diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index af6b27a..aa932c3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,7 +9,7 @@ on: required: true env: - _AZ_REGISTRY: bitwardenprod.azurecr.io + _REGISTRY: ghcr.io/bitwarden concurrency: group: ${{ github.workflow }} @@ -40,8 +40,8 @@ jobs: RELEASE_VERSION: ${{ inputs.release_version }} PREVIOUS_RELEASE_VERSION: ${{ steps.get-self-host.outputs.version }} run: | - if [ "$RELEASE_VERSION" == "$PREVIOUS_RELEASE_VERSION" ]; then - echo "[!] Already released v$RELEASE_VERSION. Please bump version to continue" + if [ "${RELEASE_VERSION}" == "${PREVIOUS_RELEASE_VERSION}" ]; then + echo "[!] Already released v${RELEASE_VERSION}. Please bump the version to continue." exit 1 fi @@ -321,12 +321,14 @@ jobs: tag-push-latest-images: - name: Release ${{ matrix.project_name }} image + name: Release ${{ matrix.image_name }} image runs-on: ubuntu-24.04 timeout-minutes: 45 needs: - update-versions - release-github + env: + _PROJECT_NAME: ${{ matrix.image_name }} permissions: id-token: write packages: write 
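Review bot: The job-level variable added in the third hunk is still called `_PROJECT_NAME`, but it now carries `matrix.image_name`, the lower-case repository name, so the name no longer says what it holds. `_IMAGE_NAME: ${{ matrix.image_name }}` would match the matrix key and the way the value is used in the `docker://` references further down. Routing the matrix value through `env` instead of interpolating it into `run:` is the right pattern; a one-line comment such as `# exposed via env so run scripts never expand ${{ }} inline` would keep later edits from reverting it. The job definition continues beyond this hunk.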
@@ -334,54 +336,40 @@ jobs: fail-fast: false matrix: include: - - project_name: Admin - - project_name: Api - - project_name: Attachments - - project_name: Events - - project_name: Icons - - project_name: Identity - - project_name: MsSql - - project_name: MsSqlMigratorUtility - - project_name: Nginx - - project_name: Notifications - - project_name: Scim - - project_name: Setup - - project_name: Sso - - project_name: Web + - image_name: admin + - image_name: api + - image_name: attachments + - image_name: billing + - image_name: events + - image_name: eventsprocessor + - image_name: icons + - image_name: identity + - image_name: mssql + - image_name: mssqlmigratorutility + - image_name: nginx + - image_name: notifications + - image_name: scim + - image_name: setup + - image_name: sso + - image_name: web steps: - name: Checkout repo uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - - name: Install Cosign - uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - - - name: Log in to Azure - uses: bitwarden/gh-actions/azure-login@main - with: - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - client_id: ${{ secrets.AZURE_CLIENT_ID }} - - - name: Setup project name and release tag + - name: Set up release tag id: image-setup env: CORE_RELEASE_TAG: ${{ needs.update-versions.outputs.core_release_tag }} WEB_RELEASE_TAG: ${{ needs.update-versions.outputs.web_release_tag }} run: | - PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}') - echo "Matrix name: ${{ matrix.project_name }}" - echo "PROJECT_NAME: $PROJECT_NAME" - echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT" - - if [[ "$PROJECT_NAME" == "web" ]]; then + if [[ "${_PROJECT_NAME}" == "web" ]]; then echo "release_tag=$WEB_RELEASE_TAG" >> "$GITHUB_OUTPUT" else echo "release_tag=$CORE_RELEASE_TAG" >> "$GITHUB_OUTPUT" fi - ### ghcr.io section - name: Login 
to GitHub Container Registry uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: 
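Review bot: The `Checkout repo` step kept at the top of `steps:` looks unused after this change. With the Azure login and the project-name derivation removed, the steps visible in this diff only call skopeo, cosign and docker against the registry and read nothing from the workspace. This job holds `packages: write` and `id-token: write`, so dropping the checkout would keep repository content out of a job that can publish and sign. If a step outside the diff does need the tree, a comment naming it would help. The login step continues past the end of this hunk.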
@@ -389,39 +377,27 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Push version and latest image + - name: Push latest image id: push-image env: - PROJECT_NAME: ${{ steps.image-setup.outputs.project_name }} RELEASE_TAG: ${{ steps.image-setup.outputs.release_tag }} run: | - az acr login --name "${_AZ_REGISTRY%.azurecr.io}" - skopeo copy --all "docker://$_AZ_REGISTRY/$PROJECT_NAME:$RELEASE_TAG" "docker://ghcr.io/bitwarden/$PROJECT_NAME:$RELEASE_TAG" - skopeo copy --all "docker://$_AZ_REGISTRY/$PROJECT_NAME:latest" "docker://ghcr.io/bitwarden/$PROJECT_NAME:latest" + skopeo copy --all "docker://${_REGISTRY}/${_PROJECT_NAME}:${RELEASE_TAG}" "docker://${_REGISTRY}/${_PROJECT_NAME}:latest" # Get digests for signing - RELEASE_DIGEST=$(skopeo inspect "docker://ghcr.io/bitwarden/$PROJECT_NAME:$RELEASE_TAG" --format '{{.Digest}}') - LATEST_DIGEST=$(skopeo inspect "docker://ghcr.io/bitwarden/$PROJECT_NAME:latest" --format '{{.Digest}}') - - echo "release_digest=$RELEASE_DIGEST" >> "$GITHUB_OUTPUT" + LATEST_DIGEST=$(skopeo inspect "docker://${_REGISTRY}/${_PROJECT_NAME}:latest" --format '{{.Digest}}') echo "latest_digest=$LATEST_DIGEST" >> "$GITHUB_OUTPUT" + - name: Install Cosign + uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 + - name: Sign image with Cosign env: - PROJECT_NAME: ${{ steps.image-setup.outputs.project_name }} - RELEASE_DIGEST: ${{ steps.push-image.outputs.release_digest }} LATEST_DIGEST: ${{ steps.push-image.outputs.latest_digest }} - run: | - cosign sign --yes "ghcr.io/bitwarden/$PROJECT_NAME@$RELEASE_DIGEST" - cosign sign --yes "ghcr.io/bitwarden/$PROJECT_NAME@$LATEST_DIGEST" + run: cosign sign --yes "${_REGISTRY}/${_PROJECT_NAME}@$LATEST_DIGEST" - - name: Log out of Docker - run: | - docker logout ghcr.io - docker logout "$_AZ_REGISTRY" - - - name: Log out from Azure - uses: bitwarden/gh-actions/azure-logout@main + - name: Log out of GHCR + run: docker logout ghcr.io build-lite-image: 
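Review bot: In `push-image`, the digest handed to `cosign sign` is looked up from the mutable `latest` tag after the copy, so the signature covers whatever `latest` resolves to at inspect time rather than the manifest that was promoted. Resolving `${RELEASE_TAG}` to a digest before the copy, copying from that digest and emitting it as `latest_digest` ties promotion and signature to one immutable reference. The step also no longer signs a separate release digest, which is presumably fine only while the release tag and `latest` share one manifest; `--preserve-digests` makes the copy fail if they would not. The same inspect-after-copy pattern appears in the `copy-lite-image` step in the last hunk.

```yaml
        run: |
          # Pin the release tag to a digest once; promote and sign exactly that manifest
          RELEASE_DIGEST=$(skopeo inspect "docker://${_REGISTRY}/${_PROJECT_NAME}:${RELEASE_TAG}" --format '{{.Digest}}')
          skopeo copy --all --preserve-digests \
            "docker://${_REGISTRY}/${_PROJECT_NAME}@${RELEASE_DIGEST}" \
            "docker://${_REGISTRY}/${_PROJECT_NAME}:latest"
          echo "latest_digest=${RELEASE_DIGEST}" >> "$GITHUB_OUTPUT"
          # … unchanged: Install Cosign, Sign image with Cosign, Log out of GHCR …
```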
@@ -466,17 +442,17 @@ jobs: - name: Copy version tag to latest id: copy-lite-image run: | - skopeo copy --all "docker://ghcr.io/bitwarden/lite:$_CORE_VERSION" "docker://ghcr.io/bitwarden/lite:latest" + skopeo copy --all "docker://${_REGISTRY}/lite:$_CORE_VERSION" "docker://${_REGISTRY}/lite:latest" echo ":white_check_mark: Promoted Bitwarden lite $_CORE_VERSION to latest" >> "$GITHUB_STEP_SUMMARY" # Get digest for signing - LATEST_DIGEST=$(skopeo inspect "docker://ghcr.io/bitwarden/lite:latest" --format '{{.Digest}}') + LATEST_DIGEST=$(skopeo inspect "docker://${_REGISTRY}/lite:latest" --format '{{.Digest}}') echo "latest_digest=$LATEST_DIGEST" >> "$GITHUB_OUTPUT" - name: Sign latest image with Cosign env: LATEST_DIGEST: ${{ steps.copy-lite-image.outputs.latest_digest }} - run: cosign sign --yes "ghcr.io/bitwarden/lite@$LATEST_DIGEST" + run: cosign sign --yes "${_REGISTRY}/lite@$LATEST_DIGEST" - name: Log out of ghcr.io run: docker logout ghcr.io