feat: let web build without secrets

2026-02-12 14:34:02 +00:00 · 2024-12-09 12:24:57 +01:00
parent 495d528e2a
commit 9ce8632bb2
1 changed files with 17 additions and 9 deletions
--- a/.github/workflows/build-web.yml
+++ b/.github/workflows/build-web.yml
@@ -1,7 +1,7 @@
 name: Build Web

 on:
-  pull_request_target:
+  pull_request:
    types: [opened, synchronize]
    branches-ignore:
      - 'l10n_master'
@@ -41,18 +41,13 @@ env:
  _AZ_REGISTRY: bitwardenprod.azurecr.io

 jobs:
-  check-run:
-    name: Check PR run
-    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
-
  setup:
    name: Setup
    runs-on: ubuntu-22.04
-    needs:
-      - check-run
    outputs:
      version: ${{ steps.version.outputs.value }}
      node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
+      has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
    steps:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -70,6 +65,14 @@ jobs:
          NODE_VERSION=${NODE_NVMRC/v/''}
          echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT

+      - name: Check secrets
+        id: check-secrets
+        env:
+          AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+        run: |
+          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
+          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+
  build-artifacts:
    name: Build artifacts
    runs-on: ubuntu-22.04
@@ -128,7 +131,7 @@ jobs:
        run: npm ci

      - name: Download SDK Artifacts
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
        uses: bitwarden/gh-actions/download-artifacts@main
        with:
          github_token: ${{secrets.GITHUB_TOKEN}}
@@ -141,7 +144,7 @@ jobs:
          if_no_artifact_found: fail

      - name: Override SDK
-        if: ${{ inputs.sdk_branch != '' }}
+        if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
        working-directory: ./
        run: |
          ls -l ../
@@ -210,19 +213,23 @@ jobs:

      ########## ACRs ##########
      - name: Login to Prod Azure
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Log into Prod container registry
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        run: az acr login -n bitwardenprod

      - name: Login to Azure - CI Subscription
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve github PAT secrets
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
@@ -270,6 +277,7 @@ jobs:
        run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT

      - name: Build Docker image
+        if: ${{ needs.setup.outputs.has_secrets == 'true' }}
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          context: apps/web