[Defect] In Chromium-based Browser Extensions, Establishing trust after authentication #8321

Workflow file for this run

.github/workflows/build-web.yml at 64fa810

	---
	name: Build Web

	on:
	pull_request:
	branches-ignore:
	- 'l10n_master'
	- 'cf-pages'
	paths:
	- 'apps/web/**'
	- 'libs/**'
	- '*'
	- '!*.md'
	- '!*.txt'
	- '.github/workflows/build-web.yml'
	push:
	branches:
	- 'master'
	- 'rc'
	- 'hotfix-rc-web'
	paths:
	- 'apps/web/**'
	- 'libs/**'
	- '*'
	- '!*.md'
	- '!*.txt'
	- '.github/workflows/build-web.yml'
	workflow_dispatch:
	inputs:
	custom_tag_extension:
	description: "Custom image tag extension"
	required: false

	jobs:
	cloc:
	name: CLOC
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout repo
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

	- name: Set up cloc
	run: \|
	sudo apt update
	sudo apt -y install cloc

	- name: Print lines of code
	working-directory: apps/web
	run: cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git


	setup:
	name: Setup
	runs-on: ubuntu-22.04
	outputs:
	version: ${{ steps.version.outputs.value }}
	steps:
	- name: Checkout repo
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

	- name: Get GitHub sha as version
	id: version
	run: echo "value=${GITHUB_SHA:0:7}" >> $GITHUB_OUTPUT

	build-artifacts:
	name: Build artifacts
	runs-on: ubuntu-22.04
	needs:
	- setup
	env:
	_VERSION: ${{ needs.setup.outputs.version }}
	strategy:
	matrix:
	include:
	- name: "selfhosted-open-source"
	npm_command: "dist:oss:selfhost"
	- name: "cloud-COMMERCIAL"
	npm_command: "dist:bit:cloud"
	- name: "selfhosted-COMMERCIAL"
	npm_command: "dist:bit:selfhost"
	- name: "cloud-QA"
	npm_command: "build:bit:qa"
	- name: "ee"
	npm_command: "build:bit:ee"
	- name: "cloud-euprd"
	npm_command: "build:bit:euprd"
	- name: "cloud-euqa"
	npm_command: "build:bit:euqa"

	steps:
	- name: Checkout repo
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

	- name: Set up Node
	uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
	with:
	cache: 'npm'
	cache-dependency-path: '**/package-lock.json'
	node-version: "16"

	- name: Print environment
	run: \|
	whoami
	node --version
	npm --version
	gulp --version
	docker --version
	echo "GitHub ref: $GITHUB_REF"
	echo "GitHub event: $GITHUB_EVENT"

	- name: Install dependencies
	run: npm ci

	- name: Setup QA metadata
	working-directory: apps/web
	if: matrix.name == 'cloud-QA'
	run: \|
	VERSION=$( jq -r ".version" package.json)
	jq --arg version "$VERSION+${GITHUB_SHA:0:7}" '.version = $version' package.json > package.json.tmp
	mv package.json.tmp package.json

	- name: Build ${{ matrix.name }}
	working-directory: apps/web
	run: npm run ${{ matrix.npm_command }}

	- name: Package artifact
	working-directory: apps/web
	run: zip -r web-${{ env._VERSION }}-${{ matrix.name }}.zip build

	- name: Upload ${{ matrix.name }} artifact
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: web-${{ env._VERSION }}-${{ matrix.name }}.zip
	path: apps/web/web-${{ env._VERSION }}-${{ matrix.name }}.zip
	if-no-files-found: error


	build-containers:
	name: Build Docker images
	runs-on: ubuntu-22.04
	needs:
	- setup
	- build-artifacts
	strategy:
	fail-fast: false
	matrix:
	include:
	- artifact_name: cloud-QA
	registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io]
	image_name: web-qa-cloud
	- artifact_name: ee
	registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io]
	image_name: web-ee
	- artifact_name: selfhosted-COMMERCIAL
	registries: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io]
	image_name: web
	env:
	_VERSION: ${{ needs.setup.outputs.version }}
	steps:
	- name: Checkout repo
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

	- name: Check Branch to Publish
	env:
	PUBLISH_BRANCHES: "master,rc,hotfix-rc-web"
	id: publish-branch-check
	run: \|
	IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES

	if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
	echo "is_publish_branch=true" >> $GITHUB_ENV
	else
	echo "is_publish_branch=false" >> $GITHUB_ENV
	fi

	########## ACRs ##########
	- name: Login to Azure - QA
	uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
	with:
	creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}

	- name: Log into QA container registry
	run: az acr login -n bitwardenqa

	- name: Login to Azure - Prod
	uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
	with:
	creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

	- name: Log into Prod container registry
	run: az acr login -n bitwardenprod

	- name: Download ${{ matrix.artifact_name }} artifact
	uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
	with:
	name: web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip
	path: apps/web

