[PM-14347][PM-14348] New Device Verification Logic #34187
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Web | |
on: | |
pull_request_target: | |
types: [opened, synchronize] | |
branches-ignore: | |
- 'l10n_master' | |
- 'cf-pages' | |
paths: | |
- 'apps/web/**' | |
- 'libs/**' | |
- '*' | |
- '!*.md' | |
- '!*.txt' | |
- '.github/workflows/build-web.yml' | |
push: | |
branches: | |
- 'main' | |
- 'rc' | |
- 'hotfix-rc-web' | |
paths: | |
- 'apps/web/**' | |
- 'libs/**' | |
- '*' | |
- '!*.md' | |
- '!*.txt' | |
- '.github/workflows/build-web.yml' | |
release: | |
types: [published] | |
workflow_dispatch: | |
inputs: | |
custom_tag_extension: | |
description: "Custom image tag extension" | |
required: false | |
sdk_branch: | |
description: "Custom SDK branch" | |
required: false | |
type: string | |
env: | |
_AZ_REGISTRY: bitwardenprod.azurecr.io | |
jobs: | |
check-run: | |
name: Check PR run | |
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main | |
setup: | |
name: Setup | |
runs-on: ubuntu-22.04 | |
needs: | |
- check-run | |
outputs: | |
version: ${{ steps.version.outputs.value }} | |
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Get GitHub sha as version | |
id: version | |
run: echo "value=${GITHUB_SHA:0:7}" >> $GITHUB_OUTPUT | |
- name: Get Node Version | |
id: retrieve-node-version | |
run: | | |
NODE_NVMRC=$(cat .nvmrc) | |
NODE_VERSION=${NODE_NVMRC/v/''} | |
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT | |
build-artifacts: | |
name: Build artifacts | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
env: | |
_VERSION: ${{ needs.setup.outputs.version }} | |
_NODE_VERSION: ${{ needs.setup.outputs.node_version }} | |
strategy: | |
matrix: | |
include: | |
- name: "selfhosted-open-source" | |
npm_command: "dist:oss:selfhost" | |
- name: "cloud-COMMERCIAL" | |
npm_command: "dist:bit:cloud" | |
- name: "selfhosted-COMMERCIAL" | |
npm_command: "dist:bit:selfhost" | |
- name: "cloud-QA" | |
npm_command: "build:bit:qa" | |
git_metadata: true | |
- name: "ee" | |
npm_command: "build:bit:ee" | |
git_metadata: true | |
- name: "cloud-euprd" | |
npm_command: "build:bit:euprd" | |
- name: "cloud-euqa" | |
npm_command: "build:bit:euqa" | |
git_metadata: true | |
- name: "cloud-usdev" | |
npm_command: "build:bit:usdev" | |
git_metadata: true | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Set up Node | |
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 | |
with: | |
cache: 'npm' | |
cache-dependency-path: '**/package-lock.json' | |
node-version: ${{ env._NODE_VERSION }} | |
- name: Print environment | |
run: | | |
whoami | |
node --version | |
npm --version | |
docker --version | |
echo "GitHub ref: $GITHUB_REF" | |
echo "GitHub event: $GITHUB_EVENT" | |
- name: Install dependencies | |
run: npm ci | |
- name: Download SDK Artifacts | |
if: ${{ inputs.sdk_branch != '' }} | |
uses: bitwarden/gh-actions/download-artifacts@main | |
with: | |
github_token: ${{secrets.GITHUB_TOKEN}} | |
workflow: build-wasm-internal.yml | |
workflow_conclusion: success | |
branch: ${{ inputs.sdk_branch }} | |
artifacts: sdk-internal | |
repo: bitwarden/sdk-internal | |
path: ../sdk-internal | |
if_no_artifact_found: fail | |
- name: Override SDK | |
if: ${{ inputs.sdk_branch != '' }} | |
working-directory: ./ | |
run: | | |
ls -l ../ | |
npm link ../sdk-internal | |
- name: Add Git metadata to build version | |
working-directory: apps/web | |
if: matrix.git_metadata | |
run: | | |
VERSION=$( jq -r ".version" package.json) | |
jq --arg version "$VERSION+${GITHUB_SHA:0:7}" '.version = $version' package.json > package.json.tmp | |
mv package.json.tmp package.json | |
- name: Build ${{ matrix.name }} | |
working-directory: apps/web | |
run: npm run ${{ matrix.npm_command }} | |
- name: Package artifact | |
working-directory: apps/web | |
run: zip -r web-${{ env._VERSION }}-${{ matrix.name }}.zip build | |
- name: Upload ${{ matrix.name }} artifact | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: web-${{ env._VERSION }}-${{ matrix.name }}.zip | |
path: apps/web/web-${{ env._VERSION }}-${{ matrix.name }}.zip | |
if-no-files-found: error | |
build-containers: | |
name: Build Docker images | |
runs-on: ubuntu-22.04 | |
permissions: | |
security-events: write | |
id-token: write | |
needs: | |
- setup | |
- build-artifacts | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- artifact_name: cloud-QA | |
image_name: web-qa-cloud | |
- artifact_name: ee | |
image_name: web-ee | |
- artifact_name: selfhosted-COMMERCIAL | |
image_name: web | |
env: | |
_VERSION: ${{ needs.setup.outputs.version }} | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Check Branch to Publish | |
env: | |
PUBLISH_BRANCHES: "main,rc,hotfix-rc-web" | |
id: publish-branch-check | |
run: | | |
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES | |
if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then | |
echo "is_publish_branch=true" >> $GITHUB_ENV | |
else | |
echo "is_publish_branch=false" >> $GITHUB_ENV | |
fi | |
