bitwarden-server/.github/workflows/release.yml

name: Release

on:
  workflow_dispatch:
    inputs:
      release_tag_name_input:
        description: "Release Tag Name <X.X.X>"
        required: true

jobs:
  setup:
    runs-on: ubuntu-latest
    outputs:
      release_upload_url: ${{ steps.create_release.outputs.upload_url }}
      release_version: ${{ steps.create_tags.outputs.package_version }}
      tag_version: ${{ steps.create_tags.outputs.tag_version }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2

      - name: Create Release Vars
        id: create_tags
        run: |
          case "${RELEASE_TAG_NAME_INPUT:0:1}" in
            v)
              echo "RELEASE_NAME=${RELEASE_TAG_NAME_INPUT:1}" >> $GITHUB_ENV
              echo "RELEASE_TAG_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
              echo "::set-output name=package_version::${RELEASE_TAG_NAME_INPUT:1}"
              echo "::set-output name=tag_version::$RELEASE_TAG_NAME_INPUT"
              ;;
            [0-9])
              echo "RELEASE_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
              echo "RELEASE_TAG_NAME=v$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV
              echo "::set-output name=package_version::$RELEASE_TAG_NAME_INPUT"
              echo "::set-output name=tag_version::v$RELEASE_TAG_NAME_INPUT"
              ;;
            *)
              exit 1
              ;;
          esac          
        env:
          RELEASE_TAG_NAME_INPUT: ${{ github.event.inputs.release_tag_name_input }}

      - name: Create Draft Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ env.RELEASE_TAG_NAME }}
          release_name: ${{ env.RELEASE_NAME }}
          draft: true
          prerelease: false

  release:
    runs-on: ubuntu-latest
    needs: setup
    env:
      RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
      TAG_VERSION: ${{ needs.setup.outputs.tag_version }}
    steps:
      - name: Print environment
        run: |
          whoami
          docker --version
          Write-Output "GitHub ref: $env:GITHUB_REF"
          Write-Output "GitHub event: $env:GITHUB_EVENT"          
        shell: pwsh
        env:
          GITHUB_REF: ${{ github.ref }}
          GITHUB_EVENT: ${{ github.event_name }}

      - name: Login to Azure
        uses: Azure/login@77f1b2e3fb80c0e8645114159d17008b8a2e475a
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: Azure/get-keyvault-secrets@80ccd3fafe5662407cc2e55f202ee34bfff8c403
        with:
          keyvault: "bitwarden-prod-kv"
          secrets: "docker-password, 
                    docker-username,
                    dct-delegate-repo-passphrase,
                    dct-delegate-key,
                    dct-repo-server-key,
                    dct-repo-attachments-key,
                    dct-repo-admin-key,
                    dct-repo-nginx-key,
                    dct-repo-k8sproxy-key,
                    dct-repo-sso-key,
                    dct-repo-api-key,
                    dct-repo-portal-key,
                    dct-repo-setup-key,
                    dct-repo-notifications-key,
                    dct-repo-events-key,
                    dct-repo-web-key,
                    dct-repo-icons-key,
                    dct-repo-identity-key"

      - name: Log into docker
        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc'
        run: echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
        env:
          DOCKER_USERNAME: ${{ steps.retrieve-secrets.outputs.docker-username }}
          DOCKER_PASSWORD: ${{ steps.retrieve-secrets.outputs.docker-password }}

      - name: Setup Docker Trust
        run: |
          mkdir -p ~/.docker/trust/private

