Revert workflow changes (#12376)

* Revert "fix: target workflows not triggering on pull_request_target (#12370)" This reverts commit 645d36f465. * Revert "[PM-15126] Tighten scope of our client build pipelines to remove reliance on secrets (#12243)" This reverts commit f8c33ea04b.
2025-12-30 23:23:52 +00:00 · 2024-12-12 12:22:55 -05:00
parent 3ce89f9945
commit 7c8b9db58f
10 changed files with 43 additions and 269 deletions
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -1,7 +1,7 @@
 name: Build Web

 on:
-  pull_request:
+  pull_request_target:
    types: [opened, synchronize]
    branches-ignore:
      - 'l10n_master'
@@ -27,8 +27,6 @@ on:
      - '.github/workflows/build-web.yml'
  release:
    types: [published]
-  workflow_call:
-    inputs: {}
  workflow_dispatch:
    inputs:
      custom_tag_extension:
@@ -43,13 +41,18 @@ env:
  _AZ_REGISTRY: bitwardenprod.azurecr.io

 jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
  setup:
    name: Setup
    runs-on: ubuntu-22.04
+    needs:
+      - check-run
    outputs:
      version: ${{ steps.version.outputs.value }}
      node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
-      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
    steps:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -67,14 +70,6 @@ jobs:
          NODE_VERSION=${NODE_NVMRC/v/''}
          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT

-      - name: Check secrets
-        id: check-secrets
-        env:
-          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-        run: |
-          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
-
  build-artifacts:
    name: Build artifacts
    runs-on: ubuntu-22.04
@@ -133,7 +128,7 @@ jobs:
        run: npm ci

      - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' }}
        uses: bitwarden/gh-actions/download-artifacts@main
        with:
          github_token: ${{secrets.GITHUB_TOKEN}}
@@ -146,7 +141,7 @@ jobs:
          if_no_artifact_found: fail

      - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
+        if: ${{ inputs.sdk_branch != '' }}
        working-directory: ./
        run: |
          ls -l ../
@@ -215,23 +210,19 @@ jobs:

      ########## ACRs ##########
      - name: Login to Prod Azure
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Log into Prod container registry
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        run: az acr login -n bitwardenprod

      - name: Login to Azure - CI Subscription
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
@@ -279,7 +270,6 @@ jobs:
        run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT

      - name: Build Docker image
-        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          context: apps/web