first commit

Author: masterkain

.github/workflows/build.yml

@@ -0,0 +1,106 @@
+name: Build and publish
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 1 * * *"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: AWS CLI v2
+        uses: imehedi/actions-awscli-v2@latest
+        continue-on-error: true
+        with:
+          args: s3 cp s3://${{ vars.SC_ARTIFACTS_BUCKET }}/bitwarden-cli-docker/REVISION . --endpoint-url ${{ vars.SC_AMS_AWS_ENDPOINT }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.SC_AWS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.SC_AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "nl-ams"
+
+      - name: Tag
+        id: tag
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+          # Find latest stable Bitwarden CLI (cli-v*) using GitHub API (authenticated)
+          REPO_TAG=$(curl -sS \
+            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/bitwarden/clients/releases?per_page=100" \
+            | jq -r '
+                [ .[]
+                  | select(.tag_name | startswith("cli-v"))
+                  | select(.draft==false and .prerelease==false)
+                  | .tag_name ]
+                | sort_by( sub("^cli-v"; "") | split(".") | map(tonumber) )
+                | last
+                | sub("^cli-v"; "")
+              ')
+          if [ -z "${REPO_TAG:-}" ] || ! echo "$REPO_TAG" | grep -Eq '^[0-9]+(\.[0-9]+){2}$'; then
+            echo "Failed to resolve latest Bitwarden CLI version" >&2
+            exit 1
+          fi
+          echo "Latest Bitwarden CLI: $REPO_TAG"
+          PREVIOUS_TAG=$(cat REVISION || echo "")
+          mkdir -p temp/
+          if [ "$REPO_TAG" = "$PREVIOUS_TAG" ]; then
+            echo "No new tags. Skipping."
+            echo "skipped=true" >> $GITHUB_OUTPUT
+            echo $REPO_TAG > temp/REVISION
+            exit 0
+          fi
+          VERSION="$REPO_TAG"
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo $REPO_TAG > temp/REVISION
+
+      - name: AWS CLI v2
+        uses: imehedi/actions-awscli-v2@latest
+        with:
+          args: s3 cp temp/REVISION s3://${{ vars.SC_ARTIFACTS_BUCKET }}/bitwarden-cli-docker/REVISION --endpoint-url ${{ vars.SC_AMS_AWS_ENDPOINT }}
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.SC_AWS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.SC_AWS_SECRET_ACCESS_KEY }}
+          AWS_DEFAULT_REGION: "nl-ams"
+
+      # Buildx explicit setup not required for single-arch; build-push-action
+      # provisions a builder automatically.
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        if: ${{ steps.tag.outputs.skipped != 'true' }}
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/icoretech/bitwarden-cli-docker
+          labels: |
+            org.opencontainers.image.description=Bitwarden CLI
+            org.opencontainers.image.source=https://github.com/icoretech/bitwarden-cli-docker
+            org.opencontainers.image.title=bitwarden-cli
+            org.opencontainers.image.vendor=iCoreTech, Inc.
+          tags: |
+            type=raw,value=${{ env.VERSION }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        if: ${{ steps.tag.outputs.skipped != 'true' }}
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.PACKAGES_PAT }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        if: ${{ steps.tag.outputs.skipped != 'true' }}
+        with:
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          # No provenance attestation for simplicity and max compatibility
+          build-args: BW_VERSION=${{ env.VERSION }}

.github/workflows/keepalive.yml

@@ -0,0 +1,43 @@
+name: Keep Repository Active
+
+on:
+  # Run weekly to ensure we never hit GitHub's 60‑day inactivity window.
+  schedule:
+    - cron: "23 5 * * 1" # Mondays at 05:23 UTC
+  workflow_dispatch: {}
+
+permissions:
+  contents: write
+
+jobs:
+  keepalive:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Create keepalive commit if idle
+        shell: bash
+        run: |
+          set -euo pipefail
+          now=$(date +%s)
+          last=$(git log -1 --format=%ct || echo 0)
+          days=$(( ( now - last ) / 86400 ))
+          threshold_days=${THRESHOLD_DAYS:-50}
+
+          echo "Last commit: ${days} days ago; threshold: ${threshold_days} days"
+
+          if (( days > threshold_days )); then
+            echo "Creating keepalive commit to maintain repository activity..."
+            mkdir -p .github
+            date -u +%Y-%m-%dT%H:%M:%SZ > .github/.keepalive
+            git config user.name "github-actions[bot]"
+            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+            git add .github/.keepalive
+            git commit -m "chore(keepalive): repository activity"
+            git push
+          else
+            echo "No keepalive commit needed."
+          fi

