Simon/self-host
1
0
Fork 0
mirror of https://github.com/bitwarden/self-host.git synced 2026-06-28 14:25:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Bitwarden Lite Marketplace Images (#491)

Browse Source 
* lite marketplace listings

* reuse ufw
This commit is contained in:
Kyle Spearrin
2026-04-15 13:26:22 -04:00
committed by GitHub
parent e469a532f5
commit 2dd1ef7f7a
15 changed files with 1851 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

182
.github/workflows/release-aws-lite.yml vendored Normal file
View File

@@ -0,0 +1,182 @@
name: Release AWS Marketplace - Bitwarden Lite
on:
push:
paths:
- "AWSMarketplace/marketplace-image-lite.pkr.hcl"
- "AWSMarketplace/scripts/99-img-check-lite.sh"
- "CommonMarketplaceLite/**"
workflow_dispatch:
inputs:
release_version:
description: "Release version (e.g., 2026.3.2)"
required: false
type: string
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
contents: read
jobs:
build-image:
name: Build Image
runs-on: ubuntu-24.04
timeout-minutes: 90
permissions:
contents: read
id-token: write
steps:
- name: Checkout repo
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "gh-self-host"
secrets: "aws-marketplace-access-key-id,
aws-marketplace-secret-access-key"
- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main
- name: Set version
id: set-version
env:
RELEASE_VERSION: ${{ inputs.release_version }}
run: |
VERSION=$(jq -r '.versions.coreVersion' version.json)
if [[ -z "$VERSION" ]]; then
echo "ERROR: Failed to extract coreVersion from version.json"
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
# Use the release version input when dispatched from the release
# pipeline. Fall back to coreVersion for other builds.
if [[ -n "$RELEASE_VERSION" ]]; then
echo "img_version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
else
echo "img_version=$VERSION" >> "$GITHUB_OUTPUT"
fi
- name: Set up Hashicorp Packer
uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 # v3.1.0
- name: Build AWS Lite Image
env:
AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-marketplace-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-marketplace-secret-access-key }}
AWS_DEFAULT_REGION: "us-east-1"
AWS_IMG_VERSION: ${{ steps.set-version.outputs.img_version }}
working-directory: ./AWSMarketplace
run: |
packer version
packer init -upgrade marketplace-image-lite.pkr.hcl
packer build marketplace-image-lite.pkr.hcl
- name: Cleanup orphaned instances on cancellation or failure
if: cancelled() || failure()
env:
AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-marketplace-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-marketplace-secret-access-key }}
AWS_DEFAULT_REGION: "us-east-1"
run: |
echo "Workflow cancelled - cleaning up any orphaned resources..."
echo "## :warning: Workflow Cancelled - Resource Cleanup" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Searching for orphaned instances with tag: \`github-run-${{ github.run_id }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Find and terminate EC2 instances tagged with this run
INSTANCE_IDS=$(aws ec2 describe-instances \
--filters "Name=tag:GitHub_Run,Values=github-run-${{ github.run_id }}" \
"Name=instance-state-name,Values=pending,running,stopping,stopped" \
--query "Reservations[].Instances[].InstanceId" \
--output text)
if [ -n "$INSTANCE_IDS" ]; then
echo "Found orphaned instances: $INSTANCE_IDS"
echo "### Orphaned Instances Found and Terminated" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Instance ID | Status |" >> $GITHUB_STEP_SUMMARY
echo "|-------------|--------|" >> $GITHUB_STEP_SUMMARY
for INSTANCE_ID in $INSTANCE_IDS; do
echo "Terminating instance: $INSTANCE_ID"
if aws ec2 terminate-instances --instance-ids "$INSTANCE_ID"; then
echo "| $INSTANCE_ID | :white_check_mark: Terminated |" >> $GITHUB_STEP_SUMMARY
else
echo "| $INSTANCE_ID | :x: Failed to terminate |" >> $GITHUB_STEP_SUMMARY
fi
done
else
echo "No orphaned instances found"
echo ":white_check_mark: No orphaned resources found - nothing to clean up" >> $GITHUB_STEP_SUMMARY
fi
- name: Add build summary
if: success()
env:
VERSION: ${{ steps.set-version.outputs.version }}
working-directory: ./AWSMarketplace
run: |
echo "## :rocket: AWS Marketplace Lite Image Build Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Version:** ${VERSION}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Get artifact details from manifest
if [ -f manifest-lite.json ]; then
AMI_ID=$(jq -r '.builds[-1].artifact_id' manifest-lite.json)
echo "**AMI ID:** \`$AMI_ID\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
fi
echo ":white_check_mark: Packer build instance was automatically cleaned up" >> $GITHUB_STEP_SUMMARY
- name: AWS Lite Image Cleanup
working-directory: ./AWSMarketplace
if: ${{ inputs.release_version == '' }}
env:
AWS_ACCESS_KEY_ID: ${{ steps.retrieve-secrets.outputs.aws-marketplace-access-key-id }}
AWS_SECRET_ACCESS_KEY: ${{ steps.retrieve-secrets.outputs.aws-marketplace-secret-access-key }}
AWS_DEFAULT_REGION: "us-east-1"
run: |
# Get the AMI ID from the manifest (format: "us-east-1:ami-xxxxxxxxx")
AMI_ID=$(jq -r '.builds[-1].artifact_id' manifest-lite.json | cut -d ":" -f2)
if [ -n "$AMI_ID" ]; then
# Find associated snapshots before deregistering
SNAPSHOT_IDS=$(aws ec2 describe-images --image-ids "$AMI_ID" \
--query "Images[].BlockDeviceMappings[].Ebs.SnapshotId" \
--output text 2>/dev/null || true)
# Deregister the AMI
aws ec2 deregister-image --image-id "$AMI_ID" 2>/dev/null || true
# Delete associated snapshots
for SNAPSHOT_ID in $SNAPSHOT_IDS; do
aws ec2 delete-snapshot --snapshot-id "$SNAPSHOT_ID" 2>/dev/null || true
done
fi
# Update summary for non-release builds
echo "" >> $GITHUB_STEP_SUMMARY
echo "---" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo ":wastebasket: **Non-release build:** AMI \`$AMI_ID\` and snapshots were automatically cleaned up" >> $GITHUB_STEP_SUMMARY

