[Defect] In Chromium-based Browser Extensions, Establishing trust after authentication #7234
---
# Desktop build workflow: runs for pull requests, for pushes to the release
# branches, and on manual dispatch.
# NOTE(review): no top-level `permissions:` key is visible in this part of the
# file, so GITHUB_TOKEN would fall back to the repository default scope.
# Confirm, and prefer an explicit least-privilege declaration.
name: Build Desktop

on:
  pull_request:
    branches-ignore:
      - 'l10n_master'
      - 'cf-pages'
    # Patterns are evaluated in order; a later `!` entry subtracts from the
    # earlier matches.
    paths:
      - 'apps/desktop/**'
      - 'libs/**'
      - '*'
      - '!libs/importer'
      - '!*.md'
      - '!*.txt'
      - '.github/workflows/build-desktop.yml'
  push:
    branches:
      - 'master'
      - 'rc'
      - 'hotfix-rc-desktop'
    paths:
      - 'apps/desktop/**'
      - 'libs/**'
      - '*'
      - '!libs/importer'
      - '!*.md'
      - '!*.txt'
      - '.github/workflows/build-desktop.yml'
  workflow_dispatch:
    inputs: {}

# Every `run:` step uses bash unless a job or step overrides the shell.
defaults:
  run:
    shell: bash

jobs:
# Reports lines of code per language; it handles no secrets.
cloc:
  name: CLOC
  runs-on: ubuntu-20.04
  steps:
    # The action is pinned to a full commit SHA; the trailing comment records
    # the tag that SHA corresponds to.
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3

    - name: Set up cloc
      run: |
        sudo apt-get update
        sudo apt-get -y install cloc

    - name: Print lines of code
      run: cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git
# Fails the run when the Electron version in package.json differs from the
# one declared for electron-builder.
electron-verify:
  name: Verify Electron Version
  runs-on: ubuntu-20.04
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3

    - name: Verify
      # Both values are read with jq and compared as quoted shell strings.
      run: |
        PACKAGE_VERSION=$(jq -r .devDependencies.electron package.json)
        ELECTRON_BUILDER_VERSION=$(jq -r .electronVersion ./apps/desktop/electron-builder.json)

        if [[ "$PACKAGE_VERSION" == "$ELECTRON_BUILDER_VERSION" ]]; then
          echo "Versions matches"
        else
          echo "Version missmatch, package.json: $PACKAGE_VERSION, electron-builder.json: $ELECTRON_BUILDER_VERSION"
          exit 1
        fi
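# Computes the values the build jobs consume: package version, release
# channel, build number, and whether the rc / hotfix branches exist.
setup:
  name: Setup
  runs-on: ubuntu-20.04
  outputs:
    package_version: ${{ steps.retrieve-version.outputs.package_version }}
    release_channel: ${{ steps.release-channel.outputs.channel }}
    build_number: ${{ steps.increment-version.outputs.build_number }}
    rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }}
    hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }}
  defaults:
    run:
      working-directory: apps/desktop
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3

    - name: Get Package Version
      id: retrieve-version
      # The version string comes from a file in the checked-out tree, so on a
      # pull request it is whatever the PR author wrote there.
      run: |
        PKG_VERSION=$(jq -r .version src/package.json)
        echo "package_version=$PKG_VERSION" >> "$GITHUB_OUTPUT"

    - name: Increment Version
      id: increment-version
      run: |
        BUILD_NUMBER=$((3000 + GITHUB_RUN_NUMBER))
        echo "Setting build number to $BUILD_NUMBER"
        echo "build_number=$BUILD_NUMBER" >> "$GITHUB_OUTPUT"

    - name: Get Version Channel
      id: release-channel
      env:
        # Handed over as an environment variable rather than expanded into
        # the script text: a `${{ }}` expression is substituted before bash
        # parses the script, so a crafted version string would otherwise be
        # executed as shell code.
        _PKG_VERSION: ${{ steps.retrieve-version.outputs.package_version }}
      run: |
        case "$_PKG_VERSION" in
          *"alpha"*)
            echo "channel=alpha" >> "$GITHUB_OUTPUT"
            echo "[!] We do not yet support 'alpha'"
            exit 1
            ;;
          *"beta"*)
            echo "channel=beta" >> "$GITHUB_OUTPUT"
            ;;
          *)
            echo "channel=latest" >> "$GITHUB_OUTPUT"
            ;;
        esac

    - name: Check if special branches exist
      id: branch-check
      # `git ls-remote --heads` prints nothing when the branch is absent,
      # which makes the [[ ]] test false.
      run: |
        if [[ $(git ls-remote --heads origin rc) ]]; then
          echo "rc_branch_exists=1" >> "$GITHUB_OUTPUT"
        else
          echo "rc_branch_exists=0" >> "$GITHUB_OUTPUT"
        fi

        if [[ $(git ls-remote --heads origin hotfix-rc-desktop) ]]; then
          echo "hotfix_branch_exists=1" >> "$GITHUB_OUTPUT"
        else
          echo "hotfix_branch_exists=0" >> "$GITHUB_OUTPUT"
        fi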
# Builds the Linux packages (.deb, .rpm, .freebsd, .snap, .AppImage) and
# uploads each one as a run artifact. No secrets are referenced in this job.
linux:
  name: Linux Build
  runs-on: ubuntu-20.04
  needs:
    - setup
  env:
    _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
  defaults:
    run:
      working-directory: apps/desktop
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3

    - name: Set up Node
      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c  # v3.6.0
      with:
        cache: 'npm'
        cache-dependency-path: '**/package-lock.json'
        node-version: '18'

    - name: Set Node options
      run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV

    # node-gyp is installed globally with no version given, so the build
    # picks up whatever release the registry serves at run time.
    - name: Install node-gyp
      run: |
        npm install -g node-gyp
        node-gyp install $(node -v)

    - name: Set up environment
      run: |
        sudo apt-get update
        sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev rpm musl-dev musl-tools

    - name: Set up Snap
      run: sudo snap install snapcraft --classic

    - name: Print environment
      run: |
        node --version
        npm --version
        snap --version
        snapcraft --version || echo 'snapcraft unavailable'

    # Runs from the repository root, overriding the job's working directory.
    - name: Install Node dependencies
      run: npm ci
      working-directory: ./

    - name: Cache Native Module
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      id: cache
      with:
        # NOTE(review): the `env` context only carries variables defined in
        # the workflow, and no RUNNER_TEMP is defined in the visible `env:`
        # blocks, so the two cargo entries may resolve to `/.cargo/...`.
        # Confirm the intended location (`runner.temp` is the context form).
        path: |
          apps/desktop/desktop_native/*.node
          ${{ env.RUNNER_TEMP }}/.cargo/registry
          ${{ env.RUNNER_TEMP }}/.cargo/git
        key: rust-${{ runner.os }}-${{ hashFiles('apps/desktop/desktop_native/**/*') }}

    # Skipped when the cache step restored a prebuilt module.
    - name: Build Native Module
      if: steps.cache.outputs.cache-hit != 'true'
      working-directory: apps/desktop/desktop_native
      env:
        PKG_CONFIG_ALLOW_CROSS: true
        PKG_CONFIG_ALL_STATIC: true
        TARGET: musl
      run: |
        rustup target add x86_64-unknown-linux-musl
        npm run build:cross-platform

    - name: Build application
      run: npm run dist:lin

    # Each upload fails the job when its file is missing.
    - name: Upload .deb artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-amd64.deb
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-amd64.deb
        if-no-files-found: error

    - name: Upload .rpm artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-x86_64.rpm
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-x86_64.rpm
        if-no-files-found: error

    - name: Upload .freebsd artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.freebsd
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-x64.freebsd
        if-no-files-found: error

    - name: Upload .snap artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: bitwarden_${{ env._PACKAGE_VERSION }}_amd64.snap
        path: apps/desktop/dist/bitwarden_${{ env._PACKAGE_VERSION }}_amd64.snap
        if-no-files-found: error

    - name: Upload .AppImage artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-x86_64.AppImage
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-x86_64.AppImage
        if-no-files-found: error

    - name: Upload auto-update artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: ${{ needs.setup.outputs.release_channel }}-linux.yml
        path: apps/desktop/dist/${{ needs.setup.outputs.release_channel }}-linux.yml
        if-no-files-found: error
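# Builds, signs and packages the Windows app, then uploads the installers,
# appx packages, NSIS archives and the Chocolatey package.
# The job has no `if:` guard, so the Azure login and the code-signing secrets
# are requested for every event that starts the workflow.
windows:
  name: Windows Build
  runs-on: windows-2019
  needs:
    - setup
  defaults:
    run:
      shell: pwsh
      working-directory: apps/desktop
  env:
    _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3

    - name: Set up Node
      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c  # v3.6.0
      with:
        cache: 'npm'
        cache-dependency-path: '**/package-lock.json'
        node-version: '18'

    - name: Set Node options
      run: echo "NODE_OPTIONS=--max_old_space_size=4096" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append

    # node-gyp is installed globally with no version given.
    - name: Install node-gyp
      run: |
        npm install -g node-gyp
        node-gyp install $(node -v)

    - name: Install AST
      uses: bitwarden/gh-actions/install-ast@a30e9c3d658dc97c4c2e61ec749fdab64b83386c

    - name: Set up environment
      run: choco install checksum --no-progress

    - name: Rust
      shell: pwsh
      run: |
        rustup target install i686-pc-windows-msvc
        rustup target install aarch64-pc-windows-msvc

    - name: Print environment
      run: |
        node --version
        npm --version
        choco --version
        rustup show

    - name: Login to Azure
      uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2  # v1.4.7
      with:
        creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

    # Fetches the code-signing parameters from the key vault; they surface as
    # outputs of this step and are consumed only by "Build & Sign (dev)".
    - name: Retrieve secrets
      id: retrieve-secrets
      uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
      with:
        keyvault: "bitwarden-ci"
        secrets: "code-signing-vault-url,
          code-signing-client-id,
          code-signing-tenant-id,
          code-signing-client-secret,
          code-signing-cert-name"

    # Runs from the repository root, overriding the job's working directory.
    - name: Install Node dependencies
      run: npm ci
      working-directory: ./

    - name: Cache Native Module
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      id: cache
      with:
        path: apps/desktop/desktop_native/*.node
        key: rust-${{ runner.os }}-${{ hashFiles('apps/desktop/desktop_native/**/*') }}

    - name: Build Native Module
      if: steps.cache.outputs.cache-hit != 'true'
      working-directory: apps/desktop/desktop_native
      run: npm run build:cross-platform

    # The signing credentials are scoped to this step's environment; every
    # process the two npm scripts start inherits them.
    - name: Build & Sign (dev)
      env:
        ELECTRON_BUILDER_SIGN: 1
        SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
        SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets.outputs.code-signing-client-id }}
        SIGNING_TENANT_ID: ${{ steps.retrieve-secrets.outputs.code-signing-tenant-id }}
        SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }}
        SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }}
      run: |
        npm run build
        npm run pack:win

    # The scripts below read the version from the process environment
    # (${env:_PACKAGE_VERSION}) instead of a `${{ }}` expression. The version
    # originates from package.json in the checked-out tree, and an expression
    # is pasted into the script text before PowerShell parses it.
    - name: Rename appx files for store
      run: |
        foreach ($arch in 'ia32', 'x64', 'arm64') {
          Copy-Item "./dist/Bitwarden-${env:_PACKAGE_VERSION}-$arch.appx" `
            -Destination "./dist/Bitwarden-${env:_PACKAGE_VERSION}-$arch-store.appx"
        }

    - name: Package for Chocolatey
      run: |
        $installer = "Bitwarden-Installer-${env:_PACKAGE_VERSION}.exe"
        Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
        Copy-Item -Path "./dist/nsis-web/$installer" -Destination ./dist/chocolatey

        # The installer's SHA-256 is written into the install script template.
        $checksum = checksum -t sha256 "./dist/chocolatey/$installer"
        $chocoInstall = "./dist/chocolatey/tools/chocolateyinstall.ps1"
        (Get-Content $chocoInstall).replace('__version__', "$env:_PACKAGE_VERSION").replace('__checksum__', $checksum) | Set-Content $chocoInstall
        choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:_PACKAGE_VERSION" --out ./dist/chocolatey

    - name: Fix NSIS artifact names for auto-updater
      run: |
        foreach ($arch in 'ia32', 'x64', 'arm64') {
          Rename-Item -Path ".\dist\nsis-web\Bitwarden-${env:_PACKAGE_VERSION}-$arch.nsis.7z" `
            -NewName "bitwarden-${env:_PACKAGE_VERSION}-$arch.nsis.7z"
        }

    # Each upload fails the job when its file is missing.
    - name: Upload portable exe artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-Portable-${{ env._PACKAGE_VERSION }}.exe
        path: apps/desktop/dist/Bitwarden-Portable-${{ env._PACKAGE_VERSION }}.exe
        if-no-files-found: error

    - name: Upload installer exe artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
        path: apps/desktop/dist/nsis-web/Bitwarden-Installer-${{ env._PACKAGE_VERSION }}.exe
        if-no-files-found: error

    - name: Upload appx ia32 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32.appx
        if-no-files-found: error

    - name: Upload store appx ia32 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-ia32-store.appx
        if-no-files-found: error

    - name: Upload NSIS ia32 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
        path: apps/desktop/dist/nsis-web/bitwarden-${{ env._PACKAGE_VERSION }}-ia32.nsis.7z
        if-no-files-found: error

    - name: Upload appx x64 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-x64.appx
        if-no-files-found: error

    - name: Upload store appx x64 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-x64-store.appx
        if-no-files-found: error

    - name: Upload NSIS x64 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
        path: apps/desktop/dist/nsis-web/bitwarden-${{ env._PACKAGE_VERSION }}-x64.nsis.7z
        if-no-files-found: error

    - name: Upload appx ARM64 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64.appx
        if-no-files-found: error

    - name: Upload store appx ARM64 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-arm64-store.appx
        if-no-files-found: error

    - name: Upload NSIS ARM64 artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
        path: apps/desktop/dist/nsis-web/bitwarden-${{ env._PACKAGE_VERSION }}-arm64.nsis.7z
        if-no-files-found: error

    - name: Upload nupkg artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
        path: apps/desktop/dist/chocolatey/bitwarden.${{ env._PACKAGE_VERSION }}.nupkg
        if-no-files-found: error

    - name: Upload auto-update artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: ${{ needs.setup.outputs.release_channel }}.yml
        path: apps/desktop/dist/nsis-web/${{ needs.setup.outputs.release_channel }}.yml
        if-no-files-found: error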
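# Compiles the macOS app once; the build output is cached under a key derived
# from the run id.
# The job has no `if:` guard, so the signing material is decrypted and
# imported for every event that starts the workflow.
macos-build:
  name: MacOS Build
  runs-on: macos-11
  needs:
    - setup
  env:
    _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
  defaults:
    run:
      working-directory: apps/desktop
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3

    - name: Set up Node
      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c  # v3.6.0
      with:
        cache: 'npm'
        cache-dependency-path: '**/package-lock.json'
        node-version: '18'

    - name: Set Node options
      run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> "$GITHUB_ENV"

    # node-gyp is installed globally with no version given.
    - name: Install node-gyp
      run: |
        npm install -g node-gyp
        node-gyp install $(node -v)

    - name: Rust
      shell: pwsh
      run: rustup target install aarch64-apple-darwin

    - name: Print environment
      # GITHUB_EVENT_NAME is the variable the runner sets; GITHUB_EVENT is not
      # one of the default variables and printed an empty value.
      run: |
        node --version
        npm --version
        rustup show
        echo "GitHub ref: $GITHUB_REF"
        echo "GitHub event: $GITHUB_EVENT_NAME"

    - name: Cache Build
      id: build-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      with:
        path: apps/desktop/build
        key: ${{ runner.os }}-${{ github.run_id }}-build

    - name: Cache Safari
      id: safari-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      with:
        path: apps/browser/dist/Safari
        key: ${{ runner.os }}-${{ github.run_id }}-safari-extension

    # Decrypts the GPG-encrypted certificates and the provisioning profile
    # that are committed under .github/secrets into $HOME/secrets.
    # NOTE(review): the passphrase is passed as a command-line argument, which
    # exposes it to other processes on the runner for the duration of each
    # gpg call.
    - name: Decrypt secrets
      env:
        DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
      run: |
        mkdir -p "$HOME/secrets"

        for file in \
          bitwarden-desktop-key.p12 \
          appstore-app-cert.p12 \
          appstore-installer-cert.p12 \
          devid-app-cert.p12 \
          devid-installer-cert.p12 \
          macdev-cert.p12 \
          bitwarden_desktop_appstore.provisionprofile
        do
          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
            --output "$HOME/secrets/$file" \
            "$GITHUB_WORKSPACE/.github/secrets/$file.gpg"
        done

    # Creates a throwaway keychain and imports the signing identities into it.
    # Every password expansion is quoted: unquoted, a value containing
    # whitespace or glob characters would be split or expanded by bash before
    # `security` receives it.
    # NOTE(review): APPLE_ID_PASSWORD is exported to this step but no command
    # in the script reads it - confirm whether it can be dropped here.
    - name: Set up keychain
      env:
        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
        DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
        APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
        MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }}
        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      run: |
        # import_cert FILE PASSWORD: import one PKCS#12 bundle and allow the
        # three signing tools to use the key.
        import_cert() {
          security import "$HOME/secrets/$1" -k build.keychain -P "$2" \
            -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        }

        security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        security set-keychain-settings -lut 1200 build.keychain

        import_cert bitwarden-desktop-key.p12 "$DESKTOP_KEY_PASSWORD"
        import_cert devid-app-cert.p12 "$DEVID_CERT_PASSWORD"
        import_cert devid-installer-cert.p12 "$DEVID_CERT_PASSWORD"
        import_cert appstore-app-cert.p12 "$APPSTORE_CERT_PASSWORD"
        import_cert appstore-installer-cert.p12 "$APPSTORE_CERT_PASSWORD"
        import_cert macdev-cert.p12 "$MACDEV_CERT_PASSWORD"

        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain

    - name: Set up provisioning profiles
      run: |
        cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \
          "$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile"

    # Writes the build number from the setup job into electron-builder.json.
    - name: Increment version
      shell: pwsh
      env:
        BUILD_NUMBER: ${{ needs.setup.outputs.build_number }}
      run: |
        $package = Get-Content -Raw -Path electron-builder.json | ConvertFrom-Json
        $package | Add-Member -MemberType NoteProperty -Name buildVersion -Value "$env:BUILD_NUMBER"
        $package | ConvertTo-Json -Depth 32 | Set-Content -Path electron-builder.json

    # Runs from the repository root, overriding the job's working directory.
    - name: Install Node dependencies
      run: npm ci
      working-directory: ./

    - name: Cache Native Module
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      id: cache
      with:
        path: apps/desktop/desktop_native/*.node
        key: rust-${{ runner.os }}-${{ hashFiles('apps/desktop/desktop_native/**/*') }}

    - name: Build Native Module
      if: steps.cache.outputs.cache-hit != 'true'
      working-directory: apps/desktop/desktop_native
      run: npm run build:cross-platform

    - name: Build application (dev)
      run: npm run build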
# Calls the browser build as a reusable workflow from this repository.
# `secrets: inherit` hands every secret available to this workflow to the
# called one, so that file carries the same trust as this one.
browser-build:
  name: Browser Build
  needs: setup
  uses: ./.github/workflows/build-browser.yml
  secrets: inherit
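# Packages the macOS build for the GitHub release (.zip, .dmg, blockmap and
# the auto-update manifest), bundling the Safari extension from the browser
# build.
# The job has no `if:` guard, so the signing material is decrypted and
# imported for every event that starts the workflow.
macos-package-github:
  name: MacOS Package GitHub Release Assets
  runs-on: macos-11
  needs:
    - browser-build
    - macos-build
    - setup
  env:
    _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
  defaults:
    run:
      working-directory: apps/desktop
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3

    - name: Set up Node
      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c  # v3.6.0
      with:
        cache: 'npm'
        cache-dependency-path: '**/package-lock.json'
        node-version: '18'

    - name: Set Node options
      run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> "$GITHUB_ENV"

    # node-gyp is installed globally with no version given.
    - name: Install node-gyp
      run: |
        npm install -g node-gyp
        node-gyp install $(node -v)

    - name: Rust
      shell: pwsh
      run: rustup target install aarch64-apple-darwin

    - name: Print environment
      # GITHUB_EVENT_NAME is the variable the runner sets; GITHUB_EVENT is not
      # one of the default variables and printed an empty value.
      run: |
        node --version
        npm --version
        rustup show
        echo "GitHub ref: $GITHUB_REF"
        echo "GitHub event: $GITHUB_EVENT_NAME"

    # Same key as the cache written by the macos-build job of this run.
    - name: Get Build Cache
      id: build-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      with:
        path: apps/desktop/build
        key: ${{ runner.os }}-${{ github.run_id }}-build

    - name: Setup Safari Cache
      id: safari-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      with:
        path: apps/browser/dist/Safari
        key: ${{ runner.os }}-${{ github.run_id }}-safari-extension

    # Decrypts the GPG-encrypted certificates and the provisioning profile
    # that are committed under .github/secrets into $HOME/secrets.
    # NOTE(review): the passphrase is passed as a command-line argument, which
    # exposes it to other processes on the runner for the duration of each
    # gpg call.
    - name: Decrypt secrets
      env:
        DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
      run: |
        mkdir -p "$HOME/secrets"

        for file in \
          bitwarden-desktop-key.p12 \
          appstore-app-cert.p12 \
          appstore-installer-cert.p12 \
          devid-app-cert.p12 \
          devid-installer-cert.p12 \
          macdev-cert.p12 \
          bitwarden_desktop_appstore.provisionprofile
        do
          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
            --output "$HOME/secrets/$file" \
            "$GITHUB_WORKSPACE/.github/secrets/$file.gpg"
        done

    # Creates a throwaway keychain and imports the signing identities into it.
    # Every password expansion is quoted: unquoted, a value containing
    # whitespace or glob characters would be split or expanded by bash before
    # `security` receives it.
    # NOTE(review): APPLE_ID_PASSWORD is exported to this step but no command
    # in the script reads it - confirm whether it can be dropped here.
    - name: Set up keychain
      env:
        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
        DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
        APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
        MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }}
        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      run: |
        # import_cert FILE PASSWORD: import one PKCS#12 bundle and allow the
        # three signing tools to use the key.
        import_cert() {
          security import "$HOME/secrets/$1" -k build.keychain -P "$2" \
            -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        }

        security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        security set-keychain-settings -lut 1200 build.keychain

        import_cert bitwarden-desktop-key.p12 "$DESKTOP_KEY_PASSWORD"
        import_cert devid-app-cert.p12 "$DEVID_CERT_PASSWORD"
        import_cert devid-installer-cert.p12 "$DEVID_CERT_PASSWORD"
        import_cert appstore-app-cert.p12 "$APPSTORE_CERT_PASSWORD"
        import_cert appstore-installer-cert.p12 "$APPSTORE_CERT_PASSWORD"
        import_cert macdev-cert.p12 "$MACDEV_CERT_PASSWORD"

        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain

    - name: Set up provisioning profiles
      run: |
        cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \
          "$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile"

    # Writes the build number from the setup job into electron-builder.json.
    - name: Increment version
      shell: pwsh
      env:
        BUILD_NUMBER: ${{ needs.setup.outputs.build_number }}
      run: |
        $package = Get-Content -Raw -Path electron-builder.json | ConvertFrom-Json
        $package | Add-Member -MemberType NoteProperty -Name buildVersion -Value "$env:BUILD_NUMBER"
        $package | ConvertTo-Json -Depth 32 | Set-Content -Path electron-builder.json

    # Runs from the repository root, overriding the job's working directory.
    - name: Install Node dependencies
      run: npm ci
      working-directory: ./

    - name: Cache Native Module
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8  # v3.3.1
      id: cache
      with:
        path: apps/desktop/desktop_native/*.node
        key: rust-${{ runner.os }}-${{ hashFiles('apps/desktop/desktop_native/**/*') }}

    - name: Build Native Module
      if: steps.cache.outputs.cache-hit != 'true'
      working-directory: apps/desktop/desktop_native
      run: npm run build:cross-platform

    # Rebuilds only when the build cache from macos-build was not restored.
    - name: Build
      if: steps.build-cache.outputs.cache-hit != 'true'
      run: npm run build

    # No `name` is given, so every artifact of the run is downloaded, each
    # into its own directory under browser-build-artifacts.
    - name: Download Browser artifact
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a  # v3.0.2
      with:
        path: ${{ github.workspace }}/browser-build-artifacts

    # Paths are quoted so that an unexpected character in an artifact name
    # cannot split the arguments.
    - name: Unzip Safari artifact
      run: |
        SAFARI_DIR=$(find "$GITHUB_WORKSPACE/browser-build-artifacts" -name 'dist-safari-*.zip')
        echo "$SAFARI_DIR"
        unzip "$SAFARI_DIR/dist-safari.zip" -d "$GITHUB_WORKSPACE/browser-build-artifacts"

    - name: Load Safari extension for .dmg
      run: |
        mkdir PlugIns
        cp -r "$GITHUB_WORKSPACE/browser-build-artifacts/Safari/dmg/build/Release/safari.appex" PlugIns/safari.appex

    # NOTE(review): CSC_FOR_PULL_REQUEST is set, which presumably lets
    # electron-builder sign pull-request builds too - confirm that signing PR
    # builds with the release identities is intended.
    - name: Build application (dist)
      env:
        APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
        CSC_FOR_PULL_REQUEST: true
      run: npm run pack:mac

    # Each upload fails the job when its file is missing.
    - name: Upload .zip artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-universal-mac.zip
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-universal-mac.zip
        if-no-files-found: error

    - name: Upload .dmg artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-universal.dmg
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-universal.dmg
        if-no-files-found: error

    - name: Upload .dmg blockmap artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-universal.dmg.blockmap
        path: apps/desktop/dist/Bitwarden-${{ env._PACKAGE_VERSION }}-universal.dmg.blockmap
        if-no-files-found: error

    - name: Upload auto-update artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce  # v3.1.2
      with:
        name: ${{ needs.setup.outputs.release_channel }}-mac.yml
        path: apps/desktop/dist/${{ needs.setup.outputs.release_channel }}-mac.yml
        if-no-files-found: error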
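# Builds, signs and packages the Mac App Store (MAS) variant of the desktop
# app, uploads the .pkg as a workflow artifact and, on release branches,
# submits it to TestFlight. Third-party actions are pinned to full commit SHAs.
macos-package-mas:
  name: MacOS Package Prod Release Asset
  runs-on: macos-11
  needs:
    - browser-build
    - macos-build
    - setup
  env:
    _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
  defaults:
    run:
      working-directory: apps/desktop
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

    - name: Set up Node
      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
        cache: 'npm'
        cache-dependency-path: '**/package-lock.json'
        node-version: '18'

    - name: Set Node options
      run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> "$GITHUB_ENV"

    - name: Install node-gyp
      run: |
        npm install -g node-gyp
        node-gyp install "$(node -v)"

    - name: Rust
      shell: pwsh
      run: rustup target install aarch64-apple-darwin

    - name: Print environment
      run: |
        node --version
        npm --version
        rustup show
        echo "GitHub ref: $GITHUB_REF"
        # GITHUB_EVENT_NAME is the variable the runner sets; GITHUB_EVENT is
        # not a default variable and printed an empty value.
        echo "GitHub event: $GITHUB_EVENT_NAME"

    # Keyed on the run id, so this can only restore output saved earlier in
    # the same workflow run (presumably by macos-build - confirm).
    - name: Get Build Cache
      id: build-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: apps/desktop/build
        key: ${{ runner.os }}-${{ github.run_id }}-build

    - name: Setup Safari Cache
      id: safari-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: apps/browser/dist/Safari
        key: ${{ runner.os }}-${{ github.run_id }}-safari-extension

    # Decrypts the signing material committed under .github/secrets into a
    # directory that only the runner user can read.
    # NOTE(review): the passphrase is passed on the gpg command line and is
    # therefore visible in the process list while gpg runs; gpg's
    # --passphrase-fd would avoid that. Also confirm that this job needs all
    # seven files; decrypting only what it uses narrows the exposure.
    - name: Decrypt secrets
      env:
        DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
      run: |
        mkdir -p "$HOME/secrets"
        chmod 700 "$HOME/secrets"
        for secret_file in \
          bitwarden-desktop-key.p12 \
          appstore-app-cert.p12 \
          appstore-installer-cert.p12 \
          devid-app-cert.p12 \
          devid-installer-cert.p12 \
          macdev-cert.p12 \
          bitwarden_desktop_appstore.provisionprofile
        do
          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
            --output "$HOME/secrets/$secret_file" \
            "$GITHUB_WORKSPACE/.github/secrets/$secret_file.gpg"
        done

    # Creates a dedicated build keychain and imports the signing identities.
    # Every password expansion is quoted so that a value containing spaces or
    # glob characters is passed as a single argument. APPLE_ID_PASSWORD is
    # deliberately not exported here: nothing in this script reads it.
    - name: Set up keychain
      env:
        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
        DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
        APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
        MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }}
      run: |
        security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        # Lock on sleep and after 1200 seconds without use.
        security set-keychain-settings -lut 1200 build.keychain
        # -T lists the tools allowed to use each imported key without a prompt.
        security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P "$DESKTOP_KEY_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P "$DEVID_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P "$DEVID_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P "$APPSTORE_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P "$APPSTORE_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P "$MACDEV_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain

    - name: Set up provisioning profiles
      run: |
        cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \
          "$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile"

    # Writes the build number from the setup job into electron-builder.json.
    - name: Increment version
      shell: pwsh
      env:
        BUILD_NUMBER: ${{ needs.setup.outputs.build_number }}
      run: |
        $package = Get-Content -Raw -Path electron-builder.json | ConvertFrom-Json
        $package | Add-Member -MemberType NoteProperty -Name buildVersion -Value "$env:BUILD_NUMBER"
        $package | ConvertTo-Json -Depth 32 | Set-Content -Path electron-builder.json

    # npm ci installs exactly what package-lock.json records.
    - name: Install Node dependencies
      run: npm ci
      working-directory: ./

    - name: Cache Native Module
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      id: cache
      with:
        path: apps/desktop/desktop_native/*.node
        key: rust-${{ runner.os }}-${{ hashFiles('apps/desktop/desktop_native/**/*') }}

    - name: Build Native Module
      if: steps.cache.outputs.cache-hit != 'true'
      working-directory: apps/desktop/desktop_native
      run: npm run build:cross-platform

    - name: Build
      if: steps.build-cache.outputs.cache-hit != 'true'
      run: npm run build

    # No artifact name is given, so every artifact of this run is downloaded,
    # each into its own sub-directory.
    - name: Download Browser artifact
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
      with:
        path: ${{ github.workspace }}/browser-build-artifacts

    - name: Unzip Safari artifact
      run: |
        SAFARI_DIR=$(find "$GITHUB_WORKSPACE/browser-build-artifacts" -name 'dist-safari-*.zip')
        echo "$SAFARI_DIR"
        unzip "$SAFARI_DIR/dist-safari.zip" -d "$GITHUB_WORKSPACE/browser-build-artifacts"

    - name: Load Safari extension for App Store
      run: |
        mkdir PlugIns
        cp -r "$GITHUB_WORKSPACE/browser-build-artifacts/Safari/mas/build/Release/safari.appex" PlugIns/safari.appex

    # NOTE(review): CSC_FOR_PULL_REQUEST asks the packager to sign
    # pull-request builds as well; confirm that signing with the production
    # identities on PR-triggered runs is intended.
    - name: Build application for App Store
      run: npm run pack:mac:mas
      env:
        APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
        CSC_FOR_PULL_REQUEST: true

    - name: Upload .pkg artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-universal.pkg
        path: apps/desktop/dist/mas-universal/Bitwarden-${{ env._PACKAGE_VERSION }}-universal.pkg
        if-no-files-found: error

    # Runs for master only while neither an rc nor a hotfix branch exists, for
    # rc only while no hotfix branch exists, and always for hotfix-rc-desktop.
    - name: Deploy to TestFlight
      env:
        APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      if: |
        (github.ref == 'refs/heads/master'
        && needs.setup.outputs.rc_branch_exists == 0
        && needs.setup.outputs.hotfix_branch_exists == 0)
        || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0)
        || github.ref == 'refs/heads/hotfix-rc-desktop'
      run: npm run upload:mas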
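# Builds the Mac App Store development ("masdev") variant of the desktop app
# and uploads it as a zipped .app. The job is switched off by `if: false`.
# NOTE(review): unlike macos-package-mas, this job has no step that installs
# the aarch64-apple-darwin Rust target before build:cross-platform runs;
# confirm before enabling it.
macos-package-dev:
  name: MacOS Package Dev Release Asset
  if: false # We need to look into how code signing works for dev
  runs-on: macos-11
  needs:
    - browser-build
    - macos-build
    - setup
  env:
    _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
  defaults:
    run:
      working-directory: apps/desktop
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

    - name: Set up Node
      uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
      with:
        cache: 'npm'
        cache-dependency-path: '**/package-lock.json'
        node-version: '18'

    - name: Set Node options
      run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> "$GITHUB_ENV"

    - name: Install node-gyp
      run: |
        npm install -g node-gyp
        node-gyp install "$(node -v)"

    - name: Print environment
      run: |
        node --version
        npm --version
        echo "GitHub ref: $GITHUB_REF"
        # GITHUB_EVENT_NAME is the variable the runner sets; GITHUB_EVENT is
        # not a default variable and printed an empty value.
        echo "GitHub event: $GITHUB_EVENT_NAME"

    # Keyed on the run id, so this can only restore output saved earlier in
    # the same workflow run (presumably by macos-build - confirm).
    - name: Get Build Cache
      id: build-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: apps/desktop/build
        key: ${{ runner.os }}-${{ github.run_id }}-build

    - name: Setup Safari Cache
      id: safari-cache
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      with:
        path: apps/browser/dist/Safari
        key: ${{ runner.os }}-${{ github.run_id }}-safari-extension

    # Decrypts the signing material committed under .github/secrets into a
    # directory that only the runner user can read.
    # NOTE(review): the passphrase is passed on the gpg command line and is
    # therefore visible in the process list while gpg runs; gpg's
    # --passphrase-fd would avoid that. A development build probably does not
    # need the production App Store and Developer ID identities - confirm and
    # decrypt only what this job uses.
    - name: Decrypt secrets
      env:
        DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
      run: |
        mkdir -p "$HOME/secrets"
        chmod 700 "$HOME/secrets"
        for secret_file in \
          bitwarden-desktop-key.p12 \
          appstore-app-cert.p12 \
          appstore-installer-cert.p12 \
          devid-app-cert.p12 \
          devid-installer-cert.p12 \
          macdev-cert.p12 \
          bitwarden_desktop_appstore.provisionprofile
        do
          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
            --output "$HOME/secrets/$secret_file" \
            "$GITHUB_WORKSPACE/.github/secrets/$secret_file.gpg"
        done

    # Creates a dedicated build keychain and imports the signing identities.
    # Every password expansion is quoted so that a value containing spaces or
    # glob characters is passed as a single argument. APPLE_ID_PASSWORD is
    # deliberately not exported here: nothing in this script reads it.
    - name: Set up keychain
      env:
        KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
        DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
        APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
        MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }}
      run: |
        security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        security default-keychain -s build.keychain
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
        # Lock on sleep and after 1200 seconds without use.
        security set-keychain-settings -lut 1200 build.keychain
        # -T lists the tools allowed to use each imported key without a prompt.
        security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P "$DESKTOP_KEY_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P "$DEVID_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P "$DEVID_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P "$APPSTORE_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P "$APPSTORE_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P "$MACDEV_CERT_PASSWORD" \
          -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain

    - name: Set up provisioning profiles
      run: |
        cp "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \
          "$GITHUB_WORKSPACE/apps/desktop/bitwarden_desktop_appstore.provisionprofile"

    # Writes the build number from the setup job into electron-builder.json.
    - name: Increment version
      shell: pwsh
      env:
        BUILD_NUMBER: ${{ needs.setup.outputs.build_number }}
      run: |
        $package = Get-Content -Raw -Path electron-builder.json | ConvertFrom-Json
        $package | Add-Member -MemberType NoteProperty -Name buildVersion -Value "$env:BUILD_NUMBER"
        $package | ConvertTo-Json -Depth 32 | Set-Content -Path electron-builder.json

    # npm ci installs exactly what package-lock.json records.
    - name: Install Node dependencies
      run: npm ci
      working-directory: ./

    - name: Cache Native Module
      uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
      id: cache
      with:
        path: apps/desktop/desktop_native/*.node
        key: rust-${{ runner.os }}-${{ hashFiles('apps/desktop/desktop_native/**/*') }}

    - name: Build Native Module
      if: steps.cache.outputs.cache-hit != 'true'
      working-directory: apps/desktop/desktop_native
      run: npm run build:cross-platform

    - name: Build
      if: steps.build-cache.outputs.cache-hit != 'true'
      run: npm run build

    # No artifact name is given, so every artifact of this run is downloaded,
    # each into its own sub-directory.
    - name: Download Browser artifact
      uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
      with:
        path: ${{ github.workspace }}/browser-build-artifacts

    - name: Unzip Safari artifact
      run: |
        SAFARI_DIR=$(find "$GITHUB_WORKSPACE/browser-build-artifacts" -name 'dist-safari-*.zip')
        echo "$SAFARI_DIR"
        unzip "$SAFARI_DIR/dist-safari.zip" -d "$GITHUB_WORKSPACE/browser-build-artifacts"

    - name: Load Safari extension for App Store
      run: |
        mkdir PlugIns
        cp -r "$GITHUB_WORKSPACE/browser-build-artifacts/Safari/masdev/build/Release/safari.appex" PlugIns/safari.appex

    - name: Build dev application for App Store
      run: npm run pack:mac:masdev
      env:
        APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
        APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}

    # The job defines _PACKAGE_VERSION, not PACKAGE_VERSION; the old
    # `env.PACKAGE_VERSION` expanded to nothing and produced
    # "Bitwarden--masdev-universal.zip". Reading the job-level variable from
    # the shell also keeps the value out of the script text itself.
    # NOTE(review): this step zips in ./dist/mas-dev-universal while the
    # upload below reads apps/desktop/dist/mas-universal; the two paths look
    # inconsistent - confirm before enabling the job.
    - name: Zip masdev asset
      working-directory: ./dist/mas-dev-universal
      run: zip -r "Bitwarden-${_PACKAGE_VERSION}-masdev-universal.zip" Bitwarden.app

    - name: Upload masdev artifact
      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
      with:
        name: Bitwarden-${{ env._PACKAGE_VERSION }}-masdev-universal.zip
        path: apps/desktop/dist/mas-universal/Bitwarden-${{ env._PACKAGE_VERSION }}-masdev-universal.zip
        if-no-files-found: error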
# Pushes the desktop app's source strings to Crowdin. Runs on master only and
# only after the listed packaging jobs. The Crowdin API token is fetched from
# the 'bitwarden-ci' key vault at run time, not stored as a repository secret.
crowdin-push:
  name: Crowdin Push
  runs-on: ubuntu-20.04
  if: github.ref == 'refs/heads/master'
  needs:
    - linux
    - windows
    - macos-package-github
    - macos-package-mas
  steps:
    - name: Checkout repo
      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

    # Signs in with the CI service principal so the next step can read the
    # key vault.
    - name: Login to Azure
      uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
      with:
        creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

    # Exposes the named vault secret as a step output of the same name.
    - name: Retrieve secrets
      id: retrieve-secrets
      uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
      with:
        keyvault: 'bitwarden-ci'
        secrets: 'crowdin-api-token'

    # Uploads sources only; translations are not pushed from this job.
    - name: Upload Sources
      uses: crowdin/github-action@ee4ab4ea2feadc0fdc3b200729c7b1c4cf4b38f3 # v1.11.0
      with:
        config: apps/desktop/crowdin.yml
        crowdin_branch_name: master
        upload_sources: true
        upload_translations: false
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }}
        CROWDIN_PROJECT_ID: '299360'
check-failures: | |
name: Check for failures | |
if: always() | |
runs-on: ubuntu-20.04 | |
needs: | |
- cloc | |
- electron-verify | |
- browser-build | |
- setup | |
- linux | |
- windows | |
- macos-build | |
- macos-package-github | |
- macos-package-mas | |
- crowdin-push | |
steps: | |
# Fails this job when any upstream job finished with the result "failure".
# Only evaluated on master and rc. Other results (for example "cancelled" or
# "skipped") do not trip the check.
- name: Check if any job failed
  if: ${{ (github.ref == 'refs/heads/master') || (github.ref == 'refs/heads/rc') }}
  env:
    CLOC_STATUS: ${{ needs.cloc.result }}
    ELECTRON_VERIFY_STATUS: ${{ needs.electron-verify.result }}
    BROWSER_BUILD_STATUS: ${{ needs.browser-build.result }}
    SETUP_STATUS: ${{ needs.setup.result }}
    LINUX_STATUS: ${{ needs.linux.result }}
    WINDOWS_STATUS: ${{ needs.windows.result }}
    MACOS_BUILD_STATUS: ${{ needs.macos-build.result }}
    MACOS_PKG_GITHUB_STATUS: ${{ needs.macos-package-github.result }}
    MACOS_PKG_MAS_STATUS: ${{ needs.macos-package-mas.result }}
    CROWDIN_PUSH_STATUS: ${{ needs.crowdin-push.result }}
  run: |
    # Walk the upstream results in the same order as the env block above and
    # stop at the first failure.
    for job_result in \
      "$CLOC_STATUS" \
      "$ELECTRON_VERIFY_STATUS" \
      "$BROWSER_BUILD_STATUS" \
      "$SETUP_STATUS" \
      "$LINUX_STATUS" \
      "$WINDOWS_STATUS" \
      "$MACOS_BUILD_STATUS" \
      "$MACOS_PKG_GITHUB_STATUS" \
      "$MACOS_PKG_MAS_STATUS" \
      "$CROWDIN_PUSH_STATUS"
    do
      if [ "$job_result" = "failure" ]; then
        exit 1
      fi
    done
# Runs only after an earlier step of this job has failed; signs in with the
# CI service principal so the following step can read the key vault.
- name: Login to Azure - Prod Subscription
  if: failure()
  uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
  with:
    creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
# Failure path only: fetches the Slack webhook URL from the 'bitwarden-ci'
# key vault and exposes it as a step output of the same name.
- name: Retrieve secrets
  id: retrieve-secrets
  if: failure()
  uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
  with:
    keyvault: 'bitwarden-ci'
    secrets: 'devops-alerts-slack-webhook-url'
- name: Notify Slack on failure | |
uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} | |
with: | |
status: ${{ job.status }} |