bitwarden/browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser synced 2026-01-07 02:53:28 +00:00
Code Issues Releases Wiki Activity

Clean up workflow files from Zizmor output (#16690)

Browse Source
This commit is contained in:
Matt Andreko
2025-10-21 13:13:45 -04:00
committed by GitHub
parent 63cdae92be
commit 8beb1c6ab0
26 changed files with 536 additions and 382 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
.github/workflows/build-web.yml vendored
View File

@@ -67,23 +67,24 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false
- name: Get GitHub sha as version
id: version
run: echo "value=${GITHUB_SHA:0:7}" >> $GITHUB_OUTPUT
run: echo "value=${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"
- name: Get Node Version
id: retrieve-node-version
run: |
NODE_NVMRC=$(cat .nvmrc)
NODE_VERSION=${NODE_NVMRC/v/''}
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
echo "node_version=$NODE_VERSION" >> "$GITHUB_OUTPUT"
- name: Check secrets
id: check-secrets
run: |
has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }}
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT"
build-containers:
@@ -137,6 +138,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false
- name: Get Latest Server Version
id: latest-server-version
@@ -147,8 +149,10 @@ jobs:
- name: Set Server Ref
id: set-server-ref
env:
_SERVER_VERSION: ${{ steps.latest-server-version.outputs.version }}
run: |
SERVER_REF="${{ steps.latest-server-version.outputs.version }}"
SERVER_REF="$_SERVER_VERSION"
echo "Latest server release version: $SERVER_REF"
if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
SERVER_REF="$GITHUB_REF"
@@ -158,7 +162,7 @@ jobs:
SERVER_REF="refs/heads/main"
fi
echo "Server ref: $SERVER_REF"
echo "server_ref=$SERVER_REF" >> $GITHUB_OUTPUT
echo "server_ref=$SERVER_REF" >> "$GITHUB_OUTPUT"
- name: Check out Server repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -166,18 +170,19 @@ jobs:
path: server
repository: bitwarden/server
ref: ${{ steps.set-server-ref.outputs.server_ref }}
persist-credentials: false
- name: Check Branch to Publish
env:
PUBLISH_BRANCHES: "main,rc,hotfix-rc-web"
id: publish-branch-check
run: |
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES"
if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
echo "is_publish_branch=true" >> $GITHUB_ENV
echo "is_publish_branch=true" >> "$GITHUB_ENV"
else
echo "is_publish_branch=false" >> $GITHUB_ENV
echo "is_publish_branch=false" >> "$GITHUB_ENV"
fi
- name: Add Git metadata to build version
@@ -217,11 +222,13 @@ jobs:
- name: Log into Prod container registry
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
run: az acr login -n "${_AZ_REGISTRY%.azurecr.io}"
########## Generate image tag and build Docker image ##########
- name: Generate container image tag
id: tag
env:
_TAG_EXTENSION: ${{ github.event.inputs.custom_tag_extension }}
run: |
if [[ "${GITHUB_EVENT_NAME}" == "pull_request" || "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then
IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize branch name to alphanumeric only
@@ -231,7 +238,7 @@ jobs:
if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
SANITIZED_REPO_NAME=$(echo "$_GITHUB_PR_REPO_NAME" | sed "s/[^a-zA-Z0-9]/-/g") # Sanitize repo name to alphanumeric only
IMAGE_TAG=$SANITIZED_REPO_NAME-$IMAGE_TAG # Add repo name to the tag
IMAGE_TAG="$SANITIZED_REPO_NAME-$IMAGE_TAG" # Add repo name to the tag
IMAGE_TAG=${IMAGE_TAG:0:128} # Limit to 128 characters, as that's the max length for Docker image tags
fi
@@ -239,13 +246,13 @@ jobs:
IMAGE_TAG=dev
fi
TAG_EXTENSION=${{ github.event.inputs.custom_tag_extension }}
TAG_EXTENSION="$_TAG_EXTENSION"
if [[ $TAG_EXTENSION ]]; then
IMAGE_TAG=$IMAGE_TAG-$TAG_EXTENSION
IMAGE_TAG="$IMAGE_TAG-$TAG_EXTENSION"
fi
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
########## Build Image ##########
- name: Generate image full name
@@ -253,7 +260,7 @@ jobs:
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
PROJECT_NAME: ${{ matrix.image_name }}
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
- name: Build Docker image
id: build-container
@@ -276,7 +283,7 @@ jobs:
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env:
IMAGE_NAME: ${{ steps.image-name.outputs.name }}
run: docker push $IMAGE_NAME
run: docker push "$IMAGE_NAME"
- name: Zip project
working-directory: apps/web
@@ -284,10 +291,10 @@ jobs:
IMAGE_NAME: ${{ steps.image-name.outputs.name }}
run: |
mkdir build
docker run --rm --volume $(pwd)/build:/temp --entrypoint sh \
$IMAGE_NAME -c "cp -r ./ /temp"
docker run --rm --volume "$(pwd)/build":/temp --entrypoint sh \
"$IMAGE_NAME" -c "cp -r ./ /temp"
zip -r web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip build
zip -r web-$_VERSION-${{ matrix.artifact_name }}.zip build
- name: Upload ${{ matrix.artifact_name }} artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
@@ -306,12 +313,13 @@ jobs:
DIGEST: ${{ steps.build-container.outputs.digest }}
TAGS: ${{ steps.image-name.outputs.name }}
run: |
IFS="," read -a tags <<< "${TAGS}"
images=""
for tag in "${tags[@]}"; do
images+="${tag}@${DIGEST} "
IFS=',' read -r -a tags_array <<< "${TAGS}"
images=()
for tag in "${tags_array[@]}"; do
images+=("${tag}@${DIGEST}")
done
cosign sign --yes ${images}
cosign sign --yes "${images[@]}"
echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
- name: Scan Docker image
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
@@ -324,14 +332,14 @@ jobs:
- name: Upload Grype results to GitHub
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
uses: github/codeql-action/upload-sarif@573acd9552f33577783abde4acb66a1058e762e5 # codeql-bundle-v2.23.1
with:
sarif_file: ${{ steps.container-scan.outputs.sarif }}
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
- name: Log out of Docker
run: docker logout $_AZ_REGISTRY
run: docker logout "$_AZ_REGISTRY"
- name: Log out from Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
@@ -352,6 +360,7 @@ jobs:
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.pull_request.head.sha }}
persist-credentials: false
- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main