Build

[PM-22696] send enumeration protection #29428

Workflow file for this run

	name: Build

	on:
	workflow_dispatch:
	push:
	branches:
	- "main"
	- "rc"
	- "hotfix-rc"
	pull_request:
	types: [opened, synchronize]
	workflow_call:
	inputs: {}

	permissions:
	contents: read

	env:
	_AZ_REGISTRY: "bitwardenprod.azurecr.io"
	_GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}

	jobs:
	lint:
	name: Lint
	runs-on: ubuntu-24.04
	steps:
	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Set up .NET
	uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1

	- name: Verify format
	run: dotnet format --verify-no-changes

	build-artifacts:
	name: Build Docker images
	runs-on: ubuntu-24.04
	needs:
	- lint
	outputs:
	has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
	permissions:
	security-events: write
	id-token: write
	strategy:
	fail-fast: false
	matrix:
	include:
	- project_name: Admin
	base_path: ./src
	dotnet: true
	node: true
	- project_name: Api
	base_path: ./src
	dotnet: true
	- project_name: Attachments
	base_path: ./util
	- project_name: Billing
	base_path: ./src
	dotnet: true
	- project_name: Events
	base_path: ./src
	dotnet: true
	- project_name: EventsProcessor
	base_path: ./src
	dotnet: true
	- project_name: Icons
	base_path: ./src
	dotnet: true
	- project_name: Identity
	base_path: ./src
	dotnet: true
	- project_name: MsSql
	base_path: ./util
	- project_name: MsSqlMigratorUtility
	base_path: ./util
	dotnet: true
	- project_name: Nginx
	base_path: ./util
	- project_name: Notifications
	base_path: ./src
	dotnet: true
	- project_name: Scim
	base_path: ./bitwarden_license/src
	dotnet: true
	- project_name: Setup
	base_path: ./util
	dotnet: true
	- project_name: Sso
	base_path: ./bitwarden_license/src
	dotnet: true
	steps:
	- name: Check secrets
	id: check-secrets
	run: \|
	has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }}
	echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT

	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Check branch to publish
	env:
	PUBLISH_BRANCHES: "main,rc,hotfix-rc"
	id: publish-branch-check
	run: \|
	IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
	if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
	echo "is_publish_branch=true" >> $GITHUB_ENV
	else
	echo "is_publish_branch=false" >> $GITHUB_ENV
	fi

	- name: Set up .NET
	uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1

	- name: Set up Node
	uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
	with:
	cache: "npm"
	cache-dependency-path: "**/package-lock.json"
	node-version: "16"

	- name: Print environment
	run: \|
	whoami
	dotnet --info
	node --version
	npm --version
	echo "GitHub ref: $GITHUB_REF"
	echo "GitHub event: $GITHUB_EVENT"

	- name: Build node
	if: ${{ matrix.node }}
	working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
	run: \|
	npm ci
	npm run build

	- name: Publish project
	working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
	if: ${{ matrix.dotnet }}
	run: \|
	echo "Publish"
	dotnet publish -c "Release" -o obj/build-output/publish

	cd obj/build-output/publish
	zip -r ${{ matrix.project_name }}.zip .
	mv ${{ matrix.project_name }}.zip ../../../

	pwd
	ls -atlh ../../../

	- name: Upload project artifact
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	if: ${{ matrix.dotnet }}
	with:
	name: ${{ matrix.project_name }}.zip
	path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
	if-no-files-found: error

	########## Set up Docker ##########
	- name: Set up QEMU emulators
	uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

	########## ACRs ##########
	- name: Log in to Azure
	uses: bitwarden/gh-actions/azure-login@main
	with:
	subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	tenant_id: ${{ secrets.AZURE_TENANT_ID }}
	client_id: ${{ secrets.AZURE_CLIENT_ID }}

	- name: Log in to ACR - production subscription
	run: az acr login -n bitwardenprod

	- name: Retrieve GitHub PAT secrets
	id: retrieve-secret-pat
	uses: bitwarden/gh-actions/get-keyvault-secrets@main
	with:
	keyvault: "bitwarden-ci"
	secrets: "github-pat-bitwarden-devops-bot-repo-scope"

