BRE-648 - Change image location from DockerHub to ghcr.io (#353)

.github/workflows/build-unified.yml

@@ -81,13 +81,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Setup Docker Trust
-        if: ${{ env.is_publish_branch == 'true' }}
-        uses: bitwarden/gh-actions/setup-docker-trust@main
-        with:
-          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-          azure-keyvault-name: "bitwarden-ci"
-
       ########## Generate image tag and build Docker image ##########
       - name: Generate Docker image tag
         id: tag
@@ -110,7 +103,7 @@ jobs:
           IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
         run: |
           if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
-            echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},bitwarden/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+            echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
           else
             echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
           fi
@@ -183,11 +176,11 @@ jobs:
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
 
-      - name: Log out of Docker and disable Docker Notary
+      - name: Log out of Docker
         if: ${{ env.is_publish_branch == 'true' }}
         run: |
-          docker logout
-          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
+          docker logout ghcr.io
+          docker logout $_AZ_REGISTRY
 
 
   check-failures:

.github/workflows/release-digital-ocean.yml

@@ -13,7 +13,7 @@ on:
 jobs:
   build-image:
     name: Build Image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
   workflow_dispatch:
     inputs:
       release_version:
-        description: "Release Version"
+        description: "Release Version (example: '2025.2.1')"
         required: true
       release_type:
         description: "Release Options"
@@ -247,31 +247,6 @@ jobs:
             echo "_RELEASE_TAG=${{ matrix.release_tag }}" >> $GITHUB_ENV
           fi
 
-      ########## DockerHub ##########
-      - name: Setup DCT
-        id: setup-dct
-        uses: bitwarden/gh-actions/setup-docker-trust@main
-        with:
-          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-          azure-keyvault-name: "bitwarden-ci"
-
-      - name: Pull versioned image
-        run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG
-
-      - name: Tag release version and latest image
-        run: |
-          docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG bitwarden/$_PROJECT_NAME:$_RELEASE_TAG
-          docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG bitwarden/$_PROJECT_NAME:latest
-
-      - name: Push release version and latest image to DockerHub
-        if: ${{ inputs.release_type != 'Dry Run' }}
-        env:
-          DOCKER_CONTENT_TRUST: 1
-          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
-        run: |
-          docker push bitwarden/$_PROJECT_NAME:$_RELEASE_TAG
-          docker push bitwarden/$_PROJECT_NAME:latest
-
       ### ghcr.io section
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
@@ -279,6 +254,9 @@ jobs:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Pull versioned image
+        run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_TAG
 
       - name: Tag release version and latest image
         run: |
@@ -310,7 +288,6 @@ jobs:
 
       - name: Log out of Docker
         run: |
-          docker logout
           docker logout ghcr.io
           docker logout $_AZ_REGISTRY
 
@@ -327,38 +304,48 @@ jobs:
       id-token: write
       packages: write
     steps:
-      ########## DockerHub ##########
-      - name: Setup DCT
-        id: setup-dct
-        uses: bitwarden/gh-actions/setup-docker-trust@main
-        with:
-          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-          azure-keyvault-name: "bitwarden-ci"
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
-
       - name: Login to Azure - PROD Subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
         with:
           creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
 