          echo "$DCT_DELEGATE_KEY" > ~/.docker/trust/private/$DCT_DELEGATION_KEY_ID.key
          echo "$DCT_REPO_API_KEY" > ~/.docker/trust/private/$DCT_REPO_API_ID.key
          echo "$DCT_REPO_IDENTITY_KEY" > ~/.docker/trust/private/$DCT_REPO_IDENTITY_ID.key
          echo "$DCT_REPO_SERVER_KEY" > ~/.docker/trust/private/$DCT_REPO_SERVER_ID.key
          echo "$DCT_REPO_ATTACHMENTS_KEY" > ~/.docker/trust/private/$DCT_REPO_ATTACHMENTS_ID.key
          echo "$DCT_REPO_ICONS_KEY" > ~/.docker/trust/private/$DCT_REPO_ICONS_ID.key
          echo "$DCT_REPO_NOTIFICATIONS_KEY" > ~/.docker/trust/private/$DCT_REPO_NOTIFICATIONS_ID.key
          echo "$DCT_REPO_EVENTS_KEY" > ~/.docker/trust/private/$DCT_REPO_EVENTS_ID.key
          echo "$DCT_REPO_ADMIN_KEY" > ~/.docker/trust/private/$DCT_REPO_ADMIN_ID.key
          echo "$DCT_REPO_NGINX_KEY" > ~/.docker/trust/private/$DCT_REPO_NGINX_ID.key
          echo "$DCT_REPO_K8SPROXY_KEY" > ~/.docker/trust/private/$DCT_REPO_K8SPROXY_ID.key
          echo "$DCT_REPO_SSO_KEY" > ~/.docker/trust/private/$DCT_REPO_SSO_ID.key
          echo "$DCT_REPO_PORTAL_KEY" > ~/.docker/trust/private/$DCT_REPO_PORTAL_ID.key
          echo "$DCT_REPO_MSSQL_KEY" > ~/.docker/trust/private/$DCT_REPO_MSSQL_ID.key
          echo "$DCT_REPO_SETUP_KEY" > ~/.docker/trust/private/$DCT_REPO_SETUP_ID.key          
        env:
          DCT_DELEGATION_KEY_ID: "5702b22123e058cbd96a7a43000cb981ae98ef3f2f4aa34138ab3dc1d011e446"
          DCT_REPO_API_ID: "525fa3e70b84669c9fe489c5a3d0974898d14c0807b19447242c60ed8d4ca766"
          DCT_REPO_IDENTITY_ID: "084da6ea47ba1c4f34c2870a78a17739cd5df50359d2c2c7616822632df726d3"
          DCT_REPO_SERVER_ID: "ffbee21a1a71854a1c1310df4f5aded41726dd90d61050a6256168cd9268b1ee"
          DCT_REPO_ATTACHMENTS_ID: "e40fbcb5b273ad601c00ea905ca326ab68b395f17a46a8530e0ddd7d12bd4240"
          DCT_REPO_ICONS_ID: "0d3f5c6854610bd3d9b9c0a6851fe525b057976b46cb0f47de3942cf3b0be394"
          DCT_REPO_NOTIFICATIONS_ID: "1bf8d22352ec65a6c9b9282c454462240e0a1eb78bff03b65b5a4b7887599ab2"
          DCT_REPO_EVENTS_ID: "1020320052e6247f3c5fbfc2a3bfb0efc7e247f8a5a187dc03f60848359ac7c9"
          DCT_REPO_ADMIN_ID: "c5d80db8745fcd7a1510c3fba5c65582cfc2453d2b1eeb292abe79eb1351cf5c"
          DCT_REPO_NGINX_ID: "bf3d3247f5c2be73bbe830cddbae445c29e4fcc9e2fb4b4d39abf86a2740098b"
          DCT_REPO_K8SPROXY_ID: "bdad34c1202b2bbf8a460b66da08b2c1c1eea5864b29508782c00da145eb1fcd"
          DCT_REPO_SSO_ID: "97a5f6d29b255ff709ec63faad27c2f76246f006563bf3ecbb71547325c05815"
          DCT_REPO_PORTAL_ID: "4f358aa0a41c9a6650f5d2f907c2de418df34ddf3ee45e0994be7cc2dcd0b56e"
          DCT_REPO_MSSQL_ID: "30a44d7efbe48d30ed06abef003d2d8990205dad6a034617cddc03548f8c084e"
          DCT_REPO_SETUP_ID: "2932fb9c39b7eacf4418c7c9ee4c823f973c426412ddd64d7f9f0b6f940b8428"
          DCT_DELEGATE_KEY: ${{ steps.retrieve-secrets.outputs.dct-delegate-key }}
          DCT_REPO_API_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-api-key }}
          DCT_REPO_IDENTITY_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-identity-key }}
          DCT_REPO_SERVER_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-server-key }}
          DCT_REPO_ATTACHMENTS_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-attachments-key }}
          DCT_REPO_ICONS_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-icons-key }}
          DCT_REPO_NOTIFICATIONS_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-notifications-key }}
          DCT_REPO_EVENTS_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-events-key }}
          DCT_REPO_ADMIN_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-admin-key }}
          DCT_REPO_NGINX_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-nginx-key }}
          DCT_REPO_K8SPROXY_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-k8sproxy-key }}
          DCT_REPO_SSO_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-sso-key }}
          DCT_REPO_PORTAL_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-portal-key }}
          DCT_REPO_MSSQL_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-mssql-key }}
          DCT_REPO_SETUP_KEY: ${{ steps.retrieve-secrets.outputs.dct-repo-setup-key }}
          