	########## Generate image tag and build Docker image ##########
	- name: Generate Docker image tag
	id: tag
	run: \|
	if [[ "${GITHUB_EVENT_NAME}" == "pull_request" \|\| "${GITHUB_EVENT_NAME}" == "pull_request_target" ]]; then
	IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" \| sed "s/[^a-zA-Z0-9]/-/g") # Sanitize branch name to alphanumeric only
	else
	IMAGE_TAG=$(echo "${GITHUB_REF:11}" \| sed "s#/#-#g")
	fi

	if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then
	SANITIZED_REPO_NAME=$(echo "$_GITHUB_PR_REPO_NAME" \| sed "s/[^a-zA-Z0-9]/-/g") # Sanitize repo name to alphanumeric only
	IMAGE_TAG=$SANITIZED_REPO_NAME-$IMAGE_TAG # Add repo name to the tag
	IMAGE_TAG=${IMAGE_TAG:0:128} # Limit to 128 characters, as that's the max length for Docker image tags
	fi

	if [[ "$IMAGE_TAG" == "main" ]]; then
	IMAGE_TAG=dev
	fi

	echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
	echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY

	- name: Set up project name
	id: setup
	run: \|
	PROJECT_NAME=$(echo "${{ matrix.project_name }}" \| awk '{print tolower($0)}')
	echo "Matrix name: ${{ matrix.project_name }}"
	echo "PROJECT_NAME: $PROJECT_NAME"
	echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT

	- name: Generate image tags(s)
	id: image-tags
	env:
	IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
	PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
	SHA: ${{ github.sha }}
	run: \|
	TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
	echo "primary_tag=$TAGS" >> $GITHUB_OUTPUT
	if [[ "${IMAGE_TAG}" == "dev" ]]; then
	SHORT_SHA=$(git rev-parse --short ${SHA})
	TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
	fi
	echo "tags=$TAGS" >> $GITHUB_OUTPUT

	- name: Build Docker image
	id: build-artifacts
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
	with:
	context: .
	file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
	platforms: \|
	linux/amd64,
	linux/arm/v7,
	linux/arm64
	push: true
	tags: ${{ steps.image-tags.outputs.tags }}
	secrets: \|
	"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

	- name: Install Cosign
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
	uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2

	- name: Sign image with Cosign
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
	env:
	DIGEST: ${{ steps.build-artifacts.outputs.digest }}
	TAGS: ${{ steps.image-tags.outputs.tags }}
	run: \|
	IFS="," read -a tags <<< "${TAGS}"
	images=""
	for tag in "${tags[@]}"; do
	images+="${tag}@${DIGEST} "
	done
	cosign sign --yes ${images}

	- name: Scan Docker image
	id: container-scan
	uses: anchore/scan-action@2c901ab7378897c01b8efaa2d0c9bf519cc64b9e # v6.2.0
	with:
	image: ${{ steps.image-tags.outputs.primary_tag }}
	fail-build: false
	output-format: sarif

	- name: Upload Grype results to GitHub
	uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
	with:
	sarif_file: ${{ steps.container-scan.outputs.sarif }}
	sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha \|\| github.sha }}
	ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) \|\| github.ref }}

	- name: Log out from Azure
	uses: bitwarden/gh-actions/azure-logout@main

	upload:
	name: Upload
	runs-on: ubuntu-24.04
	needs: build-artifacts
	permissions:
	id-token: write
	actions: read
	steps:
	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Set up .NET
	uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1

	- name: Log in to Azure
	uses: bitwarden/gh-actions/azure-login@main
	with:
	subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	tenant_id: ${{ secrets.AZURE_TENANT_ID }}
	client_id: ${{ secrets.AZURE_CLIENT_ID }}

	- name: Log in to ACR - production subscription
	run: az acr login -n $_AZ_REGISTRY --only-show-errors

	- name: Make Docker stubs
	if: \|
	github.event_name != 'pull_request'
	&& (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/rc' \|\| github.ref == 'refs/heads/hotfix-rc')
	run: \|
	# Set proper setup image based on branch
	case "$GITHUB_REF" in
	"refs/heads/main")
	SETUP_IMAGE="$_AZ_REGISTRY/setup:dev"
	;;
	"refs/heads/rc")
	SETUP_IMAGE="$_AZ_REGISTRY/setup:rc"
	;;
	"refs/heads/hotfix-rc")
	SETUP_IMAGE="$_AZ_REGISTRY/setup:hotfix-rc"
	;;
	esac

