mirror of
https://github.com/bitwarden/server
synced 2025-12-16 00:03:54 +00:00
8c238ce08d
- Specify permissions needed for the repo_management job - Add required permissions (actions: read, contents: write, id-token: write, pull-requests: write) to the move_edd_db_scripts job
243 lines
7.8 KiB
YAML
243 lines
7.8 KiB
YAML
name: Repository management
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
task:
|
|
default: "Version Bump"
|
|
description: "Task to execute"
|
|
options:
|
|
- "Version Bump"
|
|
- "Version Bump and Cut rc"
|
|
- "Version Bump and Cut hotfix-rc"
|
|
required: true
|
|
type: choice
|
|
target_ref:
|
|
default: "main"
|
|
description: "Branch/Tag to target for cut"
|
|
required: true
|
|
type: string
|
|
version_number_override:
|
|
description: "New version override (leave blank for automatic calculation, example: '2024.1.0')"
|
|
required: false
|
|
type: string
|
|
|
|
permissions:
|
|
pull-requests: write
|
|
contents: write
|
|
|
|
jobs:
|
|
setup:
|
|
name: Setup
|
|
runs-on: ubuntu-24.04
|
|
outputs:
|
|
branch: ${{ steps.set-branch.outputs.branch }}
|
|
steps:
|
|
- name: Set branch
|
|
id: set-branch
|
|
env:
|
|
TASK: ${{ inputs.task }}
|
|
run: |
|
|
if [[ "$TASK" == "Version Bump" ]]; then
|
|
BRANCH="none"
|
|
elif [[ "$TASK" == "Version Bump and Cut rc" ]]; then
|
|
BRANCH="rc"
|
|
elif [[ "$TASK" == "Version Bump and Cut hotfix-rc" ]]; then
|
|
BRANCH="hotfix-rc"
|
|
fi
|
|
|
|
echo "branch=$BRANCH" >> $GITHUB_OUTPUT
|
|
|
|
bump_version:
|
|
name: Bump Version
|
|
if: ${{ always() }}
|
|
runs-on: ubuntu-24.04
|
|
needs:
|
|
- setup
|
|
outputs:
|
|
version: ${{ steps.set-final-version-output.outputs.version }}
|
|
permissions:
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Log in to Azure
|
|
uses: bitwarden/gh-actions/azure-login@main
|
|
with:
|
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
|
|
client_id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
|
|
- name: Get Azure Key Vault secrets
|
|
id: get-kv-secrets
|
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main
|
|
with:
|
|
keyvault: gh-org-bitwarden
|
|
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
|
|
|
|
- name: Log out from Azure
|
|
uses: bitwarden/gh-actions/azure-logout@main
|
|
|
|
- name: Validate version input format
|
|
if: ${{ inputs.version_number_override != '' }}
|
|
uses: bitwarden/gh-actions/version-check@main
|
|
with:
|
|
version: ${{ inputs.version_number_override }}
|
|
|
|
- name: Generate GH App token
|
|
uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
|
|
id: app-token
|
|
with:
|
|
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
|
|
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
|
|
|
|
- name: Check out branch
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: main
|
|
token: ${{ steps.app-token.outputs.token }}
|
|
|
|
- name: Configure Git
|
|
run: |
|
|
git config --local user.email "actions@github.com"
|
|
git config --local user.name "Github Actions"
|
|
|
|
- name: Install xmllint
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y libxml2-utils
|
|
|
|
- name: Get current version
|
|
id: current-version
|
|
run: |
|
|
CURRENT_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props)
|
|
echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
|
|
|
|
- name: Verify input version
|
|
if: ${{ inputs.version_number_override != '' }}
|
|
env:
|
|
CURRENT_VERSION: ${{ steps.current-version.outputs.version }}
|
|
NEW_VERSION: ${{ inputs.version_number_override }}
|
|
run: |
|
|
# Error if version has not changed.
|
|
if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
|
|
echo "Specified override version is the same as the current version." >> $GITHUB_STEP_SUMMARY
|
|
exit 1
|
|
fi
|
|
|
|
# Check if version is newer.
|
|
printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
|
|
if [ $? -eq 0 ]; then
|
|
echo "Version is newer than the current version."
