Release Dry Run #126
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Release | |
run-name: Release ${{ github.event.inputs.release_type }} | |
on: | |
workflow_dispatch: | |
inputs: | |
release_type: | |
description: "Release Options" | |
required: true | |
default: "Release" | |
type: choice | |
options: | |
- Release | |
- Dry Run | |
env: | |
_AZ_REGISTRY: bitwardenprod.azurecr.io | |
jobs: | |
setup: | |
name: Setup | |
runs-on: ubuntu-22.04 | |
outputs: | |
_WEB_RELEASE_TAG: ${{ steps.set-tags.outputs.WEB_RELEASE_TAG }} | |
_CORE_RELEASE_TAG: ${{ steps.set-tags.outputs.CORE_RELEASE_TAG }} | |
_VERSION: ${{ steps.get-next-version.outputs.version }} | |
steps: | |
- name: Branch check | |
if: ${{ github.event.inputs.release_type != 'Dry Run' }} | |
run: | | |
if [[ "$GITHUB_REF" != "refs/heads/main" ]]; then | |
echo "===================================" | |
echo "[!] Can only release from the 'main' branch" | |
echo "===================================" | |
exit 1 | |
fi | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Get Latest Self-Host Version | |
id: get-self-host | |
uses: bitwarden/gh-actions/get-release-version@main | |
with: | |
repository: bitwarden/self-host | |
- name: Strip version | |
env: | |
VERSION: ${{ steps.get-self-host.outputs.version }} | |
run: echo "VERSION=${VERSION:1}" >> $GITHUB_ENV | |
- name: Get Next Release Version | |
id: get-next-version | |
uses: bitwarden/gh-actions/version-next@main | |
with: | |
version: $VERSION | |
- name: Set Release Tags | |
id: set-tags | |
run: | | |
WEB=$(jq -r '.versions.webVersion' < version.json) | |
CORE=$(jq -r '.versions.coreVersion' < version.json) | |
echo "WEB_RELEASE_TAG=$WEB" >> $GITHUB_OUTPUT | |
echo "CORE_RELEASE_TAG=$CORE" >> $GITHUB_OUTPUT | |
release: | |
name: Create GitHub Release | |
runs-on: ubuntu-22.04 | |
needs: setup | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: main | |
- name: Create release | |
if: ${{ github.event.inputs.release_type != 'Dry Run' }} | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
artifacts: 'bitwarden.sh, | |
run.sh, | |
bitwarden.ps1, | |
run.ps1, | |
version.json' | |
commit: ${{ github.sha }} | |
tag: "v${{ needs.setup.outputs._VERSION }}" | |
name: "Version ${{ needs.setup.outputs._VERSION }}" | |
body: "<insert release notes here>" | |
token: ${{ secrets.GITHUB_TOKEN }} | |
draft: true | |
release-version: | |
name: Upload version.json | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
- release | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: main | |
- name: Login to Azure - CI Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "aws-selfhost-version-access-id, | |
aws-selfhost-version-access-key, | |
aws-selfhost-version-bucket-name" | |
- name: Upload version.json to S3 bucket | |
if: ${{ github.event.inputs.release_type != 'Dry Run' }} | |
env: | |
AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-selfhost-version-access-id }} | |
AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-selfhost-version-access-key }} | |
AWS_DEFAULT_REGION: 'us-east-1' | |
AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-selfhost-version-bucket-name }} | |
run: | | |
aws s3 cp version.json $AWS_S3_BUCKET_NAME \ | |
--acl "public-read" \ | |
--quiet | |
tag-docker-latest: | |
name: Tag Docker Hub images with release version and latest | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
- release | |
env: | |
_CORE_RELEASE_TAG: ${{ needs.setup.outputs._CORE_RELEASE_TAG }} | |
_BRANCH_NAME: main | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- project_name: Admin | |
- project_name: Api | |
- project_name: Attachments | |
- project_name: Events | |
- project_name: Icons | |
- project_name: Identity | |
- project_name: MsSql | |
- project_name: MsSqlMigratorUtility | |
- project_name: Nginx | |
- project_name: Notifications | |
- project_name: Scim | |
- project_name: Server | |
- project_name: Setup | |
- project_name: Sso | |
- project_name: Web | |
release_tag: ${{ needs.setup.outputs._WEB_RELEASE_TAG }} | |
steps: | |
- name: Print environment | |
run: | | |
whoami | |
docker --version | |
echo "GitHub ref: $GITHUB_REF" | |
echo "GitHub event: $GITHUB_EVENT" | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: main | |
