[PM-13371] Repository split - Avoid depdending on Bitwarden (#1124) #2346
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build bws Docker image | |
on: | |
push: | |
branches: | |
- "main" | |
workflow_dispatch: | |
pull_request: | |
env: | |
_AZ_REGISTRY: bitwardenprod.azurecr.io | |
jobs: | |
build-docker: | |
name: Build Docker image | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Check Branch to Publish | |
id: publish-branch-check | |
run: | | |
if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then | |
echo "is_publish_branch=true" >> $GITHUB_ENV | |
else | |
echo "is_publish_branch=false" >> $GITHUB_ENV | |
fi | |
########## Set up Docker ########## | |
- name: Set up QEMU emulators | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
########## Login to Docker registries ########## | |
- name: Login to Azure - Prod Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
- name: Login to Azure ACR | |
run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} | |
- name: Login to Azure - CI Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve github PAT secrets | |
id: retrieve-secret-pat | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
- name: Setup Docker Trust | |
if: ${{ env.is_publish_branch == 'true' }} | |
uses: bitwarden/gh-actions/setup-docker-trust@main | |
with: | |
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
azure-keyvault-name: "bitwarden-ci" | |
########## Generate image tag and build Docker image ########## | |
- name: Generate Docker image tag | |
id: tag | |
run: | | |
REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}} | |
IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g") # slash safe branch name | |
if [[ "${IMAGE_TAG}" == "main" ]]; then | |
IMAGE_TAG=dev | |
fi | |
echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
- name: Generate tag list | |
id: tag-list | |
env: | |
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} | |
run: | | |
if [[ "${IMAGE_TAG}" == "dev" ]]; then | |
echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG},bitwarden/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
else | |
echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
fi | |
- name: Build and push Docker image | |
uses: docker/build-push-action@32945a339266b759abcbdc89316275140b0fc960 # v6.8.0 | |
with: | |
context: . | |
file: crates/bws/Dockerfile | |
platforms: | | |
linux/amd64, | |
linux/arm64/v8 | |
push: true | |
tags: ${{ steps.tag-list.outputs.tags }} | |
secrets: | | |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" | |
- name: Log out of Docker and disable Docker Notary | |
if: ${{ env.is_publish_branch == 'true' }} | |
run: | | |
docker logout | |
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV | |
check-failures: | |
name: Check for failures | |
if: always() | |
runs-on: ubuntu-22.04 | |
needs: build-docker | |
steps: | |
- name: Check if any job failed | |
if: github.ref == 'refs/heads/main' | |
env: | |
BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }} | |
run: | | |
if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then | |
exit 1 | |
fi | |
- name: Login to Azure - CI subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
if: failure() | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
if: failure() | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "devops-alerts-slack-webhook-url" | |
- name: Notify Slack on failure | |
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} | |
with: | |
status: ${{ job.status }} |