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Push version and latest image
         if: ${{ inputs.release_type != 'Dry Run' }}
-        env:
-          DOCKER_CONTENT_TRUST: 1
-          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
         run: |
           skopeo --version
           skopeo login $_AZ_REGISTRY -u 00000000-0000-0000-0000-000000000000 -p $(az acr login --expose-token --name ${_AZ_REGISTRY%.azurecr.io} | jq -r .accessToken)
-          skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:$_RELEASE_VERSION
-          skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:beta # TODO: Delete after GA
-          # skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://docker.io/bitwarden/self-host:latest # TODO: uncomment after GA
-
-      - name: Log out of Docker, skopeo and disable Docker Notary
+          skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:$_RELEASE_VERSION
+          skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:beta # TODO: Delete after GA
+          # skopeo copy --all docker://$_AZ_REGISTRY/self-host:beta docker://ghcr.io/bitwarden/self-host:latest # TODO: uncomment after GA
+      
+      - name: Sign image with Cosign
+        run: |
+          cosign sign --yes ghcr.io/bitwarden/self-host:$_RELEASE_TAG
+          cosign sign --yes ghcr.io/bitwarden/self-host:latest
+      
+      - name: Verify the signed image with Cosign
+        run: |
+          cosign verify \
+            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            ghcr.io/bitwarden/self-host:$_RELEASE_TAG
+
+          cosign verify \
+            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            ghcr.io/bitwarden/self-host:latest
+
+      - name: Log out of skopeo and ghcr.io
         run: |
-          docker logout
           skopeo logout --all
+          docker logout ghcr.io
 
       ########## ACR PROD ##########
       - name: Login to Azure ACR
@@ -390,45 +377,6 @@ jobs:
       - name: Log out of Docker
         run: docker logout $_AZ_REGISTRY
 
-      ########## ghcr.io ##########
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Tag release version and latest image
-        run: |
-          docker tag $_AZ_REGISTRY/self-host:$_RELEASE_VERSION ghcr.io/bitwarden/self-host:$_RELEASE_VERSION
-          docker tag $_AZ_REGISTRY/self-host:$_RELEASE_VERSION ghcr.io/bitwarden/self-host:latest
-
-      - name: Push release version and latest image
-        if: ${{ inputs.release_type != 'Dry Run' }}
-        run: |
-          docker push ghcr.io/bitwarden/self-host:$_RELEASE_VERSION
-          docker push ghcr.io/bitwarden/self-host:latest
-
-      - name: Sign image with Cosign
-        run: |
-          cosign sign --yes ghcr.io/bitwarden/self-host:$_RELEASE_VERSION
-          cosign sign --yes ghcr.io/bitwarden/self-host:latest
-
-      - name: Verify the signed image with Cosign
-        run: |
-          cosign verify \
-            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            ghcr.io/bitwarden/self-host:$_RELEASE_VERSION
-
-          cosign verify \
-            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            ghcr.io/bitwarden/self-host:latest
-
-      - name: Log out of Docker
-        run: docker logout ghcr.io
-
 
   trigger-workflows:
     name: Trigger workflows

.github/workflows/scan.yml

@@ -15,13 +15,12 @@ jobs:
 
   sast:
     name: SAST scan
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: check-run
     permissions:
       contents: read
       pull-requests: write
       security-events: write
-
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -55,7 +54,6 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
-
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/update-versions.yml

@@ -7,7 +7,7 @@ jobs:
   setup:
     name: Setup
     if: github.ref_name == 'main'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     outputs:
       core_version: ${{ steps.get-core.outputs.version }}
       core_version_update: ${{ steps.core-update.outputs.update }}
@@ -15,7 +15,6 @@ jobs:
       web_version_update: ${{ steps.web-update.outputs.update }}
       key_connector_version: ${{ steps.get-key-connector.outputs.version }}
       key_connector_version_update: ${{ steps.key-connector-update.outputs.update }}
-
     steps:
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -95,46 +94,27 @@ jobs:
       needs.setup.outputs.core_version_update == 1 ||
       needs.setup.outputs.web_version_update == 1 ||
       needs.setup.outputs.key_connector_version_update == 1
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: setup
     steps:
-      - name: Log in to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
+        id: app-token
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-
-      - name: Retrieve secrets
-        id: retrieve-secrets
-        uses: bitwarden/gh-actions/get-keyvault-secrets@main
-        with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-gpg-private-key,
-            github-gpg-private-key-passphrase"
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
+          owner: ${{ github.repository_owner }}
       
