[DEVOPS-1528] - Update clients to point build and release to Prod ACR (#6026)

* update clients to point build and release to Prod ACR

* FIX: typo

* FIX: run block

* UPDATE: add suggestions

* UPDATE: workflow runners and job needs

* UPDATE: registry env in build

* UPDATE: suggestion
This commit is contained in:
Opeyemi 2023-08-16 16:41:02 +01:00 committed by GitHub
parent e016ed001e
commit d2bff7eb8b
2 changed files with 54 additions and 108 deletions


@ -31,6 +31,9 @@ on:
description: "Custom image tag extension"
required: false
env:
_AZ_REGISTRY: bitwardenprod.azurecr.io
jobs:
cloc:
name: CLOC
@ -65,8 +68,7 @@ jobs:
build-artifacts:
name: Build artifacts
runs-on: ubuntu-22.04
needs:
- setup
needs: setup
env:
_VERSION: ${{ needs.setup.outputs.version }}
strategy:
@ -146,13 +148,10 @@ jobs:
matrix:
include:
- artifact_name: cloud-QA
registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io]
image_name: web-qa-cloud
- artifact_name: ee
registries: [bitwardenprod.azurecr.io, bitwardenqa.azurecr.io]
image_name: web-ee
- artifact_name: selfhosted-COMMERCIAL
registries: [bitwarden, bitwardenprod.azurecr.io, bitwardenqa.azurecr.io]
image_name: web
env:
_VERSION: ${{ needs.setup.outputs.version }}
@ -174,15 +173,7 @@ jobs:
fi
########## ACRs ##########
- name: Login to Azure - QA
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}
- name: Log into QA container registry
run: az acr login -n bitwardenqa
- name: Login to Azure - Prod
- name: Login to Prod Azure
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
@ -190,6 +181,18 @@ jobs:
- name: Log into Prod container registry
run: az acr login -n bitwardenprod
- name: Login to Azure - CI Subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve github PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@f096207b7a2f31723165aee6ad03e91716686e78
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Download ${{ matrix.artifact_name }} artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
@ -218,37 +221,17 @@ jobs:
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Generate tag list
id: tag-list
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
PROJECT_NAME: ${{ matrix.image_name }}
run: echo "tags=bitwardenqa.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG},bitwardenprod.azurecr.io/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
########## Build Image ##########
- name: Extract artifact
working-directory: apps/web
run: unzip web-${{ env._VERSION }}-${{ matrix.artifact_name }}.zip
- name: Login to Azure
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve github PAT secrets
id: retrieve-secret-pat
uses: bitwarden/gh-actions/get-keyvault-secrets@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
with:
keyvault: "bitwarden-ci"
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
- name: Setup DCT
if: ${{ env.is_publish_branch == 'true' }}
id: setup-dct
uses: bitwarden/gh-actions/setup-docker-trust@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
with:
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
azure-keyvault-name: "bitwarden-ci"
- name: Generate image full name
id: image-name
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
PROJECT_NAME: ${{ matrix.image_name }}
run: echo "name=$_AZ_REGISTRY/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
- name: Build Docker image
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
@ -257,21 +240,10 @@ jobs:
file: apps/web/Dockerfile
platforms: linux/amd64
push: true
tags: ${{ steps.tag-list.outputs.tags }}
tags: ${{ steps.image-name.outputs.name }}
secrets: |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
- name: Push to DockerHub
if: contains(matrix.registries, 'bitwarden') && env.is_publish_branch == 'true'
env:
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
PROJECT_NAME: ${{ matrix.image_name }}
DOCKER_CONTENT_TRUST: 1
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
run: |
docker tag bitwardenprod.azurecr.io/$PROJECT_NAME:$IMAGE_TAG bitwarden/$PROJECT_NAME:$IMAGE_TAG
docker push bitwarden/$PROJECT_NAME:$IMAGE_TAG
- name: Log out of Docker
run: docker logout
@ -279,8 +251,7 @@ jobs:
crowdin-push:
name: Crowdin Push
if: github.ref == 'refs/heads/master'
needs:
- build-artifacts
needs: build-artifacts
runs-on: ubuntu-22.04
steps:
- name: Checkout repo
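Review bot: In the `Generate image full name` step (hunk @ -218), `$_AZ_REGISTRY` is read from the workflow-level `env:` rather than the step's own `env:` block, so if that key is ever removed or renamed the step silently emits `name=/web:<tag>` and the failure only surfaces at push time; `run: echo "name=${_AZ_REGISTRY:?}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT` makes the shell abort with a clear message instead. In the same job, `Login to Azure - CI Subscription` now runs after the prod `az acr login`, so the later docker push depends on the registry credential written by that login surviving the switch of the active az subscription; a one-line comment above the CI-subscription login saying the ordering is deliberate would keep a future edit from reordering it. With the `Setup DCT` and `Push to DockerHub` steps removed, nothing in the visible hunks content-trust signs the images now pushed to the prod ACR, which is presumably intended but deserves a sentence in the description. The `build-artifacts` and `build-docker` jobs extend beyond these hunks.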


@ -15,6 +15,9 @@ on:
- Redeploy
- Dry Run
env:
_AZ_REGISTRY: bitwardenprod.azurecr.io
jobs:
setup:
name: Setup
@ -46,7 +49,6 @@ jobs:
monorepo: true
monorepo-project: web
self-host:
name: Release self-host docker
runs-on: ubuntu-22.04
@ -67,42 +69,6 @@ jobs:
- name: Checkout repo
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
########## DockerHub ##########
- name: Setup DCT
id: setup-dct
uses: bitwarden/gh-actions/setup-docker-trust@a30e9c3d658dc97c4c2e61ec749fdab64b83386c
with:
azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
azure-keyvault-name: "bitwarden-ci"
- name: Pull branch image
run: |
if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
docker pull bitwarden/web:latest
else
docker pull bitwarden/web:$_BRANCH_NAME
fi
- name: Docker Tag version
run: |
if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
docker tag bitwarden/web:latest bitwarden/web:$_RELEASE_VERSION
else
docker tag bitwarden/web:$_BRANCH_NAME bitwarden/web:$_RELEASE_VERSION
fi
- name: Docker Push version
if: ${{ github.event.inputs.release_type != 'Dry Run' }}
env:
DOCKER_CONTENT_TRUST: 1
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: ${{ steps.setup-dct.outputs.dct-delegate-repo-passphrase }}
run: docker push bitwarden/web:$_RELEASE_VERSION
- name: Log out of Docker and disable Docker Notary
run: |
docker logout
echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
########## ACR ##########
- name: Login to Azure - PROD Subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
@ -112,28 +78,37 @@ jobs:
- name: Login to Azure ACR
run: az acr login -n bitwardenprod
- name: Tag version
env:
REGISTRY: bitwardenprod.azurecr.io
- name: Pull branch image
run: |
if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
docker tag bitwarden/web:latest $REGISTRY/web:$_RELEASE_VERSION
docker tag bitwarden/web:latest $REGISTRY/web-sh:$_RELEASE_VERSION
docker pull $_AZ_REGISTRY/web:latest
else
docker tag bitwarden/web:$_BRANCH_NAME $REGISTRY/web:$_RELEASE_VERSION
docker pull $_AZ_REGISTRY/web:$_BRANCH_NAME
fi
docker tag bitwarden/web:$_BRANCH_NAME $REGISTRY/web-sh:$_RELEASE_VERSION
- name: Tag version
run: |
if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
docker tag $_AZ_REGISTRY/web:latest $_AZ_REGISTRY/web:dryrun
docker tag $_AZ_REGISTRY/web:latest $_AZ_REGISTRY/web-sh:dryrun
else
docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web:$_RELEASE_VERSION
docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web-sh:$_RELEASE_VERSION
docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web:latest
docker tag $_AZ_REGISTRY/web:$_BRANCH_NAME $_AZ_REGISTRY/web-sh:latest
fi
- name: Push version
if: ${{ github.event.inputs.release_type != 'Dry Run' }}
env:
REGISTRY: bitwardenprod.azurecr.io
run: |
docker push $REGISTRY/web:$_RELEASE_VERSION
docker push $REGISTRY/web-sh:$_RELEASE_VERSION
if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then
docker push $_AZ_REGISTRY/web:dryrun
docker push $_AZ_REGISTRY/web-sh:dryrun
else
docker push $_AZ_REGISTRY/web:$_RELEASE_VERSION
docker push $_AZ_REGISTRY/web-sh:$_RELEASE_VERSION
docker push $_AZ_REGISTRY/web:latest
docker push $_AZ_REGISTRY/web-sh:latest
fi
- name: Log out of Docker
run: docker logout
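Review bot: The `Push version` step keeps `if: ${{ github.event.inputs.release_type != 'Dry Run' }}` while its new `run:` block contains a Dry Run branch that pushes `$_AZ_REGISTRY/web:dryrun` and `web-sh:dryrun`, so that branch can never execute and the `dryrun` tags created in `Tag version` stay local; either drop the `if:` so a dry run exercises the push path with the throwaway tags, or drop the dead branch so the script matches the guard. The non-dry-run branch now also re-points `web:latest` and `web-sh:latest` on the prod ACR at the branch image on every release; since the workflow's input options include `Redeploy`, a redeploy of an older version would presumably move `latest` backwards, so gate the two `latest` tags and their pushes on the release type or document the intent above them. `Pull branch image` and `Tag version` read `$_AZ_REGISTRY` from the workflow-level env with no guard; `${_AZ_REGISTRY:?}` in the first reference would fail fast if the key is ever removed. The `self-host` job begins before this hunk.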