--- name: Build on: workflow_dispatch: inputs: ref: description: 'Branch or tag to build' required: true default: 'refs/heads/main' type: string env: main_app_folder_path: src/App main_app_project_path: src/App/App.csproj target-net-version: net8.0 jobs: cloc: name: CLOC runs-on: ubuntu-22.04 steps: - name: Checkout repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up CLOC run: | sudo apt-get update sudo apt-get -y install cloc - name: Print lines of code run: cloc --vcs git --exclude-dir Resources,store,test,Properties --include-lang C#,XAML setup: name: Setup runs-on: ubuntu-22.04 outputs: rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }} hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }} steps: - name: Checkout repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: 'true' - name: Check if special branches exist id: branch-check run: | if [[ $(git ls-remote --heads origin rc) ]]; then echo "rc_branch_exists=1" >> $GITHUB_OUTPUT else echo "rc_branch_exists=0" >> $GITHUB_OUTPUT fi if [[ $(git ls-remote --heads origin hotfix-rc) ]]; then echo "hotfix_branch_exists=1" >> $GITHUB_OUTPUT else echo "hotfix_branch_exists=0" >> $GITHUB_OUTPUT fi ios: name: Apple iOS runs-on: macos-13 needs: setup env: ios_folder_path: src/App/Platforms/iOS app_output_name: App app_ci_output_filename: App_x64_Debug steps: - name: Set XCode version uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0 with: xcode-version: 15.1 - name: Setup NuGet uses: nuget/setup-nuget@296fd3ccf8528660c91106efefe2364482f86d6f # v1.2.0 with: nuget-version: 6.4.0 - name: Set up .NET uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 with: dotnet-version: '8.0.x' # This step might be obsolete at some point as .NET MAUI workloads # are starting to come pre-installed on the GH Actions build agents. - name: Install MAUI Workload run: dotnet workload install maui --ignore-failed-sources - name: Print environment run: | nuget help | grep Version dotnet --info echo "GitHub ref: $GITHUB_REF" echo "GitHub event: $GITHUB_EVENT" - name: Checkout repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: 'true' ref: ${{ inputs.ref }} - name: Login to Azure - CI Subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: "bitwarden-ci" secrets: "appcenter-ios-token" - name: Decrypt secrets env: DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} run: | mkdir -p ~/secrets gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/bitwarden-mobile-key.p12 ./.github/secrets/bitwarden-mobile-key.p12.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/iphone-distribution-cert.p12 ./.github/secrets/iphone-distribution-cert.p12.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output ./src/watchOS/bitwarden/GoogleService-Info.plist \ ./.github/secrets/GoogleService-Info.plist.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/dist_beta_native_autofill.mobileprovision \ ./.github/secrets/dist_beta_native_autofill.mobileprovision.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/dist_beta_native_bitwarden.mobileprovision \ ./.github/secrets/dist_beta_native_bitwarden.mobileprovision.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/dist_beta_native_extension.mobileprovision \ ./.github/secrets/dist_beta_native_extension.mobileprovision.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/dist_beta_native_share_extension.mobileprovision \ ./.github/secrets/dist_beta_native_share_extension.mobileprovision.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/dist_beta_native_watch_app.mobileprovision \ ./.github/secrets/dist_beta_native_watch_app.mobileprovision.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/dist_beta_native_watch_app_extension.mobileprovision \ ./.github/secrets/dist_beta_native_watch_app_extension.mobileprovision.gpg - name: Increment version run: | BUILD_NUMBER=$((100 + $GITHUB_RUN_NUMBER)) echo "########################################" echo "##### Setting CFBundleVersion $BUILD_NUMBER" echo "########################################" echo "### CFBundleVersion $BUILD_NUMBER" >> $GITHUB_STEP_SUMMARY perl -0777 -pi.bak -e 's/CFBundleVersion<\/key>\s*1<\/string>/CFBundleVersion<\/key>\n\t'"$BUILD_NUMBER"'<\/string>/' ./${{ env.ios_folder_path }}/Info.plist perl -0777 -pi.bak -e 's/CFBundleVersion<\/key>\s*1<\/string>/CFBundleVersion<\/key>\n\t'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Extension/Info.plist perl -0777 -pi.bak -e 's/CFBundleVersion<\/key>\s*1<\/string>/CFBundleVersion<\/key>\n\t'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Autofill/Info.plist perl -0777 -pi.bak -e 's/CFBundleVersion<\/key>\s*1<\/string>/CFBundleVersion<\/key>\n\t'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.ShareExtension/Info.plist cd src/watchOS/bitwarden agvtool new-version -all $BUILD_NUMBER - name: Update Entitlements run: | echo "########################################" echo "##### Updating Entitlements" echo "########################################" perl -0777 -pi.bak -e 's/aps-environment<\/key>\s*development<\/string>/aps-environment<\/key>\n\tproduction<\/string>/' ./${{ env.ios_folder_path }}/Entitlements.plist - name: Set up Keychain env: KEYCHAIN_PASSWORD: ${{ secrets.IOS_KEYCHAIN_PASSWORD }} MOBILE_KEY_PASSWORD: ${{ secrets.IOS_KEY_PASSWORD }} DIST_CERT_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain security import ~/secrets/bitwarden-mobile-key.p12 -k build.keychain -P $MOBILE_KEY_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security security import ~/secrets/iphone-distribution-cert.p12 -k build.keychain -P $DIST_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles run: | AUTOFILL_PROFILE_PATH=$HOME/secrets/dist_beta_native_autofill.mobileprovision BITWARDEN_PROFILE_PATH=$HOME/secrets/dist_beta_native_bitwarden.mobileprovision EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_native_extension.mobileprovision SHARE_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_native_share_extension.mobileprovision WATCH_APP_PROFILE_PATH=$HOME/secrets/dist_beta_native_watch_app.mobileprovision WATCH_APP_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_beta_native_watch_app_extension.mobileprovision PROFILES_DIR_PATH=$HOME/Library/MobileDevice/Provisioning\ Profiles mkdir -p "$PROFILES_DIR_PATH" AUTOFILL_UUID=$(grep UUID -A1 -a $AUTOFILL_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}") cp $AUTOFILL_PROFILE_PATH "$PROFILES_DIR_PATH/$AUTOFILL_UUID.mobileprovision" BITWARDEN_UUID=$(grep UUID -A1 -a $BITWARDEN_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}") cp $BITWARDEN_PROFILE_PATH "$PROFILES_DIR_PATH/$BITWARDEN_UUID.mobileprovision" EXTENSION_UUID=$(grep UUID -A1 -a $EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}") cp $EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$EXTENSION_UUID.mobileprovision" SHARE_EXTENSION_UUID=$(grep UUID -A1 -a $SHARE_EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}") cp $SHARE_EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$SHARE_EXTENSION_UUID.mobileprovision" WATCH_APP_UUID=$(grep UUID -A1 -a $WATCH_APP_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}") cp $WATCH_APP_PROFILE_PATH "$PROFILES_DIR_PATH/$WATCH_APP_UUID.mobileprovision" WATCH_APP_EXTENSION_UUID=$(grep UUID -A1 -a $WATCH_APP_EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}") cp $WATCH_APP_EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$WATCH_APP_EXTENSION_UUID.mobileprovision" - name: Restore packages run: dotnet restore - name: Bulid WatchApp run: | echo "########################################" echo "##### Build WatchApp with Release Configuration" echo "########################################" xcodebuild archive -workspace ./src/watchOS/bitwarden/bitwarden.xcodeproj/project.xcworkspace -configuration Release -scheme bitwarden\ WatchKit\ App -archivePath ./src/watchOS/bitwarden echo "########################################" echo "##### Done" echo "########################################" - name: Archive Build for App Store run: | Write-Output "########################################" Write-Output "##### Archive for Release ios-arm64 Write-Output "########################################" dotnet publish ${{ env.main_app_project_path }} -c Release -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=ios-arm64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false Write-Output "########################################" Write-Output "##### Done" Write-Output "########################################" shell: pwsh - name: Archive Build for Mobile Automation run: | Write-Output "########################################" Write-Output "##### Archive Debug for iossimulator-x64 Write-Output "########################################" dotnet build ${{ env.main_app_project_path }} -c Debug -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=iossimulator-x64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false Write-Output "########################################" Write-Output "##### Done" Write-Output "########################################" ls ~/Library/Developer/Xcode/Archives shell: pwsh - name: Export .ipa for App Store run: | EXPORT_OPTIONS_PATH="./.github/resources/export-options-app-store.plist" ARCHIVE_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive" EXPORT_PATH="./bitwarden-export" xcodebuild -exportArchive -archivePath $ARCHIVE_PATH -exportPath $EXPORT_PATH \ -exportOptionsPlist $EXPORT_OPTIONS_PATH - name: Export .app for Automation CI run: | ARCHIVE_PATH="./${{ env.main_app_folder_path }}/bin/Debug/${{ env.target-net-version }}-ios/iossimulator-x64" EXPORT_PATH="./bitwarden-export" zip -r -q ${{ env.app_ci_output_filename }}.app.zip $ARCHIVE_PATH mv ${{ env.app_ci_output_filename }}.app.zip $EXPORT_PATH - name: Copy all dSYMs files to upload run: | ARCHIVE_DSYMS_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive/dSYMs" EXPORT_PATH="./bitwarden-export" WATCH_ARCHIVE_DSYMS_PATH="./src/watchOS/bitwarden.xcarchive/dSYMs/" WATCH_DSYMS_EXPORT_PATH="$EXPORT_PATH/Watch_dSYMs" cp -r -v $ARCHIVE_DSYMS_PATH $EXPORT_PATH mkdir $WATCH_DSYMS_EXPORT_PATH cp -r -v $WATCH_ARCHIVE_DSYMS_PATH $WATCH_DSYMS_EXPORT_PATH - name: Upload App Store .ipa & dSYMs artifacts uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: Bitwarden iOS path: | ./bitwarden-export/Bitwarden.ipa ./bitwarden-export/dSYMs/*.