[BRE-1004] Add GHCR Support to Build/Publish workflows (#7263) (#7314)

vgrassia · web-flow · commit 967056150a59 · 2026-03-26T13:58:41.000-04:00
(cherry picked from commit 7f2bde3)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,22 +1,22 @@
 name: Build
 
 on:
-  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize]
   push:
     branches:
       - "main"
       - "rc"
       - "hotfix-rc"
-  pull_request:
-    types: [opened, synchronize]
   workflow_call:
-    inputs: {}
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 env:
   _AZ_REGISTRY: "bitwardenprod.azurecr.io"
+  _GHCR_REGISTRY: "ghcr.io/bitwarden"
   _GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}
 
 jobs:
@@ -45,6 +45,7 @@ jobs:
     permissions:
       security-events: write
       id-token: write
+      packages: write
     timeout-minutes: 45
     strategy:
       fail-fast: false
@@ -177,15 +178,22 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
-      ########## ACRs ##########
+      ########## Registries ##########
+      - name: Log in to GHCR
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
         with:
           subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
           tenant_id: ${{ secrets.AZURE_TENANT_ID }}
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
-      - name: Log in to ACR - production subscription
+      - name: Log in to ACR
         run: az acr login -n bitwardenprod
 
       ########## Generate image tag and build Docker image ##########
@@ -227,10 +235,13 @@ jobs:
           PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
           SHA: ${{ github.sha }}
         run: |
-          TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
-          echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
+          GHCR_TAG="${_GHCR_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
+          ACR_TAG="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
+          TAGS="${GHCR_TAG},${ACR_TAG}"
+          echo "primary_tag=${GHCR_TAG}" >> "$GITHUB_OUTPUT"
           if [[ "${IMAGE_TAG}" == "dev" ]]; then
             SHORT_SHA=$(git rev-parse --short "${SHA}")
+            TAGS=$TAGS",${_GHCR_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
             TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
           fi
           echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
@@ -255,11 +266,11 @@ jobs:
           tags: ${{ steps.image-tags.outputs.tags }}
 
       - name: Install Cosign
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+        if: github.event_name != 'pull_request' && env.is_publish_branch == 'true'
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Sign image with Cosign
-        if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+        if: github.event_name != 'pull_request' && env.is_publish_branch == 'true'
         env:
           DIGEST: ${{ steps.build-artifacts.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
@@ -287,6 +298,9 @@ jobs:
           sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
           ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
 
+      - name: Log out from GHCR
+        run: docker logout ghcr.io
+
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
@@ -307,15 +321,12 @@ jobs:
       - name: Set up .NET
         uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
+      - name: Log in to GHCR
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Log in to ACR - production subscription
-        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Make Docker stubs
         if: |
@@ -325,13 +336,13 @@ jobs:
           # Set proper setup image based on branch
           case "$GITHUB_REF" in
             "refs/heads/main")
-                SETUP_IMAGE="$_AZ_REGISTRY/setup:dev"
+                SETUP_IMAGE="${_GHCR_REGISTRY}/setup:dev"
                 ;;
             "refs/heads/rc")
-                SETUP_IMAGE="$_AZ_REGISTRY/setup:rc"
+                SETUP_IMAGE="${_GHCR_REGISTRY}/setup:rc"
                 ;;
             "refs/heads/hotfix-rc")
-                SETUP_IMAGE="$_AZ_REGISTRY/setup:hotfix-rc"
+                SETUP_IMAGE="${_GHCR_REGISTRY}/setup:hotfix-rc"
                 ;;
           esac
 
@@ -359,8 +370,8 @@ jobs:
           cd docker-stub/US; zip -r ../../docker-stub-US.zip ./*; cd ../..
           cd docker-stub/EU; zip -r ../../docker-stub-EU.zip ./*; cd ../..
 
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
+      - name: Log out from GHCR
+        run: docker logout ghcr.io
 
       - name: Upload Docker stub US artifact
         if: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -24,6 +24,7 @@ on:
 
 env:
   _AZ_REGISTRY: "bitwardenprod.azurecr.io"
+  _GHCR_REGISTRY: "ghcr.io/bitwarden"
 
 jobs:
   setup:
@@ -69,6 +70,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      packages: write
     env:
       _RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
       _BRANCH_NAME: ${{ inputs.branch }}
@@ -107,7 +109,32 @@ jobs:
           echo "PROJECT_NAME: $PROJECT_NAME"
           echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"
 
-      ########## ACR PROD ##########
+      ########## GHCR ##########
+      - name: Log in to GHCR
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push version image
+        env:
+          PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
+        run: |
+          if [[ "${{ inputs.dry_run }}" == "true" ]]; then
+            skopeo copy --all \
+              "docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
+              "docker://$_GHCR_REGISTRY/$PROJECT_NAME:dryrun"
+          else
+            skopeo copy --all \
+              "docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
+              "docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
+          fi
+
+      - name: Log out from GHCR
+        run: docker logout ghcr.io
+
+      ########## ACR ##########
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
         with:
