diff --git a/.github/workflows/build-web.yml b/.github/workflows/build-web.yml index e31f2845ffb..f1886a9ee09 100644 --- a/.github/workflows/build-web.yml +++ b/.github/workflows/build-web.yml @@ -49,6 +49,7 @@ on: env: _AZ_REGISTRY: bitwardenprod.azurecr.io + _GHCR_REGISTRY: ghcr.io/bitwarden _GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }} permissions: @@ -98,6 +99,7 @@ jobs: permissions: security-events: write id-token: write + packages: write needs: setup strategy: fail-fast: false @@ -264,6 +266,14 @@ jobs: if: ${{ needs.setup.outputs.has_secrets == 'true' }} run: az acr login -n "${_AZ_REGISTRY%.azurecr.io}" + - name: Log in to GHCR + if: ${{ needs.setup.outputs.has_secrets == 'true' }} + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + ########## Generate image tag and build Docker image ########## - name: Generate container image tag id: tag @@ -300,7 +310,12 @@ jobs: env: IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} PROJECT_NAME: ${{ matrix.image_name }} - run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> "$GITHUB_OUTPUT" + run: | + ACR_NAME="$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" + GHCR_NAME="$_GHCR_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" + echo "name=$ACR_NAME" >> "$GITHUB_OUTPUT" + echo "ghcr_name=$GHCR_NAME" >> "$GITHUB_OUTPUT" + echo "tags=$ACR_NAME,$GHCR_NAME" >> "$GITHUB_OUTPUT" - name: Build Docker image id: build-container @@ -318,13 +333,17 @@ jobs: linux/arm/v7, linux/arm64 push: false - tags: ${{ steps.image-name.outputs.name }} + tags: ${{ steps.image-name.outputs.tags }} - name: Push images if: ${{ needs.setup.outputs.has_secrets == 'true' }} env: - IMAGE_NAME: ${{ steps.image-name.outputs.name }} - run: docker push "$IMAGE_NAME" + TAGS: ${{ steps.image-name.outputs.tags }} + run: | + IFS=',' read -r -a tags_array <<< "$TAGS" + for tag in "${tags_array[@]}"; do + docker push "$tag" + done - name: Zip project working-directory: apps/web @@ -345,14 +364,14 @@ jobs: if-no-files-found: error - name: Install Cosign - if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' + if: github.event_name != 'pull_request_target' && env.is_publish_branch == 'true' uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 - name: Sign image with Cosign - if: github.event_name != 'pull_request_target' && github.ref == 'refs/heads/main' + if: github.event_name != 'pull_request_target' && env.is_publish_branch == 'true' env: DIGEST: ${{ steps.build-container.outputs.digest }} - TAGS: ${{ steps.image-name.outputs.name }} + TAGS: ${{ steps.image-name.outputs.tags }} run: | IFS=',' read -r -a tags_array <<< "${TAGS}" images=() @@ -380,7 +399,9 @@ jobs: ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} - name: Log out of Docker - run: docker logout "$_AZ_REGISTRY" + run: | + docker logout "$_AZ_REGISTRY" + docker logout ghcr.io - name: Log out from Azure if: ${{ needs.setup.outputs.has_secrets == 'true' }} diff --git a/.github/workflows/publish-web.yml b/.github/workflows/publish-web.yml index c45e249d083..9e9208df3af 100644 --- a/.github/workflows/publish-web.yml +++ b/.github/workflows/publish-web.yml @@ -16,6 +16,7 @@ on: env: _AZ_REGISTRY: bitwardenprod.azurecr.io + _GHCR_REGISTRY: ghcr.io/bitwarden jobs: setup: @@ -60,6 +61,7 @@ jobs: id-token: write contents: read deployments: write + packages: write env: _BRANCH_NAME: ${{ github.ref_name }} _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }} @@ -89,6 +91,13 @@ jobs: - name: Login to Azure ACR run: az acr login -n bitwardenprod + - name: Log in to GHCR + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Create GitHub deployment if: ${{ inputs.publish_type != 'Dry Run' }} uses: chrnorm/deployment-action@55729fcebec3d284f60f5bcabbd8376437d696b1 # v2.0.7 @@ -114,11 +123,17 @@ jobs: if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then docker tag "$_AZ_REGISTRY/web:latest" "$_AZ_REGISTRY/web:dryrun" docker tag "$_AZ_REGISTRY/web:latest" "$_AZ_REGISTRY/web-sh:dryrun" + docker tag "$_AZ_REGISTRY/web:latest" "$_GHCR_REGISTRY/web:dryrun" + docker tag "$_AZ_REGISTRY/web:latest" "$_GHCR_REGISTRY/web-sh:dryrun" else docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web:$_RELEASE_VERSION" docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web-sh:$_RELEASE_VERSION" docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web:latest" docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_AZ_REGISTRY/web-sh:latest" + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web:$_RELEASE_VERSION" + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web-sh:$_RELEASE_VERSION" + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web:latest" + docker tag "$_AZ_REGISTRY/web:$_BRANCH_NAME" "$_GHCR_REGISTRY/web-sh:latest" fi - name: Push version @@ -126,11 +141,17 @@ jobs: if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then docker push "$_AZ_REGISTRY/web:dryrun" docker push "$_AZ_REGISTRY/web-sh:dryrun" + docker push "$_GHCR_REGISTRY/web:dryrun" + docker push "$_GHCR_REGISTRY/web-sh:dryrun" else docker push "$_AZ_REGISTRY/web:$_RELEASE_VERSION" docker push "$_AZ_REGISTRY/web-sh:$_RELEASE_VERSION" docker push "$_AZ_REGISTRY/web:latest" docker push "$_AZ_REGISTRY/web-sh:latest" + docker push "$_GHCR_REGISTRY/web:$_RELEASE_VERSION" + docker push "$_GHCR_REGISTRY/web-sh:$_RELEASE_VERSION" + docker push "$_GHCR_REGISTRY/web:latest" + docker push "$_GHCR_REGISTRY/web-sh:latest" fi - name: Log out from Azure @@ -155,7 +176,9 @@ jobs: deployment-id: ${{ steps.deployment.outputs.deployment_id }} - name: Log out of Docker - run: docker logout + run: | + docker logout "$_AZ_REGISTRY" + docker logout ghcr.io bitwarden-lite-build: name: Trigger Bitwarden lite build