From 8beb1c6ab05f6c298d77e8345eded95be3ad27b8 Mon Sep 17 00:00:00 2001 From: Matt Andreko Date: Tue, 21 Oct 2025 13:13:45 -0400 Subject: [PATCH] Clean up workflow files from Zizmor output (#16690) --- .../workflows/alert-ddg-files-modified.yml | 5 +- .github/workflows/auto-branch-updater.yml | 11 +- .github/workflows/build-browser.yml | 62 +++-- .github/workflows/build-cli.yml | 76 ++++-- .github/workflows/build-desktop.yml | 243 ++++++++++-------- .github/workflows/build-web.yml | 59 +++-- .github/workflows/chromatic.yml | 3 +- .github/workflows/crowdin-pull.yml | 1 + .github/workflows/deploy-web.yml | 130 +++++----- .github/workflows/lint-crowdin-config.yml | 1 + .github/workflows/lint.yml | 6 +- .github/workflows/locales-lint.yml | 6 +- .github/workflows/nx.yml | 3 +- .github/workflows/publish-cli.yml | 28 +- .github/workflows/publish-desktop.yml | 72 ++++-- .github/workflows/publish-web.yml | 32 ++- .github/workflows/release-browser.yml | 22 +- .github/workflows/release-cli.yml | 2 + .github/workflows/release-desktop.yml | 14 +- .github/workflows/release-web.yml | 8 +- .github/workflows/repository-management.yml | 100 +++---- .../retrieve-current-desktop-rollout.yml | 4 +- .github/workflows/staged-rollout-desktop.yml | 12 +- .../workflows/test-browser-interactions.yml | 1 + .github/workflows/test.yml | 10 +- .github/workflows/version-auto-bump.yml | 7 +- 26 files changed, 536 insertions(+), 382 deletions(-) diff --git a/.github/workflows/alert-ddg-files-modified.yml b/.github/workflows/alert-ddg-files-modified.yml index d799cc2e248..84cd67ecd5b 100644 --- a/.github/workflows/alert-ddg-files-modified.yml +++ b/.github/workflows/alert-ddg-files-modified.yml @@ -17,6 +17,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Get changed files id: changed-files 
@@ -68,9 +69,11 @@ jobs: - name: Comment on PR if monitored files changed if: steps.changed-files.outputs.monitored == 'true' uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + _MONITORED_FILES: ${{ steps.changed-files.outputs.monitored_files }} with: script: | - const changedFiles = `${{ steps.changed-files.outputs.monitored_files }}`.split(' ').filter(file => file.trim() !== ''); + const changedFiles = `$_MONITORED_FILES`.split(' ').filter(file => file.trim() !== ''); const message = ` ⚠️🦆 **DuckDuckGo Integration files have been modified in this PR:** diff --git a/.github/workflows/auto-branch-updater.yml b/.github/workflows/auto-branch-updater.yml index 3f67388fd0c..ceebfb7e466 100644 --- a/.github/workflows/auto-branch-updater.yml +++ b/.github/workflows/auto-branch-updater.yml @@ -27,17 +27,20 @@ jobs: steps: - name: Setup id: setup - run: echo "branch=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT + run: echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT" - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: 'eu-web-${{ steps.setup.outputs.branch }}' fetch-depth: 0 + persist-credentials: true - name: Merge ${{ steps.setup.outputs.branch }} + env: + _BRANCH: ${{ steps.setup.outputs.branch }} run: | - git config --local user.email "${{ env._BOT_EMAIL }}" - git config --local user.name "${{ env._BOT_NAME }}" - git merge origin/${{ steps.setup.outputs.branch }} + git config --local user.email "$_BOT_EMAIL" + git config --local user.name "$_BOT_NAME" + git merge "origin/$_BRANCH" git push diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml index bece680b9d0..e3a49e414f9 100644 --- a/.github/workflows/build-browser.yml +++ b/.github/workflows/build-browser.yml 
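Review bot: The new `const changedFiles = `$_MONITORED_FILES`.split(' ')...` line in the github-script step no longer reads the step output at all: the script is JavaScript, so `$_MONITORED_FILES` inside a template literal is literal text, not an environment-variable expansion, and the PR comment would list `$_MONITORED_FILES` as the modified file. Passing the value through `env:` is the right move, but it has to be read with `process.env`: `const changedFiles = (process.env._MONITORED_FILES || '').split(' ').filter(file => file.trim() !== '');`. The `|| ''` also keeps the step from throwing if the output is ever unset. The script body continues past the hunk.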
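Review bot: `persist-credentials: true` on this checkout is deliberate — the merge step two lines below runs `git push` with the checkout token — but nothing on the page says so, and every other checkout in this commit switches to `false`, so a future cleanup is likely to flip it. A one-line comment would pin the reason: `persist-credentials: true # the merge step below pushes with the checkout token`. The new `_BRANCH` value is derived from `GITHUB_REF` in the Setup step, so `git merge "origin/$_BRANCH"` is fed only runner-supplied data.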
@@ -58,15 +58,16 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Get Package Version id: gen_vars run: | - repo_url=https://github.com/$GITHUB_REPOSITORY.git + repo_url="https://github.com/$GITHUB_REPOSITORY.git" adj_build_num=${GITHUB_SHA:0:7} - echo "repo_url=$repo_url" >> $GITHUB_OUTPUT - echo "adj_build_number=$adj_build_num" >> $GITHUB_OUTPUT + echo "repo_url=$repo_url" >> "$GITHUB_OUTPUT" + echo "adj_build_number=$adj_build_num" >> "$GITHUB_OUTPUT" - name: Get Node Version id: retrieve-node-version @@ -74,13 +75,13 @@ jobs: run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Check secrets id: check-secrets run: | has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} - echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT + echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT" locales-test: @@ -96,6 +97,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Testing locales - extName length run: | @@ -105,12 +107,14 @@ jobs: echo "============" echo "extName string must be 40 characters or less" echo - for locale in $(ls src/_locales/); do - string_length=$(jq '.extName.message | length' src/_locales/$locale/messages.json) - if [[ $string_length -gt 40 ]]; then - echo "$locale: $string_length" - found_error=true - fi + + for locale_path in src/_locales/*/messages.json; do + locale=$(basename "$(dirname "$locale_path")") + string_length=$(jq '.extName.message | length' "$locale_path") + if [ "$string_length" -gt 40 ]; then + echo "$locale: $string_length" + found_error=true + fi done if $found_error; then 
@@ -145,6 +149,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 @@ -246,6 +251,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 @@ -301,13 +307,13 @@ jobs: TARGET_DIR='./browser-source/apps/browser' while IFS=' ' read -r RESULT; do FILES+=("$RESULT") - done < <(find $TARGET_DIR -size +5M) + done < <(find "$TARGET_DIR" -size +5M) # Validate results and provide messaging if [[ ${#FILES[@]} -ne 0 ]]; then echo "File(s) exceeds size limit: 5MB" - for FILE in ${FILES[@]}; do - echo "- $(du --si $FILE)" + for FILE in "${FILES[@]}"; do + echo "- $(du --si "$FILE")" done echo "ERROR Firefox rejects extension uploads that contain files larger than 5MB" # Invoke failure @@ -357,6 +363,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 
@@ -389,34 +396,34 @@ jobs: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: profiles run: | - mkdir -p $HOME/secrets + mkdir -p "$HOME/secrets" - az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name bitwarden_desktop_appstore.provisionprofile \ - --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --file "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ --output none - name: Get certificates run: | - mkdir -p $HOME/certificates + mkdir -p "$HOME/certificates" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | - jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + jq -r .value | base64 -d > "$HOME/certificates/bitwarden-desktop-key.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | - jq -r .value | base64 -d > 
$HOME/certificates/macdev-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/macdev-cert.p12" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main @@ -425,9 +432,9 @@ jobs: env: KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | - security create-keychain -p $KEYCHAIN_PASSWORD build.keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security default-keychain -s build.keychain - security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain + security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 1200 build.keychain security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ @@ -448,7 +455,7 @@ jobs: security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain - name: NPM setup run: npm ci @@ -507,6 +514,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index d1df280f764..839181c6107 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -62,26 +62,27 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Get Package Version id: retrieve-package-version run: | PKG_VERSION=$(jq -r .version package.json) - echo "package_version=$PKG_VERSION" >> $GITHUB_OUTPUT + echo "package_version=$PKG_VERSION" >> "$GITHUB_OUTPUT" - name: Get Node Version id: retrieve-node-version working-directory: ./ run: | NODE_NVMRC=$(cat .nvmrc) - NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + NODE_VERSION="${NODE_NVMRC/v/''}" + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Check secrets id: check-secrets run: | has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} - echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT + echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT" cli: @@ -116,12 +117,17 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Setup Unix Vars run: | - echo "LOWER_RUNNER_OS=$(echo $RUNNER_OS | awk '{print tolower($0)}')" >> $GITHUB_ENV - echo "SHORT_RUNNER_OS=$(echo $RUNNER_OS | awk '{print substr($0, 1, 3)}' | \ - awk '{print tolower($0)}')" >> $GITHUB_ENV + LOWER_RUNNER_OS="$(printf '%s' "$RUNNER_OS" | awk '{print tolower($0)}')" + SHORT_RUNNER_OS="$(printf '%s' "$RUNNER_OS" | awk '{print substr($0, 1, 3)}' | awk '{print tolower($0)}')" + + { + echo "LOWER_RUNNER_OS=$LOWER_RUNNER_OS" + echo "SHORT_RUNNER_OS=$SHORT_RUNNER_OS" + } >> "$GITHUB_ENV" - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 
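Review bot: `NODE_VERSION="${NODE_NVMRC/v/''}"` in the Get Node Version step relies on bash performing quote removal on the replacement string inside a double-quoted substitution; bash 4.3 and later do, but older bash releases and the `compat42` mode keep the two quote characters, yielding `''20` instead of `20`. The intent is to strip a leading `v`, which has a portable form that needs no quotes at all: `NODE_VERSION="${NODE_NVMRC#v}"`. build-browser.yml and build-desktop.yml keep the unquoted `${NODE_NVMRC/v/''}` in their copies of this step, so the three files now differ on a line that should be identical.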
@@ -155,7 +161,9 @@ jobs: npm link ../sdk-internal - name: Build & Package Unix - run: npm run dist:${{ matrix.license_type.build_prefix }}:${{ env.SHORT_RUNNER_OS }}${{ matrix.os.target_suffix }} --quiet + env: + _SHORT_RUNNER_OS: ${{ env.SHORT_RUNNER_OS }} + run: npm run "dist:${{ matrix.license_type.build_prefix }}:$_SHORT_RUNNER_OS${{ matrix.os.target_suffix }}" --quiet - name: Login to Azure if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} @@ -168,10 +176,10 @@ jobs: - name: Get certificates if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} run: | - mkdir -p $HOME/certificates + mkdir -p "$HOME/certificates" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-app-cert.p12" - name: Get Azure Key Vault secrets id: get-kv-secrets 
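Review bot: `_SHORT_RUNNER_OS: ${{ env.SHORT_RUNNER_OS }}` copies a variable that already reaches the shell — the Setup Unix Vars step wrote `SHORT_RUNNER_OS` to `$GITHUB_ENV`, so every later step has it in its process environment — and the run line could simply be `run: npm run "dist:${{ matrix.license_type.build_prefix }}:$SHORT_RUNNER_OS${{ matrix.os.target_suffix }}" --quiet`. The same indirection appears with `_LOWER_RUNNER_OS` in the Sign binary, Zip Unix, Notarize app and Version Test steps, and `_PACKAGE_VERSION: ${{ env._PACKAGE_VERSION }}` in the Zip Unix, Version Test, Package Chocolatey, Zip NPM Build Artifact, Print environment and Setup Snap Package steps assigns a variable to itself. If the extra `env:` entries are kept deliberately so that every `run:` reads only step-level variables, a short comment on the first one saying so would stop readers from taking them for renames. The remaining `${{ matrix.* }}` interpolations are static values from the workflow's own matrix and are not a concern.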
@@ -189,33 +197,39 @@ jobs: env: KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | - security create-keychain -p $KEYCHAIN_PASSWORD build.keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security default-keychain -s build.keychain - security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain + security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 1200 build.keychain security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain - name: Sign binary if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} env: MACOS_CERTIFICATE_NAME: "Developer ID Application: 8bit Solutions LLC" - run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --entitlements ./entitlements.plist --timestamp ./dist/${{ matrix.license_type.build_prefix }}/${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}/bw + _LOWER_RUNNER_OS: ${{ env.LOWER_RUNNER_OS }} + run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --entitlements ./entitlements.plist --timestamp "./dist/${{ matrix.license_type.build_prefix }}/$_LOWER_RUNNER_OS${{ matrix.os.target_suffix }}/bw" - name: Zip Unix + env: + _LOWER_RUNNER_OS: ${{ env.LOWER_RUNNER_OS }} + _PACKAGE_VERSION: ${{ env._PACKAGE_VERSION }} run: | - cd ./dist/${{ matrix.license_type.build_prefix }}/${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }} - zip ../../bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip ./bw + cd "./dist/${{ matrix.license_type.build_prefix }}/$_LOWER_RUNNER_OS${{ 
matrix.os.target_suffix }}" + zip "../../bw${{ matrix.license_type.artifact_prefix }}-$_LOWER_RUNNER_OS${{ matrix.os.target_suffix }}-$_PACKAGE_VERSION.zip" ./bw - name: Set up private auth key if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} + env: + _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + $_APP_STORE_CONNECT_AUTH_KEY EOF - name: Notarize app 
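Review bot: The Set up private auth key step now writes the App Store Connect key via `$_APP_STORE_CONNECT_AUTH_KEY` instead of expanding the secret into the script text, which is the right direction, but the `.p8` file is still created under the runner's default umask and so is readable by any other process running as that user. Creating it with restrictive permissions is a one-line change: `(umask 077 && mkdir -p ~/private_keys && printf '%s\n' "$_APP_STORE_CONNECT_AUTH_KEY" > ~/private_keys/AuthKey_6TV9MKN3GP.p8)`. Because the heredoc delimiter is unquoted, a key containing `$` or backticks would also be expanded; `printf '%s\n'` avoids that as well.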
@@ -224,22 +238,26 @@ jobs: APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 + _LOWER_RUNNER_OS: ${{ env.LOWER_RUNNER_OS }} run: | echo "Create keychain profile" xcrun notarytool store-credentials "notarytool-profile" --key-id "$APP_STORE_CONNECT_AUTH_KEY" --key "$APP_STORE_CONNECT_AUTH_KEY_PATH" --issuer "$APP_STORE_CONNECT_TEAM_ISSUER" - codesign --sign "Developer ID Application: 8bit Solutions LLC" --verbose=3 --force --options=runtime --timestamp ./dist/bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip + codesign --sign "Developer ID Application: 8bit Solutions LLC" --verbose=3 --force --options=runtime --timestamp "./dist/bw${{ matrix.license_type.artifact_prefix }}-$_LOWER_RUNNER_OS${{ matrix.os.target_suffix }}-$_PACKAGE_VERSION.zip" echo "Notarize app" - xcrun notarytool submit ./dist/bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait + xcrun notarytool submit "./dist/bw${{ matrix.license_type.artifact_prefix }}-$_LOWER_RUNNER_OS${{ matrix.os.target_suffix }}-$_PACKAGE_VERSION.zip" --keychain-profile "notarytool-profile" --wait - name: Version Test + env: + _PACKAGE_VERSION: ${{ env._PACKAGE_VERSION }} + _LOWER_RUNNER_OS: ${{ env.LOWER_RUNNER_OS }} run: | - unzip "./dist/bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip" -d "./test" + unzip "./dist/bw${{ matrix.license_type.artifact_prefix }}-$_LOWER_RUNNER_OS${{ matrix.os.target_suffix }}-$_PACKAGE_VERSION.zip" -d "./test" testVersion=$(./test/bw -v) echo "version: $_PACKAGE_VERSION" echo "testVersion: $testVersion" - if [[ $testVersion != $_PACKAGE_VERSION 
]]; then + if [[ $testVersion != "$_PACKAGE_VERSION" ]]; then echo "Version test failed." exit 1 fi @@ -291,6 +309,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Install AST run: dotnet tool install --global AzureSignTool --version 4.0.1 @@ -429,11 +448,13 @@ jobs: - name: Package Chocolatey shell: pwsh if: ${{ matrix.license_type.build_prefix == 'bit' }} + env: + _PACKAGE_VERSION: ${{ env._PACKAGE_VERSION }} run: | Copy-Item -Path stores/chocolatey -Destination dist/chocolatey -Recurse Copy-Item dist/${{ matrix.license_type.build_prefix }}/windows/bw.exe -Destination dist/chocolatey/tools Copy-Item ${{ github.workspace }}/LICENSE.txt -Destination dist/chocolatey/tools - choco pack dist/chocolatey/bitwarden-cli.nuspec --version ${{ env._PACKAGE_VERSION }} --out dist/chocolatey + choco pack dist/chocolatey/bitwarden-cli.nuspec --version "$env:_PACKAGE_VERSION" --out dist/chocolatey - name: Zip Windows shell: cmd @@ -466,7 +487,9 @@ jobs: if-no-files-found: error - name: Zip NPM Build Artifact - run: Get-ChildItem -Path .\build | Compress-Archive -DestinationPath .\bitwarden-cli-${{ env._PACKAGE_VERSION }}-npm-build.zip + env: + _PACKAGE_VERSION: ${{ env._PACKAGE_VERSION }} + run: Get-ChildItem -Path .\build | Compress-Archive -DestinationPath ".\bitwarden-cli-${env:_PACKAGE_VERSION}-npm-build.zip" - name: Upload NPM Build Directory asset if: matrix.license_type.build_prefix == 'bit' @@ -490,8 +513,11 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Print environment + env: + _PACKAGE_VERSION: ${{ env._PACKAGE_VERSION }} run: | whoami echo "GitHub ref: $GITHUB_REF" 
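Review bot: In the Package Chocolatey step, `Copy-Item ${{ github.workspace }}/LICENSE.txt -Destination dist/chocolatey/tools` still interpolates a context value into the pwsh script while the `choco pack` line in the same step was just moved to `$env:_PACKAGE_VERSION`; the runner exports the workspace path too, so `Copy-Item "$env:GITHUB_WORKSPACE/LICENSE.txt" -Destination dist/chocolatey/tools` keeps the step to one mechanism and also quotes a path that could contain spaces. `${{ matrix.license_type.build_prefix }}` is a static matrix value and can stay as it is.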
@@ -505,9 +531,11 @@ jobs: path: apps/cli/dist/snap - name: Setup Snap Package + env: + _PACKAGE_VERSION: ${{ env._PACKAGE_VERSION }} run: | cp -r stores/snap/* -t dist/snap - sed -i s/__version__/${{ env._PACKAGE_VERSION }}/g dist/snap/snapcraft.yaml + sed -i "s/__version__/$_PACKAGE_VERSION/g" "dist/snap/snapcraft.yaml" cd dist/snap ls -alth diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml index 8ba5f981453..51a0938552c 100644 --- a/.github/workflows/build-desktop.yml +++ b/.github/workflows/build-desktop.yml @@ -58,6 +58,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Verify run: | 
@@ -90,35 +91,38 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: true - name: Get Package Version id: retrieve-version run: | PKG_VERSION=$(jq -r .version src/package.json) echo "Setting version number to $PKG_VERSION" - echo "package_version=$PKG_VERSION" >> $GITHUB_OUTPUT + echo "package_version=$PKG_VERSION" >> "$GITHUB_OUTPUT" - name: Increment Version id: increment-version run: | - BUILD_NUMBER=$(expr 3000 + $GITHUB_RUN_NUMBER) + BUILD_NUMBER=$((3000 + GITHUB_RUN_NUMBER)) echo "Setting build number to $BUILD_NUMBER" - echo "build_number=$BUILD_NUMBER" >> $GITHUB_OUTPUT + echo "build_number=$BUILD_NUMBER" >> "$GITHUB_OUTPUT" - name: Get Version Channel id: release-channel + env: + _PACKAGE_VERSION: ${{ steps.retrieve-version.outputs.package_version }} run: | - case "${{ steps.retrieve-version.outputs.package_version }}" in + case "$_PACKAGE_VERSION" in *"alpha"*) - echo "channel=alpha" >> $GITHUB_OUTPUT + echo "channel=alpha" >> "$GITHUB_OUTPUT" echo "[!] We do not yet support 'alpha'" exit 1 ;; *"beta"*) - echo "channel=beta" >> $GITHUB_OUTPUT + echo "channel=beta" >> "$GITHUB_OUTPUT" ;; *) - echo "channel=latest" >> $GITHUB_OUTPUT + echo "channel=latest" >> "$GITHUB_OUTPUT" ;; esac @@ -126,15 +130,15 @@ jobs: id: branch-check run: | if [[ $(git ls-remote --heads origin rc) ]]; then - echo "rc_branch_exists=1" >> $GITHUB_OUTPUT + echo "rc_branch_exists=1" >> "$GITHUB_OUTPUT" else - echo "rc_branch_exists=0" >> $GITHUB_OUTPUT + echo "rc_branch_exists=0" >> "$GITHUB_OUTPUT" fi if [[ $(git ls-remote --heads origin hotfix-rc-desktop) ]]; then - echo "hotfix_branch_exists=1" >> $GITHUB_OUTPUT + echo "hotfix_branch_exists=1" >> "$GITHUB_OUTPUT" else - echo "hotfix_branch_exists=0" >> $GITHUB_OUTPUT + echo "hotfix_branch_exists=0" >> "$GITHUB_OUTPUT" fi - name: Get Node Version 
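Review bot: `persist-credentials: true` is added to the setup job's checkout of `github.event.pull_request.head.sha`, yet no step visible on this page pushes or fetches with that token; the only later git network calls are the `git ls-remote --heads origin rc` and `git ls-remote --heads origin hotfix-rc-desktop` lines in the branch-check hunk, which need no credentials if the repository is public. If that is the whole reason, `persist-credentials: false` — as the other checkouts in this commit use — keeps the token out of `.git/config` for a PR-triggered job; if a step outside the page does need it, a comment naming it would justify the exception: `persist-credentials: true # required by <STEP NAME placeholder> below`. The rest of this hunk only quotes `$GITHUB_OUTPUT`, moves the version into `_PACKAGE_VERSION` and replaces `expr` with arithmetic expansion, which is fine.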
@@ -143,13 +147,13 @@ jobs: run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Check secrets id: check-secrets run: | has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} - echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT + echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT" linux: name: Linux Build @@ -172,6 +176,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 @@ -321,6 +326,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 @@ -427,6 +433,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 
@@ -533,21 +540,21 @@ jobs: - name: Rename appx files for store if: ${{ needs.setup.outputs.has_secrets == 'true' }} run: | - Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" ` - -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx" - Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx" ` - -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx" - Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx" ` - -Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx" + Copy-Item "./dist/Bitwarden-$env:_PACKAGE_VERSION-ia32.appx" ` + -Destination "./dist/Bitwarden-$env:_PACKAGE_VERSION-ia32-store.appx" + Copy-Item "./dist/Bitwarden-$env:_PACKAGE_VERSION-x64.appx" ` + -Destination "./dist/Bitwarden-$env:_PACKAGE_VERSION-x64-store.appx" + Copy-Item "./dist/Bitwarden-$env:_PACKAGE_VERSION-arm64.appx" ` + -Destination "./dist/Bitwarden-$env:_PACKAGE_VERSION-arm64-store.appx" - name: Package for Chocolatey if: ${{ needs.setup.outputs.has_secrets == 'true' }} run: | Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse - Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe ` + Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-$env:_PACKAGE_VERSION.exe ` -Destination ./dist/chocolatey - $checksum = checksum -t sha256 ./dist/chocolatey/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe + $checksum = checksum -t sha256 ./dist/chocolatey/Bitwarden-Installer-$env:_PACKAGE_VERSION.exe $chocoInstall = "./dist/chocolatey/tools/chocolateyinstall.ps1" (Get-Content $chocoInstall).replace('__version__', "$env:_PACKAGE_VERSION").replace('__checksum__', $checksum) | Set-Content $chocoInstall choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey 
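Review bot: The Package for Chocolatey lines `Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-$env:_PACKAGE_VERSION.exe` and `$checksum = checksum -t sha256 ./dist/chocolatey/Bitwarden-Installer-$env:_PACKAGE_VERSION.exe` leave the path as a bare word while the appx lines just above were quoted; a bare pwsh argument is split on whitespace, and how `$env:NAME` terminates inside a bare word is easier to misread than inside a quoted string. Quoting both — `Copy-Item -Path "./dist/nsis-web/Bitwarden-Installer-$env:_PACKAGE_VERSION.exe" `` and `$checksum = checksum -t sha256 "./dist/chocolatey/Bitwarden-Installer-$env:_PACKAGE_VERSION.exe"` — makes the step consistent with the appx block and the `choco pack` line. The `Rename-Item` lines in the next hunk of this file have the same shape.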
@@ -555,12 +562,12 @@ jobs: - name: Fix NSIS artifact names for auto-updater if: ${{ needs.setup.outputs.has_secrets == 'true' }} run: | - Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z ` - -NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z - Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z ` - -NewName bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z - Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z ` - -NewName bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z + Rename-Item -Path .\dist\nsis-web\Bitwarden-$env:_PACKAGE_VERSION-ia32.nsis.7z ` + -NewName bitwarden-$env:_PACKAGE_VERSION-ia32.nsis.7z + Rename-Item -Path .\dist\nsis-web\Bitwarden-$env:_PACKAGE_VERSION-x64.nsis.7z ` + -NewName bitwarden-$env:_PACKAGE_VERSION-x64.nsis.7z + Rename-Item -Path .\dist\nsis-web\Bitwarden-$env:_PACKAGE_VERSION-arm64.nsis.7z ` + -NewName bitwarden-$env:_PACKAGE_VERSION-arm64.nsis.7z - name: Upload portable exe artifact uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 @@ -573,7 +580,7 @@ jobs: if: ${{ needs.setup.outputs.has_secrets == 'true' }} uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: - name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe + name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}..exe path: apps/desktop/dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe if-no-files-found: error @@ -919,6 +926,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 
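Review bot: The artifact name on the installer upload step changes from `Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe` to `Bitwarden-Installer-${{ env._PACKAGE_VERSION }}..exe` while the `path:` line beneath it keeps the single dot; in a commit that is otherwise quoting and env cleanup this reads as a typo, and any downstream job or release workflow that downloads the artifact by name would stop matching. Unless the double dot is intended to avoid a clash with another artifact of the same name, restore `name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe`; if it is intentional, a comment saying why would keep the next cleanup from reverting it.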
@@ -974,40 +982,40 @@ jobs: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: profiles run: | - mkdir -p $HOME/secrets + mkdir -p "$HOME/secrets" - az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name bitwarden_desktop_appstore.provisionprofile \ - --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --file "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ --output none - az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name bitwarden_desktop_autofill_app_store_2024.provisionprofile \ - --file $HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile \ + --file "$HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile" \ --output none - name: Get certificates if: ${{ needs.setup.outputs.has_secrets == 'true' }} run: | - mkdir -p $HOME/certificates + mkdir -p "$HOME/certificates" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | - jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + jq -r .value | base64 -d > "$HOME/certificates/bitwarden-desktop-key.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | - jq -r .value | base64 -d > 
$HOME/certificates/devid-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | - jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/macdev-cert.p12" - name: Log out from Azure if: ${{ needs.setup.outputs.has_secrets == 'true' }} @@ -1018,9 +1026,9 @@ jobs: env: KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | - security create-keychain -p $KEYCHAIN_PASSWORD build.keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security default-keychain -s build.keychain - security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain + security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 1200 build.keychain security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ 
@@ -1041,22 +1049,22 @@ jobs: security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain - name: Set up provisioning profiles if: ${{ needs.setup.outputs.has_secrets == 'true' }} run: | - cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ - $GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile + cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ + "$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile" - mkdir -p $HOME/Library/MobileDevice/Provisioning\ Profiles - export APP_UUID=`grep UUID -A1 -a $HOME/secrets/bitwarden_desktop_appstore.provisionprofile | grep -io "[-A-Z0-9]\{36\}"` - export AUTOFILL_UUID=`grep UUID -A1 -a $HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile | grep -io "[-A-Z0-9]\{36\}"` + mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles" + APP_UUID=$(grep UUID -A1 -a "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" | grep -io "[-A-Z0-9]\{36\}") + AUTOFILL_UUID=$(grep UUID -A1 -a "$HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile" | grep -io "[-A-Z0-9]\{36\}") - cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ - $HOME/Library/MobileDevice/Provisioning\ Profiles/$APP_UUID.provisionprofile - cp $HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile \ - $HOME/Library/MobileDevice/Provisioning\ Profiles/$AUTOFILL_UUID.provisionprofile + cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ + "$HOME/Library/MobileDevice/Provisioning Profiles/$APP_UUID.provisionprofile" + cp "$HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile" \ + 
"$HOME/Library/MobileDevice/Provisioning Profiles/$AUTOFILL_UUID.provisionprofile" - name: Increment version shell: pwsh @@ -1145,6 +1153,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 
@@ -1197,39 +1206,39 @@ jobs: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: profiles run: | - mkdir -p $HOME/secrets + mkdir -p "$HOME/secrets" - az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name bitwarden_desktop_developer_id.provisionprofile \ - --file $HOME/secrets/bitwarden_desktop_developer_id.provisionprofile \ + --file "$HOME/secrets/bitwarden_desktop_developer_id.provisionprofile" \ --output none - az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name bitwarden_desktop_autofill_developer_id.provisionprofile \ - --file $HOME/secrets/bitwarden_desktop_autofill_developer_id.provisionprofile \ + --file "$HOME/secrets/bitwarden_desktop_autofill_developer_id.provisionprofile" \ --output none - name: Get certificates run: | - mkdir -p $HOME/certificates + mkdir -p "$HOME/certificates" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | - jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + jq -r .value | base64 -d > "$HOME/certificates/bitwarden-desktop-key.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + jq -r 
.value | base64 -d > "$HOME/certificates/devid-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | - jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/macdev-cert.p12" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main @@ -1238,9 +1247,9 @@ jobs: env: KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | - security create-keychain -p $KEYCHAIN_PASSWORD build.keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security default-keychain -s build.keychain - security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain + security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 1200 build.keychain security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ 
@@ -1252,21 +1261,21 @@ jobs: security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain - name: Set up provisioning profiles run: | - cp $HOME/secrets/bitwarden_desktop_developer_id.provisionprofile \ - $GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_developer_id.provisionprofile + cp "$HOME/secrets/bitwarden_desktop_developer_id.provisionprofile" \ + "$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_developer_id.provisionprofile" - mkdir -p $HOME/Library/MobileDevice/Provisioning\ Profiles - export APP_UUID=`grep UUID -A1 -a $HOME/secrets/bitwarden_desktop_developer_id.provisionprofile | grep -io "[-A-Z0-9]\{36\}"` - export AUTOFILL_UUID=`grep UUID -A1 -a $HOME/secrets/bitwarden_desktop_autofill_developer_id.provisionprofile | grep -io "[-A-Z0-9]\{36\}"` + mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles" + APP_UUID=$(grep UUID -A1 -a "$HOME/secrets/bitwarden_desktop_developer_id.provisionprofile" | grep -io "[-A-Z0-9]\{36\}") + AUTOFILL_UUID=$(grep UUID -A1 -a "$HOME/secrets/bitwarden_desktop_autofill_developer_id.provisionprofile" | grep -io "[-A-Z0-9]\{36\}") - cp $HOME/secrets/bitwarden_desktop_developer_id.provisionprofile \ - $HOME/Library/MobileDevice/Provisioning\ Profiles/$APP_UUID.provisionprofile - cp $HOME/secrets/bitwarden_desktop_autofill_developer_id.provisionprofile \ - $HOME/Library/MobileDevice/Provisioning\ Profiles/$AUTOFILL_UUID.provisionprofile + cp "$HOME/secrets/bitwarden_desktop_developer_id.provisionprofile" \ + "$HOME/Library/MobileDevice/Provisioning Profiles/$APP_UUID.provisionprofile" + cp "$HOME/secrets/bitwarden_desktop_autofill_developer_id.provisionprofile" \ + "$HOME/Library/MobileDevice/Provisioning 
Profiles/$AUTOFILL_UUID.provisionprofile" - name: Increment version shell: pwsh @@ -1327,20 +1336,22 @@ jobs: - name: Unzip Safari artifact run: | - SAFARI_DIR=$(find $GITHUB_WORKSPACE/browser-build-artifacts -name 'dist-safari-*.zip') - echo $SAFARI_DIR - unzip $SAFARI_DIR/dist-safari.zip -d $GITHUB_WORKSPACE/browser-build-artifacts + SAFARI_DIR=$(find "$GITHUB_WORKSPACE/browser-build-artifacts" -name 'dist-safari-*.zip') + echo "$SAFARI_DIR" + unzip "$SAFARI_DIR/dist-safari.zip" -d "$GITHUB_WORKSPACE/browser-build-artifacts" - name: Load Safari extension for .dmg run: | mkdir PlugIns - cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/dmg/build/Release/safari.appex PlugIns/safari.appex + cp -r "$GITHUB_WORKSPACE/browser-build-artifacts/Safari/dmg/build/Release/safari.appex" PlugIns/safari.appex - name: Set up private auth key + env: + _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + $_APP_STORE_CONNECT_AUTH_KEY EOF - name: Build application (dist) @@ -1403,6 +1414,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 
@@ -1462,39 +1474,39 @@ jobs: ACCOUNT_NAME: bitwardenci CONTAINER_NAME: profiles run: | - mkdir -p $HOME/secrets + mkdir -p "$HOME/secrets" - az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name bitwarden_desktop_appstore.provisionprofile \ - --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --file "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ --output none - az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + az storage blob download --account-name "$ACCOUNT_NAME" --container-name "$CONTAINER_NAME" \ --name bitwarden_desktop_autofill_app_store_2024.provisionprofile \ - --file $HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile \ + --file "$HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile" \ --output none - name: Get certificates run: | - mkdir -p $HOME/certificates + mkdir -p "$HOME/certificates" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | - jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + jq -r .value | base64 -d > "$HOME/certificates/bitwarden-desktop-key.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/appstore-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + jq -r .value | 
base64 -d > "$HOME/certificates/devid-app-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | - jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/devid-installer-cert.p12" az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | - jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 + jq -r .value | base64 -d > "$HOME/certificates/macdev-cert.p12" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main @@ -1503,9 +1515,9 @@ jobs: env: KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }} run: | - security create-keychain -p $KEYCHAIN_PASSWORD build.keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security default-keychain -s build.keychain - security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain + security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 1200 build.keychain security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ 
@@ -1517,21 +1529,21 @@ jobs: security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain - name: Set up provisioning profiles run: | - cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ - $GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile + cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ + "$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile" - mkdir -p $HOME/Library/MobileDevice/Provisioning\ Profiles - export APP_UUID=`grep UUID -A1 -a $HOME/secrets/bitwarden_desktop_appstore.provisionprofile | grep -io "[-A-Z0-9]\{36\}"` - export AUTOFILL_UUID=`grep UUID -A1 -a $HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile | grep -io "[-A-Z0-9]\{36\}"` + mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles" + APP_UUID=$(grep UUID -A1 -a "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" | grep -io "[-A-Z0-9]\{36\}") + AUTOFILL_UUID=$(grep UUID -A1 -a "$HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile" | grep -io "[-A-Z0-9]\{36\}") - cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ - $HOME/Library/MobileDevice/Provisioning\ Profiles/$APP_UUID.provisionprofile - cp $HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile \ - $HOME/Library/MobileDevice/Provisioning\ Profiles/$AUTOFILL_UUID.provisionprofile + cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ + "$HOME/Library/MobileDevice/Provisioning Profiles/$APP_UUID.provisionprofile" + cp "$HOME/secrets/bitwarden_desktop_autofill_app_store_2024.provisionprofile" \ + "$HOME/Library/MobileDevice/Provisioning 
Profiles/$AUTOFILL_UUID.provisionprofile" - name: Increment version shell: pwsh @@ -1593,20 +1605,22 @@ jobs: - name: Unzip Safari artifact run: | - SAFARI_DIR=$(find $GITHUB_WORKSPACE/browser-build-artifacts -name 'dist-safari-*.zip') - echo $SAFARI_DIR - unzip $SAFARI_DIR/dist-safari.zip -d $GITHUB_WORKSPACE/browser-build-artifacts + SAFARI_DIR=$(find "$GITHUB_WORKSPACE/browser-build-artifacts" -name 'dist-safari-*.zip') + echo "$SAFARI_DIR" + unzip "$SAFARI_DIR/dist-safari.zip" -d "$GITHUB_WORKSPACE/browser-build-artifacts" - name: Load Safari extension for App Store run: | mkdir PlugIns - cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/mas/build/Release/safari.appex PlugIns/safari.appex + cp -r "$GITHUB_WORKSPACE/browser-build-artifacts/Safari/mas/build/Release/safari.appex" "PlugIns/safari.appex" - name: Set up private auth key + env: + _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + $_APP_STORE_CONNECT_AUTH_KEY EOF - name: Build application for App Store @@ -1645,6 +1659,8 @@ jobs: if: | github.event_name != 'pull_request_target' && (inputs.testflight_distribute || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-desktop') + env: + _APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} run: | brew install gsed @@ -1652,7 +1668,7 @@ jobs: cat << EOF > ~/secrets/appstoreconnect-fastlane.json { - "issuer_id": "${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }}", + "issuer_id": "$_APP_STORE_CONNECT_TEAM_ISSUER", "key_id": "6TV9MKN3GP", "key": "$KEY_WITHOUT_NEWLINES" } 
@@ -1671,14 +1687,14 @@ jobs: GIT_CHANGE="$(git show -s --format=%s)" - BRANCH=$(echo $BRANCH | sed 's/refs\/heads\///') + BRANCH=$(echo "$BRANCH" | sed 's/refs\/heads\///') CHANGELOG="$BRANCH: $GIT_CHANGE" fastlane pilot upload \ --app_identifier "com.bitwarden.desktop" \ --changelog "$CHANGELOG" \ - --api_key_path $HOME/secrets/appstoreconnect-fastlane.json \ + --api_key_path "$HOME/secrets/appstoreconnect-fastlane.json" \ --pkg "$(find ./dist/mas-universal/Bitwarden*.pkg)" - name: Post message to a Slack channel @@ -1724,6 +1740,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml index d623f08ebac..6733eeca1b4 100644 --- a/.github/workflows/build-web.yml +++ b/.github/workflows/build-web.yml @@ -67,23 +67,24 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Get GitHub sha as version id: version - run: echo "value=${GITHUB_SHA:0:7}" >> $GITHUB_OUTPUT + run: echo "value=${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT" - name: Get Node Version id: retrieve-node-version run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Check secrets id: check-secrets run: | has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }} - echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT + echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT" build-containers: @@ -137,6 +138,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Get Latest Server Version id: latest-server-version 
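Review bot: `BRANCH=$(echo "$BRANCH" | sed 's/refs\/heads\///')` keeps a subshell and an escaped sed pattern for a prefix strip that bash does natively; `BRANCH="${BRANCH#refs/heads/}"` is shorter and matches the parameter-expansion style (`${GITHUB_SHA:0:7}`) the commit uses in build-web. The `run` block that sets `BRANCH` starts outside this hunk, so the variable's origin cannot be checked here.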
@@ -147,8 +149,10 @@ jobs: - name: Set Server Ref id: set-server-ref + env: + _SERVER_VERSION: ${{ steps.latest-server-version.outputs.version }} run: | - SERVER_REF="${{ steps.latest-server-version.outputs.version }}" + SERVER_REF="$_SERVER_VERSION" echo "Latest server release version: $SERVER_REF" if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then SERVER_REF="$GITHUB_REF" @@ -158,7 +162,7 @@ jobs: SERVER_REF="refs/heads/main" fi echo "Server ref: $SERVER_REF" - echo "server_ref=$SERVER_REF" >> $GITHUB_OUTPUT + echo "server_ref=$SERVER_REF" >> "$GITHUB_OUTPUT" - name: Check out Server repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -166,18 +170,19 @@ jobs: path: server repository: bitwarden/server ref: ${{ steps.set-server-ref.outputs.server_ref }} + persist-credentials: false - name: Check Branch to Publish env: PUBLISH_BRANCHES: "main,rc,hotfix-rc-web" id: publish-branch-check run: | - IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES + IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES" if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then - echo "is_publish_branch=true" >> $GITHUB_ENV + echo "is_publish_branch=true" >> "$GITHUB_ENV" else - echo "is_publish_branch=false" >> $GITHUB_ENV + echo "is_publish_branch=false" >> "$GITHUB_ENV" fi - name: Add Git metadata to build version @@ -217,11 +222,13 @@ jobs: - name: Log into Prod container registry if: ${{ needs.setup.outputs.has_secrets == 'true' }} - run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} + run: az acr login -n "${_AZ_REGISTRY%.azurecr.io}" ########## Generate image tag and build Docker image ########## - name: Generate container image tag id: tag + env: + _TAG_EXTENSION: ${{ github.event.inputs.custom_tag_extension }} run: | if [[ "${GITHUB_EVENT_NAME}" == "pull_request" || "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize branch name to alphanumeric only 
@@ -231,7 +238,7 @@ jobs: if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then SANITIZED_REPO_NAME=$(echo "$_GITHUB_PR_REPO_NAME" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize repo name to alphanumeric only - IMAGE_TAG=$SANITIZED_REPO_NAME-$IMAGE_TAG # Add repo name to the tag + IMAGE_TAG="$SANITIZED_REPO_NAME-$IMAGE_TAG" # Add repo name to the tag IMAGE_TAG=${IMAGE_TAG:0:128} # Limit to 128 characters, as that's the max length for Docker image tags fi @@ -239,13 +246,13 @@ jobs: IMAGE_TAG=dev fi - TAG_EXTENSION=${{ github.event.inputs.custom_tag_extension }} + TAG_EXTENSION="$_TAG_EXTENSION" if [[ $TAG_EXTENSION ]]; then - IMAGE_TAG=$IMAGE_TAG-$TAG_EXTENSION + IMAGE_TAG="$IMAGE_TAG-$TAG_EXTENSION" fi - echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT + echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" ########## Build Image ########## - name: Generate image full name @@ -253,7 +260,7 @@ jobs: env: IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} PROJECT_NAME: ${{ matrix.image_name }} - run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT + run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> "$GITHUB_OUTPUT" - name: Build Docker image id: build-container @@ -276,7 +283,7 @@ jobs: if: ${{ needs.setup.outputs.has_secrets == 'true' }} env: IMAGE_NAME: ${{ steps.image-name.outputs.name }} - run: docker push $IMAGE_NAME + run: docker push "$IMAGE_NAME" - name: Zip project working-directory: apps/web 
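Review bot: `TAG_EXTENSION="$_TAG_EXTENSION"` is appended to `IMAGE_TAG` as-is, while the branch and repo names in the same script are sanitised with `sed "s/[^a-zA-Z0-9]/-/g"` and truncated to 128 characters; an extension containing characters outside the Docker tag character set, or one that pushes the tag past 128 characters, will only fail at `docker push`. It is a `workflow_dispatch` input, so the exposure is to operator typos rather than untrusted input, but validating it before use, e.g. `if [[ $TAG_EXTENSION ]] && [[ ! "$TAG_EXTENSION" =~ ^[A-Za-z0-9_.-]+$ ]]; then echo "invalid custom_tag_extension" >&2; exit 1; fi`, gives a clear error at tag-generation time.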
@@ -284,10 +291,10 @@ jobs: IMAGE_NAME: ${{ steps.image-name.outputs.name }} run: | mkdir build - docker run --rm --volume $(pwd)/build:/temp --entrypoint sh \ - $IMAGE_NAME -c "cp -r ./ /temp" + docker run --rm --volume "$(pwd)/build":/temp --entrypoint sh \ + "$IMAGE_NAME" -c "cp -r ./ /temp" - zip -r web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip build + zip -r web-$_VERSION-${{ matrix.artifact_name }}.zip build - name: Upload ${{ matrix.artifact_name }} artifact uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 @@ -306,12 +313,13 @@ jobs: DIGEST: ${{ steps.build-container.outputs.digest }} TAGS: ${{ steps.image-name.outputs.name }} run: | - IFS="," read -a tags <<< "${TAGS}" - images="" - for tag in "${tags[@]}"; do - images+="${tag}@${DIGEST} " + IFS=',' read -r -a tags_array <<< "${TAGS}" + images=() + for tag in "${tags_array[@]}"; do + images+=("${tag}@${DIGEST}") done - cosign sign --yes ${images} + cosign sign --yes "${images[@]}" + echo "images=${images[*]}" >> "$GITHUB_OUTPUT" - name: Scan Docker image if: ${{ needs.setup.outputs.has_secrets == 'true' }} @@ -324,14 +332,14 @@ jobs: - name: Upload Grype results to GitHub if: ${{ needs.setup.outputs.has_secrets == 'true' }} - uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2 + uses: github/codeql-action/upload-sarif@573acd9552f33577783abde4acb66a1058e762e5 # codeql-bundle-v2.23.1 with: sarif_file: ${{ steps.container-scan.outputs.sarif }} sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} - name: Log out of Docker - run: docker logout $_AZ_REGISTRY + run: docker logout "$_AZ_REGISTRY" - name: Log out from Azure if: ${{ needs.setup.outputs.has_secrets == 'true' }} 
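Review bot: `zip -r web-$_VERSION-${{ matrix.artifact_name }}.zip build` leaves `$_VERSION` unquoted in a hunk whose purpose is to quote expansions; for consistency with the rest of the commit write `zip -r "web-$_VERSION-${{ matrix.artifact_name }}.zip" build`. The `matrix.artifact_name` expression is a fixed matrix value, so leaving it inline is harmless, but quoting the whole argument keeps the intent uniform.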
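Review bot: The new `echo "images=${images[*]}" >> "$GITHUB_OUTPUT"` only reaches other steps if this step carries an `id:`, and the step header is outside the hunk (the hunk starts at the `env:` block), so that cannot be confirmed here; if no `id:` exists the output is silently discarded. If the output is not consumed anywhere, it would be cleaner to drop the line than to leave an unused output. Note also that `${images[*]}` joins with a space, since the `IFS=','` on the `read` line is scoped to that command only.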
@@ -352,6 +360,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.head.sha }} + persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main diff --git a/.github/workflows/chromatic.yml b/.github/workflows/chromatic.yml index 2b7b6394f24..133f5b730b8 100644 --- a/.github/workflows/chromatic.yml +++ b/.github/workflows/chromatic.yml @@ -35,6 +35,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 + persist-credentials: false - name: Get changed files id: get-changed-files-for-chromatic @@ -54,7 +55,7 @@ jobs: run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 diff --git a/.github/workflows/crowdin-pull.yml b/.github/workflows/crowdin-pull.yml index 0b891203855..3be294145ec 100644 --- a/.github/workflows/crowdin-pull.yml +++ b/.github/workflows/crowdin-pull.yml @@ -59,6 +59,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: token: ${{ steps.app-token.outputs.token }} + persist-credentials: false - name: Download translations uses: bitwarden/gh-actions/crowdin@main diff --git a/.github/workflows/deploy-web.yml b/.github/workflows/deploy-web.yml index d3788dc77b9..26a83e89773 100644 --- a/.github/workflows/deploy-web.yml +++ b/.github/workflows/deploy-web.yml 
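Review bot: In crowdin-pull.yml the checkout now combines an explicit app `token:` with `persist-credentials: false`; if the following "Download translations" step, or any later step in this job, pushes with `git` and relies on the checkout's stored credential, it will lose its authentication after this change. The steps after the checkout are not visible in the hunk, so this is a question rather than a confirmed break: if a push happens via git, either keep `persist-credentials: true` for this job (as the commit does for the auto-branch-updater job) or pass the token explicitly to the pushing step.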
@@ -74,56 +74,58 @@ jobs: steps: - name: Configure id: config + env: + _ENVIRONMENT: ${{ inputs.environment }} run: | - ENV_NAME_LOWER=$(echo "${{ inputs.environment }}" | awk '{print tolower($0)}') - echo "configuring the Web deploy for ${{ inputs.environment }}" - echo "environment=${{ inputs.environment }}" >> $GITHUB_OUTPUT + ENV_NAME_LOWER=$(echo "$_ENVIRONMENT" | awk '{print tolower($0)}') + echo "configuring the Web deploy for _ENVIRONMENT" + echo "environment=$_ENVIRONMENT" >> "$GITHUB_OUTPUT" - case ${{ inputs.environment }} in + case $_ENVIRONMENT in "USQA") - echo "azure_login_client_key_name=AZURE_CLIENT_ID_USQA" >> $GITHUB_OUTPUT - echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USQA" >> $GITHUB_OUTPUT - echo "retrieve_secrets_keyvault=bw-webvault-rlktusqa-kv" >> $GITHUB_OUTPUT - echo "environment_artifact=web-*-cloud-QA.zip" >> $GITHUB_OUTPUT - echo "environment_name=Web Vault - US QA Cloud" >> $GITHUB_OUTPUT - echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT - echo "slack_channel_name=alerts-deploy-qa" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_USQA" >> "$GITHUB_OUTPUT" + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USQA" >> "$GITHUB_OUTPUT" + echo "retrieve_secrets_keyvault=bw-webvault-rlktusqa-kv" >> "$GITHUB_OUTPUT" + echo "environment_artifact=web-*-cloud-QA.zip" >> "$GITHUB_OUTPUT" + echo "environment_name=Web Vault - US QA Cloud" >> "$GITHUB_OUTPUT" + echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> "$GITHUB_OUTPUT" + echo "slack_channel_name=alerts-deploy-qa" >> "$GITHUB_OUTPUT" ;; "EUQA") - echo "azure_login_client_key_name=AZURE_CLIENT_ID_EUQA" >> $GITHUB_OUTPUT - echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_EUQA" >> $GITHUB_OUTPUT - echo "retrieve_secrets_keyvault=webvaulteu-westeurope-qa" >> $GITHUB_OUTPUT - echo "environment_artifact=web-*-cloud-euqa.zip" >> $GITHUB_OUTPUT - echo "environment_name=Web 
Vault - EU QA Cloud" >> $GITHUB_OUTPUT - echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT - echo "slack_channel_name=alerts-deploy-qa" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_EUQA" >> "$GITHUB_OUTPUT" + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_EUQA" >> "$GITHUB_OUTPUT" + echo "retrieve_secrets_keyvault=webvaulteu-westeurope-qa" >> "$GITHUB_OUTPUT" + echo "environment_artifact=web-*-cloud-euqa.zip" >> "$GITHUB_OUTPUT" + echo "environment_name=Web Vault - EU QA Cloud" >> "$GITHUB_OUTPUT" + echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> "$GITHUB_OUTPUT" + echo "slack_channel_name=alerts-deploy-qa" >> "$GITHUB_OUTPUT" ;; "USPROD") - echo "azure_login_client_key_name=AZURE_CLIENT_ID_USPROD" >> $GITHUB_OUTPUT - echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USPROD" >> $GITHUB_OUTPUT - echo "retrieve_secrets_keyvault=bw-webvault-klrt-kv" >> $GITHUB_OUTPUT - echo "environment_artifact=web-*-cloud-COMMERCIAL.zip" >> $GITHUB_OUTPUT - echo "environment_name=Web Vault - US Production Cloud" >> $GITHUB_OUTPUT - echo "environment_url=http://vault.bitwarden.com" >> $GITHUB_OUTPUT - echo "slack_channel_name=alerts-deploy-prd" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_USPROD" >> "$GITHUB_OUTPUT" + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USPROD" >> "$GITHUB_OUTPUT" + echo "retrieve_secrets_keyvault=bw-webvault-klrt-kv" >> "$GITHUB_OUTPUT" + echo "environment_artifact=web-*-cloud-COMMERCIAL.zip" >> "$GITHUB_OUTPUT" + echo "environment_name=Web Vault - US Production Cloud" >> "$GITHUB_OUTPUT" + echo "environment_url=http://vault.bitwarden.com" >> "$GITHUB_OUTPUT" + echo "slack_channel_name=alerts-deploy-prd" >> "$GITHUB_OUTPUT" ;; "EUPROD") - echo "azure_login_client_key_name=AZURE_CLIENT_ID_EUPROD" >> $GITHUB_OUTPUT - echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_EUPROD" >> $GITHUB_OUTPUT 
- echo "retrieve_secrets_keyvault=webvault-westeurope-prod" >> $GITHUB_OUTPUT - echo "environment_artifact=web-*-cloud-euprd.zip" >> $GITHUB_OUTPUT - echo "environment_name=Web Vault - EU Production Cloud" >> $GITHUB_OUTPUT - echo "environment_url=http://vault.bitwarden.eu" >> $GITHUB_OUTPUT - echo "slack_channel_name=alerts-deploy-prd" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_EUPROD" >> "$GITHUB_OUTPUT" + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_EUPROD" >> "$GITHUB_OUTPUT" + echo "retrieve_secrets_keyvault=webvault-westeurope-prod" >> "$GITHUB_OUTPUT" + echo "environment_artifact=web-*-cloud-euprd.zip" >> "$GITHUB_OUTPUT" + echo "environment_name=Web Vault - EU Production Cloud" >> "$GITHUB_OUTPUT" + echo "environment_url=http://vault.bitwarden.eu" >> "$GITHUB_OUTPUT" + echo "slack_channel_name=alerts-deploy-prd" >> "$GITHUB_OUTPUT" ;; "USDEV") - echo "azure_login_client_key_name=AZURE_CLIENT_ID_USDEV" >> $GITHUB_OUTPUT - echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USDEV" >> $GITHUB_OUTPUT - echo "retrieve_secrets_keyvault=webvault-eastus-dev" >> $GITHUB_OUTPUT - echo "environment_artifact=web-*-cloud-usdev.zip" >> $GITHUB_OUTPUT - echo "environment_name=Web Vault - US Development Cloud" >> $GITHUB_OUTPUT - echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> $GITHUB_OUTPUT - echo "slack_channel_name=alerts-deploy-dev" >> $GITHUB_OUTPUT + echo "azure_login_client_key_name=AZURE_CLIENT_ID_USDEV" >> "$GITHUB_OUTPUT" + echo "azure_login_subscription_id_key_name=AZURE_SUBSCRIPTION_ID_USDEV" >> "$GITHUB_OUTPUT" + echo "retrieve_secrets_keyvault=webvault-eastus-dev" >> "$GITHUB_OUTPUT" + echo "environment_artifact=web-*-cloud-usdev.zip" >> "$GITHUB_OUTPUT" + echo "environment_name=Web Vault - US Development Cloud" >> "$GITHUB_OUTPUT" + echo "environment_url=http://vault.$ENV_NAME_LOWER.bitwarden.pw" >> "$GITHUB_OUTPUT" + echo "slack_channel_name=alerts-deploy-dev" >> 
"$GITHUB_OUTPUT" ;; esac @@ -131,12 +133,14 @@ jobs: env: BUILD_WEB_RUN_ID: ${{ inputs.build-web-run-id }} GH_TOKEN: ${{ github.token }} + _ENVIRONMENT: ${{ inputs.environment }} + _BRANCH_OR_TAG: ${{ inputs.branch-or-tag }} run: | BRANCH_OR_TAG_LOWER="" if [[ "$BUILD_WEB_RUN_ID" == "" ]]; then - BRANCH_OR_TAG_LOWER=$(echo ${{ inputs.branch-or-tag }} | awk '{print tolower($0)}') + BRANCH_OR_TAG_LOWER=$(echo "$_BRANCH_OR_TAG" | awk '{print tolower($0)}') else - BRANCH_OR_TAG_LOWER=$(gh api /repos/bitwarden/clients/actions/runs/$BUILD_WEB_RUN_ID/artifacts --jq '.artifacts[0].workflow_run.head_branch' | awk '{print tolower($0)}') + BRANCH_OR_TAG_LOWER=$(gh api "/repos/bitwarden/clients/actions/runs/$BUILD_WEB_RUN_ID/artifacts" --jq '.artifacts[0].workflow_run.head_branch' | awk '{print tolower($0)}') fi echo "Branch/Tag: $BRANCH_OR_TAG_LOWER" 
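Review bot: `echo "configuring the Web deploy for _ENVIRONMENT"` dropped the `$` when the inline expression was replaced, so the log line now prints the literal text `_ENVIRONMENT` instead of the environment name; it should read `echo "configuring the Web deploy for $_ENVIRONMENT"`. The other uses in the same step (`environment=$_ENVIRONMENT` and `case $_ENVIRONMENT in`) are correct.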
@@ -151,23 +155,23 @@ jobs: DEV_ALLOWED_TAGS_PATTERN='main' if [[ \ - ${{ inputs.environment }} =~ \.*($PROD_ENV_PATTERN)\.* && \ + $_ENVIRONMENT =~ \.*($PROD_ENV_PATTERN)\.* && \ ! "$BRANCH_OR_TAG_LOWER" =~ ^($PROD_ALLOWED_TAGS_PATTERN).* \ ]] || [[ \ - ${{ inputs.environment }} =~ \.*($QA_ENV_PATTERN)\.* && \ + $_ENVIRONMENT =~ \.*($QA_ENV_PATTERN)\.* && \ ! "$BRANCH_OR_TAG_LOWER" =~ ^($QA_ALLOWED_TAGS_PATTERN).* \ ]] || [[ \ - ${{ inputs.environment }} =~ \.*($DEV_ENV_PATTERN)\.* && \ - $BRANCH_OR_TAG_LOWER != $DEV_ALLOWED_TAGS_PATTERN \ + $_ENVIRONMENT =~ \.*($DEV_ENV_PATTERN)\.* && \ + $BRANCH_OR_TAG_LOWER != "$DEV_ALLOWED_TAGS_PATTERN" \ ]]; then echo "!Deployment blocked!" - echo "Attempting to deploy a tag that is not allowed in ${{ inputs.environment }} environment" + echo "Attempting to deploy a tag that is not allowed in $_ENVIRONMENT environment" echo - echo "Environment: ${{ inputs.environment }}" + echo "Environment: $_ENVIRONMENT" echo "Tag: $BRANCH_OR_TAG_LOWER" exit 1 else - echo "The input Branch/Tag: '$BRANCH_OR_TAG_LOWER' is allowed to deploy on ${{ inputs.environment }} environment" + echo "The input Branch/Tag: '$BRANCH_OR_TAG_LOWER' is allowed to deploy on $_ENVIRONMENT environment" fi approval: 
@@ -251,19 +255,24 @@ jobs: id: set-artifact-commit env: GH_TOKEN: ${{ github.token }} + _BUILD_WEB_RUN_ID: ${{ inputs.build-web-run-id }} + _ARTIFACT_BUILD_COMMIT: ${{ steps.download-latest-artifacts-run-id.outputs.artifact-build-commit }} + _DOWNLOAD_LATEST_ARTIFACTS_OUTCOME: ${{ steps.download-latest-artifacts.outcome }} + _WORKFLOW_ID: ${{ steps.trigger-build-web.outputs.workflow_id}} + _ARTIFACT_COMMIT: ${{ steps.download-latest-artifacts.outputs.artifact-build-commit }} run: | # If run-id was used, get the commit from the download-latest-artifacts-run-id step - if [ "${{ inputs.build-web-run-id }}" ]; then - echo "commit=${{ steps.download-latest-artifacts-run-id.outputs.artifact-build-commit }}" >> $GITHUB_OUTPUT + if [ "$_BUILD_WEB_RUN_ID" ]; then + echo "commit=$_ARTIFACT_BUILD_COMMIT" >> "$GITHUB_OUTPUT" - elif [ "${{ steps.download-latest-artifacts.outcome }}" == "failure" ]; then + elif [ "$_DOWNLOAD_LATEST_ARTIFACTS_OUTCOME" == "failure" ]; then # If the download-latest-artifacts step failed, query the GH API to get the commit SHA of the artifact that was just built with trigger-build-web. - commit=$(gh api /repos/bitwarden/clients/actions/runs/${{ steps.trigger-build-web.outputs.workflow_id }}/artifacts --jq '.artifacts[0].workflow_run.head_sha') - echo "commit=$commit" >> $GITHUB_OUTPUT + commit=$(gh api "/repos/bitwarden/clients/actions/runs/$_WORKFLOW_ID/artifacts" --jq '.artifacts[0].workflow_run.head_sha') + echo "commit=$commit" >> "$GITHUB_OUTPUT" else # Set the commit to the output of step download-latest-artifacts. - echo "commit=${{ steps.download-latest-artifacts.outputs.artifact-build-commit }}" >> $GITHUB_OUTPUT + echo "commit=$_ARTIFACT_COMMIT" >> "$GITHUB_OUTPUT" fi notify-start: 
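Review bot: `_WORKFLOW_ID: ${{ steps.trigger-build-web.outputs.workflow_id}}` is missing the space before `}}` that every other expression in this hunk has; GitHub accepts it, but in a commit whose purpose is to normalise these bindings it stands out, so write `_WORKFLOW_ID: ${{ steps.trigger-build-web.outputs.workflow_id }}`. An empty output (trigger step skipped or failed) still produces the path `/repos/bitwarden/clients/actions/runs//artifacts`, exactly as before the change; a guard before the `gh api` call, `if [ -z "$_WORKFLOW_ID" ]; then echo "trigger-build-web produced no workflow_id" >&2; exit 1; fi`, would make that failure explicit instead of an opaque API error.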
@@ -299,12 +308,14 @@ jobs: name: Display commit needs: artifact-check runs-on: ubuntu-22.04 + env: + _ARTIFACT_BUILD_COMMIT_SHA: ${{ needs.artifact-check.outputs.artifact_build_commit }} steps: - name: Display commit SHA run: | REPO_URL="https://github.com/bitwarden/clients/commit" - COMMIT_SHA="${{ needs.artifact-check.outputs.artifact_build_commit }}" - echo ":steam_locomotive: View [commit]($REPO_URL/$COMMIT_SHA)" >> $GITHUB_STEP_SUMMARY + COMMIT_SHA="$_ARTIFACT_BUILD_COMMIT_SHA" + echo ":steam_locomotive: View [commit]($REPO_URL/$COMMIT_SHA)" >> "$GITHUB_STEP_SUMMARY" azure-deploy: name: Deploy Web Vault to ${{ inputs.environment }} Storage Account @@ -358,7 +369,7 @@ jobs: - name: Unzip build asset working-directory: apps/web - run: unzip ${{ env._ENVIRONMENT_ARTIFACT }} + run: unzip "$_ENVIRONMENT_ARTIFACT" - name: Login to Azure uses: bitwarden/gh-actions/azure-login@main @@ -379,9 +390,10 @@ jobs: env: AZCOPY_AUTO_LOGIN_TYPE: AZCLI AZCOPY_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + _VAULT_NAME: ${{ steps.retrieve-secrets-azcopy.outputs.sa-bitwarden-web-vault-name }}. run: | - azcopy sync ./build 'https://${{ steps.retrieve-secrets-azcopy.outputs.sa-bitwarden-web-vault-name }}.blob.core.windows.net/$web/' \ - --delete-destination=${{ inputs.force-delete-destination }} --compare-hash="MD5" + azcopy sync ./build "https://$_VAULT_NAME.blob.core.windows.net/$web/" \ + --delete-destination="${{ inputs.force-delete-destination }}" --compare-hash="MD5" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main diff --git a/.github/workflows/lint-crowdin-config.yml b/.github/workflows/lint-crowdin-config.yml index 38a3ef59ea7..40f73f7fc5a 100644 --- a/.github/workflows/lint-crowdin-config.yml +++ b/.github/workflows/lint-crowdin-config.yml @@ -25,6 +25,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 + persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main 
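Review bot: The new `_VAULT_NAME` binding in the azcopy hunk (`@@ -379,9 +390,10 @@`) ends in a stray `.` (`...sa-bitwarden-web-vault-name }}.`), and the URL on the next line adds its own dot, so the sync target becomes `https://<name>..blob.core.windows.net/…`; drop the trailing period: `_VAULT_NAME: ${{ steps.retrieve-secrets-azcopy.outputs.sa-bitwarden-web-vault-name }}`. Moving the URL from single to double quotes also makes bash expand `$web` (almost certainly unset in the runner) to an empty string, so the `$web` static-website container is no longer named; escape it: `azcopy sync ./build "https://$_VAULT_NAME.blob.core.windows.net/\$web/" \`. Together these two slips point the sync at a host and path that differ from what the step reached before, which a dry run against a non-production environment would show immediately. `--delete-destination="${{ inputs.force-delete-destination }}"` is the one template expression this hunk leaves inline; for consistency with the rest of the commit bind it as `_FORCE_DELETE_DESTINATION: ${{ inputs.force-delete-destination }}` and use `--delete-destination="$_FORCE_DELETE_DESTINATION"`.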
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 14b5d51d9ef..0136bd2f70f 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -32,6 +32,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Lint filenames (no capital characters) run: | @@ -58,7 +60,7 @@ jobs: run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 @@ -90,6 +92,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Check Rust version run: rustup --version diff --git a/.github/workflows/locales-lint.yml b/.github/workflows/locales-lint.yml index 0c8148d4c28..26c910f955e 100644 --- a/.github/workflows/locales-lint.yml +++ b/.github/workflows/locales-lint.yml @@ -18,17 +18,19 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Checkout base branch repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ github.event.pull_request.base.sha }} path: base + persist-credentials: false - name: Install dependencies run: npm ci - name: Compare run: | - npm run test:locales - if [ $? -eq 0 ]; then + if npm run test:locales; then echo "Lint check successful." else echo "Lint check failed." diff --git a/.github/workflows/nx.yml b/.github/workflows/nx.yml index 526c2b5d864..3e14169a065 100644 --- a/.github/workflows/nx.yml +++ b/.github/workflows/nx.yml 
@@ -15,6 +15,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Get Node Version id: retrieve-node-version @@ -22,7 +23,7 @@ jobs: run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml index 1287970ccf6..9bbd982d32f 100644 --- a/.github/workflows/publish-cli.yml +++ b/.github/workflows/publish-cli.yml @@ -65,14 +65,16 @@ jobs: - name: Version output id: version-output + env: + _INPUT_VERSION: ${{ inputs.version }} run: | - if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then + if [[ "$_INPUT_VERSION" == "latest" || "$_INPUT_VERSION" == "" ]]; then VERSION=$(curl "https://api.github.com/repos/bitwarden/clients/releases" | jq -c '.[] | select(.tag_name | contains("cli")) | .tag_name' | head -1 | grep -ohE '20[0-9]{2}\.([1-9]|1[0-2])\.[0-9]+') echo "Latest Released Version: $VERSION" - echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "version=$VERSION" >> "$GITHUB_OUTPUT" else - echo "Release Version: ${{ inputs.version }}" - echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT + echo "Release Version: $_INPUT_VERSION" + echo "version=$_INPUT_VERSION" >> "$GITHUB_OUTPUT" fi - name: Create GitHub deployment @@ -100,6 +102,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main 
@@ -122,14 +126,14 @@ jobs: uses: samuelmeuli/action-snapcraft@fceeb3c308e76f3487e72ef608618de625fb7fe8 # v3.0.1 - name: Download artifacts - run: wget https://github.com/bitwarden/clients/releases/download/cli-v${{ env._PKG_VERSION }}/bw_${{ env._PKG_VERSION }}_amd64.snap + run: wget "https://github.com/bitwarden/clients/releases/download/cli-v$_PKG_VERSION/bw_$_PKG_VERSION_amd64.snap" - name: Publish Snap & logout if: ${{ inputs.publish_type != 'Dry Run' }} env: SNAPCRAFT_STORE_CREDENTIALS: ${{ steps.retrieve-secrets.outputs.snapcraft-store-token }} run: | - snapcraft upload bw_${{ env._PKG_VERSION }}_amd64.snap --release stable + snapcraft upload "bw_$_PKG_VERSION_amd64.snap" --release stable snapcraft logout choco: @@ -146,6 +150,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main @@ -173,7 +179,7 @@ jobs: run: New-Item -ItemType directory -Path ./dist - name: Download artifacts - run: Invoke-WebRequest -Uri "https://github.com/bitwarden/clients/releases/download/cli-v${{ env._PKG_VERSION }}/bitwarden-cli.${{ env._PKG_VERSION }}.nupkg" -OutFile bitwarden-cli.${{ env._PKG_VERSION }}.nupkg + run: Invoke-WebRequest -Uri "https://github.com/bitwarden/clients/releases/download/cli-v$_PKG_VERSION/bitwarden-cli.$_PKG_VERSION.nupkg" -OutFile bitwarden-cli.$_PKG_VERSION.nupkg working-directory: apps/cli/dist - name: Push to Chocolatey @@ -196,6 +202,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Get Node version id: retrieve-node-version 
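Review bot: `bw_$_PKG_VERSION_amd64.snap` no longer references `_PKG_VERSION`: because `_` is a valid identifier character, bash reads the whole of `$_PKG_VERSION_amd64` as one (unset) variable, and both the `wget` URL and the `snapcraft upload` argument collapse to `bw_.snap`. Brace the expansion on both lines, `wget "https://github.com/bitwarden/clients/releases/download/cli-v$_PKG_VERSION/bw_${_PKG_VERSION}_amd64.snap"` and `snapcraft upload "bw_${_PKG_VERSION}_amd64.snap" --release stable`. The same slip is in the publish-desktop.yml hunk `@@ -241,14 +251,14 @@` (`bitwarden_$_PKG_VERSION_amd64.snap`, on both the `wget` and the `snapcraft upload` lines).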
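Review bot: `$_PKG_VERSION` in the `Invoke-WebRequest` step (hunk `@@ -173,7 +179,7 @@`) is read by PowerShell, not bash, and PowerShell does not expose environment variables as plain `$NAME`; unless this step sets `shell: bash` (not shown in the hunk), `$_PKG_VERSION` resolves to an undefined PowerShell variable and the URL becomes `.../cli-v/bitwarden-cli..nupkg`. The previous `${{ env._PKG_VERSION }}` was substituted before the shell ran, which is why it worked; the PowerShell form is `$env:_PKG_VERSION`, e.g. `-Uri "https://github.com/bitwarden/clients/releases/download/cli-v$env:_PKG_VERSION/bitwarden-cli.$env:_PKG_VERSION.nupkg" -OutFile "bitwarden-cli.$env:_PKG_VERSION.nupkg"`. The same applies to `$_RELEASE_TAG` and `$_PKG_VERSION` in the publish-desktop.yml hunk `@@ -300,7 +312,7 @@`.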
@@ -203,7 +211,7 @@ jobs: run: | NODE_NVMRC=$(cat .nvmrc) NODE_VERSION=${NODE_NVMRC/v/''} - echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT + echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT" - name: Set up Node uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 @@ -219,8 +227,8 @@ jobs: - name: Download and set up artifact run: | mkdir -p build - wget https://github.com/bitwarden/clients/releases/download/cli-v${{ env._PKG_VERSION }}/bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip - unzip bitwarden-cli-${{ env._PKG_VERSION }}-npm-build.zip -d build + wget "https://github.com/bitwarden/clients/releases/download/cli-v$_PKG_VERSION/bitwarden-cli-$_PKG_VERSION-npm-build.zip" + unzip "bitwarden-cli-$_PKG_VERSION-npm-build.zip" -d build - name: Publish NPM if: ${{ inputs.publish_type != 'Dry Run' }} diff --git a/.github/workflows/publish-desktop.yml b/.github/workflows/publish-desktop.yml index f0de331431c..a747012467e 100644 --- a/.github/workflows/publish-desktop.yml +++ b/.github/workflows/publish-desktop.yml 
@@ -72,39 +72,47 @@ jobs: - name: Check Publish Version id: version + env: + _INPUT_VERSION: ${{ inputs.version }} run: | - if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then - TAG_NAME=$(curl "https://api.github.com/repos/bitwarden/clients/releases" | jq -c '.[] | select(.tag_name | contains("desktop")) | .tag_name' | head -1 | cut -d '"' -f 2) - VERSION=$(echo $TAG_NAME | sed "s/desktop-v//") + if [[ "$_INPUT_VERSION" == "latest" || "$_INPUT_VERSION" == "" ]]; then + TAG_NAME=$(curl "https://api.github.com/repos/bitwarden/clients/releases" \ + | jq -c '.[] | select(.tag_name | contains("desktop")) | .tag_name' \ + | head -1 | cut -d '"' -f 2) + VERSION="${TAG_NAME#desktop-v}" + echo "Latest Released Version: $VERSION" - echo "version=$VERSION" >> $GITHUB_OUTPUT + echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "Tag name: $TAG_NAME" - echo "tag_name=$TAG_NAME" >> $GITHUB_OUTPUT + echo "tag_name=$TAG_NAME" >> "$GITHUB_OUTPUT" else - echo "Release Version: ${{ inputs.version }}" - echo "version=${{ inputs.version }}" + VERSION="$_INPUT_VERSION" + TAG_NAME="desktop-v$VERSION" - TAG_NAME="desktop-v${{ inputs.version }}" + echo "Release Version: $VERSION" + echo "version=$VERSION" >> "$GITHUB_OUTPUT" echo "Tag name: $TAG_NAME" - echo "tag_name=$TAG_NAME" >> $GITHUB_OUTPUT + echo "tag_name=$TAG_NAME" >> "$GITHUB_OUTPUT" fi - name: Get Version Channel id: release_channel + env: + _VERSION: ${{ steps.version.outputs.version }} run: | - case "${{ steps.version.outputs.version }}" in + case "${_VERSION}" in *"alpha"*) - echo "channel=alpha" >> $GITHUB_OUTPUT + echo "channel=alpha" >> "$GITHUB_OUTPUT" echo "[!] We do not yet support 'alpha'" exit 1 ;; *"beta"*) - echo "channel=beta" >> $GITHUB_OUTPUT + echo "channel=beta" >> "$GITHUB_OUTPUT" ;; *) - echo "channel=latest" >> $GITHUB_OUTPUT + echo "channel=latest" >> "$GITHUB_OUTPUT" ;; esac 
@@ -159,16 +167,16 @@ jobs: env: GH_TOKEN: ${{ github.token }} working-directory: apps/desktop/artifacts - run: gh release download ${{ env._RELEASE_TAG }} -R bitwarden/clients + run: gh release download "$_RELEASE_TAG" -R bitwarden/clients - name: Set staged rollout percentage env: RELEASE_CHANNEL: ${{ needs.setup.outputs.release_channel }} ROLLOUT_PCT: ${{ inputs.electron_rollout_percentage }} run: | - echo "stagingPercentage: ${ROLLOUT_PCT}" >> apps/desktop/artifacts/${RELEASE_CHANNEL}.yml - echo "stagingPercentage: ${ROLLOUT_PCT}" >> apps/desktop/artifacts/${RELEASE_CHANNEL}-linux.yml - echo "stagingPercentage: ${ROLLOUT_PCT}" >> apps/desktop/artifacts/${RELEASE_CHANNEL}-mac.yml + echo "stagingPercentage: ${ROLLOUT_PCT}" >> "apps/desktop/artifacts/${RELEASE_CHANNEL}.yml" + echo "stagingPercentage: ${ROLLOUT_PCT}" >> "apps/desktop/artifacts/${RELEASE_CHANNEL}-linux.yml" + echo "stagingPercentage: ${ROLLOUT_PCT}" >> "apps/desktop/artifacts/${RELEASE_CHANNEL}-mac.yml" - name: Publish artifacts to S3 if: ${{ inputs.publish_type != 'Dry Run' }} @@ -179,7 +187,7 @@ jobs: AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-electron-bucket-name }} working-directory: apps/desktop/artifacts run: | - aws s3 cp ./ $AWS_S3_BUCKET_NAME/desktop/ \ + aws s3 cp ./ "$AWS_S3_BUCKET_NAME/desktop/" \ --acl "public-read" \ --recursive \ --quiet @@ -214,6 +222,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main 
@@ -241,14 +251,14 @@ jobs: - name: Download artifacts working-directory: apps/desktop/dist - run: wget https://github.com/bitwarden/clients/releases/download/${{ env._RELEASE_TAG }}/bitwarden_${{ env._PKG_VERSION }}_amd64.snap + run: wget "https://github.com/bitwarden/clients/releases/download/$_RELEASE_TAG/bitwarden_$_PKG_VERSION_amd64.snap" - name: Deploy to Snap Store if: ${{ inputs.publish_type != 'Dry Run' }} env: SNAPCRAFT_STORE_CREDENTIALS: ${{ steps.retrieve-secrets.outputs.snapcraft-store-token }} run: | - snapcraft upload bitwarden_${{ env._PKG_VERSION }}_amd64.snap --release stable + snapcraft upload "bitwarden_$_PKG_VERSION_amd64.snap" --release stable snapcraft logout working-directory: apps/desktop/dist @@ -266,6 +276,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Print Environment run: | @@ -300,7 +312,7 @@ jobs: - name: Download artifacts working-directory: apps/desktop/dist - run: Invoke-WebRequest -Uri "https://github.com/bitwarden/clients/releases/download/${{ env._RELEASE_TAG }}/bitwarden.${{ env._PKG_VERSION }}.nupkg" -OutFile bitwarden.${{ env._PKG_VERSION }}.nupkg + run: Invoke-WebRequest -Uri "https://github.com/bitwarden/clients/releases/download/$_RELEASE_TAG/bitwarden.$_PKG_VERSION.nupkg" -OutFile "bitwarden.$_PKG_VERSION.nupkg" - name: Push to Chocolatey if: ${{ inputs.publish_type != 'Dry Run' }} @@ -321,6 +333,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Validate release notes for MAS if: inputs.mas_publish && (inputs.release_notes == '' || inputs.release_notes == null) 
@@ -331,7 +345,7 @@ jobs: - name: Download MacOS App Store build number working-directory: apps/desktop - run: wget https://github.com/bitwarden/clients/releases/download/${{ env._RELEASE_TAG }}/macos-build-number.json + run: wget "https://github.com/bitwarden/clients/releases/download/$_RELEASE_TAG/macos-build-number.json" - name: Setup Ruby and Install Fastlane uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0 @@ -365,12 +379,14 @@ jobs: env: APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + _RELEASE_NOTES: ${{ inputs.release_notes }} + _PUBLISH_TYPE: ${{ inputs.publish_type }} working-directory: apps/desktop run: | BUILD_NUMBER=$(jq -r '.buildNumber' macos-build-number.json) - CHANGELOG="${{ inputs.release_notes }}" - IS_DRY_RUN="${{ inputs.publish_type == 'Dry Run' }}" - + CHANGELOG="$_RELEASE_NOTES" + IS_DRY_RUN="$_PUBLISH_TYPE == 'Dry Run'" + if [ "$IS_DRY_RUN" = "true" ]; then echo "🧪 DRY RUN MODE - Testing without actual App Store submission" echo "📦 Would publish build $BUILD_NUMBER to Mac App Store" @@ -388,10 +404,10 @@ jobs: fi fastlane publish --verbose \ - app_version:"${{ env._PKG_VERSION }}" \ - build_number:$BUILD_NUMBER \ + app_version:"$PKG_VERSION" \ + build_number:"$BUILD_NUMBER" \ changelog:"$CHANGELOG" \ - dry_run:$IS_DRY_RUN + dry_run:"$IS_DRY_RUN" update-deployment: name: Update Deployment Status diff --git a/.github/workflows/publish-web.yml b/.github/workflows/publish-web.yml index 6446e625156..9f9cbd5c58e 100644 --- a/.github/workflows/publish-web.yml +++ b/.github/workflows/publish-web.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Branch check if: ${{ inputs.publish_type != 'Dry Run' }} 
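Review bot: `IS_DRY_RUN="$_PUBLISH_TYPE == 'Dry Run'"` in hunk `@@ -365,12 +379,14 @@` is a plain string assignment, not a comparison: the original `${{ inputs.publish_type == 'Dry Run' }}` was evaluated by the expression engine to `true`/`false`, whereas the new line sets `IS_DRY_RUN` to the literal text `Dry Run == 'Dry Run'`, so the `[ "$IS_DRY_RUN" = "true" ]` branch can never be taken and `dry_run:` hands that text to fastlane. A `Dry Run` of this workflow therefore no longer behaves as a dry run for the MAS submission, which is the kind of regression that is only noticed after a real upload. Compute the flag with an explicit shell test instead; the step's `- name:` and `if:` lines are outside the hunk.
```yaml
        run: |
          BUILD_NUMBER=$(jq -r '.buildNumber' macos-build-number.json)
          CHANGELOG="$_RELEASE_NOTES"
          if [[ "$_PUBLISH_TYPE" == "Dry Run" ]]; then
            IS_DRY_RUN="true"
          else
            IS_DRY_RUN="false"
          fi
          # … unchanged: dry-run / live-run banner echoes …
```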
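Review bot: `app_version:"$PKG_VERSION"` in hunk `@@ -388,10 +404,10 @@` has lost the leading underscore that the replaced `${{ env._PKG_VERSION }}` had; the other hunks in this file (`@@ -241` and `@@ -300`) use `$_PKG_VERSION`, so unless a separate `PKG_VERSION` variable is defined elsewhere in the job this passes an empty version to fastlane. Use the name the job actually defines, `app_version:"$_PKG_VERSION" \`. The `fastlane publish` command's surrounding `run:` block starts outside this hunk.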
@@ -73,6 +75,8 @@ jobs: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false ########## ACR ########## - name: Log in to Azure 
@@ -100,33 +104,33 @@ jobs: - name: Pull branch image run: | if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then - docker pull $_AZ_REGISTRY/web:latest + docker pull "$_AZ_REGISTRY/web:latest" else - docker pull $_AZ_REGISTRY/web:$_BRANCH_NAME + docker pull "$_AZ_REGISTRY/web:$_BRANCH_NAME" fi - name: Tag version run: | if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then - docker tag $_AZ_REGISTRY/web:latest $_AZ_REGISTRY/web:dryrun - docker tag $_AZ_REGISTRY/web:latest $_AZ_REGISTRY/web-sh:dryrun + docker tag "$_AZ_REGISTRY/web:latest" "$_AZ_REGISTRY/web:dryrun" + docker tag "$_AZ_REGISTRY/web:latest" "$_AZ_REGISTRY/web-sh:dryrun" else - docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web:$_RELEASE_VERSION - docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web-sh:$_RELEASE_VERSION - docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web:latest - docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web-sh:latest + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web:$_RELEASE_VERSION" + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web-sh:$_RELEASE_VERSION" + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web:latest" + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web-sh:latest" fi - name: Push version run: | if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then - docker push $_AZ_REGISTRY/web:dryrun - docker push $_AZ_REGISTRY/web-sh:dryrun + docker push "$_AZ_REGISTRY/web:dryrun" + docker push "$_AZ_REGISTRY/web-sh:dryrun" else - docker push $_AZ_REGISTRY/web:$_RELEASE_VERSION - docker push $_AZ_REGISTRY/web-sh:$_RELEASE_VERSION - docker push $_AZ_REGISTRY/web:latest - docker push $_AZ_REGISTRY/web-sh:latest + docker push "$_AZ_REGISTRY/web:$_RELEASE_VERSION" + docker push "$_AZ_REGISTRY/web-sh:$_RELEASE_VERSION" + docker push "$_AZ_REGISTRY/web:latest" + docker push "$_AZ_REGISTRY/web-sh:latest" fi - name: Log out from Azure 
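Review bot: The three `if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]` lines in the Pull, Tag and Push steps still interpolate a workflow input straight into the script, which is the pattern the rest of this commit removes; `publish_type` is presumably a fixed-choice input, so the practical risk is low, but the inconsistency will keep tripping the same linter. Bind it once, `_PUBLISH_TYPE: ${{ inputs.publish_type }}` wherever `_AZ_REGISTRY` and `_BRANCH_NAME` are defined, and test `if [[ "$_PUBLISH_TYPE" == "Dry Run" ]]; then` in each step. The job's `env:` block is outside the hunk.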
diff --git a/.github/workflows/release-browser.yml b/.github/workflows/release-browser.yml index ac79287f84d..a2fda230491 100644 --- a/.github/workflows/release-browser.yml +++ b/.github/workflows/release-browser.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Branch check if: ${{ github.event.inputs.release_type != 'Dry Run' }} @@ -60,6 +62,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Testing locales - extName length run: | @@ -69,9 +73,11 @@ jobs: echo "============" echo "extName string must be 40 characters or less" echo - for locale in $(ls src/_locales/); do - string_length=$(jq '.extName.message | length' src/_locales/$locale/messages.json) - if [[ $string_length -gt 40 ]]; then + + for locale_path in src/_locales/*/messages.json; do + locale=$(basename "$(dirname "$locale_path")") + string_length=$(jq '.extName.message | length' "$locale_path") + if [ "$string_length" -gt 40 ]; then echo "$locale: $string_length" found_error=true fi @@ -126,11 +132,11 @@ jobs: env: PACKAGE_VERSION: ${{ needs.setup.outputs.release_version }} run: | - mv browser-source.zip browser-source-$PACKAGE_VERSION.zip - mv dist-chrome.zip dist-chrome-$PACKAGE_VERSION.zip - mv dist-opera.zip dist-opera-$PACKAGE_VERSION.zip - mv dist-firefox.zip dist-firefox-$PACKAGE_VERSION.zip - mv dist-edge.zip dist-edge-$PACKAGE_VERSION.zip + mv browser-source.zip "browser-source-$PACKAGE_VERSION.zip" + mv dist-chrome.zip "dist-chrome-$PACKAGE_VERSION.zip" + mv dist-opera.zip "dist-opera-$PACKAGE_VERSION.zip" + mv dist-firefox.zip "dist-firefox-$PACKAGE_VERSION.zip" + mv dist-edge.zip "dist-edge-$PACKAGE_VERSION.zip" - name: Create release if: ${{ github.event.inputs.release_type != 'Dry Run' }} 
diff --git a/.github/workflows/release-cli.yml b/.github/workflows/release-cli.yml index 2d7be2e186e..918f81e2723 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/release-cli.yml @@ -30,6 +30,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Branch check if: ${{ inputs.release_type != 'Dry Run' }} diff --git a/.github/workflows/release-desktop.yml b/.github/workflows/release-desktop.yml index bfd6115a1a9..a97d72a32b0 100644 --- a/.github/workflows/release-desktop.yml +++ b/.github/workflows/release-desktop.yml @@ -32,6 +32,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Branch check if: ${{ github.event.inputs.release_type != 'Dry Run' }} @@ -55,18 +57,20 @@ jobs: - name: Get Version Channel id: release_channel + env: + _VERSION: ${{ steps.version.outputs.version }} run: | - case "${{ steps.version.outputs.version }}" in + case "$_VERSION" in *"alpha"*) - echo "channel=alpha" >> $GITHUB_OUTPUT + echo "channel=alpha" >> "$GITHUB_OUTPUT" echo "[!] We do not yet support 'alpha'" exit 1 ;; *"beta"*) - echo "channel=beta" >> $GITHUB_OUTPUT + echo "channel=beta" >> "$GITHUB_OUTPUT" ;; *) - echo "channel=latest" >> $GITHUB_OUTPUT + echo "channel=latest" >> "$GITHUB_OUTPUT" ;; esac @@ -92,7 +96,7 @@ jobs: env: PKG_VERSION: ${{ steps.version.outputs.version }} working-directory: apps/desktop/artifacts - run: mv Bitwarden-${{ env.PKG_VERSION }}-universal.pkg Bitwarden-${{ env.PKG_VERSION }}-universal.pkg.archive + run: mv "Bitwarden-$PKG_VERSION-universal.pkg" "Bitwarden-$PKG_VERSION-universal.pkg.archive" - name: Create Release uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1.15.0 diff --git a/.github/workflows/release-web.yml b/.github/workflows/release-web.yml index 5a3c29d29fc..d616d7adb3f 100644 
--- a/.github/workflows/release-web.yml +++ b/.github/workflows/release-web.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false - name: Branch check if: ${{ github.event.inputs.release_type != 'Dry Run' }} @@ -79,9 +81,11 @@ jobs: - name: Rename assets working-directory: apps/web/artifacts + env: + _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }} run: | - mv web-*-selfhosted-COMMERCIAL.zip web-${{ needs.setup.outputs.release_version }}-selfhosted-COMMERCIAL.zip - mv web-*-selfhosted-open-source.zip web-${{ needs.setup.outputs.release_version }}-selfhosted-open-source.zip + mv web-*-selfhosted-COMMERCIAL.zip "web-$_RELEASE_VERSION-selfhosted-COMMERCIAL.zip" + mv web-*-selfhosted-open-source.zip "web-$_RELEASE_VERSION-selfhosted-open-source.zip" - name: Create release if: ${{ github.event.inputs.release_type != 'Dry Run' }} diff --git a/.github/workflows/repository-management.yml b/.github/workflows/repository-management.yml index ecb8e448a8a..acfda4cdb11 100644 --- a/.github/workflows/repository-management.yml +++ b/.github/workflows/repository-management.yml @@ -57,7 +57,7 @@ jobs: BRANCH="rc" fi - echo "branch=$BRANCH" >> $GITHUB_OUTPUT + echo "branch=$BRANCH" >> "$GITHUB_OUTPUT" bump_version: name: Bump Version @@ -108,6 +108,7 @@ jobs: with: ref: main token: ${{ steps.app-token.outputs.token }} + persist-credentials: true - name: Configure Git run: | @@ -124,7 +125,7 @@ jobs: id: current-browser-version run: | CURRENT_VERSION=$(cat package.json | jq -r '.version') - echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT + echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT" working-directory: apps/browser - name: Browser - Verify input version 
@@ -140,8 +141,7 @@ jobs: fi # Check if version is newer. - printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V - if [ $? -eq 0 ]; then + if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then echo "Version check successful." else echo "Version check failed." @@ -161,14 +161,14 @@ jobs: id: bump-browser-version-override env: VERSION: ${{ inputs.version_number_override }} - run: npm version --workspace=@bitwarden/browser $VERSION + run: npm version --workspace=@bitwarden/browser "$VERSION" - name: Bump Browser Version - Automatic Calculation if: ${{ inputs.bump_browser == true && inputs.version_number_override == '' }} id: bump-browser-version-automatic env: VERSION: ${{ steps.calculate-next-browser-version.outputs.version }} - run: npm version --workspace=@bitwarden/browser $VERSION + run: npm version --workspace=@bitwarden/browser "$VERSION" - name: Bump Browser Version - Manifest - Version Override if: ${{ inputs.bump_browser == true && inputs.version_number_override != '' }} @@ -211,7 +211,7 @@ jobs: id: current-cli-version run: | CURRENT_VERSION=$(cat package.json | jq -r '.version') - echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT + echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT" working-directory: apps/cli - name: CLI - Verify input version @@ -227,8 +227,7 @@ jobs: fi # Check if version is newer. - printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V - if [ $? -eq 0 ]; then + if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then echo "Version check successful." else echo "Version check failed." 
@@ -248,14 +247,14 @@ jobs: id: bump-cli-version-override env: VERSION: ${{ inputs.version_number_override }} - run: npm version --workspace=@bitwarden/cli $VERSION + run: npm version --workspace=@bitwarden/cli "$VERSION" - name: Bump CLI Version - Automatic Calculation if: ${{ inputs.bump_cli == true && inputs.version_number_override == '' }} id: bump-cli-version-automatic env: VERSION: ${{ steps.calculate-next-cli-version.outputs.version }} - run: npm version --workspace=@bitwarden/cli $VERSION + run: npm version --workspace=@bitwarden/cli "$VERSION" ### Desktop - name: Get current Desktop version @@ -263,7 +262,7 @@ jobs: id: current-desktop-version run: | CURRENT_VERSION=$(cat package.json | jq -r '.version') - echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT + echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT" working-directory: apps/desktop - name: Desktop - Verify input version @@ -279,8 +278,7 @@ jobs: fi # Check if version is newer. - printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V - if [ $? -eq 0 ]; then + if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then echo "Version check successful." else echo "Version check failed." 
@@ -300,27 +298,27 @@ jobs: id: bump-desktop-version-override env: VERSION: ${{ inputs.version_number_override }} - run: npm version --workspace=@bitwarden/desktop $VERSION + run: npm version --workspace=@bitwarden/desktop "$VERSION" - name: Bump Desktop Version - Root - Automatic Calculation if: ${{ inputs.bump_desktop == true && inputs.version_number_override == '' }} id: bump-desktop-version-automatic env: VERSION: ${{ steps.calculate-next-desktop-version.outputs.version }} - run: npm version --workspace=@bitwarden/desktop $VERSION + run: npm version --workspace=@bitwarden/desktop "$VERSION" - name: Bump Desktop Version - App - Version Override if: ${{ inputs.bump_desktop == true && inputs.version_number_override != '' }} env: VERSION: ${{ inputs.version_number_override }} - run: npm version $VERSION + run: npm version "$VERSION" working-directory: "apps/desktop/src" - name: Bump Desktop Version - App - Automatic Calculation if: ${{ inputs.bump_desktop == true && inputs.version_number_override == '' }} env: VERSION: ${{ steps.calculate-next-desktop-version.outputs.version }} - run: npm version $VERSION + run: npm version "$VERSION" working-directory: "apps/desktop/src" ### Web @@ -329,7 +327,7 @@ jobs: id: current-web-version run: | CURRENT_VERSION=$(cat package.json | jq -r '.version') - echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT + echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT" working-directory: apps/web - name: Web - Verify input version @@ -345,8 +343,7 @@ jobs: fi # Check if version is newer. - printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V - if [ $? -eq 0 ]; then + if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then echo "Version check successful." else echo "Version check failed." 
@@ -366,14 +363,14 @@ jobs: id: bump-web-version-override env: VERSION: ${{ inputs.version_number_override }} - run: npm version --workspace=@bitwarden/web-vault $VERSION + run: npm version --workspace=@bitwarden/web-vault "$VERSION" - name: Bump Web Version - Automatic Calculation if: ${{ inputs.bump_web == true && inputs.version_number_override == '' }} id: bump-web-version-automatic env: VERSION: ${{ steps.calculate-next-web-version.outputs.version }} - run: npm version --workspace=@bitwarden/web-vault $VERSION + run: npm version --workspace=@bitwarden/web-vault "$VERSION" ######################## 
@@ -381,38 +378,50 @@ jobs:
 id: set-final-version-output
 env:
 VERSION: ${{ inputs.version_number_override }}
+ _BUMP_BROWSER_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-browser-version-override.outcome }}
+ _BUMP_BROWSER_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-browser-version-automatic.outcome }}
+ _CALCULATE_NEXT_BROWSER_VERSION: ${{ steps.calculate-next-browser-version.outputs.version }}
+ _BUMP_CLI_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-cli-version-override.outcome }}
+ _BUMP_CLI_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-cli-version-automatic.outcome }}
+ _CALCULATE_NEXT_CLI_VERSION: ${{ steps.calculate-next-cli-version.outputs.version }}
+ _BUMP_DESKTOP_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-desktop-version-override.outcome }}
+ _BUMP_DESKTOP_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-desktop-version-automatic.outcome }}
+ _CALCULATE_NEXT_DESKTOP_VERSION: ${{ steps.calculate-next-desktop-version.outputs.version }}
+ _BUMP_WEB_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-web-version-override.outcome }}
+ _BUMP_WEB_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-web-version-automatic.outcome }}
+ _CALCULATE_NEXT_WEB_VERSION: ${{ steps.calculate-next-web-version.outputs.version }}
 run: |
- if [[ "${{ steps.bump-browser-version-override.outcome }}" = "success" ]]; then
- echo "version_browser=$VERSION" >> $GITHUB_OUTPUT
- elif [[ "${{ steps.bump-browser-version-automatic.outcome }}" = "success" ]]; then
- echo "version_browser=${{ steps.calculate-next-browser-version.outputs.version }}" >> $GITHUB_OUTPUT
+ if [[ "$_BUMP_BROWSER_VERSION_OVERRIDE_OUTCOME" = "success" ]]; then
+ echo "version_browser=$VERSION" >> "$GITHUB_OUTPUT"
+ elif [[ "$_BUMP_BROWSER_VERSION_AUTOMATIC_OUTCOME" = "success" ]]; then
+ echo "version_browser=$_CALCULATE_NEXT_BROWSER_VERSION" >> "$GITHUB_OUTPUT"
 fi
- if [[ "${{ steps.bump-cli-version-override.outcome }}" = "success" ]]; then
- echo "version_cli=$VERSION" >> $GITHUB_OUTPUT
- elif [[ "${{ steps.bump-cli-version-automatic.outcome }}" = "success" ]]; then
- echo "version_cli=${{ steps.calculate-next-cli-version.outputs.version }}" >> $GITHUB_OUTPUT
+ if [[ "$_BUMP_CLI_VERSION_OVERRIDE_OUTCOME" = "success" ]]; then
+ echo "version_cli=$VERSION" >> "$GITHUB_OUTPUT"
+ elif [[ "$_BUMP_CLI_VERSION_AUTOMATIC_OUTCOME" = "success" ]]; then
+ echo "version_cli=$_CALCULATE_NEXT_CLI_VERSION" >> "$GITHUB_OUTPUT"
 fi
- if [[ "${{ steps.bump-desktop-version-override.outcome }}" = "success" ]]; then
- echo "version_desktop=$VERSION" >> $GITHUB_OUTPUT
- elif [[ "${{ steps.bump-desktop-version-automatic.outcome }}" = "success" ]]; then
- echo "version_desktop=${{ steps.calculate-next-desktop-version.outputs.version }}" >> $GITHUB_OUTPUT
+ if [[ "$_BUMP_DESKTOP_VERSION_OVERRIDE_OUTCOME" = "success" ]]; then
+ echo "version_desktop=$VERSION" >> "$GITHUB_OUTPUT"
+ elif [[ "$_BUMP_DESKTOP_VERSION_AUTOMATIC_OUTCOME" = "success" ]]; then
+ echo "version_desktop=$_CALCULATE_NEXT_DESKTOP_VERSION" >> "$GITHUB_OUTPUT"
 fi
- if [[ "${{ steps.bump-web-version-override.outcome }}" = "success" ]]; then
- echo "version_web=$VERSION" >> $GITHUB_OUTPUT
- elif [[ "${{ steps.bump-web-version-automatic.outcome }}" = "success" ]]; then
- echo "version_web=${{ steps.calculate-next-web-version.outputs.version }}" >> $GITHUB_OUTPUT
+ if [[ "$_BUMP_WEB_VERSION_OVERRIDE_OUTCOME" = "success" ]]; then
+ echo "version_web=$VERSION" >> "$GITHUB_OUTPUT"
+ elif [[ "$_BUMP_WEB_VERSION_AUTOMATIC_OUTCOME" = "success" ]]; then
+ echo "version_web=$_CALCULATE_NEXT_WEB_VERSION" >> "$GITHUB_OUTPUT"
 fi
 - name: Check if version changed
 id: version-changed
 run: |
 if [ -n "$(git status --porcelain)" ]; then
- echo "changes_to_commit=TRUE" >> $GITHUB_OUTPUT
+ echo "changes_to_commit=TRUE" >> "$GITHUB_OUTPUT"
 else
- echo "changes_to_commit=FALSE" >> $GITHUB_OUTPUT
+ echo "changes_to_commit=FALSE" >> "$GITHUB_OUTPUT"
 echo "No changes to commit!";
 fi
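Review bot: In the set-final-version-output step, `echo "version_browser=$VERSION" >> "$GITHUB_OUTPUT"` (and the cli, desktop and web lines of the same shape) writes the workflow_dispatch override into the outputs file without any shape check; moving the expressions into `env:` removes template injection from the script itself, but a value that carries a newline would still be read by the runner as additional `key=value` output lines. If the verify steps earlier in the job (outside this hunk) do not already pin the format, one guard at the top of the script closes that gap: `[[ -z "$VERSION" || "$VERSION" =~ ^[0-9]+(\.[0-9]+){2}$ ]] || { echo "Unexpected version override: $VERSION" >&2; exit 1; }`, with the pattern widened to whatever pre-release suffixes the release process accepts. The same `$VERSION` feeds the `npm version "$VERSION"` calls in the earlier hunks, so the guard would also cover those.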
@@ -464,13 +473,14 @@ jobs:
 with:
 ref: ${{ inputs.target_ref }}
 token: ${{ steps.app-token.outputs.token }}
+ persist-credentials: true
 - name: Check if ${{ needs.setup.outputs.branch }} branch exists
 env:
 BRANCH_NAME: ${{ needs.setup.outputs.branch }}
 run: |
- if [[ $(git ls-remote --heads origin $BRANCH_NAME) ]]; then
- echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> $GITHUB_STEP_SUMMARY
+ if [[ $(git ls-remote --heads origin "$BRANCH_NAME") ]]; then
+ echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> "$GITHUB_STEP_SUMMARY"
 exit 1
 fi
@@ -478,5 +488,5 @@ jobs:
 env:
 BRANCH_NAME: ${{ needs.setup.outputs.branch }}
 run: |
- git switch --quiet --create $BRANCH_NAME
- git push --quiet --set-upstream origin $BRANCH_NAME
+ git switch --quiet --create "$BRANCH_NAME"
+ git push --quiet --set-upstream origin "$BRANCH_NAME"
diff --git a/.github/workflows/retrieve-current-desktop-rollout.yml b/.github/workflows/retrieve-current-desktop-rollout.yml
index c45453ed9d0..30aef41e649 100644
--- a/.github/workflows/retrieve-current-desktop-rollout.yml
+++ b/.github/workflows/retrieve-current-desktop-rollout.yml
@@ -39,10 +39,10 @@ jobs:
 AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-electron-access-key }}
 AWS_DEFAULT_REGION: 'us-west-2'
 AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-electron-bucket-name }}
- run: aws s3 cp $AWS_S3_BUCKET_NAME/desktop/latest.yml . --quiet
+ run: aws s3 cp "$AWS_S3_BUCKET_NAME/desktop/latest.yml" . --quiet
 - name: Get current rollout percentage
 run: |
 CURRENT_PCT=$(sed -r -n "s/stagingPercentage:\s([0-9]+)/\1/p" latest.yml)
 CURRENT_VERSION=$(sed -r -n "s/version:\s(.*)/\1/p" latest.yml)
- echo "Desktop ${CURRENT_VERSION} rollout percentage is ${CURRENT_PCT}%" >> $GITHUB_STEP_SUMMARY
+ echo "Desktop ${CURRENT_VERSION} rollout percentage is ${CURRENT_PCT}%" >> "$GITHUB_STEP_SUMMARY"
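Review bot: `persist-credentials: true` next to `token: ${{ steps.app-token.outputs.token }}` keeps the app token in `.git/config` for every later step of the job, including any third-party action that runs there; that is what `git push --quiet --set-upstream origin "$BRANCH_NAME"` in the next hunk depends on, but the new line does not say so, and a comment such as `# app token must persist so the branch push below can authenticate` keeps a later Zizmor pass from flipping it to false. The `persist-credentials: true` added to version-auto-bump.yml further down in this chunk deserves the same comment. In the same hunk, `if [[ $(git ls-remote --heads origin "$BRANCH_NAME") ]]; then` leans on the implicit non-empty test of `[[`, and a `git ls-remote` that fails for network or auth reasons also yields empty output and passes the check silently; `existing=$(git ls-remote --heads origin "$BRANCH_NAME") || exit 1` followed by `if [[ -n "$existing" ]]; then` makes both the intent and the failure visible.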
diff --git a/.github/workflows/staged-rollout-desktop.yml b/.github/workflows/staged-rollout-desktop.yml
index 4adf81100bd..3d4f0376b39 100644
--- a/.github/workflows/staged-rollout-desktop.yml
+++ b/.github/workflows/staged-rollout-desktop.yml
@@ -47,11 +47,11 @@ jobs:
 AWS_DEFAULT_REGION: 'us-west-2'
 AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-electron-bucket-name }}
 run: |
- aws s3 cp $AWS_S3_BUCKET_NAME/desktop/latest.yml . \
+ aws s3 cp "$AWS_S3_BUCKET_NAME/desktop/latest.yml" . \
 --quiet
- aws s3 cp $AWS_S3_BUCKET_NAME/desktop/latest-linux.yml . \
+ aws s3 cp "$AWS_S3_BUCKET_NAME/desktop/latest-linux.yml" . \
 --quiet
- aws s3 cp $AWS_S3_BUCKET_NAME/desktop/latest-mac.yml . \
+ aws s3 cp "$AWS_S3_BUCKET_NAME/desktop/latest-mac.yml" . \
 --quiet
 - name: Check new rollout percentage
@@ -86,11 +86,11 @@ jobs:
 AWS_DEFAULT_REGION: 'us-west-2'
 AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-electron-bucket-name }}
 run: |
- aws s3 cp latest.yml $AWS_S3_BUCKET_NAME/desktop/ \
+ aws s3 cp latest.yml "$AWS_S3_BUCKET_NAME/desktop/" \
 --acl "public-read"
- aws s3 cp latest-linux.yml $AWS_S3_BUCKET_NAME/desktop/ \
+ aws s3 cp latest-linux.yml "$AWS_S3_BUCKET_NAME/desktop/" \
 --acl "public-read"
- aws s3 cp latest-mac.yml $AWS_S3_BUCKET_NAME/desktop/ \
+ aws s3 cp latest-mac.yml "$AWS_S3_BUCKET_NAME/desktop/" \
 --acl "public-read"
diff --git a/.github/workflows/test-browser-interactions.yml b/.github/workflows/test-browser-interactions.yml
index 3af1a1a8e9d..a05f506d63f 100644
--- a/.github/workflows/test-browser-interactions.yml
+++ b/.github/workflows/test-browser-interactions.yml
@@ -21,6 +21,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Check for job requirements
 if: ${{ !github.event.workflow_run.pull_requests || !github.event.workflow_run.head_branch }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 680bfb87cfe..cf62df3180f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -25,13 +25,15 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Get Node Version
 id: retrieve-node-version
 run: |
 NODE_NVMRC=$(cat .nvmrc)
 NODE_VERSION=${NODE_NVMRC/v/''}
- echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
+ echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 - name: Set up Node
 uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
@@ -102,6 +104,8 @@ jobs:
 - name: Check out repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Build
 working-directory: ./apps/desktop/desktop_native
@@ -134,6 +138,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Install rust
 uses: dtolnay/rust-toolchain@b3b07ba8b418998c39fb20f53e8b695cdcc8de1b # stable
@@ -168,6 +174,8 @@ jobs:
 steps:
 - name: Check out repo
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: Download jest coverage
 uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
diff --git a/.github/workflows/version-auto-bump.yml b/.github/workflows/version-auto-bump.yml
index 3cb5646886a..0f7f2c9f46d 100644
--- a/.github/workflows/version-auto-bump.yml
+++ b/.github/workflows/version-auto-bump.yml
@@ -42,6 +42,7 @@ jobs:
 with:
 ref: main
 token: ${{ steps.app-token.outputs.token }}
+ persist-credentials: true
 - name: Configure Git
 run: |
@@ -52,7 +53,7 @@ jobs:
 id: current-desktop-version
 run: |
 CURRENT_VERSION=$(cat package.json | jq -r '.version')
- echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+ echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
 working-directory: apps/desktop
 - name: Calculate next Desktop release version
@@ -65,12 +66,12 @@ jobs:
 id: bump-desktop-version-automatic
 env:
 VERSION: ${{ steps.calculate-next-desktop-version.outputs.version }}
- run: npm version --workspace=@bitwarden/desktop $VERSION
+ run: npm version --workspace=@bitwarden/desktop "$VERSION"
 - name: Bump Desktop Version - App - Automatic Calculation
 env:
 VERSION: ${{ steps.calculate-next-desktop-version.outputs.version }}
- run: npm version $VERSION
+ run: npm version "$VERSION"
 working-directory: "apps/desktop/src"
 - name: Commit files