
Commit 26f9cc0

authored
Merge branch 'main' into lint-workflow
2 parents 1ad53e1 + 3715df4 commit 26f9cc0


159 files changed

+345634
-9408
lines changed


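--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -7,6 +7,12 @@
       "groupName": "gh minor",
       "matchManagers": ["github-actions"],
       "matchUpdateTypes": ["minor", "patch"]
+    },
+    {
+      "groupName": "Google Libraries",
+      "matchPackagePatterns": ["google-auth-library", "googleapis"],
+      "matchManagers": ["npm"],
+      "groupSlug": "google-libraries"
     }
   ]
 }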
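Review bot: `matchPackagePatterns` entries are regular expressions matched anywhere in the package name, so `googleapis` in the new rule also groups any npm package whose name merely contains that word, not just the `googleapis` library itself. If only the two named libraries are meant, anchor the patterns, `"matchPackagePatterns": ["^google-auth-library$", "^googleapis$"]`, or list them under `matchPackageNames` instead. The enclosing `packageRules` array begins before this hunk, so I cannot see whether an earlier rule already covers these packages.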

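--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,10 +9,15 @@ on:
       - "hotfix-rc"
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   cloc:
     name: CLOC
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -29,6 +34,8 @@ jobs:
   setup:
     name: Setup
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     outputs:
       package_version: ${{ steps.retrieve-version.outputs.package_version }}
     steps:
@@ -50,6 +57,8 @@ jobs:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
       _PKG_FETCH_NODE_VERSION: 18.5.0
       _PKG_FETCH_VERSION: 3.4
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -95,11 +104,6 @@ jobs:
       - name: Zip
         run: zip -j dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip dist-cli/linux/bwdc keytar/linux/build/Release/keytar.node
 
-      - name: Create checksums
-        run: |
-          shasum -a 256 dist-cli/bwdc-linux-$_PACKAGE_VERSION.zip | \
-            cut -d " " -f 1 > dist-cli/bwdc-linux-sha256-$_PACKAGE_VERSION.txt
-
       - name: Version Test
         run: |
           sudo apt-get update
@@ -129,18 +133,13 @@ jobs:
           path: ./dist-cli/bwdc-linux-${{ env._PACKAGE_VERSION }}.zip
           if-no-files-found: error
 
-      - name: Upload Linux checksum to GitHub
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: bwdc-linux-sha256-${{ env._PACKAGE_VERSION }}.txt
-          path: ./dist-cli/bwdc-linux-sha256-${{ env._PACKAGE_VERSION }}.txt
-          if-no-files-found: error
-
 
   macos-cli:
     name: Build Mac CLI
     runs-on: macos-13
     needs: setup
+    permissions:
+      contents: read
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
       _PKG_FETCH_NODE_VERSION: 18.5.0
@@ -190,11 +189,6 @@ jobs:
       - name: Zip
         run: zip -j dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip dist-cli/macos/bwdc keytar/macos/build/Release/keytar.node
 
-      - name: Create checksums
-        run: |
-          shasum -a 256 dist-cli/bwdc-macos-$_PACKAGE_VERSION.zip | \
-            cut -d " " -f 1 > dist-cli/bwdc-macos-sha256-$_PACKAGE_VERSION.txt
-
       - name: Version Test
         run: |
           mkdir -p test/macos
@@ -217,17 +211,13 @@ jobs:
           path: ./dist-cli/bwdc-macos-${{ env._PACKAGE_VERSION }}.zip
           if-no-files-found: error
 
-      - name: Upload Mac checksum to GitHub
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: bwdc-macos-sha256-${{ env._PACKAGE_VERSION }}.txt
-          path: ./dist-cli/bwdc-macos-sha256-${{ env._PACKAGE_VERSION }}.txt
-          if-no-files-found: error
 
   windows-cli:
     name: Build Windows CLI
     runs-on: windows-2022
     needs: setup
+    permissions:
+      contents: read
     env:
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
       _WIN_PKG_FETCH_VERSION: 18.5.0
@@ -349,30 +339,21 @@ jobs:
             Throw "Version test failed."
           }
 
-      - name: Create checksums
-        run: |
-          checksum -f="./dist-cli/bwdc-windows-${env:_PACKAGE_VERSION}.zip" `
-            -t sha256 | Out-File ./dist-cli/bwdc-windows-sha256-${env:_PACKAGE_VERSION}.txt
-
       - name: Upload Windows Zip to GitHub
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: bwdc-windows-${{ env._PACKAGE_VERSION }}.zip
           path: ./dist-cli/bwdc-windows-${{ env._PACKAGE_VERSION }}.zip
           if-no-files-found: error
 
-      - name: Upload Windows checksum to GitHub
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
-        with:
-          name: bwdc-windows-sha256-${{ env._PACKAGE_VERSION }}.txt
-          path: ./dist-cli/bwdc-windows-sha256-${{ env._PACKAGE_VERSION }}.txt
-          if-no-files-found: error
-
 
   windows-gui:
     name: Build Windows GUI
     runs-on: windows-2022
     needs: setup
+    permissions:
+      contents: read
+      id-token: write
     env:
       NODE_OPTIONS: --max_old_space_size=4096
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -404,15 +385,36 @@ jobs:
       - name: Install Node dependencies
         run: npm install
 
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "code-signing-vault-url,
+            code-signing-client-id,
+            code-signing-tenant-id,
+            code-signing-client-secret,
+            code-signing-cert-name"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Build & Sign
         run: npm run dist:win
         env:
           ELECTRON_BUILDER_SIGN: 1
-          SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }}
-          SIGNING_CLIENT_ID: ${{ secrets.SIGNING_CLIENT_ID }}
-          SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
-          SIGNING_CLIENT_SECRET: ${{ secrets.SIGNING_CLIENT_SECRET }}
-          SIGNING_CERT_NAME: ${{ secrets.SIGNING_CERT_NAME }}
+          SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
+          SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets.outputs.code-signing-client-id }}
+          SIGNING_TENANT_ID: ${{ steps.retrieve-secrets.outputs.code-signing-tenant-id }}
+          SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }}
+          SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }}
 
       - name: Upload Portable Executable to GitHub
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
@@ -447,6 +449,8 @@ jobs:
     name: Build Linux GUI
     runs-on: ubuntu-24.04
     needs: setup
+    permissions:
+      contents: read
     env:
       NODE_OPTIONS: --max_old_space_size=4096
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -501,6 +505,9 @@ jobs:
     name: Build MacOS GUI
     runs-on: macos-13
     needs: setup
+    permissions:
+      contents: read
+      id-token: write
     env:
       NODE_OPTIONS: --max_old_space_size=4096
       _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
@@ -528,10 +535,19 @@ jobs:
           echo "GitHub ref: $GITHUB_REF"
           echo "GitHub event: $GITHUB_EVENT"
 
-      - name: Login to Azure
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          keyvault: gh-directory-connector
+          secrets: "KEYCHAIN-PASSWORD,APP-STORE-CONNECT-AUTH-KEY,APP-STORE-CONNECT-TEAM-ISSUER"
 
       - name: Get certificates
         run: |
@@ -546,9 +562,12 @@ jobs:
           az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert |
             jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Set up keychain
         env:
-          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.KEYCHAIN-PASSWORD }}
         run: |
           security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
           security default-keychain -s build.keychain
@@ -582,13 +601,13 @@ jobs:
         run: |
           mkdir ~/private_keys
           cat << EOF > ~/private_keys/AuthKey_UFD296548T.p8
-          ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}
+          ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }}
           EOF
 
       - name: Build application
         run: npm run dist:mac
         env:
-          APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}
+          APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }}
           APP_STORE_CONNECT_AUTH_KEY: UFD296548T
           APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_UFD296548T.p8
           CSC_FOR_PULL_REQUEST: true
@@ -634,6 +653,8 @@ jobs:
       - windows-gui
       - linux-gui
       - macos-gui
+    permissions:
+      id-token: write
     steps:
       - name: Check if any job failed
         if: |
@@ -643,11 +664,13 @@ jobs:
           && contains(needs.*.result, 'failure')
         run: exit 1
 
-      - name: Login to Azure - CI subscription
-        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+      - name: Log in to Azure
         if: failure()
+        uses: bitwarden/gh-actions/azure-login@main
         with:
-          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Retrieve secrets
         id: retrieve-secrets
@@ -657,6 +680,9 @@ jobs:
           keyvault: "bitwarden-ci"
           secrets: "devops-alerts-slack-webhook-url"
 
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
       - name: Notify Slack on failure
         uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
         if: failure()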
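Review bot: The new `bitwarden/gh-actions/azure-login@main`, `get-keyvault-secrets@main` and `azure-logout@main` references float on a branch head, while every other action in this file is pinned to a commit SHA with a version comment (`actions/checkout@11bd…`, `actions/upload-artifact@65c4…`); the same unpinned form is used in the windows-gui, macos-gui and final notification jobs. Because these are the steps that obtain the code-signing and keychain secrets, pinning them the same way keeps their integrity independent of what is merged to that branch, e.g. `uses: bitwarden/gh-actions/azure-login@<commit-sha> # <tag>`. Separately, in the last hunk the added `Log out from Azure` step carries no `if: failure()`, whereas the `Log in to Azure` it pairs with only runs on failure, so on a green run it would attempt a logout without a prior login; adding `if: failure()` to that step keeps the pair consistent.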

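--- a/.github/workflows/enforce-labels.yml
+++ b/.github/workflows/enforce-labels.yml
@@ -3,6 +3,9 @@ name: Enforce PR labels
 on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
+permissions:
+  contents: read
+  pull-requests: read
 jobs:
   enforce-label:
     name: EnforceLabel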

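--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -8,43 +8,22 @@ on:
     paths:
       - ".github/workflows/integration-test.yml" # this file
       - "src/services/ldap-directory.service*" # we only have integration for LDAP testing at the moment
-      - "./openldap*" # any change to test fixtures
+      - "./openldap/**/*" # any change to test fixtures
       - "./docker-compose.yml" # any change to Docker configuration
   pull_request:
     paths:
       - ".github/workflows/integration-test.yml" # this file
       - "src/services/ldap-directory.service*" # we only have integration for LDAP testing at the moment
-      - "./openldap*" # any change to test fixtures
+      - "./openldap/**/*" # any change to test fixtures
       - "./docker-compose.yml" # any change to Docker configuration
-
+permissions:
+  contents: read
+  checks: write # required by dorny/test-reporter to upload its results
 jobs:
-  check-test-secrets:
-    name: Check for test secrets
-    runs-on: ubuntu-22.04
-    outputs:
-      available: ${{ steps.check-test-secrets.outputs.available }}
-    permissions:
-      contents: read
-
-    steps:
-      - name: Check
-        id: check-test-secrets
-        run: |
-          if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
-            echo "available=true" >> $GITHUB_OUTPUT;
-          else
-            echo "available=false" >> $GITHUB_OUTPUT;
-          fi
-
   testing:
     name: Run tests
     if: ${{ startsWith(github.head_ref, 'version_bump_') == false }}
     runs-on: ubuntu-22.04
-    needs: check-test-secrets
-    permissions:
-      checks: write
-      contents: read
-      pull-requests: write
 
     steps:
       - name: Check out repo
@@ -80,7 +59,7 @@ jobs:
 
       - name: Report test results
         uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
-        if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
+        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && !cancelled() }}
         with:
           name: Test Results
           path: "junit.xml"
@@ -92,6 +71,3 @@ jobs:
 
       - name: Upload results to codecov.io
         uses: codecov/test-results-action@4e79e65778be1cecd5df25e14af1eafb6df80ea9 # v1.0.2
-        if: ${{ needs.check-test-secrets.outputs.available == 'true' }}
-        env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}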
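Review bot: The new `if:` on the `Report test results` step compares `github.event.pull_request.head.repo.full_name` with `github.repository`, but on a non-PR trigger `github.event.pull_request` is absent and the comparison is false, so the report is skipped on those runs; the first `paths:` block under `on:` appears to belong to a non-PR event (its event key is above the hunk), in which case the old secret-availability check allowed the report there and the new one does not. If the intent is "skip only for fork PRs", the condition would be `if: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && !cancelled() }}`. In the last hunk the codecov upload step loses both its `if:` guard and its `CODECOV_TOKEN` env, so it now runs on every trigger, including fork PRs, without a token; if tokenless upload is intended, a comment such as `# tokenless upload; token-less mode is accepted for public repositories` on that step would record the decision.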