########## ACRs ########## | |
- name: Login to Prod Azure | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
- name: Log into Prod container registry | |
run: az acr login -n bitwardenprod | |
- name: Login to Azure - CI Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve github PAT secrets | |
id: retrieve-secret-pat | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
- name: Download ${{ matrix.artifact_name }} artifact | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip | |
path: apps/web | |
########## Generate image tag and build Docker image ########## | |
- name: Generate Docker image tag | |
id: tag | |
run: | | |
if [[ "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then | |
IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" | sed "s#/#-#g") | |
else | |
IMAGE_TAG=$(echo "${GITHUB_REF_NAME}" | sed "s#/#-#g") | |
fi | |
if [[ "$IMAGE_TAG" == "main" ]]; then | |
IMAGE_TAG=dev | |
fi | |
TAG_EXTENSION=${{ github.event.inputs.custom_tag_extension }} | |
if [[ $TAG_EXTENSION ]]; then | |
IMAGE_TAG=$IMAGE_TAG-$TAG_EXTENSION | |
fi | |
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT | |
########## Build Image ########## | |
- name: Extract artifact | |
working-directory: apps/web | |
run: unzip web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip | |
- name: Generate image full name | |
id: image-name | |
env: | |
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} | |
PROJECT_NAME: ${{ matrix.image_name }} | |
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
- name: Build Docker image | |
id: build-docker | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
context: apps/web | |
file: apps/web/Dockerfile | |
platforms: linux/amd64 | |
push: true | |
tags: ${{ steps.image-name.outputs.name }} | |
secrets: | | |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" | |
- name: Install Cosign | |
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- name: Sign image with Cosign | |
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' | |
env: | |
DIGEST: ${{ steps.build-docker.outputs.digest }} | |
TAGS: ${{ steps.image-name.outputs.name }} | |
run: | | |
IFS="," read -a tags <<< "${TAGS}" | |
images="" | |
for tag in "${tags[@]}"; do | |
images+="${tag}@${DIGEST} " | |
done | |
cosign sign --yes ${images} | |
- name: Scan Docker image | |
id: container-scan | |
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0 | |
with: | |
image: ${{ steps.image-name.outputs.name }} | |
fail-build: false | |
output-format: sarif | |
- name: Upload Grype results to GitHub | |
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 | |
with: | |
sarif_file: ${{ steps.container-scan.outputs.sarif }} | |
- name: Log out of Docker | |
run: docker logout | |
crowdin-push: | |
name: Crowdin Push | |
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' | |
needs: | |
- build-artifacts | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check out repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ github.event.pull_request.head.sha }} | |
- name: Login to Azure | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "crowdin-api-token" | |
- name: Upload Sources | |
uses: crowdin/github-action@30849777a3cba6ee9a09e24e195272b8287a0a5b # v1.20.4 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }} | |
CROWDIN_PROJECT_ID: "308189" | |
with: | |
config: apps/web/crowdin.yml | |
crowdin_branch_name: main | |
upload_sources: true | |
upload_translations: false | |
trigger-web-vault-deploy: | |
name: Trigger web vault deploy | |
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-artifacts | |
steps: | |
- name: Login to Azure - CI Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve github PAT secrets | |
id: retrieve-secret-pat | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
- name: Trigger web vault deploy using GitHub Run ID | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }} | |
script: | | |
await github.rest.actions.createWorkflowDispatch({ | |
owner: 'bitwarden', | |
repo: 'clients', | |
workflow_id: 'deploy-web.yml', | |
ref: 'main', | |
inputs: { | |
'environment': 'USDEV', | |
'build-web-run-id': '${{ github.run_id }}' | |
} | |
}) | |
check-failures: | |
name: Check for failures | |
if: always() | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
- build-artifacts | |
- build-containers | |
- crowdin-push | |
- trigger-web-vault-deploy | |
steps: | |
- name: Check if any job failed | |
if: | | |
github.event_name != 'pull_request_target' | |
&& (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-web') | |
&& contains(needs.*.result, 'failure') | |
run: exit 1 | |
- name: Login to Azure - Prod Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
if: failure() | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
if: failure() | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "devops-alerts-slack-webhook-url" | |
- name: Notify Slack on failure | |
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} | |
with: | |
status: ${{ job.status }} |