	########## Generate image tag and build Docker image ##########
	- name: Generate Docker image tag
	id: tag
	run: \|
	if [[ $(grep "pull" <<< "${GITHUB_REF}") ]]; then
	IMAGE_TAG=$(echo "${GITHUB_HEAD_REF}" \| sed "s#/#-#g")
	else
	IMAGE_TAG=$(echo "${GITHUB_REF:11}" \| sed "s#/#-#g")
	fi

	if [[ "$IMAGE_TAG" == "master" ]]; then
	IMAGE_TAG=dev
	fi

	TAG_EXTENSION=${{ github.event.inputs.custom_tag_extension }}

	if [[ $TAG_EXTENSION ]]; then
	IMAGE_TAG=$IMAGE_TAG-$TAG_EXTENSION
	fi

	echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT

	- name: Generate tag list
	id: tag-list
	env:
	IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
	PROJECT_NAME: ${{ matrix.image_name }}
	run: echo "tags=bitwardenqa.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG},bitwardenprod.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT

	########## Build Image ##########
	- name: Extract artifact
	working-directory: apps/web
	run: unzip web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip

	- name: Login to Azure
	uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
	with:
	creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

	- name: Retrieve github PAT secrets
	id: retrieve-secret-pat
	uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
	with:
	keyvault: "bitwarden-ci"
	secrets: "github-pat-bitwarden-devops-bot-repo-scope"

	- name: Setup DCT
	if: ${{ env.is_publish_branch == 'true' }}
	id: setup-dct
	uses: bitwarden/gh-actions/setup-docker-trust@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
	with:
	azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
	azure-keyvault-name: "bitwarden-ci"

	- name: Build Docker image
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
	with:
	context: apps/web
	file: apps/web/Dockerfile
	platforms: linux/amd64
	push: true
	tags: ${{ steps.tag-list.outputs.tags }}
	secrets: \|
	"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

	- name: Push to DockerHub
	if: contains(matrix.registries, 'bitwarden') && env.is_publish_branch == 'true'
	env:
	IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
	PROJECT_NAME: ${{ matrix.image_name }}
	DOCKER_CONTENT_TRUST: 1
	DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
	run: \|
	docker tag bitwardenprod.azurecr.io/$PROJECT_NAME:$IMAGE_TAG bitwarden/$PROJECT_NAME:$IMAGE_TAG
	docker push bitwarden/$PROJECT_NAME:$IMAGE_TAG

	- name: Log out of Docker
	run: docker logout


	crowdin-push:
	name: Crowdin Push
	if: github.ref == 'refs/heads/master'
	needs:
	- build-artifacts
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout repo
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

	- name: Login to Azure
	uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
	with:
	creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

	- name: Retrieve secrets
	id: retrieve-secrets
	uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
	with:
	keyvault: "bitwarden-ci"
	secrets: "crowdin-api-token"

	- name: Upload Sources
	uses: crowdin/github-action@ee4ab4ea2feadc0fdc3b200729c7b1c4cf4b38f3 # v1.11.0
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
	CROWDIN_PROJECT_ID: "308189"
	with:
	config: apps/web/crowdin.yml
	crowdin_branch_name: master
	upload_sources: true
	upload_translations: false


	check-failures:
	name: Check for failures
	if: always()
	runs-on: ubuntu-22.04
	needs:
	- cloc
	- setup
	- build-artifacts
	- build-containers
	- crowdin-push
	steps:
	- name: Check if any job failed
	if: ${{ (github.ref == 'refs/heads/master') \|\| (github.ref == 'refs/heads/rc') }}
	env:
	CLOC_STATUS: ${{ needs.cloc.result }}
	SETUP_STATUS: ${{ needs.setup.result }}
	ARTIFACT_STATUS: ${{ needs.build-artifacts.result }}
	BUILD_CONTAINERS_STATUS: ${{ needs.build-containers.result }}
	CROWDIN_PUSH_STATUS: ${{ needs.crowdin-push.result }}
	run: \|
	if [ "$CLOC_STATUS" = "failure" ]; then
	exit 1
	elif [ "$SETUP_STATUS" = "failure" ]; then
	exit 1
	elif [ "$ARTIFACT_STATUS" = "failure" ]; then
	exit 1
	elif [ "$BUILD_SELFHOST_STATUS" = "failure" ]; then
	exit 1
	elif [ "$BUILD_CONTAINERS_STATUS" = "failure" ]; then
	exit 1
	elif [ "$CROWDIN_PUSH_STATUS" = "failure" ]; then
	exit 1
	fi

	- name: Login to Azure - Prod Subscription
	uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
	if: failure()
	with:
	creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

	- name: Retrieve secrets
	id: retrieve-secrets
	if: failure()
	uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
	with:
	keyvault: "bitwarden-ci"
	secrets: "devops-alerts-slack-webhook-url"

	- name: Notify Slack on failure
	uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
	if: failure()
	env:
	SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
	with:
	status: ${{ job.status }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Defect] In Chromium-based Browser Extensions, Establishing trust after authentication #8321

Workflow file

[Defect] In Chromium-based Browser Extensions, Establishing trust after authentication #8321

Jobs

Run details

Workflow file for this run