--- name: Build on: pull_request: {} push: branches: - "main" workflow_dispatch: {} jobs: cloc: name: CLOC runs-on: ubuntu-22.04 steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up CLOC run: | sudo apt update sudo apt -y install cloc - name: Print lines of code run: cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git setup: name: Setup runs-on: ubuntu-22.04 outputs: package_version: ${{ steps.retrieve-version.outputs.package_version }} steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Get Package Version id: retrieve-version run: | PKG_VERSION=$(jq -r .version package.json) echo "package_version=$PKG_VERSION" >> $GITHUB_OUTPUT linux-cli: name: Build Linux CLI runs-on: ubuntu-22.04 needs: setup env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} _PKG_FETCH_NODE_VERSION: 18.5.0 _PKG_FETCH_VERSION: 3.4 steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: cache: 'npm' cache-dependency-path: '**/package-lock.json' node-version: '18' - name: Update NPM run: | npm install -g node-gyp node-gyp install $(node -v) - name: Get pkg-fetch run: | cd $HOME fetchedUrl="https://github.com/vercel/pkg-fetch/releases/download/v$_PKG_FETCH_VERSION/node-v$_PKG_FETCH_NODE_VERSION-linux-x64" mkdir -p .pkg-cache/v$_PKG_FETCH_VERSION wget $fetchedUrl -O "./.pkg-cache/v$_PKG_FETCH_VERSION/fetched-v$_PKG_FETCH_NODE_VERSION-linux-x64" - name: Keytar run: | keytarVersion=$(cat package.json | jq -r '.dependencies.keytar') keytarTar="keytar-v$keytarVersion-napi-v3-linux-x64.tar" keytarTarGz="$keytarTar.gz" keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz" mkdir -p ./keytar/linux wget $keytarUrl -O ./keytar/linux/$keytarTarGz tar -xvf ./keytar/linux/$keytarTarGz -C ./keytar/linux - name: Install run: npm install - name: Package CLI run: npm run dist:cli:lin - name: Zip run: zip -j dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip dist-cli/linux/bwdc keytar/linux/build/Release/keytar.node - name: Create checksums run: | shasum -a 256 dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip | \ cut -d " " -f 1 > dist-cli/bwdc-linux-sha256-$_PACKAGE_VERSION.txt - name: Version Test run: | sudo apt-get update sudo apt install libsecret-1-0 dbus-x11 gnome-keyring eval $(dbus-launch --sh-syntax) eval $(echo -n "" | /usr/bin/gnome-keyring-daemon --login) eval $(/usr/bin/gnome-keyring-daemon --components=secrets --start) mkdir -p test/linux unzip ./dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip -d ./test/linux testVersion=$(./test/linux/bwdc -v) echo "version: $_PACKAGE_VERSION" echo "testVersion: $testVersion" if [ "$testVersion" != "$_PACKAGE_VERSION" ]; then echo "Version test failed." exit 1 fi - name: Upload Linux Zip to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: bwdc-linux-${{ env._PACKAGE_VERSION }}.zip path: ./dist-cli/bwdc-linux-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - name: Upload Linux checksum to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: bwdc-linux-sha256-${{ env._PACKAGE_VERSION }}.txt path: ./dist-cli/bwdc-linux-sha256-${{ env._PACKAGE_VERSION }}.txt if-no-files-found: error macos-cli: name: Build Mac CLI runs-on: macos-13 needs: setup env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} _PKG_FETCH_NODE_VERSION: 18.5.0 _PKG_FETCH_VERSION: 3.4 steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: cache: 'npm' cache-dependency-path: '**/package-lock.json' node-version: '18' - name: Update NPM run: | npm install -g node-gyp node-gyp install $(node -v) - name: Get pkg-fetch run: | cd $HOME fetchedUrl="https://github.com/vercel/pkg-fetch/releases/download/v$_PKG_FETCH_VERSION/node-v$_PKG_FETCH_NODE_VERSION-macos-x64" mkdir -p .pkg-cache/v$_PKG_FETCH_VERSION wget $fetchedUrl -O "./.pkg-cache/v$_PKG_FETCH_VERSION/fetched-v$_PKG_FETCH_NODE_VERSION-macos-x64" - name: Keytar run: | keytarVersion=$(cat package.json | jq -r '.dependencies.keytar') keytarTar="keytar-v$keytarVersion-napi-v3-darwin-x64.tar" keytarTarGz="$keytarTar.gz" keytarUrl="https://github.com/atom/node-keytar/releases/download/v$keytarVersion/$keytarTarGz" mkdir -p ./keytar/macos wget $keytarUrl -O ./keytar/macos/$keytarTarGz tar -xvf ./keytar/macos/$keytarTarGz -C ./keytar/macos - name: Install run: npm install - name: Package CLI run: npm run dist:cli:mac - name: Zip run: zip -j dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip dist-cli/macos/bwdc keytar/macos/build/Release/keytar.node - name: Create checksums run: | shasum -a 256 dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip | \ cut -d " " -f 1 > dist-cli/bwdc-macos-sha256-$_PACKAGE_VERSION.txt - name: Version Test run: | mkdir -p test/macos unzip ./dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip -d ./test/macos testVersion=$(./test/macos/bwdc -v) echo "version: $_PACKAGE_VERSION" echo "testVersion: $testVersion" if [ "$testVersion" != "$_PACKAGE_VERSION" ]; then echo "Version test failed." exit 1 fi - name: Upload Mac Zip to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: bwdc-macos-${{ env._PACKAGE_VERSION }}.zip path: ./dist-cli/bwdc-macos-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - name: Upload Mac checksum to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: bwdc-macos-sha256-${{ env._PACKAGE_VERSION }}.txt path: ./dist-cli/bwdc-macos-sha256-${{ env._PACKAGE_VERSION }}.txt if-no-files-found: error windows-cli: name: Build Windows CLI runs-on: windows-2022 needs: setup env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} _WIN_PKG_FETCH_VERSION: 18.5.0 _WIN_PKG_VERSION: 3.4 steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Setup Windows builder run: | choco install checksum --no-progress choco install reshack --no-progress - name: Set up Node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: cache: 'npm' cache-dependency-path: '**/package-lock.json' node-version: '18' - name: Update NPM run: | npm install -g node-gyp node-gyp install $(node -v) - name: Get pkg-fetch shell: pwsh run: | cd $HOME $fetchedUrl = "https://github.com/vercel/pkg-fetch/releases/download/v$env:_WIN_PKG_VERSION/node-v$env:_WIN_PKG_FETCH_VERSION-win-x64" New-Item -ItemType directory -Path ./.pkg-cache New-Item -ItemType directory -Path ./.pkg-cache/v$env:_WIN_PKG_VERSION Invoke-RestMethod -Uri $fetchedUrl ` -OutFile "./.pkg-cache/v$env:_WIN_PKG_VERSION/fetched-v$env:_WIN_PKG_FETCH_VERSION-win-x64" - name: Keytar shell: pwsh run: | $keytarVersion = (Get-Content -Raw -Path ./package.json | ConvertFrom-Json).dependencies.keytar $keytarTar = "keytar-v${keytarVersion}-napi-v3-{0}-x64.tar" $keytarTarGz = "${keytarTar}.gz" $keytarUrl = "https://github.com/atom/node-keytar/releases/download/v${keytarVersion}/${keytarTarGz}" New-Item -ItemType directory -Path ./keytar/windows | Out-Null Invoke-RestMethod -Uri $($keytarUrl -f "win32") -OutFile "./keytar/windows/$($keytarTarGz -f "win32")" 7z e "./keytar/windows/$($keytarTarGz -f "win32")" -o"./keytar/windows" 7z e "./keytar/windows/$($keytarTar -f "win32")" -o"./keytar/windows" - name: Setup Version Info shell: pwsh run: | $major, $minor, $patch = $env:_PACKAGE_VERSION.split('.') $versionInfo = @" 1 VERSIONINFO FILEVERSION $major,$minor,$patch,0 PRODUCTVERSION $major,$minor,$patch,0 FILEOS 0x40004 FILETYPE 0x1 { BLOCK "StringFileInfo" { BLOCK "040904b0" { VALUE "CompanyName", "Bitwarden Inc." VALUE "ProductName", "Bitwarden" VALUE "FileDescription", "Bitwarden Directory Connector CLI" VALUE "FileVersion", "$env:_PACKAGE_VERSION" VALUE "ProductVersion", "$env:_PACKAGE_VERSION" VALUE "OriginalFilename", "bwdc.exe" VALUE "InternalName", "bwdc" VALUE "LegalCopyright", "Copyright Bitwarden Inc." } } BLOCK "VarFileInfo" { VALUE "Translation", 0x0409 0x04B0 } } "@ $versionInfo | Out-File ./version-info.rc - name: Resource Hacker shell: cmd run: | set PATH=%PATH%;C:\Program Files (x86)\Resource Hacker set WIN_PKG=C:\Users\runneradmin\.pkg-cache\v%_WIN_PKG_VERSION%\fetched-v%_WIN_PKG_FETCH_VERSION%-win-x64 set WIN_PKG_BUILT=C:\Users\runneradmin\.pkg-cache\v%_WIN_PKG_VERSION%\built-v%_WIN_PKG_FETCH_VERSION%-win-x64 ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action delete -mask ICONGROUP,1, ResourceHacker -open version-info.rc -save version-info.res -action compile ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action addoverwrite -resource version-info.res - name: Install run: npm install - name: Package CLI run: npm run dist:cli:win - name: Zip shell: cmd run: 7z a .\dist-cli\bwdc-windows-%_PACKAGE_VERSION%.zip .\dist-cli\windows\bwdc.exe .\keytar\windows\keytar.node - name: Version Test shell: pwsh run: | Expand-Archive -Path "dist-cli\bwdc-windows-${{ env._PACKAGE_VERSION }}.zip" -DestinationPath "test\windows" $testVersion = Invoke-Expression '& .\test\windows\bwdc.exe -v' echo "version: ${env:_PACKAGE_VERSION}" echo "testVersion: $testVersion" if ($testVersion -ne ${env:_PACKAGE_VERSION}) { Throw "Version test failed." } - name: Create checksums run: | checksum -f="./dist-cli/bwdc-windows-${env:_PACKAGE_VERSION}.zip" ` -t sha256 | Out-File ./dist-cli/bwdc-windows-sha256-${env:_PACKAGE_VERSION}.txt - name: Upload Windows Zip to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: bwdc-windows-${{ env._PACKAGE_VERSION }}.zip path: ./dist-cli/bwdc-windows-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - name: Upload Windows checksum to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: bwdc-windows-sha256-${{ env._PACKAGE_VERSION }}.txt path: ./dist-cli/bwdc-windows-sha256-${{ env._PACKAGE_VERSION }}.txt if-no-files-found: error windows-gui: name: Build Windows GUI runs-on: windows-2022 needs: setup env: NODE_OPTIONS: --max_old_space_size=4096 _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} HUSKY: 0 steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: cache: 'npm' cache-dependency-path: '**/package-lock.json' node-version: '18' - name: Update NPM run: | npm install -g node-gyp node-gyp install $(node -v) - name: Print environment run: | node --version npm --version - name: Install AST run: dotnet tool install --global AzureSignTool --version 4.0.1 - name: Install Node dependencies run: npm install - name: Build & Sign run: npm run dist:win env: ELECTRON_BUILDER_SIGN: 1 SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }} SIGNING_CLIENT_ID: ${{ secrets.SIGNING_CLIENT_ID }} SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }} SIGNING_CLIENT_SECRET: ${{ secrets.SIGNING_CLIENT_SECRET }} SIGNING_CERT_NAME: ${{ secrets.SIGNING_CERT_NAME }} - name: Upload Portable Executable to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: Bitwarden-Connector-Portable-${{ env._PACKAGE_VERSION }}.exe path: ./dist/Bitwarden-Connector-Portable-${{ env._PACKAGE_VERSION }}.exe if-no-files-found: error - name: Upload Installer Executable to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: Bitwarden-Connector-Installer-${{ env._PACKAGE_VERSION }}.exe path: ./dist/Bitwarden-Connector-Installer-${{ env._PACKAGE_VERSION }}.exe if-no-files-found: error - name: Upload Installer Executable Blockmap to GitHub uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: Bitwarden-Connector-Installer-${{ env._PACKAGE_VERSION }}.exe.blockmap path: ./dist/Bitwarden-Connector-Installer-${{ env._PACKAGE_VERSION }}.exe.blockmap if-no-files-found: error - name: Upload latest auto-update artifact uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: latest.yml path: ./dist/latest.yml if-no-files-found: error linux-gui: name: Build Linux GUI runs-on: ubuntu-22.04 needs: setup env: NODE_OPTIONS: --max_old_space_size=4096 _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} HUSKY: 0 steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: cache: 'npm' cache-dependency-path: '**/package-lock.json' node-version: '18' - name: Update NPM run: | npm install -g node-gyp node-gyp install $(node -v) - name: Set up environment run: | sudo apt-get update sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev sudo apt-get -y install rpm - name: NPM Install run: npm install - name: NPM Rebuild run: npm run rebuild - name: NPM Package run: npm run dist:lin - name: Upload AppImage uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: Bitwarden-Connector-${{ env._PACKAGE_VERSION }}-x86_64.AppImage path: ./dist/Bitwarden-Connector-${{ env._PACKAGE_VERSION }}-x86_64.AppImage if-no-files-found: error - name: Upload latest auto-update artifact uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: latest-linux.yml path: ./dist/latest-linux.yml if-no-files-found: error macos-gui: name: Build MacOS GUI runs-on: macos-13 needs: setup env: NODE_OPTIONS: --max_old_space_size=4096 _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} HUSKY: 0 steps: - name: Checkout repo uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: cache: 'npm' cache-dependency-path: '**/package-lock.json' node-version: '18' - name: Update NPM run: | npm install -g node-gyp node-gyp install $(node -v) - name: Print environment run: | node --version npm --version echo "GitHub ref: $GITHUB_REF" echo "GitHub event: $GITHUB_EVENT" - name: Login to Azure uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Get certificates run: | mkdir -p $HOME/certificates az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Load package version run: | $rootPath = $env:GITHUB_WORKSPACE; $packageVersion = (Get-Content -Raw -Path $rootPath\package.json | ConvertFrom-Json).version; Write-Output "Setting package version to $packageVersion"; Write-Output "PACKAGE_VERSION=$packageVersion" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append; shell: pwsh - name: Install Node dependencies run: npm install - name: Set up private auth key run: | mkdir ~/private_keys cat << EOF > ~/private_keys/AuthKey_UFD296548T.p8 ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }} EOF - name: Build application run: npm run dist:mac env: APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }} APP_STORE_CONNECT_AUTH_KEY: UFD296548T APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_UFD296548T.p8 CSC_FOR_PULL_REQUEST: true - name: Upload .zip artifact uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: Bitwarden-Connector-${{ env._PACKAGE_VERSION }}-mac.zip path: ./dist/Bitwarden-Connector-${{ env._PACKAGE_VERSION }}-mac.zip if-no-files-found: error - name: Upload .dmg artifact uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: Bitwarden-Connector-${{ env._PACKAGE_VERSION }}.dmg path: ./dist/Bitwarden-Connector-${{ env._PACKAGE_VERSION }}.dmg if-no-files-found: error - name: Upload .dmg Blockmap artifact uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: Bitwarden-Connector-${{ env._PACKAGE_VERSION }}.dmg.blockmap path: ./dist/Bitwarden-Connector-${{ env._PACKAGE_VERSION }}.dmg.blockmap if-no-files-found: error - name: Upload latest auto-update artifact uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: latest-mac.yml path: ./dist/latest-mac.yml if-no-files-found: error check-failures: name: Check for failures runs-on: ubuntu-22.04 needs: - cloc - setup - linux-cli - macos-cli - windows-cli - windows-gui - linux-gui - macos-gui steps: - name: Check if any job failed if: github.ref == 'refs/heads/main' && contains(needs.*.result, 'failure') run: exit 1 - name: Login to Azure - CI subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 if: failure() with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main if: failure() with: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} with: status: ${{ job.status }}