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: main
-
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
-        with:
-          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
-          passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
-
-      - name: Set up Git
+          token: ${{ steps.app-token.outputs.token }}
+      
+      - name: Configure Git
         run: |
-          git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
-          git config --local user.name "bitwarden-devops-bot"
-
-      - name: Create version branch
-        id: create-branch
-        run: |
-          NAME=version_bump_${{ github.ref_name }}_$(date +"%Y-%m-%d")
-          git switch -c $NAME
-          echo "name=$NAME" >> $GITHUB_OUTPUT
+          git config --local user.email "actions@github.com"
+          git config --local user.name "Github Actions"
 
       - name: Update Core Version
         env:
@@ -176,52 +156,4 @@ jobs:
 
       - name: Push changes
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        env:
-          PR_BRANCH: ${{ steps.create-branch.outputs.name }}
-        run: git push -u origin $PR_BRANCH
-
-      - name: Generate GH App token
-        uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
-        id: app-token
-        with:
-          app-id: ${{ secrets.BW_GHAPP_ID }}
-          private-key: ${{ secrets.BW_GHAPP_KEY }}
-          owner: ${{ github.repository_owner }}
-
-      - name: Create versions PR
-        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        id: create-pr
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          PR_BRANCH: ${{ steps.create-branch.outputs.name }}
-          TITLE: "Update core, web, and key-connector versions"
-        run: |
-          PR_URL=$(gh pr create --title "$TITLE" \
-            --base "main" \
-            --head "$PR_BRANCH" \
-            --label "automated pr" \
-            --body "
-              ## Type of change
-              - [ ] Bug fix
-              - [ ] New feature development
-              - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
-              - [ ] Build/deploy pipeline (DevOps)
-              - [X] Other
-
-              ## Objective
-              Automated version updates to core, web, and key-connector versions in version.json, bitwarden.sh and bitwarden.ps1.")
-          echo "pr_number=${PR_URL##*/}" >> $GITHUB_OUTPUT
-
-      - name: Approve PR
-        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
-        run: gh pr review $PR_NUMBER --approve
-
-      - name: Merge PR
-        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        env:
-          GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
-        run: gh pr merge $PR_NUMBER --squash --auto --delete-branch
+        run: git push

DigitalOceanMarketplace/files/var/lib/cloud/scripts/per-instance/001_onboot

@@ -9,7 +9,7 @@
 # ref: https://help.bitwarden.com/article/install-on-premise/
 #
 
-docker pull bitwarden/setup
+docker pull ghcr.io/bitwarden/setup
 
 curl -L -s -o /root/bitwarden.sh "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux"
 

bitwarden.ps1

@@ -99,7 +99,7 @@ Write-Line @'
 
 Write-Line "
 Open source password management solutions
-Copyright 2015-${year}, 8bit Solutions LLC
+Copyright 2015-${year}, Bitwarden, Inc.
 https://bitwarden.com, https://github.com/bitwarden
 
 ===================================================

bitwarden.sh

@@ -12,7 +12,7 @@ EOF
 
 cat << EOF
 Open source password management solutions
-Copyright 2015-$(date +'%Y'), 8bit Solutions LLC
+Copyright 2015-$(date +'%Y'), Bitwarden, Inc.
 https://bitwarden.com, https://github.com/bitwarden
 
 ===================================================

docker-unified/docker-compose.yml

@@ -6,7 +6,7 @@ services:
       - db
     env_file:
       - settings.env
-    image: ${REGISTRY:-bitwarden}/self-host:${TAG:-beta}
+    image: ${REGISTRY:-ghcr.io/bitwarden}/self-host:${TAG:-beta}
     restart: always
     ports:
       - "80:8080"

run.ps1

@@ -81,7 +81,7 @@ function Install() {
     }
 
     Pull-Setup
-    docker run -it --rm --name setup -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion `
+    docker run -it --rm --name setup -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion `
         dotnet Setup.dll -install 1 -domain ${domain} -letsencrypt ${letsEncrypt} `
         -os win -corev $coreVersion -webv $webVersion -keyconnectorv $keyConnectorVersion -q $setupQuiet -dbname "$database"
 }
@@ -177,7 +177,7 @@ function Update-Database {
     }
 