|
|
else
|
|
echo "Version is older than the current version." >> $GITHUB_STEP_SUMMARY
|
|
exit 1
|
|
fi
|
|
|
|
- name: Calculate next release version
|
|
if: ${{ inputs.version_number_override == '' }}
|
|
id: calculate-next-version
|
|
uses: bitwarden/gh-actions/version-next@main
|
|
with:
|
|
version: ${{ steps.current-version.outputs.version }}
|
|
|
|
- name: Bump version props - Version Override
|
|
if: ${{ inputs.version_number_override != '' }}
|
|
id: bump-version-override
|
|
uses: bitwarden/gh-actions/version-bump@main
|
|
with:
|
|
file_path: "Directory.Build.props"
|
|
version: ${{ inputs.version_number_override }}
|
|
|
|
- name: Bump version props - Automatic Calculation
|
|
if: ${{ inputs.version_number_override == '' }}
|
|
id: bump-version-automatic
|
|
uses: bitwarden/gh-actions/version-bump@main
|
|
with:
|
|
file_path: "Directory.Build.props"
|
|
version: ${{ steps.calculate-next-version.outputs.version }}
|
|
|
|
- name: Set final version output
|
|
id: set-final-version-output
|
|
env:
|
|
VERSION: ${{ inputs.version_number_override }}
|
|
run: |
|
|
if [[ "${{ steps.bump-version-override.outcome }}" = "success" ]]; then
|
|
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
|
elif [[ "${{ steps.bump-version-automatic.outcome }}" = "success" ]]; then
|
|
echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
- name: Commit files
|
|
run: git commit -m "Bumped version to ${{ steps.set-final-version-output.outputs.version }}" -a
|
|
|
|
- name: Push changes
|
|
run: git push
|
|
|
|
cut_branch:
|
|
name: Cut branch
|
|
if: ${{ needs.setup.outputs.branch != 'none' }}
|
|
needs:
|
|
- setup
|
|
- bump_version
|
|
runs-on: ubuntu-24.04
|
|
permissions:
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: Log in to Azure
|
|
uses: bitwarden/gh-actions/azure-login@main
|
|
with:
|
|
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
|
|
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
|
|
client_id: ${{ secrets.AZURE_CLIENT_ID }}
|
|
|
|
- name: Get Azure Key Vault secrets
|
|
id: get-kv-secrets
|
|
uses: bitwarden/gh-actions/get-keyvault-secrets@main
|
|
with:
|
|
keyvault: gh-org-bitwarden
|
|
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
|
|
|
|
- name: Log out from Azure
|
|
uses: bitwarden/gh-actions/azure-logout@main
|
|
|
|
- name: Generate GH App token
|
|
uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
|
|
id: app-token
|
|
with:
|
|
app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
|
|
private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
|
|
|
|
- name: Check out target ref
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
with:
|
|
ref: ${{ inputs.target_ref }}
|
|
token: ${{ steps.app-token.outputs.token }}
|
|
|
|
- name: Check if ${{ needs.setup.outputs.branch }} branch exists
|
|
env:
|
|
BRANCH_NAME: ${{ needs.setup.outputs.branch }}
|
|
run: |
|
|
if [[ $(git ls-remote --heads origin $BRANCH_NAME) ]]; then
|
|
echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> $GITHUB_STEP_SUMMARY
|
|
exit 1
|
|
fi
|
|
|
|
- name: Cut branch
|
|
env:
|
|
BRANCH_NAME: ${{ needs.setup.outputs.branch }}
|
|
run: |
|
|
git switch --quiet --create $BRANCH_NAME
|
|
git push --quiet --set-upstream origin $BRANCH_NAME
|
|
|
|
move_edd_db_scripts:
|
|
name: Move EDD database scripts
|
|
needs: cut_branch
|
|
permissions:
|
|
actions: read
|
|
contents: write
|
|
id-token: write
|
|
pull-requests: write
|
|
uses: ./.github/workflows/_move_edd_db_scripts.yml
|
|
secrets: inherit
|