1
0
mirror of https://github.com/bitwarden/server.git synced 2024-12-10 15:13:29 +01:00
bitwarden-server/.github/workflows/prod-deploy.yml
Joseph Flinn 2419bc2928
Protecting Versioned Docker Images in the CI Pipeline (#1462)
* moving the docker versioning into the deploy since it is an actual deploy push

* removing the unneeded branch constraints

* adding in different branch constraint to deploy
2021-07-19 12:16:06 -07:00

476 lines
15 KiB
YAML

name: Prod Deploy
on:
workflow_dispatch:
inputs:
release_tag_name_input:
description: "Release Tag Name <X.X.X>"
required: true
release:
types:
- published
jobs:
setup:
runs-on: ubuntu-latest
outputs:
package_version: ${{ steps.create_tags.outputs.package_version }}
tag_version: ${{ steps.create_tags.outputs.tag_version }}
steps:
- name: Branch check
run: |
if [[ "$GITHUB_REF" != "refs/heads/rc" ]]; then
echo "==================================="
echo "[!] Can only deploy from rc branch"
echo "==================================="
exit 1
fi
- name: Checkout Repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Create Deploy version vars
id: create_tags
run: |
if [ "${{ github.event_name }}" != "release" ]; then
case "${RELEASE_TAG_NAME_INPUT:0:1}" in
v)
echo "RELEASE_NAME=${RELEASE_TAG_NAME_INPUT:1}" >> $GITHUB_ENV
echo "RELEASE_TAG_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
echo "::set-output name=package_version::${RELEASE_TAG_NAME_INPUT:1}"
echo "::set-output name=tag_version::$RELEASE_TAG_NAME_INPUT"
;;
[0-9])
echo "RELEASE_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
echo "RELEASE_TAG_NAME=v$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
echo "::set-output name=package_version::$RELEASE_TAG_NAME_INPUT"
echo "::set-output name=tag_version::v$RELEASE_TAG_NAME_INPUT"
;;
*)
exit 1
;;
esac
else
TAG_VERSION=$(echo ${{ github.ref }} | cut -d "/" -f 3)
PKG_VERSION=${TAG_VERSION:1}
echo "::set-output name=package_version::$PKG_VERSION"
echo "::set-output name=tag_version::$TAG_VERSION"
fi
env:
RELEASE_TAG_NAME_INPUT: ${{ github.event.inputs.release_tag_name_input }}
- name: test outputs
run: |
echo "Package Version: ${{ steps.create_tags.outputs.package_version }}"
echo "Tag Version: ${{ steps.create_tags.outputs.tag_version }}"
deploy-docker:
name: Tag & push Docker
runs-on: ubuntu-latest
needs: setup
strategy:
fail-fast: false
matrix:
service_name:
- admin
- api
- attachments
- events
- icons
- identity
- k8s-proxy
- mssql
- nginx
- notifications
- portal
- server
- setup
- sso
env:
PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
steps:
- name: Print environment
run: |
whoami
docker --version
echo "GitHub ref: $GITHUB_REF"
echo "GitHub event: $GITHUB_EVENT"
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "docker-password,
docker-username,
dct-delegate-2-repo-passphrase,
dct-delegate-2-key"
- name: Log into Docker
run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
env:
DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}
- name: Setup Docker Trust
run: |
mkdir -p ~/.docker/trust/private
echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
env:
DCT_DELEGATION_KEY_ID: "c9bde8ec820701516491e5e03d3a6354e7bd66d05fa3df2b0062f68b116dc59c"
DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-key }}
- name: Checkout repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
- name: Pull Docker images
run: |
docker pull bitwarden/${{ matrix.service_name }}:rc
env:
DOCKER_CONTENT_TRUST: 1
- name: Re-tag Docker images
run: |
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:latest
docker tag bitwarden/${{ matrix.service_name }}:rc bitwarden/${{ matrix.service_name }}:$PACKAGE_VERSION
- name: List Docker images
run: docker images
- name: Push Docker images
run: |
docker push bitwarden/${{ matrix.service_name }}:latest
docker push bitwarden/${{ matrix.service_name }}:$PACKAGE_VERSION
env:
DOCKER_CONTENT_TRUST: 1
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-2-repo-passphrase }}
- name: Log out of Docker
run: docker logout
build:
runs-on: ubuntu-latest
needs: setup
strategy:
fail-fast: false
matrix:
include:
- name: Api
base_path: .
- name: Admin
base_path: .
gulp: true
- name: Billing
base_path: .
- name: Events
base_path: .
- name: Notifications
base_path: .
- name: Sso
base_path: ./bitwarden_license
gulp: true
- name: Portal
base_path: ./bitwarden_license
gulp: true
- name: Identity
base_path: .
env:
PKG_VERSION: ${{ needs.setup.outputs.package_version }}
TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
steps:
- name: Checkout repo
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
with:
ref: ${{ env.TAG_VERSION }}
- name: Set up Node
uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea
with:
node-version: '14'
- name: Print Environment
run: |
dotnet --info
node --version
npm --version
gulp --version
- name: load env vars
run: |
echo "Base Path: ${BASE_PATH}"
echo "Name: ${NAME}"
env:
BASE_PATH: ${{ matrix.base_path }}
NAME: ${{ matrix.name }}
- name: Build Service
run: |
work_dir=$(pwd)
dir=$BASE_PATH/src/$SERVICE_NAME
cd $dir
echo "Restore"
dotnet restore $SERVICE_NAME.csproj
echo "Clean"
dotnet clean $SERVICE_NAME.csproj -c "Release" -o obj/build-output/publish
if [ "$GULP" == "true" ]; then
