[deps]: Pin dependencies #3228
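name: Docker

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  release:
    types:
      - published
  workflow_dispatch:
    inputs:
      version:
        description: Application version to use when publishing the project
        required: false
      image-tag:
        description: Additional Docker image tag to apply on deployment
        required: false

jobs:
  # Determine version
  version:
    name: Determine version
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Determine stable version
        id: stable-version
        if: ${{ inputs.version || github.event_name == 'release' }}
        env:
          # Passed through env rather than expanded inside the script, so a
          # crafted dispatch input or tag name cannot alter the shell command;
          # the value is then validated before it is exported.
          VERSION: ${{ inputs.version || github.event.release.tag_name }}
        run: |
          # Only semver-shaped values reach the build-arg below.
          if ! [[ $VERSION =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z].*)?$ ]]; then
            echo "Invalid version: $VERSION"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Determine prerelease version
        id: pre-version
        env:
          # Same env pass-through as above instead of expanding ${{ }} in the
          # script body; for pull requests this is the PR head commit, else
          # the commit that triggered the workflow.
          HEAD_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
        run: |
          echo "version=0.0.0-ci-${HEAD_SHA:0:7}" >> "$GITHUB_OUTPUT"
    outputs:
      # Stable version when one was supplied or this is a release; otherwise
      # the short-SHA CI prerelease version (pre-version always runs).
      version: ${{ steps.stable-version.outputs.version || steps.pre-version.outputs.version }}

  # Build the image without deploying just to make sure the dockerfile is valid
  pack:
    name: Build image
    needs: version
    strategy:
      matrix:
        app:
          - Api
          #- AdminConsole
          - Self-Host
        include:
          - app: Api
            dockerfile: Api.dockerfile
          #- app: AdminConsole
          #  dockerfile: AdminConsole.dockerfile
          - app: Self-Host
            dockerfile: self-host/Dockerfile
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false
      - name: Install Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      - name: Build image
        env:
          VERSION: ${{ needs.version.outputs.version }}
          # Matrix values are static workflow data, but passing them through
          # env keeps the script free of ${{ }} expansions, matching deploy.
          DOCKERFILE: ${{ matrix.dockerfile }}
        run: >
          docker buildx build .
          --file "$DOCKERFILE"
          --platform linux/amd64,linux/arm64
          --build-arg VERSION="${VERSION}"
          --output type=tar,dest=image.tar

  # Build and deploy the image
  deploy:
    name: Deploy image
    if: ${{ github.event_name != 'pull_request' }}
    needs: version
    strategy:
      matrix:
        app:
          - Api
          #- AdminConsole
          - Self-Host
        include:
          - app: Api
            dockerfile: Api.dockerfile
            name: passwordless-test-api
          #- app: AdminConsole
          #  dockerfile: AdminConsole.dockerfile
          #  repository: passwordless-test-admin-console
          - app: Self-Host
            dockerfile: self-host/Dockerfile
            name: passwordless-self-host
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Install Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
      # NOTE(review): the three bitwarden/gh-actions steps below use the
      # floating @main ref, unlike the SHA-pinned actions above; pin them to a
      # commit if org policy allows, since they handle cloud credentials and
      # the signing passphrase.
      - name: Log in to Azure
        uses: bitwarden/gh-actions/azure-login@main
        with:
          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
          client_id: ${{ secrets.AZURE_CLIENT_ID }}
      - name: Setup Docker Content Trust
        id: setup-dct
        uses: bitwarden/gh-actions/setup-docker-trust@main
        with:
          azure-keyvault-name: "bitwarden-ci"
      - name: Log out from Azure
        uses: bitwarden/gh-actions/azure-logout@main
      - name: Build & push image
        env:
          _DOCKER_CONTAINER_NAMESPACE: bitwarden
          # NOTE(review): the script below never reads these two
          # _DOCKER_CONTENT_TRUST* values, and Docker itself reads the
          # unprefixed DOCKER_CONTENT_TRUST / DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE.
          # Presumably setup-docker-trust exports those (the last step resets
          # DOCKER_CONTENT_TRUST); confirm, otherwise the push is unsigned.
          _DOCKER_CONTENT_TRUST: 1
          _DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
          _VERSION: ${{ needs.version.outputs.version }}
          _DOCKERFILE: ${{ matrix.dockerfile }}
          _IMAGE_NAME: ${{ matrix.name }}
          _EVENT_NAME: ${{ github.event_name }}
          _IS_PRERELEASE: ${{ github.event.release.prerelease }}
          _REF_NAME: ${{ github.ref_name }}
          # Free-form dispatch input; only ever used as a quoted docker tag.
          _INPUT_TAG: ${{ inputs.image-tag }}
        run: |
          set -euo pipefail
          args=(
            --file "$_DOCKERFILE"
            --platform "linux/amd64,linux/arm64"
            --build-arg "VERSION=$_VERSION"
            --push
            "$PWD"
          )
          # Always tag with dev
          args+=( --tag "$_DOCKER_CONTAINER_NAMESPACE/$_IMAGE_NAME:dev" )
          # Releases additionally get qa and the tag name; only non-prereleases
          # move latest/stable.
          if [[ "$_EVENT_NAME" == "release" ]]; then
            args+=( --tag "$_DOCKER_CONTAINER_NAMESPACE/$_IMAGE_NAME:qa" )
            if [[ "$_IS_PRERELEASE" != "true" ]]; then
              args+=( --tag "$_DOCKER_CONTAINER_NAMESPACE/$_IMAGE_NAME:latest" )
              args+=( --tag "$_DOCKER_CONTAINER_NAMESPACE/$_IMAGE_NAME:stable" )
            fi
            args+=( --tag "$_DOCKER_CONTAINER_NAMESPACE/$_IMAGE_NAME:$_REF_NAME" )
          fi
          if [[ -n "${_INPUT_TAG:-}" ]]; then
            args+=( --tag "$_DOCKER_CONTAINER_NAMESPACE/$_IMAGE_NAME:$_INPUT_TAG" )
          fi
          docker buildx build "${args[@]}"
      - name: Log out of Docker and disable Docker Notary
        # Run even when the build fails so registry credentials and the
        # content-trust setting are not left behind on the runner.
        if: ${{ always() }}
        run: |
          docker logout
          echo "DOCKER_CONTENT_TRUST=0" >> "$GITHUB_ENV"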