.gitignore

@@ -0,0 +1,4 @@
+/bw
+.DS_Store
+push.sh
+scripts/

Dockerfile

@@ -0,0 +1,44 @@
+# Local build and run
+#
+# Build (choose Bitwarden CLI version via BW_VERSION):
+#   docker build -t bitwarden-cli-docker:local --build-arg BW_VERSION=2025.10.0 .
+#
+# Run (interactive):
+#   docker run --rm -it --name bw bitwarden-cli-docker:local --version
+#   docker run --rm -it --name bw bitwarden-cli-docker:local login --apikey
+
+# Downloader stage: fetch and verify Bitwarden CLI binary
+FROM alpine:3.22 AS downloader
+
+# Require the version from build args; do not auto-resolve
+ARG BW_VERSION
+
+RUN apk update --no-cache \
+ && apk add --no-cache curl jq unzip ca-certificates \
+ && VERSION="${BW_VERSION}" \
+ && if [ -z "$VERSION" ]; then echo "BW_VERSION build-arg is required" >&2; exit 1; fi \
+ && curl -sLo /tmp/bw.zip "https://github.com/bitwarden/clients/releases/download/cli-v${VERSION}/bw-oss-linux-${VERSION}.zip" \
+ && echo $( \
+    curl -sL "https://api.github.com/repos/bitwarden/clients/releases/tags/cli-v${VERSION}" | jq -r ".assets[] | select(.name == \"bw-oss-linux-${VERSION}.zip\") .digest" | cut -f2 -d: \
+  ) /tmp/bw.zip > /tmp/sum.txt \
+ && sha256sum -sc /tmp/sum.txt \
+ && unzip -d /tmp /tmp/bw.zip \
+ && chmod +x /tmp/bw
+
+# Runtime stage
+FROM debian:stable-slim
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends ca-certificates wget \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=downloader /tmp/bw /usr/local/bin/bw
+
+# Non-root execution setup
+USER 1000
+WORKDIR /bw
+ENV HOME=/bw
+
+# Entrypoint wraps the CLI so `docker run ... <args>` becomes `bw <args>`
+COPY entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 iCoreTech, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,40 @@
+# 🔐 Bitwarden CLI Docker Image
+
+This repository hosts an automated build system for creating 🐳 Docker images of the [Bitwarden CLI](https://help.bitwarden.com/article/cli/).
+The built AMD64 Docker images are published to GHCR with semantic tagging. amd64-only.
+
+## 📖 Overview
+
+The build system tracks upstream Bitwarden CLI releases (tags like `cli-v2025.10.0`). When a new CLI release is available, an image is built and published to GHCR. Image tags mirror the CLI version (for example, `2025.10.0`).
+
+## 💡 Usage
+
+Pull the image:
+
+```bash
+docker pull ghcr.io/icoretech/bitwarden-cli-docker:<tag>
+```
+
+Replace `<tag>` with a Bitwarden CLI version (for example, `2025.10.0`).
+
+You can find available tags on the [GitHub Packages page](https://github.com/icoretech/bitwarden-cli-docker/pkgs/container/bitwarden-cli-docker).
+
+This image runs the `bw` binary as a non‑root user (`uid 1000`) with `HOME` set to `/bw`. The entrypoint transparently proxies arguments to `bw`.
+
+```bash
+# Persist CLI config/session between runs
+mkdir -p ./bw
+
+docker run --rm -it \
+  -e BW_HOST=https://vault.bitwarden.com \
+  -e [email protected] \
+  -e BW_PASSWORD='your-master-password' \
+  -v $PWD/bw:/bw \
+  ghcr.io/icoretech/bitwarden-cli-docker:2025.10.0
+```
+
+## 📄 License
+
+The Docker images and the code in this repository are released under [MIT License](LICENSE).
+
+Please note that the Bitwarden project has its own license and terms, which you should review if you plan to use, distribute, or modify the software.

entrypoint.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env sh
+set -eu
+
+# If arguments are provided, run bw with them (passthrough mode)
+if [ "$#" -gt 0 ]; then
+  exec bw "$@"
+fi
+
+# Server mode
+
+if [ -z "${BW_HOST:-}" ]; then
+  echo "BW_HOST is required" >&2
+  exit 2
+fi
+
+# Point CLI to the desired server (US/EU/self-hosted)
+bw config server "${BW_HOST}"
+
+# Login/unlock
+if [ -n "${BW_CLIENTID:-}" ] && [ -n "${BW_CLIENTSECRET:-}" ]; then
+  echo "Using API key to log in"
+  # bw reads BW_CLIENTID and BW_CLIENTSECRET from env
+  bw login --apikey --raw >/dev/null 2>&1 || true
+  if [ -n "${BW_PASSWORD:-}" ]; then
+    export BW_SESSION="$(bw unlock --passwordenv BW_PASSWORD --raw)"
+  fi
+else
+  if [ -z "${BW_USER:-}" ] || [ -z "${BW_PASSWORD:-}" ]; then
+    echo "BW_USER and BW_PASSWORD are required when not using API key" >&2
+    exit 2
+  fi
+  echo "Using username/password to log in"
+  export BW_SESSION="$(bw login "${BW_USER}" --passwordenv BW_PASSWORD --raw)"
+fi
+
+# Ensure session is valid if possible
+bw unlock --check >/dev/null 2>&1 || true
+
+echo 'Running `bw serve` on 0.0.0.0:8087'
+exec bw serve --hostname 0.0.0.0