	STUB_OUTPUT=$(pwd)/docker-stub

	# Run setup
	docker run -i --rm --name setup -v $STUB_OUTPUT/US:/bitwarden $SETUP_IMAGE \
	/app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region US
	docker run -i --rm --name setup -v $STUB_OUTPUT/EU:/bitwarden $SETUP_IMAGE \
	/app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region EU

	sudo chown -R $(whoami):$(whoami) $STUB_OUTPUT

	# Remove extra directories and files
	rm -rf $STUB_OUTPUT/US/letsencrypt
	rm -rf $STUB_OUTPUT/EU/letsencrypt
	rm $STUB_OUTPUT/US/env/uid.env $STUB_OUTPUT/US/config.yml
	rm $STUB_OUTPUT/EU/env/uid.env $STUB_OUTPUT/EU/config.yml

	# Create uid environment files
	touch $STUB_OUTPUT/US/env/uid.env
	touch $STUB_OUTPUT/EU/env/uid.env

	# Zip up the Docker stub files
	cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../..
	cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../..

	- name: Log out from Azure
	uses: bitwarden/gh-actions/azure-logout@main

	- name: Upload Docker stub US artifact
	if: \|
	github.event_name != 'pull_request'
	&& (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/rc' \|\| github.ref == 'refs/heads/hotfix-rc')
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: docker-stub-US.zip
	path: docker-stub-US.zip
	if-no-files-found: error

	- name: Upload Docker stub EU artifact
	if: \|
	github.event_name != 'pull_request'
	&& (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/rc' \|\| github.ref == 'refs/heads/hotfix-rc')
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: docker-stub-EU.zip
	path: docker-stub-EU.zip
	if-no-files-found: error

	- name: Build Swagger files
	run: \|
	cd ./dev
	pwsh ./generate_openapi_files.ps1

	- name: Upload Public API Swagger artifact
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: swagger.json
	path: api.public.json
	if-no-files-found: error

	- name: Upload Internal API Swagger artifact
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: internal.json
	path: api.json
	if-no-files-found: error

	- name: Upload Identity Swagger artifact
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: identity.json
	path: identity.json
	if-no-files-found: error

	build-mssqlmigratorutility:
	name: Build MSSQL migrator utility
	runs-on: ubuntu-24.04
	needs:
	- lint
	defaults:
	run:
	shell: bash
	working-directory: "util/MsSqlMigratorUtility"
	strategy:
	fail-fast: false
	matrix:
	target:
	- osx-x64
	- linux-x64
	- win-x64
	steps:
	- name: Check out repo
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	ref: ${{ github.event.pull_request.head.sha }}

	- name: Set up .NET
	uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1

	- name: Print environment
	run: \|
	whoami
	dotnet --info
	echo "GitHub ref: $GITHUB_REF"
	echo "GitHub event: $GITHUB_EVENT"

	- name: Publish project
	run: \|
	dotnet publish -c "Release" -o obj/build-output/publish -r ${{ matrix.target }} -p:PublishSingleFile=true \
	-p:IncludeNativeLibrariesForSelfExtract=true --self-contained true

	- name: Upload project artifact for Windows
	if: ${{ contains(matrix.target, 'win') == true }}
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: MsSqlMigratorUtility-${{ matrix.target }}
	path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe
	if-no-files-found: error

	- name: Upload project artifact
	if: ${{ contains(matrix.target, 'win') == false }}
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
	with:
	name: MsSqlMigratorUtility-${{ matrix.target }}
	path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility
	if-no-files-found: error

	self-host-build:
	name: Trigger self-host build
	if: \|
	github.event_name != 'pull_request'
	&& (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/rc' \|\| github.ref == 'refs/heads/hotfix-rc')
	runs-on: ubuntu-24.04
	needs:
	- build-artifacts
	permissions:
	id-token: write
	steps:
	- name: Log in to Azure
	uses: bitwarden/gh-actions/azure-login@main
	with:
	subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	tenant_id: ${{ secrets.AZURE_TENANT_ID }}
	client_id: ${{ secrets.AZURE_CLIENT_ID }}

