwarden-prod-kv"
|
||||
secrets: "docker-password,
|
||||
docker-username,
|
||||
dct-delegate-2-repo-passphrase,
|
||||
dct-delegate-2-key"
|
||||
|
||||
- name: Log into Docker
|
||||
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
|
||||
run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
|
||||
env:
|
||||
DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
|
||||
DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
|
||||
|
||||
- name: Setup Docker Trust
|
||||
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
|
||||
run: |
|
||||
mkdir -p ~/.docker/trust/private
|
||||
|
||||
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
|
||||
env:
|
||||
DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
|
||||
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
|
||||
|
||||
- name: Checkout repo
|
||||
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
|
||||
|
||||
- name: Pull Docker images
|
||||
run: |
|
||||
docker pull bitwarden/${{ matrix.service_name }}:rc
|
||||
env:
|
||||
DOCKER_CONTENT_TRUST: 1
|
||||
|
||||
- name: Re-tag Docker images
|
||||
run: |
|
||||
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:latest
|
||||
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:$RELEASE_VERSION
|
||||
|
||||
- name: List Docker images
|
||||
run: docker images
|
||||
|
||||
- name: Push Docker images
|
||||
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
|
||||
run: |
|
||||
docker push bitwarden/${{ matrix.service_name }}:latest
|
||||
docker push bitwarden/${{ matrix.service_name }}:$RELEASE_VERSION
|
||||
env:
|
||||
DOCKER_CONTENT_TRUST: 1
|
||||
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
|
||||
|
||||
- name: Log out of Docker
|
||||
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
|
||||
run: docker logout
|
||||
|
||||
|
||||
upload:
|
||||
name: Upload
|
||||
|
Loading…
Reference in New Issue
Block a user