[BRE-1004] Publish web images to GHCR on release (#19679)

This commit is contained in:
Vince Grassia 2026-03-26 14:28:38 -04:00 committed by GitHub
parent cfc68eff69
commit f6f503ead8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 53 additions and 9 deletions

View File

@ -49,6 +49,7 @@ on:
env:
_AZ_REGISTRY: bitwardenprod.azurecr.io
_GHCR_REGISTRY: ghcr.io/bitwarden
_GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}
permissions:
@ -98,6 +99,7 @@ jobs:
permissions:
security-events: write
id-token: write
packages: write
needs: setup
strategy:
fail-fast: false
@ -264,6 +266,14 @@ jobs:
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
run: az acr login -n "${_AZ_REGISTRY%.azurecr.io}"
- name: Log in to GHCR
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
########## Generate image tag and build Docker image ##########
- name: Generate container image tag
id: tag
@ -300,7 +310,12 @@ jobs:
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
PROJECT_NAME: ${{ matrix.image_name }}
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
run: |
ACR_NAME="$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}"
GHCR_NAME="$_GHCR_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}"
echo "name=$ACR_NAME" >> "$GITHUB_OUTPUT"
echo "ghcr_name=$GHCR_NAME" >> "$GITHUB_OUTPUT"
echo "tags=$ACR_NAME,$GHCR_NAME" >> "$GITHUB_OUTPUT"
- name: Build Docker image
id: build-container
@ -318,13 +333,17 @@ jobs:
linux/arm/v7,
linux/arm64
push: false
tags: ${{ steps.image-name.outputs.name }}
tags: ${{ steps.image-name.outputs.tags }}
- name: Push images
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
env:
IMAGE_NAME: ${{ steps.image-name.outputs.name }}
run: docker push "$IMAGE_NAME"
TAGS: ${{ steps.image-name.outputs.tags }}
run: |
IFS=',' read -r -a tags_array <<< "$TAGS"
for tag in "${tags_array[@]}"; do
docker push "$tag"
done
- name: Zip project
working-directory: apps/web
@ -345,14 +364,14 @@ jobs:
if-no-files-found: error
- name: Install Cosign
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
if: github.event_name != 'pull_request_target' && env.is_publish_branch == 'true'
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
- name: Sign image with Cosign
if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main'
if: github.event_name != 'pull_request_target' && env.is_publish_branch == 'true'
env:
DIGEST: ${{ steps.build-container.outputs.digest }}
TAGS: ${{ steps.image-name.outputs.name }}
TAGS: ${{ steps.image-name.outputs.tags }}
run: |
IFS=',' read -r -a tags_array <<< "${TAGS}"
images=()
@ -380,7 +399,9 @@ jobs:
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
- name: Log out of Docker
run: docker logout "$_AZ_REGISTRY"
run: |
docker logout "$_AZ_REGISTRY"
docker logout ghcr.io
- name: Log out from Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}

View File

@ -16,6 +16,7 @@ on:
env:
_AZ_REGISTRY: bitwardenprod.azurecr.io
_GHCR_REGISTRY: ghcr.io/bitwarden
jobs:
setup:
@ -60,6 +61,7 @@ jobs:
id-token: write
contents: read
deployments: write
packages: write
env:
_BRANCH_NAME: ${{ github.ref_name }}
_RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
@ -89,6 +91,13 @@ jobs:
- name: Login to Azure ACR
run: az acr login -n bitwardenprod
- name: Log in to GHCR
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Create GitHub deployment
if: ${{ inputs.publish_type != 'Dry Run' }}
uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7
@ -114,11 +123,17 @@ jobs:
if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
docker tag "$_AZ_REGISTRY/web:latest" "$_AZ_REGISTRY/web:dryrun"
docker tag "$_AZ_REGISTRY/web:latest" "$_AZ_REGISTRY/web-sh:dryrun"
docker tag "$_AZ_REGISTRY/web:latest" "$_GHCR_REGISTRY/web:dryrun"
docker tag "$_AZ_REGISTRY/web:latest" "$_GHCR_REGISTRY/web-sh:dryrun"
else
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web:$_RELEASE_VERSION"
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web-sh:$_RELEASE_VERSION"
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web:latest"
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web-sh:latest"
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web:$_RELEASE_VERSION"
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web-sh:$_RELEASE_VERSION"
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web:latest"
docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web-sh:latest"
fi
- name: Push version
@ -126,11 +141,17 @@ jobs:
if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
docker push "$_AZ_REGISTRY/web:dryrun"
docker push "$_AZ_REGISTRY/web-sh:dryrun"
docker push "$_GHCR_REGISTRY/web:dryrun"
docker push "$_GHCR_REGISTRY/web-sh:dryrun"
else
docker push "$_AZ_REGISTRY/web:$_RELEASE_VERSION"
docker push "$_AZ_REGISTRY/web-sh:$_RELEASE_VERSION"
docker push "$_AZ_REGISTRY/web:latest"
docker push "$_AZ_REGISTRY/web-sh:latest"
docker push "$_GHCR_REGISTRY/web:$_RELEASE_VERSION"
docker push "$_GHCR_REGISTRY/web-sh:$_RELEASE_VERSION"
docker push "$_GHCR_REGISTRY/web:latest"
docker push "$_GHCR_REGISTRY/web-sh:latest"
fi
- name: Log out from Azure
@ -155,7 +176,9 @@ jobs:
deployment-id: ${{ steps.deployment.outputs.deployment_id }}
- name: Log out of Docker
run: docker logout
run: |
docker logout "$_AZ_REGISTRY"
docker logout ghcr.io
bitwarden-lite-build:
name: Trigger Bitwarden lite build