mirror of
https://github.com/bitwarden/browser
synced 2026-02-15 16:05:03 +00:00
feat: add conditional permission requirement to build jobs
This commit is contained in:
Andreas Coroiu
34
.github/workflows/build-browser.yml
vendored
34
.github/workflows/build-browser.yml
vendored
@@ -38,14 +38,38 @@ defaults:
|
||||
shell: bash
|
||||
|
||||
jobs:
|
||||
check-secrets:
|
||||
name: Check Secrets
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
steps:
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
# Enforce permissions _if_ the workflow has access to secrets to avoid
|
||||
# bots having unsupervised access to secrets.
|
||||
check-run:
|
||||
name: Check PR run
|
||||
needs:
|
||||
- check-secrets
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
|
||||
|
||||
setup:
|
||||
name: Setup
|
||||
runs-on: ubuntu-22.04
|
||||
needs:
|
||||
- check-secrets
|
||||
outputs:
|
||||
repo_url: ${{ steps.gen_vars.outputs.repo_url }}
|
||||
adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }}
|
||||
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
steps:
|
||||
- name: Check out repo
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
@@ -69,14 +93,6 @@ jobs:
|
||||
NODE_VERSION=${NODE_NVMRC/v/''}
|
||||
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
|
||||
locales-test:
|
||||
name: Locales Test
|
||||
|
||||
42
.github/workflows/build-cli.yml
vendored
42
.github/workflows/build-cli.yml
vendored
@@ -41,13 +41,35 @@ defaults:
|
||||
working-directory: apps/cli
|
||||
|
||||
jobs:
|
||||
check-secrets:
|
||||
name: Check Secrets
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
steps:
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
# Enforce permissions _if_ the workflow has access to secrets to avoid
|
||||
# bots having unsupervised access to secrets.
|
||||
check-run:
|
||||
name: Check PR run
|
||||
needs:
|
||||
- check-secrets
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
|
||||
|
||||
setup:
|
||||
name: Setup
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
|
||||
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
steps:
|
||||
- name: Check out repo
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
@@ -68,14 +90,6 @@ jobs:
|
||||
NODE_VERSION=${NODE_NVMRC/v/''}
|
||||
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
cli:
|
||||
name: CLI ${{ matrix.os.base }} - ${{ matrix.license_type.readable }}
|
||||
strategy:
|
||||
@@ -92,6 +106,7 @@ jobs:
|
||||
]
|
||||
runs-on: ${{ matrix.os.distro }}
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
env:
|
||||
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||
@@ -122,7 +137,7 @@ jobs:
|
||||
working-directory: ./
|
||||
|
||||
- name: Download SDK Artifacts
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/download-artifacts@main
|
||||
with:
|
||||
github_token: ${{secrets.GITHUB_TOKEN}}
|
||||
@@ -135,7 +150,7 @@ jobs:
|
||||
if_no_artifact_found: fail
|
||||
|
||||
- name: Override SDK
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.` == 'true' }}
|
||||
working-directory: ./
|
||||
run: |
|
||||
ls -l ../
|
||||
@@ -192,6 +207,7 @@ jobs:
|
||||
]
|
||||
runs-on: windows-2022
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
env:
|
||||
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||
@@ -277,7 +293,7 @@ jobs:
|
||||
working-directory: ./
|
||||
|
||||
- name: Download SDK Artifacts
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/download-artifacts@main
|
||||
with:
|
||||
github_token: ${{secrets.GITHUB_TOKEN}}
|
||||
@@ -290,7 +306,7 @@ jobs:
|
||||
if_no_artifact_found: fail
|
||||
|
||||
- name: Override SDK
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
working-directory: ./
|
||||
run: |
|
||||
ls -l ../
|
||||
|
||||
109
.github/workflows/build-desktop.yml
vendored
109
.github/workflows/build-desktop.yml
vendored
@@ -39,6 +39,29 @@ defaults:
|
||||
shell: bash
|
||||
|
||||
jobs:
|
||||
check-secrets:
|
||||
name: Check Secrets
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
steps:
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
# Enforce permissions _if_ the workflow has access to secrets to avoid
|
||||
# bots having unsupervised access to secrets.
|
||||
check-run:
|
||||
name: Check PR run
|
||||
needs:
|
||||
- check-secrets
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
|
||||
|
||||
electron-verify:
|
||||
name: Verify Electron Version
|
||||
runs-on: ubuntu-22.04
|
||||
@@ -70,7 +93,6 @@ jobs:
|
||||
rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
|
||||
hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
|
||||
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
defaults:
|
||||
run:
|
||||
working-directory: apps/desktop
|
||||
@@ -133,14 +155,6 @@ jobs:
|
||||
NODE_VERSION=${NODE_NVMRC/v/''}
|
||||
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
linux:
|
||||
name: Linux Build
|
||||
# Note, before updating the ubuntu version of the workflow, ensure the snap base image
|
||||
@@ -294,6 +308,7 @@ jobs:
|
||||
name: Windows Build
|
||||
runs-on: windows-2022
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
defaults:
|
||||
run:
|
||||
@@ -336,14 +351,14 @@ jobs:
|
||||
rustup show
|
||||
|
||||
- name: Login to Azure
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
|
||||
- name: Retrieve secrets
|
||||
id: retrieve-secrets
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/get-keyvault-secrets@main
|
||||
with:
|
||||
keyvault: "bitwarden-ci"
|
||||
@@ -358,7 +373,7 @@ jobs:
|
||||
working-directory: ./
|
||||
|
||||
- name: Download SDK Artifacts
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/download-artifacts@main
|
||||
with:
|
||||
github_token: ${{secrets.GITHUB_TOKEN}}
|
||||
@@ -371,7 +386,7 @@ jobs:
|
||||
if_no_artifact_found: fail
|
||||
|
||||
- name: Override SDK
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
working-directory: ./
|
||||
run: |
|
||||
ls -l ../
|
||||
@@ -396,12 +411,12 @@ jobs:
|
||||
npm run build
|
||||
|
||||
- name: Pack
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'false' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'false' }}
|
||||
run: |
|
||||
npm run pack:win
|
||||
|
||||
- name: Pack & Sign (dev)
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
env:
|
||||
ELECTRON_BUILDER_SIGN: 1
|
||||
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
|
||||
@@ -413,7 +428,7 @@ jobs:
|
||||
npm run pack:win
|
||||
|
||||
- name: Rename appx files for store
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
run: |
|
||||
Copy-Item "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx" `
|
||||
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx"
|
||||
@@ -423,7 +438,7 @@ jobs:
|
||||
-Destination "./dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx"
|
||||
|
||||
- name: Package for Chocolatey
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
run: |
|
||||
Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
|
||||
Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe `
|
||||
@@ -435,7 +450,7 @@ jobs:
|
||||
choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey
|
||||
|
||||
- name: Fix NSIS artifact names for auto-updater
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
run: |
|
||||
Rename-Item -Path .\dist\nsis-web\Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z `
|
||||
-NewName bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
|
||||
@@ -452,7 +467,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload installer exe artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
|
||||
@@ -460,7 +475,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload appx ia32 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
|
||||
@@ -468,7 +483,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload store appx ia32 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
|
||||
@@ -476,7 +491,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload NSIS ia32 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
|
||||
@@ -484,7 +499,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload appx x64 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
|
||||
@@ -492,7 +507,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload store appx x64 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
|
||||
@@ -500,7 +515,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload NSIS x64 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
|
||||
@@ -508,7 +523,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload appx ARM64 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
|
||||
@@ -516,7 +531,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload store appx ARM64 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
|
||||
@@ -524,7 +539,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload NSIS ARM64 artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
|
||||
@@ -532,7 +547,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload nupkg artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
|
||||
@@ -540,7 +555,7 @@ jobs:
|
||||
if-no-files-found: error
|
||||
|
||||
- name: Upload auto-update artifact
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
||||
with:
|
||||
name: ${{ needs.setup.outputs.release_channel }}.yml
|
||||
@@ -552,6 +567,7 @@ jobs:
|
||||
name: MacOS Build
|
||||
runs-on: macos-13
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
env:
|
||||
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||
@@ -603,13 +619,13 @@ jobs:
|
||||
key: ${{ runner.os }}-${{ github.run_id }}-safari-extension
|
||||
|
||||
- name: Login to Azure
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
|
||||
- name: Download Provisioning Profiles secrets
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
env:
|
||||
ACCOUNT_NAME: bitwardenci
|
||||
CONTAINER_NAME: profiles
|
||||
@@ -622,7 +638,7 @@ jobs:
|
||||
--output none
|
||||
|
||||
- name: Get certificates
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
run: |
|
||||
mkdir -p $HOME/certificates
|
||||
|
||||
