Build Self-Host Unified #8046
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Self-Host Unified | |
on: | |
push: | |
paths: | |
- "docker-unified/**" | |
- ".github/workflows/build-unified.yml" | |
workflow_call: | |
inputs: | |
server_branch: | |
type: string | |
default: main | |
is_workflow_call: | |
type: boolean | |
default: true | |
workflow_dispatch: | |
inputs: | |
server_branch: | |
description: "Server branch name to deploy (examples: 'main', 'rc', 'feature/sm')" | |
type: string | |
default: main | |
pull_request: | |
paths: | |
- ".github/workflows/build-unified.yml" | |
- "docker-unified/**" | |
env: | |
_AZ_REGISTRY: bitwardenprod.azurecr.io | |
jobs: | |
build-docker: | |
name: Build Docker image | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout Repository - workflow_call | |
if: ${{ inputs.is_workflow_call == true }} | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
repository: bitwarden/self-host | |
ref: main | |
- name: Checkout Repository - workflow_dispatch | |
if: ${{ inputs.is_workflow_call != true }} | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Get server branch to checkout | |
id: server-branch-name | |
env: | |
SERVER_BRANCH: ${{ inputs.server_branch }} | |
run: | | |
if [[ -z "${SERVER_BRANCH}" ]]; then | |
echo "server_branch=main" >> $GITHUB_OUTPUT | |
else | |
echo "server_branch=${SERVER_BRANCH#refs/heads/}" >> $GITHUB_OUTPUT | |
fi | |
- name: Check Branch to Publish | |
env: | |
PUBLISH_BRANCHES: "main,rc,hotfix-rc" | |
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_branch }} | |
id: publish-branch-check | |
run: | | |
if [[ "${{ inputs.is_workflow_call }}" == "true" ]]; then | |
REF=main | |
else | |
REF=${GITHUB_REF#refs/heads/} | |
fi | |
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES | |
if [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then | |
echo "is_publish_branch=true" >> $GITHUB_ENV | |
else | |
echo "is_publish_branch=false" >> $GITHUB_ENV | |
fi | |
########## Set up Docker ########## | |
- name: Set up QEMU emulators | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
########## Login to Docker registries ########## | |
- name: Login to Azure - Prod Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
- name: Login to Azure ACR | |
run: az acr login -n bitwardenprod | |
- name: Login to Azure - CI Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve github PAT secrets | |
id: retrieve-secret-pat | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
- name: Setup Docker Trust | |
if: ${{ env.is_publish_branch == 'true' }} | |
uses: bitwarden/gh-actions/setup-docker-trust@main | |
with: | |
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
azure-keyvault-name: "bitwarden-ci" | |
########## Generate image tag and build Docker image ########## | |
- name: Generate Docker image tag | |
id: tag | |
env: | |
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_branch }} | |
run: | | |
IMAGE_TAG=$(echo "${SERVER_BRANCH}" | sed "s#/#-#g") # slash safe branch name | |
if [[ "${IMAGE_TAG}" == "main" ]]; then | |
IMAGE_TAG=dev | |
elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then | |
IMAGE_TAG=beta | |
fi | |
echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
- name: Generate tag list | |
id: tag-list | |
env: | |
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} | |
IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }} | |
run: | | |
if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then | |
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
else | |
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
fi | |
- name: Checkout server repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
repository: bitwarden/server | |
token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }} | |
ref: ${{ steps.server-branch-name.outputs.server_branch }} | |
path: 'server' | |
- name: Build and push Docker image | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
context: . | |
file: docker-unified/Dockerfile | |
platforms: | | |
linux/amd64, | |
linux/arm/v7, | |
linux/arm64/v8 | |
push: true | |
tags: ${{ steps.tag-list.outputs.tags }} | |
secrets: | | |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" | |
- name: Log out of Docker and disable Docker Notary | |
if: ${{ env.is_publish_branch == 'true' }} | |
run: | | |
docker logout | |
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV | |
check-failures: | |
name: Check for failures | |
if: always() | |
runs-on: ubuntu-22.04 | |
needs: build-docker | |
steps: | |
- name: Check if any job failed | |
if: | | |
(github.ref == 'refs/heads/main' | |
|| github.ref == 'refs/heads/rc' | |
|| github.ref == 'refs/heads/hotfix-rc') | |
&& contains(needs.*.result, 'failure') | |
run: exit 1 | |
- name: Login to Azure - CI subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
if: failure() | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
if: failure() | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "devops-alerts-slack-webhook-url" | |
- name: Notify Slack on failure | |
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} | |
with: | |
status: ${{ job.status }} |