     docker run -it --rm --name setup $dockerNetworkArgs `
-        -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion `
+        -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion `
         dotnet Setup.dll -update 1 -db 1 -os win -corev $coreVersion -webv $webVersion `
         -keyconnectorv $keyConnectorVersion -q $setupQuiet
     Write-Line "Database update complete"
@@ -187,7 +187,7 @@ function Update([switch] $withpull) {
     if ($withpull) {
         Pull-Setup
     }
-    docker run -it --rm --name setup -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion `
+    docker run -it --rm --name setup -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion `
         dotnet Setup.dll -update 1 -os win -corev $coreVersion -webv $webVersion `
         -keyconnectorv $keyConnectorVersion -q $setupQuiet
 }
@@ -226,7 +226,7 @@ function Uninstall() {
 
 function Print-Environment {
     Pull-Setup
-    docker run -it --rm --name setup -v ${outputDir}:/bitwarden bitwarden/setup:$coreVersion `
+    docker run -it --rm --name setup -v ${outputDir}:/bitwarden ghcr.io/bitwarden/setup:$coreVersion `
         dotnet Setup.dll -printenv 1 -os win -corev $coreVersion -webv $webVersion `
         -keyconnectorv $keyConnectorVersion -q $setupQuiet
 }
@@ -249,7 +249,7 @@ function Cert-Restart {
 
 
 function Pull-Setup {
-    Invoke-Expression ("docker pull{0} bitwarden/setup:${coreVersion}" -f "") #TODO: qFlag
+    Invoke-Expression ("docker pull{0} ghcr.io/bitwarden/setup:${coreVersion}" -f "") #TODO: qFlag
 }
 
 function Write-Line($str) {

run.sh

@@ -103,7 +103,7 @@ function install() {
 
     pullSetup
     docker run -it --rm --name setup -v $OUTPUT_DIR:/bitwarden \
-        --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \
+        --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \
         dotnet Setup.dll -install 1 -domain $DOMAIN -letsencrypt $LETS_ENCRYPT -os $OS \
         -corev $COREVERSION -webv $WEBVERSION -dbname "$DATABASE" -keyconnectorv $KEYCONNECTORVERSION
 }
@@ -199,7 +199,7 @@ function updateDatabase() {
     fi
 
     docker run -i --rm --name setup $docker_network_args \
-        -v $OUTPUT_DIR:/bitwarden --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \
+        -v $OUTPUT_DIR:/bitwarden --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \
         dotnet Setup.dll -update 1 -db 1 -os $OS -corev $COREVERSION -webv $WEBVERSION -keyconnectorv $KEYCONNECTORVERSION
     echo "Database update complete"
 }
@@ -241,7 +241,7 @@ function update() {
         pullSetup
     fi
     docker run -i --rm --name setup -v $OUTPUT_DIR:/bitwarden \
-        --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \
+        --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \
         dotnet Setup.dll -update 1 -os $OS -corev $COREVERSION -webv $WEBVERSION -keyconnectorv $KEYCONNECTORVERSION
 }
 
@@ -286,7 +286,7 @@ function uninstall() {
 function printEnvironment() {
     pullSetup
     docker run -i --rm --name setup -v $OUTPUT_DIR:/bitwarden \
-        --env-file $ENV_DIR/uid.env bitwarden/setup:$COREVERSION \
+        --env-file $ENV_DIR/uid.env ghcr.io/bitwarden/setup:$COREVERSION \
         dotnet Setup.dll -printenv 1 -os $OS -corev $COREVERSION -webv $WEBVERSION -keyconnectorv $KEYCONNECTORVERSION
 }
 
@@ -307,7 +307,7 @@ function certRestart() {
 }
 
 function pullSetup() {
-    docker pull bitwarden/setup:$COREVERSION
+    docker pull ghcr.io/bitwarden/setup:$COREVERSION
 }
 
 # Commands