	- name: Retrieve GitHub PAT secrets
	id: retrieve-secret-pat
	uses: bitwarden/gh-actions/get-keyvault-secrets@main
	with:
	keyvault: "bitwarden-ci"
	secrets: "github-pat-bitwarden-devops-bot-repo-scope"

	- name: Log out from Azure
	uses: bitwarden/gh-actions/azure-logout@main

	- name: Trigger self-host build
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	with:
	github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
	script: \|
	await github.rest.actions.createWorkflowDispatch({
	owner: 'bitwarden',
	repo: 'self-host',
	workflow_id: 'build-unified.yml',
	ref: 'main',
	inputs: {
	server_branch: process.env.GITHUB_REF
	}
	});

	trigger-k8s-deploy:
	name: Trigger k8s deploy
	if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
	runs-on: ubuntu-22.04
	needs:
	- build-artifacts
	permissions:
	id-token: write
	steps:
	- name: Log in to Azure
	uses: bitwarden/gh-actions/azure-login@main
	with:
	subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	tenant_id: ${{ secrets.AZURE_TENANT_ID }}
	client_id: ${{ secrets.AZURE_CLIENT_ID }}

	- name: Retrieve GitHub PAT secrets
	id: retrieve-secret-pat
	uses: bitwarden/gh-actions/get-keyvault-secrets@main
	with:
	keyvault: "bitwarden-ci"
	secrets: "github-pat-bitwarden-devops-bot-repo-scope"

	- name: Log out from Azure
	uses: bitwarden/gh-actions/azure-logout@main

	- name: Trigger k8s deploy
	uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
	with:
	github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
	script: \|
	await github.rest.actions.createWorkflowDispatch({
	owner: 'bitwarden',
	repo: 'devops',
	workflow_id: 'deploy-k8s.yml',
	ref: 'main',
	inputs: {
	environment: 'US-DEV Cloud',
	tag: 'main'
	}
	})

	setup-ephemeral-environment:
	name: Setup Ephemeral Environment
	needs:
	- build-artifacts
	if: \|
	needs.build-artifacts.outputs.has_secrets == 'true'
	&& github.event_name == 'pull_request'
	&& contains(github.event.pull_request.labels.*.name, 'ephemeral-environment')
	uses: bitwarden/gh-actions/.github/workflows/_ephemeral_environment_manager.yml@main
	with:
	project: server
	pull_request_number: ${{ github.event.number \|\| 0 }}
	secrets: inherit
	permissions:
	contents: read
	id-token: write

	check-failures:
	name: Check for failures
	if: always()
	runs-on: ubuntu-22.04
	needs:
	- lint
	- build-artifacts
	- upload
	- build-mssqlmigratorutility
	- self-host-build
	- trigger-k8s-deploy
	permissions:
	id-token: write
	steps:
	- name: Check if any job failed
	if: \|
	github.event_name != 'pull_request'
	&& (github.ref == 'refs/heads/main' \|\| github.ref == 'refs/heads/rc' \|\| github.ref == 'refs/heads/hotfix-rc')
	&& contains(needs.*.result, 'failure')
	run: exit 1

	- name: Log in to Azure
	uses: bitwarden/gh-actions/azure-login@main
	with:
	subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
	tenant_id: ${{ secrets.AZURE_TENANT_ID }}
	client_id: ${{ secrets.AZURE_CLIENT_ID }}

	- name: Retrieve secrets
	id: retrieve-secrets
	uses: bitwarden/gh-actions/get-keyvault-secrets@main
	if: failure()
	with:
	keyvault: "bitwarden-ci"
	secrets: "devops-alerts-slack-webhook-url"

	- name: Log out from Azure
	uses: bitwarden/gh-actions/azure-logout@main

	- name: Notify Slack on failure
	uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0
	if: failure()
	env:
	SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
	with:
	status: ${{ job.status }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[PM-22696] send enumeration protection #29428

Workflow file

[PM-22696] send enumeration protection #29428

Uh oh!

Jobs

Run details

Workflow file for this run