      - name: Checkout repo
        uses: actions/checkout@v2

      - name: Restore
        run: dotnet tool restore

      - name: pull docker images
        run: |
          docker pull bitwarden/api:rc
          docker pull bitwarden/identity:rc
          docker pull bitwarden/server:rc
          docker pull bitwarden/attachments:rc
          docker pull bitwarden/icons:rc
          docker pull bitwarden/notifications:rc
          docker pull bitwarden/events:rc
          docker pull bitwarden/admin:rc
          docker pull bitwarden/nginx:rc
          docker pull bitwarden/nginx:rc
          docker pull bitwarden/sso:rc
          docker pull bitwarden/portal:rc
          docker pull bitwarden/mssql:rc
          docker pull bitwarden/setup:rc          
        env:
          DOCKER_CONTENT_TRUST: 1


      - name: re-tag docker images
        run: |
          tags=( latest beta ${RELEASE_VERSION} )
          for TAG in "${tags[@]}"
          do
            docker tag bitwarden/api:rc bitwarden/api:$TAG
            docker tag bitwarden/identity:rc bitwarden/identity:$TAG
            docker tag bitwarden/server:rc bitwarden/server:$TAG
            docker tag bitwarden/attachments:rc bitwarden/attachments:$TAG
            docker tag bitwarden/icons:rc bitwarden/icons:$TAG
            docker tag bitwarden/notifications:rc bitwarden/notifications:$TAG
            docker tag bitwarden/events:rc bitwarden/events:$TAG
            docker tag bitwarden/admin:rc bitwarden/admin:$TAG
            docker tag bitwarden/nginx:rc bitwarden/nginx:$TAG
            docker tag bitwarden/nginx:rc bitwarden/k8s-proxy:$TAG
            docker tag bitwarden/sso:rc bitwarden/sso:$TAG
            docker tag bitwarden/portal:rc bitwarden/portal:$TAG
            docker tag bitwarden/mssql:rc bitwarden/mssql:$TAG
            docker tag bitwarden/setup:rc bitwarden/setup:$TAG
          done           

      - name: List docker images
        run: docker images

      - name: Push beta images
        run: ./build.sh push beta
        env:
          DOCKER_CONTENT_TRUST: 1
          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-repo-passphrase }}

      - name: Push latest images
        run: ./build.sh push latest
        env:
          DOCKER_CONTENT_TRUST: 1
          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-repo-passphrase }}

      - name: Push version images
        run: ./build.sh push $($env:$RELEASE_VERSION)
        shell: pwsh
        env:
          DOCKER_CONTENT_TRUST: 1
          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.retrieve-secrets.outputs.dct-delegate-repo-passphrase }}

      - name: Make docker stub
        run: |
          STUB_OUTPUT=$(pwd)/docker-stub
          docker run -i --rm --name setup -v $STUB_OUTPUT:/bitwarden bitwarden/setup:dev \
            dotnet Setup.dll -stub 1 -install 1 -domain bitwarden.example.com -os lin
          sudo chown -R $(whoami):$(whoami) $STUB_OUTPUT
          rm -rf $STUB_OUTPUT/letsencrypt
          rm $STUB_OUTPUT/env/uid.env $STUB_OUTPUT/config.yml
          touch $STUB_OUTPUT/env/uid.env
          cd docker-stub; zip -r ../docker-stub.zip *; cd ..          

      - name: Upload docker stub artifact
        uses: actions/upload-artifact@v2
        with:
          name: docker-stub.zip
          path: ./docker-stub.zip

      - name: Build swagger
        run: |
          cd ./src/Api
          echo "Restore"
          dotnet restore "Api.csproj"
          echo "Clean"
          dotnet clean "Api.csproj" -c "Release" -o "obj/Docker/publish/Api"
          echo "Publish"
          dotnet publish "Api.csproj" -c "Release" -o "obj/Docker/publish/Api"

          dotnet swagger tofile --output ../../swagger.json --host https://api.bitwarden.com `
            ./obj/Docker/publish/Api/Api.dll public
          cd ../..          
        shell: pwsh
        env:
          ASPNETCORE_ENVIRONMENT: Production
          swaggerGen: 'True'

      - name: Upload swagger artifact
        uses: actions/upload-artifact@v2
        with:
          name: swagger.json
          path: ./swagger.json

      - name: Log out of docker
        run: docker logout

      - name: Upload release assets
        if: github.event_name == 'release'
        run: |
          hub release edit `
            -a ./swagger.json `
            -a ./docker-stub.zip `
            -m "Version $($env:RELEASE_VERSION)" `
            $env:RELEASE_TAG_NAME          
        shell: pwsh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}