Refactor lite dockerfile to pull from existing compiled sources (#480)

* Refactor BW lite dockerfile to copy from already compiled sources * Consolidate RUN steps & add caching to GHA * Update supervisord configs * Improve web tag sanitization Found while testing branches: - 264-UI - AC-217-Migrate-Cards-To-Banners - Ac-1410/update_planresponsemodel_on_client We need to lowercase and replace "/". * Tune cache * Update bitwarden-lite/Dockerfile Alphabetical ordering Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com> * Update bitwarden-lite/Dockerfile Alphabetical ordering Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com> --------- Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
2026-06-27 22:05:45 +00:00 · 2026-04-01 00:58:12 -06:00
parent 36730f4e40
commit 08922d41f4
10 changed files with 74 additions and 259 deletions
--- a/.github/workflows/build-bitwarden-lite.yml
+++ b/.github/workflows/build-bitwarden-lite.yml
@@ -5,6 +5,8 @@ on:
    paths:
      - "bitwarden-lite/**"
      - ".github/workflows/build-bitwarden-lite.yml"
+    branches:
+      - main
  workflow_dispatch:
    inputs:
      self_host_repo_ref:
@@ -165,66 +167,31 @@ jobs:
          echo "Using $IMAGE_TAG for build"
          echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"

-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Get Azure Key Vault secrets
-        id: get-kv-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: gh-org-bitwarden
-          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
-      - name: Generate GH App token
-        uses: actions/create-github-app-token@0f859bf9e69e887678d5bbfbee594437cb440ffe # v2.1.0
-        id: app-token
-        with:
-          app-id: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-ID }}
-          private-key: ${{ steps.get-kv-secrets.outputs.BW-GHAPP-KEY }}
-          permission-actions: read # for downloading workflow run artifacts
-          permission-contents: read # for checking out repos
-
-      - name: Checkout server repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-        with:
-          repository: bitwarden/server
-          token: ${{ steps.app-token.outputs.token }}
-          ref: ${{ needs.setup.outputs.server_ref }}
-          path: "server"
-          persist-credentials: false
-
-      - name: Download web client branch artifacts for dev builds
-        if: ${{ !inputs.use_latest_web_version }}
-        uses: bitwarden/gh-actions/download-artifacts@main
-        with:
-          github_token: ${{ steps.app-token.outputs.token }}
-          workflow: build-web.yml
-          workflow_conclusion: success
-          branch: ${{ needs.setup.outputs.web_ref }}
-          repo: bitwarden/clients
-          artifacts: "web-*-selfhosted-DEV.zip"
-          if_no_artifact_found: fail
-
-      - name: Set web artifact path for dev builds
-        if: ${{ !inputs.use_latest_web_version }}
-        id: set-web-artifact-path
-        run: echo "path=$(find . -name "web-*-selfhosted-DEV.zip" | head -1)" >> "$GITHUB_OUTPUT"
+      - name: Generate web image tag
+        id: web-tag
+        env:
+          WEB_REF: ${{ needs.setup.outputs.web_ref }}
+        run: |
+          if [[ $WEB_REF =~ ^refs/tags/web-v(.+)$ ]]; then
+            WEB_TAG="${BASH_REMATCH[1]}"
+          else
+            WEB_TAG=$(echo "${WEB_REF#refs/heads/}" | \
+              tr '[:upper:]' '[:lower:]' | \
+              sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | \
+              cut -c1-128 | \
+              sed -E 's/[.-]$//')
+            [[ "$WEB_TAG" == "main" ]] && WEB_TAG=dev
+          fi
+          echo "web_tag=${WEB_TAG}" >> "$GITHUB_OUTPUT"

      - name: Log build configuration
        env:
-          SERVER_REF: ${{ needs.setup.outputs.server_ref }}
-          WEB_REF: ${{ needs.setup.outputs.web_ref }}
+          SERVER_TAG: ${{ steps.tag.outputs.image_tag }}
+          WEB_TAG: ${{ steps.web-tag.outputs.web_tag }}
        run: |
          echo "### Build Configuration" >> $GITHUB_STEP_SUMMARY
-          echo "- Server: ${SERVER_REF}" >> $GITHUB_STEP_SUMMARY
-          echo "- Web: ${WEB_REF}" >> $GITHUB_STEP_SUMMARY
+          echo "- Server: ghcr.io/bitwarden/\*:${SERVER_TAG}" >> $GITHUB_STEP_SUMMARY
+          echo "- Web: ghcr.io/bitwarden/web:${WEB_TAG}" >> $GITHUB_STEP_SUMMARY

      - name: Build and push Docker image
        id: build-docker
@@ -239,7 +206,10 @@ jobs:
          push: true
          tags: ghcr.io/bitwarden/lite:${{ steps.tag.outputs.image_tag }}
          build-args: |
-            WEB_ARTIFACT_PATH=${{ steps.set-web-artifact-path.outputs.path }}
+            SERVER_TAG=${{ steps.tag.outputs.image_tag }}
+            WEB_TAG=${{ steps.web-tag.outputs.web_tag }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=min

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0