180
.github/workflows/release-azure-lite.yml vendored Normal file
View File

@@ -0,0 +1,180 @@
name: Release Azure Marketplace - Bitwarden Lite
on:
push:
paths:
- "AzureMarketplace/marketplace-image-lite.pkr.hcl"
- "AzureMarketplace/scripts/99-img-check-lite.sh"
- "CommonMarketplaceLite/**"
workflow_dispatch:
inputs:
release_version:
description: "Release version (e.g., 2026.3.2)"
required: false
type: string
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
contents: read
jobs:
build-image:
name: Build Image
runs-on: ubuntu-24.04
timeout-minutes: 90
permissions:
contents: read
id-token: write
steps:
- name: Checkout repo
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "gh-self-host"
secrets: "azure-marketplace-subscription-id"
- name: Set version
id: set-version
env:
RELEASE_VERSION: ${{ inputs.release_version }}
RUN_NUMBER: ${{ github.run_number }}
run: |
VERSION=$(jq -r '.versions.coreVersion' version.json)
if [[ -z "$VERSION" ]]; then
echo "ERROR: Failed to extract coreVersion from version.json"
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
# Use the release version input when dispatched from the release
# pipeline. Fall back to a dev version for push builds to avoid
# colliding with published gallery image versions.
if [[ -n "$RELEASE_VERSION" ]]; then
echo "img_version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
else
echo "img_version=0.0.$RUN_NUMBER" >> "$GITHUB_OUTPUT"
fi
- name: Set up Hashicorp Packer
uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 # v3.1.0
- name: Build Azure Lite Image
env:
AZURE_SUBSCRIPTION_ID: ${{ steps.retrieve-secrets.outputs.azure-marketplace-subscription-id }}
AZURE_RESOURCE_GROUP: rg-marketplace
AZURE_GALLERY_NAME: bitwarden_marketplace
AZURE_GALLERY_IMAGE_NAME: "bitwarden-lite-self-host"
AZURE_IMG_VERSION: ${{ steps.set-version.outputs.img_version }}
working-directory: ./AzureMarketplace
run: |
packer version
packer init -upgrade marketplace-image-lite.pkr.hcl
packer build marketplace-image-lite.pkr.hcl
- name: Cleanup orphaned resources on cancellation or failure
if: cancelled() || failure()
env:
RESOURCE_GROUP: rg-marketplace
run: |
echo "Workflow cancelled - cleaning up any orphaned resources..."
echo "## :warning: Workflow Cancelled - Resource Cleanup" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Searching for orphaned resources with tag: \`github-run-${{ github.run_id }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Find and delete VMs tagged with this run
VM_IDS=$(az vm list \
--resource-group "$RESOURCE_GROUP" \
--query "[?tags.github_run=='github-run-${{ github.run_id }}'].id" \
--output tsv)
if [ -n "$VM_IDS" ]; then
echo "Found orphaned VMs, deleting..."
echo "### Orphaned VMs Found and Deleted" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
for VM_ID in $VM_IDS; do
echo "Deleting VM: $VM_ID"
if az vm delete --ids "$VM_ID" --yes --force-deletion true; then
echo "| $VM_ID | :white_check_mark: Deleted |" >> $GITHUB_STEP_SUMMARY
else
echo "| $VM_ID | :x: Failed to delete |" >> $GITHUB_STEP_SUMMARY
fi
done
else
echo "No orphaned VMs found"
echo ":white_check_mark: No orphaned resources found - nothing to clean up" >> $GITHUB_STEP_SUMMARY
fi
- name: Add build summary
if: success()
env:
VERSION: ${{ steps.set-version.outputs.version }}
working-directory: ./AzureMarketplace
run: |
echo "## :rocket: Azure Marketplace Lite Image Build Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Version:** ${VERSION}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Get artifact details from manifest
if [ -f manifest-lite.json ]; then
IMAGE_ID=$(jq -r '.builds[-1].artifact_id' manifest-lite.json)
echo "**Image ID:** \`$IMAGE_ID\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
fi
echo ":white_check_mark: Packer build VM was automatically cleaned up" >> $GITHUB_STEP_SUMMARY
- name: Azure Lite Image Cleanup
working-directory: ./AzureMarketplace
if: ${{ inputs.release_version == '' }}
env:
RESOURCE_GROUP: rg-marketplace
GALLERY_NAME: bitwarden_marketplace
VERSION: ${{ steps.set-version.outputs.img_version }}
run: |
# Get the managed image name from manifest
IMAGE_NAME=$(jq -r '.builds[-1].custom_data.managed_image_name // empty' manifest-lite.json)
# Delete the gallery image version
az sig image-version delete \
--resource-group "$RESOURCE_GROUP" \
--gallery-name "$GALLERY_NAME" \
--gallery-image-definition "bitwarden-lite-self-host" \
--gallery-image-version "$VERSION" \
2>/dev/null || true
# Delete the managed image
if [ -n "$IMAGE_NAME" ]; then
az image delete \
--resource-group "$RESOURCE_GROUP" \
--name "$IMAGE_NAME" \
2>/dev/null || true
fi
# Update summary for non-release builds
echo "" >> $GITHUB_STEP_SUMMARY
echo "---" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo ":wastebasket: **Non-release build:** Image was automatically cleaned up" >> $GITHUB_STEP_SUMMARY
- name: Log out from Azure
if: always()
uses: bitwarden/gh-actions/azure-logout@main

