Update build and release workflows (#91)

vgrassia · vgrassia · commit 9cc8f9c1f2ad · 2023-11-30T13:46:18.000-05:00
(cherry picked from commit b57e7c2)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,7 +4,7 @@ name: Build
 on:
   push:
     paths-ignore:
-      - '.github/workflows/**'
+      - ".github/workflows/**"
   workflow_dispatch:
 
 jobs:
@@ -16,13 +16,10 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Install cloc
-        run: sudo apt update && sudo apt install cloc -y
+        run: sudo apt update && sudo apt install -y cloc
 
       - name: Print lines of code
-        run: |
-          cloc --include-lang \
-          C#,SQL,Razor,"Bourne Shell",PowerShell,HTML,CSS,Sass,JavaScript,TypeScript \
-          --vcs git
+        run: cloc --include-lang C#,SQL,Razor,"Bourne Shell",PowerShell,HTML,CSS,Sass,JavaScript,TypeScript --vcs git
 
 
   build-artifacts:
@@ -40,15 +37,15 @@ jobs:
           echo "GitHub event: $GITHUB_EVENT"
 
       - name: Restore/Clean service
-        working-directory: ./src/KeyConnector
+        working-directory: src/KeyConnector
         run: |
           echo "Restore"
           dotnet restore
           echo "Clean"
           dotnet clean -c "Release" -o obj/build-output/publish
 
       - name: Publish service
-        working-directory: ./src/KeyConnector
+        working-directory: src/KeyConnector
         run: |
           echo "Publish"
           dotnet publish -c "Release" -o obj/build-output/publish
@@ -62,7 +59,7 @@ jobs:
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: KeyConnector.zip
-          path: ./src/KeyConnector/KeyConnector.zip
+          path: src/KeyConnector/KeyConnector.zip
           if-no-files-found: error
 
 
@@ -71,18 +68,34 @@ jobs:
     runs-on: ubuntu-22.04
     needs: build-artifacts
     env:
-      _SERVICE_NAME: key-connector
+      _AZ_REGISTRY: bitwardenprod.azurecr.io
+      _PROJECT_NAME: key-connector
     steps:
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - name: Setup DCT
-        id: setup-dct
-        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc'
-        uses: bitwarden/gh-actions/setup-docker-trust@main
+      - name: Login to Azure - PROD Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
         with:
-          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
-          azure-keyvault-name: "bitwarden-ci"
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Login to PROD ACR
+        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+
+      - name: Generate Docker image tag
+        id: tag
+        run: |
+          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
+          if [[ "$IMAGE_TAG" == "master" ]]; then
+            IMAGE_TAG=dev
+          fi
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Generate image full name
+        id: image-name
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+        run: echo "name=${_AZ_REGISTRY}/${_PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
       - name: Get build artifact
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
@@ -91,47 +104,14 @@ jobs:
 
       - name: Setup build artifact
         run: |
-          mkdir -p ./src/KeyConnector/obj/build-output/publish
-          unzip KeyConnector.zip \
-            -d ./src/KeyConnector/obj/build-output/publish
-
-      - name: Build Docker images
-        run: |
-          docker build -t ${{ env._SERVICE_NAME }} \
-            ./src/KeyConnector
-
-      - name: Tag and Push RC to Docker Hub
-        if: (github.ref == 'refs/heads/rc')
-        env:
-          DOCKER_CONTENT_TRUST: 1
-          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
-        run: |
-          docker tag ${{ env._SERVICE_NAME }} \
-            bitwarden/${{ env._SERVICE_NAME }}:rc
-          docker push bitwarden/${{ env._SERVICE_NAME }}:rc
+          mkdir -p src/KeyConnector/obj/build-output/publish
+          unzip KeyConnector.zip -d src/KeyConnector/obj/build-output/publish
 
-      - name: Tag and Push Hotfix to Docker Hub
-        if: (github.ref == 'refs/heads/hotfix-rc')
-        env:
-          DOCKER_CONTENT_TRUST: 1
-          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
-        run: |
-          docker tag ${{ env._SERVICE_NAME }} \
-            bitwarden/${{ env._SERVICE_NAME }}:hotfix
-          docker push bitwarden/${{ env._SERVICE_NAME }}:hotfix
-
-      - name: Tag and Push Dev to Docker Hub
-        if: (github.ref == 'refs/heads/master')
-        env:
-          DOCKER_CONTENT_TRUST: 1
-          DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
-        run: |
-          docker tag ${{ env._SERVICE_NAME }} \
-            bitwarden/${{ env._SERVICE_NAME }}:dev
-          docker push bitwarden/${{ env._SERVICE_NAME }}:dev
-
-      - name: Log out of Docker and disable Docker Notary
-        if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc'
-        run: |
-          docker logout
-          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
+      - name: Build Docker image
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
+        with:
+          context: src/KeyConnector
+          file: src/KeyConnector/Dockerfile
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.image-name.outputs.name }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,12 +1,12 @@
 ---
 name: Release
+run-name: Release - ${{ github.event.inputs.release_type }}
 