npm install
npm install gulp
gulp --gulpfile gulpfile.js build
fi
echo "Publish"
dotnet publish $SERVICE_NAME.csproj -c "Release" -o obj/build-output/publish
cd obj/build-output/publish
zip -r $SERVICE_NAME.zip .
mv $SERVICE_NAME.zip ../../../
env:
SERVICE_NAME: ${{ matrix.name }}
BASE_PATH: ${{ matrix.base_path }}
GULP: ${{ matrix.gulp }}
- name: Upload build artifact
uses: actions/upload-artifact@ee69f02b3dfdecd58bb31b4d133da38ba6fe3700
with:
name: ${{ env.SERVICE_NAME }}.zip
path: ${{ env.BASE_PATH }}/src/${{ env.SERVICE_NAME }}/${{ env.SERVICE_NAME }}.zip
env:
BASE_PATH: ${{ matrix.base_path }}
SERVICE_NAME: ${{ matrix.name }}
- name: Test build dir
run: ls $BASE_PATH/src/$SERVICE_NAME
env:
SERVICE_NAME: ${{ matrix.name }}
BASE_PATH: ${{ matrix.base_path }}
deploy-identity:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download aritifacts
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253
with:
name: Identity.zip
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "appservices-identity-webapp-name,
appservices-identity-webapp-publish-profile"
- name: Deploy Identity
uses: azure/webapps-deploy@798e43877120eda6a2a690a4f212c545e586ae31
with:
app-name: ${{ steps.retrieve-secrets.outputs.appservices-identity-webapp-name }}
slot-name: "staging"
publish-profile: ${{ steps.retrieve-secrets.outputs.appservices-identity-webapp-publish-profile }}
package: ./Identity.zip
deploy-api:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download aritifacts
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253
with:
name: Api.zip
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "appservices-api-webapp-name,
appservices-api-webapp-publish-profile"
- name: Deploy Api
uses: azure/webapps-deploy@798e43877120eda6a2a690a4f212c545e586ae31
with:
app-name: ${{ steps.retrieve-secrets.outputs.appservices-api-webapp-name }}
slot-name: "staging"
publish-profile: ${{ steps.retrieve-secrets.outputs.appservices-api-webapp-publish-profile }}
package: ./Api.zip
deploy-billing:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download aritifacts
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253
with:
name: Billing.zip
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "appservices-billing-webapp-name,
appservices-billing-webapp-publish-profile"
- name: Deploy Billing
uses: azure/webapps-deploy@798e43877120eda6a2a690a4f212c545e586ae31
with:
app-name: ${{ steps.retrieve-secrets.outputs.appservices-billing-webapp-name }}
slot-name: "staging"
publish-profile: ${{ steps.retrieve-secrets.outputs.appservices-billing-webapp-publish-profile }}
package: ./Billing.zip
deploy-events:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download aritifacts
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253
with:
name: Events.zip
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "appservices-events-webapp-name,
appservices-events-webapp-publish-profile"
- name: Deploy Events
uses: azure/webapps-deploy@798e43877120eda6a2a690a4f212c545e586ae31
with:
app-name: ${{ steps.retrieve-secrets.outputs.appservices-events-webapp-name }}
slot-name: "staging"
publish-profile: ${{ steps.retrieve-secrets.outputs.appservices-events-webapp-publish-profile }}
package: ./Events.zip
deploy-sso:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download aritifacts
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253
with:
name: Sso.zip
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "appservices-sso-webapp-name,
appservices-sso-webapp-publish-profile"
- name: Deploy SSO
uses: azure/webapps-deploy@798e43877120eda6a2a690a4f212c545e586ae31
with:
app-name: ${{ steps.retrieve-secrets.outputs.appservices-sso-webapp-name }}
slot-name: "staging"
publish-profile: ${{ steps.retrieve-secrets.outputs.appservices-sso-webapp-publish-profile }}
package: ./Sso.zip
deploy-portal:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download aritifacts
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253
with:
name: Portal.zip
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "appservices-portal-webapp-name,
appservices-portal-webapp-publish-profile"
- name: Deploy Portal
uses: azure/webapps-deploy@798e43877120eda6a2a690a4f212c545e586ae31
with:
app-name: ${{ steps.retrieve-secrets.outputs.appservices-portal-webapp-name }}
slot-name: "staging"
publish-profile: ${{ steps.retrieve-secrets.outputs.appservices-portal-webapp-publish-profile }}
package: ./Portal.zip
deploy-admin:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download aritifacts
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253
with:
name: Admin.zip
- name: Login to Azure
uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Retrieve secrets
id: retrieve-secrets
uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
with:
keyvault: "bitwarden-prod-kv"
secrets: "appservices-admin-webapp-name,
appservices-admin-webapp-publish-profile"
- name: Deploy Admin
uses: azure/webapps-deploy@798e43877120eda6a2a690a4f212c545e586ae31
with:
app-name: ${{ steps.retrieve-secrets.outputs.appservices-admin-webapp-name }}
slot-name: "staging"
publish-profile: ${{ steps.retrieve-secrets.outputs.appservices-admin-webapp-publish-profile }}
package: ./Admin.zip