169
.github/workflows/release-digital-ocean-lite.yml vendored Normal file
View File

@@ -0,0 +1,169 @@
name: Release Digital Ocean 1-Click - Bitwarden Lite
on:
push:
paths:
- "DigitalOceanMarketplace/marketplace-image-lite.pkr.hcl"
- "DigitalOceanMarketplace/scripts/99-img-check-lite.sh"
- "CommonMarketplaceLite/**"
workflow_dispatch:
inputs:
release_version:
description: "Release version (e.g., 2026.3.2)"
required: false
type: string
concurrency:
group: ${{ github.workflow }}
cancel-in-progress: false
permissions:
contents: read
jobs:
build-image:
name: Build Image
runs-on: ubuntu-24.04
timeout-minutes: 90
permissions:
contents: read
id-token: write
steps:
- name: Checkout repo
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "digital-ocean-api-key"
- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main
- name: Set version
id: set-version
env:
RELEASE_VERSION: ${{ inputs.release_version }}
run: |
VERSION=$(jq -r '.versions.coreVersion' version.json)
if [[ -z "$VERSION" ]]; then
echo "ERROR: Failed to extract coreVersion from version.json"
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
# Use the release version input when dispatched from the release
# pipeline. Fall back to coreVersion for other builds.
if [[ -n "$RELEASE_VERSION" ]]; then
echo "img_version=$RELEASE_VERSION" >> "$GITHUB_OUTPUT"
else
echo "img_version=$VERSION" >> "$GITHUB_OUTPUT"
fi
- name: Set up Hashicorp Packer
uses: hashicorp/setup-packer@1aa358be5cf73883762b302a3a03abd66e75b232 # v3.1.0
- name: Build Digital Ocean Lite Image
env:
DIGITALOCEAN_TOKEN: ${{ steps.retrieve-secrets.outputs.digital-ocean-api-key }}
DIGITALOCEAN_IMG_VERSION: ${{ steps.set-version.outputs.img_version }}
working-directory: ./DigitalOceanMarketplace
run: |
packer version
packer init -upgrade marketplace-image-lite.pkr.hcl
packer build marketplace-image-lite.pkr.hcl
- name: Install doctl
uses: digitalocean/action-doctl@135ac0aa0eed4437d547c6f12c364d3006b42824 # v2.5.1
with:
token: ${{ steps.retrieve-secrets.outputs.digital-ocean-api-key }}
- name: Cleanup orphaned droplets on cancellation
if: cancelled()
run: |
echo "Workflow cancelled - cleaning up any orphaned droplets..."
# Write to workflow summary
echo "## :warning: Workflow Cancelled - Droplet Cleanup" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Searching for orphaned droplets with tag: \`github-run-${{ github.run_id }}\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Find droplets with our workflow run tag
DROPLET_IDS=$(doctl compute droplet list \
--tag-name "github-run-${{ github.run_id }}" \
--format ID \
--no-header)
if [ -n "$DROPLET_IDS" ]; then
echo "Found orphaned droplets: $DROPLET_IDS"
echo "### Orphaned Droplets Found and Deleted" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Droplet ID | Status |" >> $GITHUB_STEP_SUMMARY
echo "|------------|--------|" >> $GITHUB_STEP_SUMMARY
for DROPLET_ID in $DROPLET_IDS; do
echo "Deleting droplet $DROPLET_ID..."
if doctl compute droplet delete "$DROPLET_ID" --force; then
echo "| $DROPLET_ID | :white_check_mark: Deleted |" >> $GITHUB_STEP_SUMMARY
else
echo "| $DROPLET_ID | :x: Failed to delete |" >> $GITHUB_STEP_SUMMARY
fi
done
echo "" >> $GITHUB_STEP_SUMMARY
echo ":white_check_mark: Cleanup complete" >> $GITHUB_STEP_SUMMARY
else
echo "No orphaned droplets found"
echo ":white_check_mark: No orphaned droplets found - nothing to clean up" >> $GITHUB_STEP_SUMMARY
fi
- name: Add build summary
if: success()
env:
VERSION: ${{ steps.set-version.outputs.version }}
working-directory: ./DigitalOceanMarketplace
run: |
echo "## :rocket: Digital Ocean Lite Image Build Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Version:** ${VERSION}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Get artifact details from manifest
if [ -f manifest-lite.json ]; then
SNAPSHOT_ID=$(jq -r '.builds[-1].artifact_id' manifest-lite.json | cut -d ":" -f2)
SNAPSHOT_NAME=$(jq -r '.builds[-1].custom_data.snapshot_name // "N/A"' manifest-lite.json)
echo "**Snapshot ID:** \`$SNAPSHOT_ID\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Snapshot Name:** \`$SNAPSHOT_NAME\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
fi
echo ":white_check_mark: Packer build droplet was automatically cleaned up" >> $GITHUB_STEP_SUMMARY
- name: Digital Ocean Lite Image Cleanup
working-directory: ./DigitalOceanMarketplace
if: ${{ inputs.release_version == '' }}
run: |
# Get the ID from the snapshot build.
DO_ARTIFACT=$(jq -r '.builds[-1].artifact_id' manifest-lite.json | cut -d ":" -f2)
# Force remove the snapshot
doctl compute image delete "$DO_ARTIFACT" -f
# Update summary for non-release builds
echo "" >> $GITHUB_STEP_SUMMARY
echo "---" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo ":wastebasket: **Non-release build:** Snapshot \`$DO_ARTIFACT\` was automatically cleaned up" >> $GITHUB_STEP_SUMMARY

48
.github/workflows/release.yml vendored
View File

@@ -538,3 +538,51 @@ jobs:
ref: process.env.RELEASE_TAG,
inputs: { release_version: process.env.RELEASE_VERSION }
});
- name: Trigger release-digital-ocean-lite workflow
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
RELEASE_TAG: v${{ inputs.release_version }}
RELEASE_VERSION: ${{ inputs.release_version }}
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'bitwarden',
repo: 'self-host',
workflow_id: 'release-digital-ocean-lite.yml',
ref: process.env.RELEASE_TAG,
inputs: { release_version: process.env.RELEASE_VERSION }
});
- name: Trigger release-aws-lite workflow
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
RELEASE_TAG: v${{ inputs.release_version }}
RELEASE_VERSION: ${{ inputs.release_version }}
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'bitwarden',
repo: 'self-host',
workflow_id: 'release-aws-lite.yml',
ref: process.env.RELEASE_TAG,
inputs: { release_version: process.env.RELEASE_VERSION }
});
- name: Trigger release-azure-lite workflow
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
env:
RELEASE_TAG: v${{ inputs.release_version }}
RELEASE_VERSION: ${{ inputs.release_version }}
with:
github-token: ${{ steps.app-token.outputs.token }}
script: |
await github.rest.actions.createWorkflowDispatch({
owner: 'bitwarden',
repo: 'self-host',
workflow_id: 'release-azure-lite.yml',
ref: process.env.RELEASE_TAG,
inputs: { release_version: process.env.RELEASE_VERSION }
});