@@ -645,7 +661,7 @@ jobs:
|
||||
jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
|
||||
|
||||
- name: Set up keychain
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
env:
|
||||
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
|
||||
run: |
|
||||
@@ -675,7 +691,7 @@ jobs:
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
|
||||
|
||||
- name: Set up provisioning profiles
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
run: |
|
||||
cp $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \
|
||||
$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile
|
||||
@@ -695,7 +711,7 @@ jobs:
|
||||
working-directory: ./
|
||||
|
||||
- name: Download SDK Artifacts
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/download-artifacts@main
|
||||
with:
|
||||
github_token: ${{secrets.GITHUB_TOKEN}}
|
||||
@@ -708,7 +724,7 @@ jobs:
|
||||
if_no_artifact_found: fail
|
||||
|
||||
- name: Override SDK
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
working-directory: ./
|
||||
run: |
|
||||
ls -l ../
|
||||
@@ -734,8 +750,10 @@ jobs:
|
||||
|
||||
browser-build:
|
||||
name: Browser Build
|
||||
needs: setup
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: ./.github/workflows/build-browser.yml
|
||||
secrets: inherit
|
||||
|
||||
@@ -743,11 +761,12 @@ jobs:
|
||||
macos-package-github:
|
||||
name: MacOS Package GitHub Release Assets
|
||||
runs-on: macos-13
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
needs:
|
||||
- check-secrets
|
||||
- browser-build
|
||||
- macos-build
|
||||
- setup
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
env:
|
||||
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||
_NODE_VERSION: ${{ needs.setup.outputs.node_version }}
|
||||
@@ -985,11 +1004,12 @@ jobs:
|
||||
macos-package-mas:
|
||||
name: MacOS Package Prod Release Asset
|
||||
runs-on: macos-13
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
- browser-build
|
||||
- macos-build
|
||||
- setup
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
env:
|
||||
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||
_NODE_VERSION: ${{ needs.setup.outputs.node_version }}
|
||||
@@ -1253,11 +1273,12 @@ jobs:
|
||||
macos-package-dev:
|
||||
name: MacOS Package Dev Release Asset
|
||||
runs-on: macos-13
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
- browser-build
|
||||
- macos-build
|
||||
- setup
|
||||
env:
|
||||
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
|
||||
_NODE_VERSION: ${{ needs.setup.outputs.node_version }}
|
||||
|
||||
48
.github/workflows/build-web.yml
vendored
48
.github/workflows/build-web.yml
vendored
@@ -43,13 +43,35 @@ env:
|
||||
_AZ_REGISTRY: bitwardenprod.azurecr.io
|
||||
|
||||
jobs:
|
||||
check-secrets:
|
||||
name: Check Secrets
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
steps:
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
# Enforce permissions _if_ the workflow has access to secrets to avoid
|
||||
# bots having unsupervised access to secrets.
|
||||
check-run:
|
||||
name: Check PR run
|
||||
needs:
|
||||
- check-secrets
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
|
||||
|
||||
setup:
|
||||
name: Setup
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
version: ${{ steps.version.outputs.value }}
|
||||
node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
|
||||
has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
|
||||
steps:
|
||||
- name: Check out repo
|
||||
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||
@@ -67,18 +89,11 @@ jobs:
|
||||
NODE_VERSION=${NODE_NVMRC/v/''}
|
||||
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Check secrets
|
||||
id: check-secrets
|
||||
env:
|
||||
AZURE_KV_CI_SERVICE_PRINCIPAL: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
run: |
|
||||
has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
|
||||
echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
|
||||
|
||||
build-artifacts:
|
||||
name: Build artifacts
|
||||
runs-on: ubuntu-22.04
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
env:
|
||||
_VERSION: ${{ needs.setup.outputs.version }}
|
||||
@@ -133,7 +148,7 @@ jobs:
|
||||
run: npm ci
|
||||
|
||||
- name: Download SDK Artifacts
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: bitwarden/gh-actions/download-artifacts@main
|
||||
with:
|
||||
github_token: ${{secrets.GITHUB_TOKEN}}
|
||||
@@ -146,7 +161,7 @@ jobs:
|
||||
if_no_artifact_found: fail
|
||||
|
||||
- name: Override SDK
|
||||
if: ${{ inputs.sdk_branch != '' && needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ inputs.sdk_branch != '' && needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
working-directory: ./
|
||||
run: |
|
||||
ls -l ../
|
||||
@@ -180,6 +195,7 @@ jobs:
|
||||
name: Build Docker images
|
||||
runs-on: ubuntu-22.04
|
||||
needs:
|
||||
- check-secrets
|
||||
- setup
|
||||
- build-artifacts
|
||||
strategy:
|
||||
@@ -215,23 +231,23 @@ jobs:
|
||||
|
||||
########## ACRs ##########
|
||||
- name: Login to Prod Azure
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
|
||||
|
||||
- name: Log into Prod container registry
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
run: az acr login -n bitwardenprod
|
||||
|
||||
- name: Login to Azure - CI Subscription
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
|
||||
with:
|
||||
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
|
||||
|
||||
- name: Retrieve github PAT secrets
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
id: retrieve-secret-pat
|
||||
uses: bitwarden/gh-actions/get-keyvault-secrets@main
|
||||
with:
|
||||
@@ -279,7 +295,7 @@ jobs:
|
||||
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
|
||||
|
||||
- name: Build Docker image
|
||||
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
|
||||
if: ${{ needs.check-secrets.outputs.has_secrets == 'true' }}
|
||||
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
|
||||
with:
|
||||
context: apps/web
|
||||
|
||||
Reference in New Issue
Block a user