 on:
   workflow_dispatch:
     inputs:
       release_type:
         description: 'Release Options'
-        required: true
         default: 'Initial Release'
         type: choice
         options:
@@ -31,6 +31,7 @@ jobs:
             echo "==================================="
             exit 1
           fi
+
       - name: Checkout repo
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -48,12 +49,31 @@ jobs:
           BRANCH_NAME=$(basename ${{ github.ref }})
           echo "::set-output name=branch-name::$BRANCH_NAME"
 
+  release-github:
+    name: Create GitHub Release
+    if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+    runs-on: ubuntu-22.04
+    needs: setup
+    steps:
+      - name: Create release
+        uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0
+        with:
+          commit: ${{ github.sha }}
+          tag: "v${{ needs.setup.outputs.release_version }}"
+          name: "Version ${{ needs.setup.outputs.release_version }}"
+          body: "<insert release notes here>"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          draft: true
+
   release-docker:
     name: Build Docker images
     runs-on: ubuntu-22.04
-    needs: setup
+    needs:
+      - setup
+      - release-github
     env:
-      _SERVICE_NAME: key-connector
+      _AZ_REGISTRY: bitwardenprod.azurecr.io
+      _PROJECT_NAME: key-connector
       _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
       _BRANCH_NAME: ${{ needs.setup.outputs.branch-name }}
       _RELEASE_OPTION: ${{ github.event.inputs.release_type }}
@@ -66,66 +86,60 @@ jobs:
           echo "GitHub event: $GITHUB_EVENT"
           echo "Github Release Option: $_RELEASE_OPTION"
 
+      - name: Login to Azure - Prod Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Login to Azure ACR
+        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+
       - name: Setup DCT
         id: setup-dct
         uses: bitwarden/gh-actions/setup-docker-trust@main
         with:
           azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
           azure-keyvault-name: "bitwarden-ci"
 
-      - name: Checkout repo
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Pull latest selfhost image
+      - name: Pull image
         run: |
           if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
-            docker pull bitwarden/$_SERVICE_NAME:latest
+            docker pull $_AZ_REGISTRY/$_PROJECT_NAME:dev
           else
-            docker pull bitwarden/$_SERVICE_NAME:$_BRANCH_NAME
+            docker pull $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME
           fi
 
       - name: Tag version and latest
         run: |
           if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
-            docker tag bitwarden/$_SERVICE_NAME:latest bitwarden/$_SERVICE_NAME:dryrun
+            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev bitwarden/$_PROJECT_NAME:dryrun
           else
-            docker tag bitwarden/$_SERVICE_NAME:$_BRANCH_NAME bitwarden/$_SERVICE_NAME:$_RELEASE_VERSION
-            docker tag bitwarden/$_SERVICE_NAME:$_BRANCH_NAME bitwarden/$_SERVICE_NAME:latest
+            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
+            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME $_AZ_REGISTRY/$_PROJECT_NAME:latest
+
+            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
+            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:$_BRANCH_NAME bitwarden/$_PROJECT_NAME:latest
           fi
 
-      - name: List Docker images
-        run: docker images
+      - name: Push release version and latest image to ACR
+        if: ${{ github.event.inputs.release_type != 'Dry Run' }}
+        run: |
+          docker push $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
+          docker push $_AZ_REGISTRY/$_PROJECT_NAME:latest
 
-      - name: Push version and latest image
+      - name: Push release version and latest image to Docker Hub
         if: ${{ github.event.inputs.release_type != 'Dry Run' }}
         env:
           DOCKER_CONTENT_TRUST: 1
           DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
         run: |
-          docker push bitwarden/$_SERVICE_NAME:$_RELEASE_VERSION
-          docker push bitwarden/$_SERVICE_NAME:latest
+          docker push bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
+          docker push bitwarden/$_PROJECT_NAME:latest
 
       - name: Log out of Docker
         run: docker logout
 
 
-  release-github:
-    name: Create GitHub Release
-    if: ${{ github.event.inputs.release_type != 'Dry Run' }}
-    runs-on: ubuntu-22.04
-    needs: setup
-    steps:
-      - name: Create release
-        uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0
-        with:
-          commit: ${{ github.sha }}
-          tag: "v${{ needs.setup.outputs.release_version }}"
-          name: "Version ${{ needs.setup.outputs.release_version }}"
-          body: "<insert release notes here>"
-          token: ${{ secrets.GITHUB_TOKEN }}
-          draft: true
-
-
   check-failures:
     name: Check for failures
     if: always()
