Skip to content

Build Self-Host Unified #7871

Build Self-Host Unified

Build Self-Host Unified #7871

Workflow file for this run

name: Build Self-Host Unified
on:
push:
paths:
- "docker-unified/**"
- ".github/workflows/build-unified.yml"
workflow_call:
inputs:
server_branch:
type: string
default: main
is_workflow_call:
type: boolean
default: true
workflow_dispatch:
inputs:
server_branch:
description: "Server branch name to deploy (examples: 'main', 'rc', 'feature/sm')"
type: string
default: main
pull_request:
paths:
- ".github/workflows/build-unified.yml"
- "docker-unified/**"
env:
_AZ_REGISTRY: bitwardenprod.azurecr.io
jobs:
build-docker:
name: Build Docker image
runs-on: ubuntu-22.04
steps:
- name: Checkout Repository - workflow_call
if: ${{ inputs.is_workflow_call == true }}
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: bitwarden/self-host
ref: main
- name: Checkout Repository - workflow_dispatch
if: ${{ inputs.is_workflow_call != true }}
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Get server branch to checkout
id: server-branch-name
env:
SERVER_BRANCH: ${{ inputs.server_branch }}
run: |
if [[ -z "${SERVER_BRANCH}" ]]; then
echo "server_branch=main" >> $GITHUB_OUTPUT
else
echo "server_branch=${SERVER_BRANCH#refs/heads/}" >> $GITHUB_OUTPUT
fi
- name: Check Branch to Publish
env:
PUBLISH_BRANCHES: "main,rc,hotfix-rc"
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_branch }}
id: publish-branch-check
run: |
if [[ "${{ inputs.is_workflow_call }}" == "true" ]]; then
REF=main
else
REF=${GITHUB_REF#refs/heads/}
fi
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
if [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then
echo "is_publish_branch=true" >> $GITHUB_ENV
else
echo "is_publish_branch=false" >> $GITHUB_ENV
fi
########## Set up Docker ##########
- name: Set up QEMU emulators
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
########## Login to Docker registries ##########
- name: Login to Azure - Prod Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
- name: Login to Azure ACR
run: az acr login -n bitwardenprod
- name: Login to Azure - CI Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve github PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Setup Docker Trust
if: ${{ env.is_publish_branch == 'true' }}
uses: bitwarden/gh-actions/setup-docker-trust@main
with:
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
azure-keyvault-name: "bitwarden-ci"
########## Generate image tag and build Docker image ##########
- name: Generate Docker image tag
id: tag
env:
SERVER_BRANCH: ${{ steps.server-branch-name.outputs.server_branch }}
run: |
IMAGE_TAG=$(echo "${SERVER_BRANCH}" | sed "s#/#-#g") # slash safe branch name
if [[ "${IMAGE_TAG}" == "main" ]]; then
IMAGE_TAG=dev
elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then
IMAGE_TAG=beta
fi
echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
- name: Generate tag list
id: tag-list
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
run: |
if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
else
echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
fi
- name: Checkout server repo
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: bitwarden/server
token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
ref: ${{ steps.server-branch-name.outputs.server_branch }}
path: 'server'
- name: Build and push Docker image
uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
with:
context: .
file: docker-unified/Dockerfile
platforms: |
linux/amd64,
linux/arm/v7,
linux/arm64/v8
push: true
tags: ${{ steps.tag-list.outputs.tags }}
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
- name: Log out of Docker and disable Docker Notary
if: ${{ env.is_publish_branch == 'true' }}
run: |
docker logout
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
check-failures:
name: Check for failures
if: always()
runs-on: ubuntu-22.04
needs: build-docker
steps:
- name: Check if any job failed
if: |
(github.ref == 'refs/heads/main'
|| github.ref == 'refs/heads/rc'
|| github.ref == 'refs/heads/hotfix-rc')
&& contains(needs.*.result, 'failure')
run: exit 1
- name: Login to Azure - CI subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
if: failure()
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
if: failure()
with:
keyvault: "bitwarden-ci"
secrets: "devops-alerts-slack-webhook-url"
- name: Notify Slack on failure
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
if: failure()
env:
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
with:
status: ${{ job.status }}