* if-no-files-found: error - name: Upload .app file for Automation CI uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: ${{ env.app_ci_output_filename }}.app.zip path: ./bitwarden-export/${{ env.app_ci_output_filename }}.app.zip if-no-files-found: error - name: Install AppCenter CLI # if: | # (github.ref == 'refs/heads/main' # && needs.setup.outputs.rc_branch_exists == 0 # && needs.setup.outputs.hotfix_branch_exists == 0) # || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0) # || github.ref == 'refs/heads/hotfix-rc' run: npm install -g appcenter-cli - name: Upload dSYMs to App Center # if: | # (github.ref == 'refs/heads/main' # && needs.setup.outputs.rc_branch_exists == 0 # && needs.setup.outputs.hotfix_branch_exists == 0) # || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0) # || github.ref == 'refs/heads/hotfix-rc' env: APPCENTER_IOS_TOKEN: ${{ steps.retrieve-secrets.outputs.appcenter-ios-token }} run: appcenter crashes upload-symbols -a bitwarden/bitwarden -s "./bitwarden-export/dSYMs" --token $APPCENTER_IOS_TOKEN - name: Upload Watch dSYMs to Firebase Crashlytics # if: | # (github.ref == 'refs/heads/main' # && needs.setup.outputs.rc_branch_exists == 0 # && needs.setup.outputs.hotfix_branch_exists == 0) # || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0) # || github.ref == 'refs/heads/hotfix-rc' run: | echo "########################################" echo "##### Uploading Watch dSYMs to Firebase" echo "########################################" find "$HOME/Library/Developer/XCode/DerivedData" -name "upload-symbols" -exec chmod +x {} \; -exec {} -gsp "./src/watchOS/bitwarden/GoogleService-Info.plist" -p ios "./bitwarden-export/Watch_dSYMs" \; - name: Validate app in App Store # if: | # (github.ref == 'refs/heads/master' # && needs.setup.outputs.rc_branch_exists == 0 # && needs.setup.outputs.hotfix_branch_exists == 0) # || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0) # || github.ref == 'refs/heads/hotfix-rc' env: APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | xcrun altool --validate-app --type ios --file "./bitwarden-export/Bitwarden.ipa" \ --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD" shell: bash - name: Deploy to App Store # if: | # (github.ref == 'refs/heads/main' # && needs.setup.outputs.rc_branch_exists == 0 # && needs.setup.outputs.hotfix_branch_exists == 0) # || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0) # || github.ref == 'refs/heads/hotfix-rc' env: APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | xcrun altool --upload-app --type ios --file "./bitwarden-export/Bitwarden.ipa" \ --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD" crowdin-push: name: Crowdin Push if: github.ref == 'refs/heads/main' needs: - android - f-droid - ios runs-on: ubuntu-22.04 env: _CROWDIN_PROJECT_ID: "269690" steps: - name: Checkout repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Login to Azure - CI Subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: "bitwarden-ci" secrets: "crowdin-api-token" - name: Upload Sources uses: crowdin/github-action@198daeb2d30636c4608d6a6bb96c009dbefc02a2 # v1.18.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }} with: config: crowdin.yml crowdin_branch_name: main upload_sources: true upload_translations: false check-failures: name: Check for failures if: always() runs-on: ubuntu-22.04 needs: - cloc - android - f-droid - ios - crowdin-push steps: - name: Check if any job failed if: | (github.ref == 'refs/heads/main') || (github.ref == 'refs/heads/rc') || (github.ref == 'refs/heads/hotfix-rc') env: CLOC_STATUS: ${{ needs.cloc.result }} ANDROID_STATUS: ${{ needs.android.result }} F_DROID_STATUS: ${{ needs.f-droid.result }} IOS_STATUS: ${{ needs.ios.result }} CROWDIN_PUSH_STATUS: ${{ needs.crowdin-push.result }} run: | if [ "$CLOC_STATUS" = "failure" ]; then exit 1 elif [ "$ANDROID_STATUS" = "failure" ]; then exit 1 elif [ "$F_DROID_STATUS" = "failure" ]; then exit 1 elif [ "$IOS_STATUS" = "failure" ]; then exit 1 elif [ "$CROWDIN_PUSH_STATUS" = "failure" ]; then exit 1 fi - name: Login to Azure - CI Subscription uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 if: failure() with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main if: failure() with: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} with: status: ${{ job.status }}