name: Publish Desktop run-name: Publish Desktop ${{ inputs.publish_type }} on: workflow_dispatch: inputs: publish_type: description: 'Publish Options' required: true default: 'Publish' type: choice options: - Publish - Dry Run version: description: 'Version to publish (default: latest desktop release)' required: true type: string default: latest electron_rollout_percentage: description: 'Staged Rollout Percentage for Electron (ignored if Electron publish disabled)' required: false default: '10' type: string electron_publish: description: 'Publish to Electron (auto-updater)' required: true default: true type: boolean snap_publish: description: 'Publish to Snap store' required: true default: true type: boolean choco_publish: description: 'Publish to Chocolatey store' required: true default: true type: boolean mas_publish: description: 'Publish to Mac App Store' required: true default: true type: boolean release_notes: description: 'Release Notes' required: false type: string jobs: setup: name: Setup runs-on: ubuntu-22.04 outputs: release_version: ${{ steps.version.outputs.version }} release_channel: ${{ steps.release_channel.outputs.channel }} tag_name: ${{ steps.version.outputs.tag_name }} deployment_id: ${{ steps.deployment.outputs.deployment_id }} permissions: contents: read deployments: write steps: - name: Branch check if: ${{ inputs.publish_type != 'Dry Run' }} run: | if [[ "$GITHUB_REF" != "refs/heads/rc" ]] && [[ "$GITHUB_REF" != "refs/heads/hotfix-rc-desktop" ]]; then echo "===================================" echo "[!] Can only publish from the 'rc' or 'hotfix-rc-desktop' branches" echo "===================================" exit 1 fi - name: Check Publish Version id: version run: | if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then TAG_NAME=$(curl "https://api.github.com/repos/bitwarden/clients/releases" | jq -c '.[] | select(.tag_name | contains("desktop")) | .tag_name' | head -1 | cut -d '"' -f 2) VERSION=$(echo $TAG_NAME | sed "s/desktop-v//") echo "Latest Released Version: $VERSION" echo "version=$VERSION" >> $GITHUB_OUTPUT echo "Tag name: $TAG_NAME" echo "tag_name=$TAG_NAME" >> $GITHUB_OUTPUT else echo "Release Version: ${{ inputs.version }}" echo "version=${{ inputs.version }}" TAG_NAME="desktop-v${{ inputs.version }}" echo "Tag name: $TAG_NAME" echo "tag_name=$TAG_NAME" >> $GITHUB_OUTPUT fi - name: Get Version Channel id: release_channel run: | case "${{ steps.version.outputs.version }}" in *"alpha"*) echo "channel=alpha" >> $GITHUB_OUTPUT echo "[!] We do not yet support 'alpha'" exit 1 ;; *"beta"*) echo "channel=beta" >> $GITHUB_OUTPUT ;; *) echo "channel=latest" >> $GITHUB_OUTPUT ;; esac - name: Create GitHub deployment if: ${{ inputs.publish_type != 'Dry Run' }} uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7 id: deployment with: token: '${{ secrets.GITHUB_TOKEN }}' initial-status: 'in_progress' environment: 'Desktop - Production' description: 'Deployment ${{ steps.version.outputs.version }} to channel ${{ steps.release_channel.outputs.channel }} from branch ${{ github.ref_name }}' task: release electron-blob: name: Electron blob publish runs-on: ubuntu-22.04 needs: setup if: inputs.electron_publish permissions: contents: read packages: read id-token: write deployments: write env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }} steps: - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main with: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: "bitwarden-ci" secrets: "aws-electron-access-id, aws-electron-access-key, aws-electron-bucket-name" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main - name: Create artifacts directory run: mkdir -p apps/desktop/artifacts - name: Download artifacts env: GH_TOKEN: ${{ github.token }} working-directory: apps/desktop/artifacts run: gh release download ${{ env._RELEASE_TAG }} -R bitwarden/clients - name: Set staged rollout percentage env: RELEASE_CHANNEL: ${{ needs.setup.outputs.release_channel }} ROLLOUT_PCT: ${{ inputs.electron_rollout_percentage }} run: | echo "stagingPercentage: ${ROLLOUT_PCT}" >> apps/desktop/artifacts/${RELEASE_CHANNEL}.yml echo "stagingPercentage: ${ROLLOUT_PCT}" >> apps/desktop/artifacts/${RELEASE_CHANNEL}-linux.yml echo "stagingPercentage: ${ROLLOUT_PCT}" >> apps/desktop/artifacts/${RELEASE_CHANNEL}-mac.yml - name: Publish artifacts to S3 if: ${{ inputs.publish_type != 'Dry Run' }} env: AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-electron-access-id }} AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-electron-access-key }} AWS_DEFAULT_REGION: 'us-west-2' AWS_S3_BUCKET_NAME: ${{ steps.retrieve-secrets.outputs.aws-electron-bucket-name }} working-directory: apps/desktop/artifacts run: | aws s3 cp ./ $AWS_S3_BUCKET_NAME/desktop/ \ --acl "public-read" \ --recursive \ --quiet - name: Update deployment status to Success if: ${{ inputs.publish_type != 'Dry Run' && success() }} uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: '${{ secrets.GITHUB_TOKEN }}' state: 'success' deployment-id: ${{ needs.setup.outputs.deployment_id }} - name: Update deployment status to Failure if: ${{ inputs.publish_type != 'Dry Run' && failure() }} uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: '${{ secrets.GITHUB_TOKEN }}' state: 'failure' deployment-id: ${{ needs.setup.outputs.deployment_id }} snap: name: Deploy Snap runs-on: ubuntu-22.04 needs: setup permissions: contents: read id-token: write if: inputs.snap_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }} steps: - name: Checkout Repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main with: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: "bitwarden-ci" secrets: "snapcraft-store-token" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main - name: Install Snap uses: samuelmeuli/action-snapcraft@d33c176a9b784876d966f80fb1b461808edc0641 # v2.1.1 - name: Setup run: mkdir dist working-directory: apps/desktop - name: Download artifacts working-directory: apps/desktop/dist run: wget https://github.com/bitwarden/clients/releases/download/${{ env._RELEASE_TAG }}/bitwarden_${{ env._PKG_VERSION }}_amd64.snap - name: Deploy to Snap Store if: ${{ inputs.publish_type != 'Dry Run' }} env: SNAPCRAFT_STORE_CREDENTIALS: ${{ steps.retrieve-secrets.outputs.snapcraft-store-token }} run: | snapcraft upload bitwarden_${{ env._PKG_VERSION }}_amd64.snap --release stable snapcraft logout working-directory: apps/desktop/dist choco: name: Deploy Choco runs-on: windows-2022 needs: setup permissions: contents: read id-token: write if: inputs.choco_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }} steps: - name: Checkout Repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Print Environment run: | dotnet --version dotnet nuget --version - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main with: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: "bitwarden-ci" secrets: "cli-choco-api-key" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main - name: Setup Chocolatey run: choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/ env: CHOCO_API_KEY: ${{ steps.retrieve-secrets.outputs.cli-choco-api-key }} - name: Make dist dir run: New-Item -ItemType directory -Path ./dist working-directory: apps/desktop - name: Download artifacts working-directory: apps/desktop/dist run: Invoke-WebRequest -Uri "https://github.com/bitwarden/clients/releases/download/${{ env._RELEASE_TAG }}/bitwarden.${{ env._PKG_VERSION }}.nupkg" -OutFile bitwarden.${{ env._PKG_VERSION }}.nupkg - name: Push to Chocolatey if: ${{ inputs.publish_type != 'Dry Run' }} run: choco push --source=https://push.chocolatey.org/ working-directory: apps/desktop/dist mas: name: Deploy Mac App Store runs-on: macos-15 needs: setup permissions: contents: read id-token: write if: inputs.mas_publish env: _PKG_VERSION: ${{ needs.setup.outputs.release_version }} _RELEASE_TAG: ${{ needs.setup.outputs.tag_name }} steps: - name: Checkout repo uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Validate release notes for MAS if: inputs.mas_publish && (inputs.release_notes == '' || inputs.release_notes == null) run: | echo "โŒ Release notes are required when publishing to Mac App Store" echo "Please provide release notes using the 'Release Notes' input field" exit 1 - name: Download MacOS App Store build number working-directory: apps/desktop run: wget https://github.com/bitwarden/clients/releases/download/${{ env._RELEASE_TAG }}/macos-build-number.json - name: Setup Ruby and Install Fastlane uses: ruby/setup-ruby@ca041f971d66735f3e5ff1e21cc13e2d51e7e535 # v1.233.0 with: ruby-version: '3.0' bundler-cache: false working-directory: apps/desktop - name: Install Fastlane working-directory: apps/desktop run: gem install fastlane - name: Log in to Azure uses: bitwarden/gh-actions/azure-login@main with: subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} tenant_id: ${{ secrets.AZURE_TENANT_ID }} client_id: ${{ secrets.AZURE_CLIENT_ID }} - name: Get Azure Key Vault secrets id: get-kv-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: gh-clients secrets: "APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main - name: Publish to App Store env: APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} working-directory: apps/desktop run: | BUILD_NUMBER=$(jq -r '.buildNumber' macos-build-number.json) CHANGELOG="${{ inputs.release_notes }}" IS_DRY_RUN="${{ inputs.publish_type == 'Dry Run' }}" if [ "$IS_DRY_RUN" = "true" ]; then echo "๐Ÿงช DRY RUN MODE - Testing without actual App Store submission" echo "๐Ÿ“ฆ Would publish build $BUILD_NUMBER to Mac App Store" else echo "๐Ÿš€ PRODUCTION MODE - Publishing to Mac App Store" echo "๐Ÿ“ฆ Publishing build $BUILD_NUMBER to Mac App Store" fi echo "๐Ÿ“ Release notes (${#CHANGELOG} chars): ${CHANGELOG:0:100}..." # Validate changelog length (App Store limit is 4000 chars) if [ ${#CHANGELOG} -gt 4000 ]; then echo "โŒ Release notes too long: ${#CHANGELOG} characters (max 4000)" exit 1 fi fastlane publish --verbose \ app_version:"${{ env._PKG_VERSION }}" \ build_number:$BUILD_NUMBER \ changelog:"$CHANGELOG" \ dry_run:$IS_DRY_RUN update-deployment: name: Update Deployment Status runs-on: ubuntu-22.04 needs: - setup - electron-blob - snap - choco - mas permissions: contents: read deployments: write if: ${{ always() && inputs.publish_type != 'Dry Run' }} steps: - name: Check if any job failed if: contains(needs.*.result, 'failure') run: exit 1 - name: Update deployment status to Success if: ${{ inputs.publish_type != 'Dry Run' && success() }} uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: '${{ secrets.GITHUB_TOKEN }}' state: 'success' deployment-id: ${{ needs.setup.outputs.deployment_id }} - name: Update deployment status to Failure if: ${{ inputs.publish_type != 'Dry Run' && failure() }} uses: chrnorm/deployment-status@9a72af4586197112e0491ea843682b5dc280d806 # v2.0.3 with: token: '${{ secrets.GITHUB_TOKEN }}' state: 'failure' deployment-id: ${{ needs.setup.outputs.deployment_id }}