- name: Login to Azure - Prod Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
- name: Login to Azure ACR | |
run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} | |
- name: Setup project name and release tag | |
id: setup | |
run: | | |
PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}') | |
echo "Matrix name: ${{ matrix.project_name }}" | |
echo "PROJECT_NAME: $PROJECT_NAME" | |
echo "_PROJECT_NAME=$PROJECT_NAME" >> $GITHUB_ENV | |
if [ -z "${{ matrix.release_tag }}" ]; then | |
# Use core release tag by default. | |
echo "_RELEASE_TAG=$_CORE_RELEASE_TAG" >> $GITHUB_ENV | |
else | |
echo "_RELEASE_TAG=${{ matrix.release_tag }}" >> $GITHUB_ENV | |
fi | |
########## DockerHub ########## | |
- name: Setup DCT | |
id: setup-dct | |
uses: bitwarden/gh-actions/setup-docker-trust@main | |
with: | |
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
azure-keyvault-name: "bitwarden-ci" | |
- name: Pull versioned image | |
run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG | |
- name: Tag release version and latest image | |
run: | | |
docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG bitwarden/$_PROJECT_NAME:$_RELEASE_TAG | |
docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG bitwarden/$_PROJECT_NAME:latest | |
- name: Push release version and latest image | |
if: ${{ github.event.inputs.release_type != 'Dry Run' }} | |
env: | |
DOCKER_CONTENT_TRUST: 1 | |
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} | |
run: | | |
docker push bitwarden/$_PROJECT_NAME:$_RELEASE_TAG | |
docker push bitwarden/$_PROJECT_NAME:latest | |
- name: Log out of Docker and disable Docker Notary | |
run: | | |
docker logout | |
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV | |
release-unified: | |
name: Release Self-host unified | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
- release | |
env: | |
_RELEASE_VERSION: ${{ needs.setup.outputs._VERSION }}-beta # TODO: remove `-beta` after GA | |
steps: | |
########## DockerHub ########## | |
- name: Setup DCT | |
id: setup-dct | |
uses: bitwarden/gh-actions/setup-docker-trust@main | |
with: | |
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
azure-keyvault-name: "bitwarden-ci" | |
- name: Install Skopeo | |
run: | | |
wget https://github.com/lework/skopeo-binary/releases/download/v1.13.3/skopeo-linux-amd64 | |
mv skopeo-linux-amd64 skopeo | |
chmod +x skopeo | |
- name: Login to Azure - PROD Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
- name: Push version and latest image | |
if: ${{ github.event.inputs.release_type != 'Dry Run' }} | |
env: | |
DOCKER_CONTENT_TRUST: 1 | |
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} | |
run: | | |
./skopeo --version | |
./skopeo login $_AZ_REGISTRY -u 00000000-0000-0000-0000-000000000000 -p $(az acr login --expose-token --name ${_AZ_REGISTRY%.azurecr.io} | jq -r .accessToken) | |
./skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:$_RELEASE_VERSION | |
./skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:beta # TODO: Delete after GA | |
# ./skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:latest # TODO: uncomment after GA | |
- name: Log out of Docker, skopeo and disable Docker Notary | |
run: | | |
docker logout | |
./skopeo logout --all | |
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV | |
########## ACR PROD ########## | |
- name: Login to Azure ACR | |
run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} | |
- name: Pull latest project image | |
run: | | |
if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then | |
docker pull $_AZ_REGISTRY/self-host:dev | |
else | |
docker pull $_AZ_REGISTRY/self-host:beta | |
fi | |
- name: Tag version and latest | |
run: | | |
if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then | |
docker tag $_AZ_REGISTRY/self-host:dev $_AZ_REGISTRY/self-host:dryrun | |
else | |
docker tag $_AZ_REGISTRY/self-host:beta $_AZ_REGISTRY/self-host:$_RELEASE_VERSION | |
docker tag $_AZ_REGISTRY/self-host:beta $_AZ_REGISTRY/self-host:latest | |
fi | |
- name: Push version and latest image | |
if: ${{ github.event.inputs.release_type != 'Dry Run' }} | |
run: | | |
docker push $_AZ_REGISTRY/self-host:$_RELEASE_VERSION | |
docker push $_AZ_REGISTRY/self-host:latest | |
- name: Log out of Docker | |
run: docker logout |