mirror of
https://github.com/dani-garcia/vaultwarden
synced 2024-12-14 01:23:55 +01:00
e3541763fd
* Fix collections not editable by managers Since a newer version of the web-vault we use manager were not able to create sub collections anymore. This was because of some missing details in the response of some json objects. This commit fixes this by using the `to_json_details` instead of the `to_json` Fixes #5066 Fixes #5044 * Update crates and GitHub Actions - Updated all the crates - Updated all the GHA dependencies - Configured the trivy workflow to only run on the main repo and not on forks Also selected a random new scheduled date so it will not run at the same time as all other forks. The two changes should help running this scan every day without failing, and also prevent the same for new or updated forks.
252 lines
10 KiB
YAML
252 lines
10 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
tags:
|
|
- '*'
|
|
|
|
jobs:
|
|
# https://github.com/marketplace/actions/skip-duplicate-actions
|
|
# Some checks to determine if we need to continue with building a new docker.
|
|
# We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
|
|
skip_check:
|
|
runs-on: ubuntu-24.04
|
|
if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
|
|
outputs:
|
|
should_skip: ${{ steps.skip_check.outputs.should_skip }}
|
|
steps:
|
|
- name: Skip Duplicates Actions
|
|
id: skip_check
|
|
uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
|
|
with:
|
|
cancel_others: 'true'
|
|
# Only run this when not creating a tag
|
|
if: ${{ github.ref_type == 'branch' }}
|
|
|
|
docker-build:
|
|
runs-on: ubuntu-24.04
|
|
timeout-minutes: 120
|
|
needs: skip_check
|
|
if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
|
|
# Start a local docker registry to extract the final Alpine static build binaries
|
|
services:
|
|
registry:
|
|
image: registry:2
|
|
ports:
|
|
- 5000:5000
|
|
env:
|
|
SOURCE_COMMIT: ${{ github.sha }}
|
|
SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
|
|
# The *_REPO variables need to be configured as repository variables
|
|
# Append `/settings/variables/actions` to your repo url
|
|
# DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
|
|
# Check for Docker hub credentials in secrets
|
|
HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
|
|
# GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
|
|
# Check for Github credentials in secrets
|
|
HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
|
|
# QUAY_REPO needs to be 'quay.io/<user>/<repo>'
|
|
# Check for Quay.io credentials in secrets
|
|
HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
|
|
strategy:
|
|
matrix:
|
|
base_image: ["debian","alpine"]
|
|
|
|
steps:
|
|
# Checkout the repo
|
|
- name: Checkout
|
|
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Initialize QEMU binfmt support
|
|
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
|
|
with:
|
|
platforms: "arm64,arm"
|
|
|
|
# Start Docker Buildx
|
|
- name: Setup Docker Buildx
|
|
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
|
|
# https://github.com/moby/buildkit/issues/3969
|
|
# Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
|
|
with:
|
|
buildkitd-config-inline: |
|
|
[worker.oci]
|
|
max-parallelism = 2
|
|
driver-opts: |
|
|
network=host
|
|
|
|
# Determine Base Tags and Source Version
|
|
- name: Determine Base Tags and Source Version
|
|
shell: bash
|
|
run: |
|
|
# Check which main tag we are going to build determined by github.ref_type
|
|
if [[ "${{ github.ref_type }}" == "tag" ]]; then
|
|
echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
|
|
elif [[ "${{ github.ref_type }}" == "branch" ]]; then
|
|
echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
|
|
fi
|
|
|
|
# Get the Source Version for this release
|
|
GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
|
|
if [[ -n "${GIT_EXACT_TAG}" ]]; then
|
|
echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}"
|
|
else
|
|
GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
|
|
echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
|
|
fi
|
|
# End Determine Base Tags
|
|
|
|
# Login to Docker Hub
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
|
|
|
|
- name: Add registry for DockerHub
|
|
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}"
|
|
|
|
# Login to GitHub Container Registry
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.repository_owner }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
|
|
|
|
- name: Add registry for ghcr.io
|
|
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
|
|
|
|
# Login to Quay.io
|
|
- name: Login to Quay.io
|
|
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
|
|
with:
|
|
registry: quay.io
|
|
username: ${{ secrets.QUAY_USERNAME }}
|
|
password: ${{ secrets.QUAY_TOKEN }}
|
|
if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
|
|
|
|
- name: Add registry for Quay.io
|
|
if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
|
|
|
|
- name: Configure build cache from/to
|
|
shell: bash
|
|
run: |
|
|
#
|
|
# Check if there is a GitHub Container Registry Login and use it for caching
|
|
if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
|
|
echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
|
|
echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
|
|
else
|
|
echo "BAKE_CACHE_FROM="
|
|
echo "BAKE_CACHE_TO="
|
|
fi
|
|
#
|
|
|
|
- name: Add localhost registry
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
shell: bash
|
|
run: |
|
|
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
|
|
|
|
- name: Bake ${{ matrix.base_image }} containers
|
|
uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0
|
|
env:
|
|
BASE_TAGS: "${{ env.BASE_TAGS }}"
|
|
SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
|
|
SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
|
|
SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
|
|
CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
|
|
with:
|
|
pull: true
|
|
push: true
|
|
files: docker/docker-bake.hcl
|
|
targets: "${{ matrix.base_image }}-multi"
|
|
set: |
|
|
*.cache-from=${{ env.BAKE_CACHE_FROM }}
|
|
*.cache-to=${{ env.BAKE_CACHE_TO }}
|
|
|
|
|
|
# Extract the Alpine binaries from the containers
|
|
- name: Extract binaries
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
shell: bash
|
|
run: |
|
|
# Check which main tag we are going to build determined by github.ref_type
|
|
if [[ "${{ github.ref_type }}" == "tag" ]]; then
|
|
EXTRACT_TAG="latest"
|
|
elif [[ "${{ github.ref_type }}" == "branch" ]]; then
|
|
EXTRACT_TAG="testing"
|
|
fi
|
|
|
|
# After each extraction the image is removed.
|
|
# This is needed because using different platforms doesn't trigger a new pull/download
|
|
|
|
# Extract amd64 binary
|
|
docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp amd64:/vaultwarden vaultwarden-amd64
|
|
docker rm --force amd64
|
|
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Extract arm64 binary
|
|
docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp arm64:/vaultwarden vaultwarden-arm64
|
|
docker rm --force arm64
|
|
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Extract armv7 binary
|
|
docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp armv7:/vaultwarden vaultwarden-armv7
|
|
docker rm --force armv7
|
|
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Extract armv6 binary
|
|
docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
docker cp armv6:/vaultwarden vaultwarden-armv6
|
|
docker rm --force armv6
|
|
docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
|
|
|
|
# Upload artifacts to Github Actions
|
|
- name: "Upload amd64 artifact"
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
|
|
path: vaultwarden-amd64
|
|
|
|
- name: "Upload arm64 artifact"
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
|
|
path: vaultwarden-arm64
|
|
|
|
- name: "Upload armv7 artifact"
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
|
|
path: vaultwarden-armv7
|
|
|
|
- name: "Upload armv6 artifact"
|
|
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
|
|
if: ${{ matrix.base_image == 'alpine' }}
|
|
with:
|
|
name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
|
|
path: vaultwarden-armv6
|
|
# End Upload artifacts to Github Actions
|