change private key wording to secret key (#580) #2035
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: docker | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
release: | |
types: | |
- published | |
workflow_dispatch: | |
inputs: | |
version: | |
description: Application version to use when publishing the project | |
required: false | |
image-tag: | |
description: Additional Docker image tag to apply on deployment | |
required: false | |
jobs: | |
# Determine version | |
version: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Determine stable version | |
id: stable-version | |
if: ${{ inputs.version || github.event_name == 'release' }} | |
run: | | |
version="${{ inputs.version || github.event.release.tag_name }}" | |
if ! [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then | |
echo "Invalid version: $version" | |
exit 1 | |
fi | |
echo "version=$version" >> $GITHUB_OUTPUT | |
- name: Determine prerelease version | |
id: pre-version | |
run: | | |
hash="${{ github.event.pull_request.head.sha || github.sha }}" | |
echo "version=0.0.0-ci-${hash:0:7}" >> $GITHUB_OUTPUT | |
outputs: | |
version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }} | |
# Build the image without deploying just to make sure the dockerfile is valid | |
pack: | |
needs: version | |
strategy: | |
matrix: | |
app: | |
- Api | |
#- AdminConsole | |
- Self-Host | |
include: | |
- app: Api | |
dockerfile: Api.dockerfile | |
#- app: AdminConsole | |
# dockerfile: AdminConsole.dockerfile | |
- app: Self-Host | |
dockerfile: self-host/Dockerfile | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install Docker Buildx | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
- name: Build image | |
run: > | |
docker buildx build . | |
--file ${{ matrix.dockerfile }} | |
--platform linux/amd64,linux/arm64 | |
--build-arg VERSION=${{ needs.version.outputs.version }} | |
--output type=tar,dest=image.tar | |
# Build and deploy the image | |
deploy: | |
if: ${{ github.event_name != 'pull_request' }} | |
needs: version | |
strategy: | |
matrix: | |
app: | |
- Api | |
#- AdminConsole | |
- Self-Host | |
include: | |
- app: Api | |
dockerfile: Api.dockerfile | |
name: passwordless-test-api | |
#- app: AdminConsole | |
# dockerfile: AdminConsole.dockerfile | |
# repository: passwordless-test-admin-console | |
- app: Self-Host | |
dockerfile: self-host/Dockerfile | |
name: passwordless-self-host | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install Docker Buildx | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
- name: Setup Docker Content Trust | |
id: setup-dct | |
uses: bitwarden/gh-actions/setup-docker-trust@main | |
with: | |
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
azure-keyvault-name: "bitwarden-ci" | |
- name: Build & push image | |
env: | |
DOCKER_CONTAINER_NAMESPACE: bitwarden | |
DOCKER_CONTENT_TRUST: 1 | |
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }} | |
run: > | |
docker buildx build . | |
--file ${{ matrix.dockerfile }} | |
--platform linux/amd64,linux/arm64 | |
--build-arg VERSION=${{ needs.version.outputs.version }} | |
--push | |
${{ format('--tag {0}/{1}:latest', env.DOCKER_CONTAINER_NAMESPACE, matrix.name) }} | |
${{ github.event_name == 'release' && format('--tag {0}/{1}:stable', env.DOCKER_CONTAINER_NAMESPACE, matrix.name) || '' }} | |
${{ github.event_name == 'release' && format('--tag {0}/{1}:{2}', env.DOCKER_CONTAINER_NAMESPACE, matrix.name, github.ref_name) || '' }} | |
${{ inputs.image-tag && format('--tag {0}/{1}:{2}', env.DOCKER_CONTAINER_NAMESPACE, matrix.name, inputs.image-tag) || '' }} | |
- name: Log out of Docker and disable Docker Notary | |
run: | | |
docker logout | |
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV |