[BRE-1137] Polishing Release Process

.github/CODEOWNERS

@@ -4,11 +4,10 @@
 #
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
+# Default owners
+* @bitwarden/team-secrets-manager-dev
+
 # Workflows ownership
-.github/workflows/build_ghcr.yml @bitwarden/dept-bre
-.github/workflows/build.yml @bitwarden/dept-bre
-.github/workflows/bump_version.yml @bitwarden/dept-bre
-.github/workflows/release.yml @bitwarden/dept-bre
 .github/workflows/release.yml @bitwarden/dept-bre
 
 ## Dockerfile shared ownership

.github/workflows/build.yml

@@ -1,18 +1,32 @@
-name: Build
+name: Build and test
 
 on:
+  pull_request:
+  push:
+    branches:
+      - "main"
   workflow_dispatch:
+    inputs:
+      push_image:
+        description: "Push image to GitHub Container Registry (Always true on main)"
+        required: false
+        default: false
+        type: boolean
+
+env:
+  _PUSH_IMAGE: ${{ (inputs.push_image == true || github.ref == 'refs/heads/main') && 'true' || 'false' }}
 
 jobs:
-  build-docker:
-    name: Build Docker images
-    runs-on: ubuntu-22.04
+  build-and-test:
+    name: Build image and test
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
+      packages: write
+      security-events: write
       id-token: write
     env:
-      _AZ_REGISTRY: bitwardenprod.azurecr.io
-      _PROJECT_NAME: sm-operator
+      _IMAGE_NAME: ghcr.io/bitwarden/sm-operator
 
     steps:
       - name: Check out repo
@@ -24,15 +38,12 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Log in to ACR
-        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Test operator
         id: test
@@ -46,42 +57,87 @@ jobs:
 
       - name: Generate Docker image tag
         id: tag
+        env:
+          EVENT_TYPE: ${{ contains(github.event_name, 'pull_request') && 'pull_request' || '' }}
         run: |
-          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
-          if [[ "$IMAGE_TAG" == "main" ]]; then
-            IMAGE_TAG=dev
+          if [[ "$EVENT_TYPE" == "pull_request" ]]; then
+            IMAGE_TAG="pr-${{ github.event.pull_request.number }}"
+          else
+            IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
+            if [[ "$IMAGE_TAG" == "main" ]]; then
+              IMAGE_TAG=dev
+            fi
           fi
           echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
 
-      - name: Generate image full name
-        id: image-name
+      - name: Generate image tag(s)
+        id: image-tags
         env:
           IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
-        run: echo "name=${_AZ_REGISTRY}/${_PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+          SHA: ${{ github.sha }}
+        run: |
+          TAGS="${{ env._IMAGE_NAME }}:${{ env.IMAGE_TAG }}"
+          echo "primary_tag=$TAGS" >> $GITHUB_OUTPUT
+          if [[ "$IMAGE_TAG" == "dev" ]]; then
+            SHORT_SHA="$(git rev-parse --short ${SHA})"
+            TAGS="$TAGS,${{ env._IMAGE_NAME }}:${{ env.IMAGE_TAG }}-${SHORT_SHA}"
+          fi
+          echo "tags=$TAGS" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
-        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
+        id: build-docker
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           file: Dockerfile
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ steps.image-name.outputs.name }}
+          platforms: ${{ env._PUSH_IMAGE == 'true' && 'linux/amd64,linux/arm64' || 'linux/amd64' }} # Can only do single arch when not pushing to support scan and testing locally
+          push: ${{ env._PUSH_IMAGE == 'true' }}
+          load: ${{ env._PUSH_IMAGE != 'true' }}
+          tags: ${{ steps.image-tags.outputs.tags }}
+
+      - name: Install Cosign
+        if: ${{ env._PUSH_IMAGE == 'true' }}
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
+
+      - name: Sign image with Cosign
+        if: ${{ env._PUSH_IMAGE == 'true' }}
+        id: cosign
+        env:
+          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          TAGS: ${{ steps.image-tags.outputs.tags }}
+        run: |
+          IFS="," read -a tags <<< "${TAGS}"
+          images=""
+          for tag in "${tags[@]}"; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
+          echo "images=${images}" >> $GITHUB_OUTPUT
+
+      - name: Verify the signed image with Cosign
+        if: ${{ env._PUSH_IMAGE == 'true' }}
+        run: |
+          cosign verify \
+            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            ${{ steps.cosign.outputs.images }}
 
       - name: Create kind cluster
         uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
 
+      - name: Load image into kind
+        if: ${{ env._PUSH_IMAGE != 'true' }}
+        env:
+          IMAGE: ${{ steps.image-tags.outputs.primary_tag }}
+        run: |
+          kind load docker-image "$IMAGE" --name "$(kind get clusters)"
+
       - name: Smoke test image
         id: smoke-test
         env:
-          IMAGE: ${{ steps.image-name.outputs.name }}
+          IMAGE: ${{ steps.image-tags.outputs.primary_tag }}
         run: |
           make deploy IMG=$IMAGE
 
-          #Setup image pull secret (Until repo is made public)
-          kubectl create secret -n sm-operator-system docker-registry ghcr-login-secret --docker-server=ghcr.io --docker-username=bitwarden-devops-bot --docker-password=${{ secrets.GITHUB_TOKEN }} --docker-email=106330231+bitwarden-devops-bot@users.noreply.github.com
-
-          kubectl patch deployment sm-operator-controller-manager -n sm-operator-system --patch-file "$GITHUB_WORKSPACE/.github/workflows/test_files/deployment-patch.yaml"
-
           count=0
           while [[ $(kubectl get pods -n sm-operator-system -l control-plane=controller-manager -o jsonpath="{.items[*].status.containerStatuses[*].ready}") != "true" ]]; do
             sleep 1;
@@ -111,5 +167,5 @@ jobs:
           make undeploy
           kind delete cluster
 
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
+      - name: Log out of Docker
+        run: docker logout ghcr.io

.github/workflows/bump-version.yml

@@ -4,20 +4,30 @@ on:
   workflow_dispatch:
     inputs:
       version_number:
-        description: "New version number"
+        description: "New version number (Ex 1.2.3)"
         required: true
 
 jobs:
   bump_version:
     name: Bump version
     runs-on: ubuntu-22.04
-    environment: Production
     permissions:
       contents: write
       pull-requests: write
       id-token: write
+    env:
+      _VERSION_NUMBER: ${{ inputs.version_number }}
 
     steps:
+      - name: Setup and validate version number
+        id: setup
+        run: |
+          if ! [[ "$_VERSION_NUMBER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "Error: Version number ($_VERSION_NUMBER) is not in semantic version format (X.Y.Z)"
+            exit 1
+          fi
+          echo "branch_name=version_bump_$_VERSION_NUMBER" >> $GITHUB_OUTPUT
+
       - name: Check out repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
@@ -47,11 +57,11 @@ jobs:
           git_commit_gpgsign: true
 
       - name: Create branch
-        run: git switch -c version_bump_${{ github.event.inputs.version_number }}
+        run: git switch -c "${{ steps.setup.outputs.branch_name }}"
 
       - name: Bump version
         run: |
-          sed -i -E '/^VERSION\s+\?=\s+[^\s]+/!b;cVERSION ?= ${{ github.event.inputs.version_number }}' Makefile
+          sed -i "s/^VERSION ?= .*/VERSION ?= $_VERSION_NUMBER/" Makefile
 
       - name: Set up Git
         run: |
@@ -63,33 +73,32 @@ jobs:
         run: |
           if [ -n "$(git status --porcelain)" ]; then
             echo "changes_to_commit=TRUE" >> $GITHUB_OUTPUT
+            git diff
           else
             echo "changes_to_commit=FALSE" >> $GITHUB_OUTPUT
             echo "No changes to commit!";
           fi
 
       - name: Commit files
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        run: git commit -m "Bumped version to ${{ github.event.inputs.version_number }}" -a
+        run: git commit -m "Bumped version to $_VERSION_NUMBER" -a
 
       - name: Push changes
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
-        run: git push -u origin version_bump_${{ github.event.inputs.version_number }}
+        run: git push -u origin "${{ steps.setup.outputs.branch_name }}"
 
       - name: Create version PR
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         id: create-pr
         env:
-          PR_BRANCH: "version_bump_${{ github.event.inputs.version_number }}"
+          PR_BRANCH: "${{ steps.setup.outputs.branch_name }}"
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
           BASE_BRANCH: main
-          TITLE: "Bump version to ${{ github.event.inputs.version_number }}"
+          TITLE: "Bump version to ${{ env._VERSION_NUMBER }}"
         run: |
           gh pr create --title "$TITLE" \
             --base "$BASE" \
             --head "$PR_BRANCH" \
-            --label "version update" \
-            --label "automated pr" \
             --body "
               ## Type of change
               - [ ] Bug fix
@@ -99,4 +108,4 @@ jobs:
               - [X] Other
 
               ## Objective
-              Automated version bump to ${{ github.event.inputs.version_number }}"
+              Automated version bump to $_VERSION_NUMBER"