added lite workflow for fork PRs (#509)

* added lite workflow for fork PRs

* sonarqube secrets fix

* specific read permissions on jobs
This commit is contained in:
keithhubner
2026-05-19 14:35:50 +01:00
committed by GitHub
parent 57bfc4763b
commit 49c8b9338f
2 changed files with 64 additions and 4 deletions


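--- /dev/null
+++ b/.github/workflows/build-bitwarden-lite-workflow-target.yml
@@ -0,0 +1,36 @@
+name: Build Bitwarden lite (fork PR)
+run-name: Build Bitwarden lite fork PR #${{ github.event.pull_request.number }}
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    branches:
+      - main
+    paths:
+      - "bitwarden-lite/**"
+      - ".github/workflows/build-bitwarden-lite.yml"
+      - ".github/workflows/build-bitwarden-lite-workflow-target.yml"
+jobs:
+  check-run:
+    name: Check PR run approval
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+    permissions:
+      contents: read
+  build:
+    name: Build Docker image (fork PR)
+    needs: check-run
+    if: github.event.pull_request.head.repo.full_name != github.repository
+    uses: ./.github/workflows/build-bitwarden-lite.yml
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+      security-events: write
+    secrets:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+    with:
+      self_host_repo_ref: ${{ github.event.pull_request.head.sha }}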
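Review bot: The `build` job hands the AZURE_* secrets plus `id-token: write` and `packages: write` to a run that builds the fork's `head.sha` under `pull_request_target`, so the `check-run` job is the only barrier between an untrusted PR and those credentials, and because `synchronize` re-triggers this workflow on every push, the approval that check-run.yml implements must be bound to the specific commit being built (e.g. an environment with required reviewers on each run) rather than a sticky label or one-time approval — that reusable workflow is outside this diff, so this needs confirming. `uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main` is a mutable ref that lets a later change in that repository silently weaken the gate; pin it, `uses: bitwarden/gh-actions/.github/workflows/check-run.yml@<commit-sha> # check-run vX`. Add a header comment above `on:` stating the trust model, something like `# pull_request_target runs with base-repo secrets against fork code: never add steps here that execute PR content before check-run has passed`. Separately, the unquoted `run-name` value has ` #` before the PR number, which YAML treats as the start of a comment, so the run title will drop the number; quote it: `run-name: "Build Bitwarden lite fork PR #${{ github.event.pull_request.number }}"`.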


@@ -55,22 +55,45 @@ on:
description: "Use the latest web version from version.json instead of branch" description: "Use the latest web version from version.json instead of branch"
type: boolean type: boolean
default: false default: false
secrets:
AZURE_CLIENT_ID:
description: "Azure client ID for ACR/Cosign auth"
required: false
AZURE_SUBSCRIPTION_ID:
description: "Azure subscription ID"
required: false
AZURE_TENANT_ID:
description: "Azure tenant ID"
required: false
pull_request: pull_request:
types: [opened, synchronize]
branches:
- main
paths: paths:
- ".github/workflows/build-bitwarden-lite.yml"
- "bitwarden-lite/**" - "bitwarden-lite/**"
- ".github/workflows/build-bitwarden-lite.yml"
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
check-event-source:
name: Check event and source
runs-on: ubuntu-24.04
permissions:
contents: read
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
steps:
- name: Check PR event and source
run: echo "Internal PR, push, dispatch, or workflow_call — proceeding"
setup: setup:
name: Setup name: Setup
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
needs: check-event-source
permissions:
contents: read
outputs: outputs:
server_ref: ${{ steps.set-server-variables.outputs.server_ref }} server_ref: ${{ steps.set-server-variables.outputs.server_ref }}
web_ref: ${{ steps.set-web-variables.outputs.web_ref }} web_ref: ${{ steps.set-web-variables.outputs.web_ref }}
@@ -131,6 +154,7 @@ jobs:
timeout-minutes: 60 timeout-minutes: 60
needs: setup needs: setup
permissions: permissions:
contents: read
id-token: write id-token: write
packages: write packages: write
security-events: write security-events: write
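Review bot: The `if:` on `check-event-source` only inspects the head repository when `github.event_name == 'pull_request'`; when this file is entered through `workflow_call` from the `pull_request_target` wrapper, the `github` context belongs to the caller, so `event_name` is `pull_request_target` and fork heads pass this job unconditionally, leaving the caller's `check-run` approval as the sole gate for the secrets and `id-token: write` declared in this hunk. That appears intended, but neither the job name nor the `echo` text says so, and the next maintainer could read this job as the fork check; add above the `if:` a comment such as `# Fork PRs reach this workflow only via the pull_request_target wrapper, whose check-run job is the approval gate; the head-repo check here covers direct pull_request events only.` Worth adding one more sentence that a direct fork `pull_request` is skipped rather than failed, since `needs: check-event-source` on `setup` propagates the skip downstream. The `setup` job body continues past the end of the hunk.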