[SM-1129] Run command with secrets #5001
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build CLI | |
on: | |
pull_request: | |
push: | |
branches: | |
- "main" | |
- "rc" | |
- "hotfix-rc" | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
setup: | |
name: Setup | |
runs-on: ubuntu-22.04 | |
outputs: | |
package_version: ${{ steps.retrieve-version.outputs.package_version }} | |
sign: ${{ steps.sign.outputs.sign }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Get Package Version | |
id: retrieve-version | |
run: | | |
VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") | |
echo "package_version=$VERSION" >> $GITHUB_OUTPUT | |
- name: Sign if repo is owned by Bitwarden | |
id: sign | |
env: | |
REPO_OWNER: ${{ github.repository_owner }} | |
run: | | |
if [[ $REPO_OWNER == bitwarden ]]; then | |
echo "sign=true" >> $GITHUB_OUTPUT | |
fi | |
echo "sign=false" >> $GITHUB_OUTPUT | |
build-windows: | |
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
needs: setup | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- os: windows-2022 | |
target: x86_64-pc-windows-msvc | |
- os: windows-2022 | |
target: aarch64-pc-windows-msvc | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable | |
with: | |
toolchain: stable | |
targets: ${{ matrix.settings.target }} | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
with: | |
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
- name: Build | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Login to Azure | |
if: ${{ needs.setup.outputs.sign == 'true' }} | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
if: ${{ needs.setup.outputs.sign == 'true' }} | |
id: retrieve-secrets-windows | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "code-signing-vault-url, | |
code-signing-client-id, | |
code-signing-tenant-id, | |
code-signing-client-secret, | |
code-signing-cert-name" | |
- name: Install AST | |
if: ${{ needs.setup.outputs.sign == 'true' }} | |
run: dotnet tool install --global AzureSignTool --version 4.0.1 | |
- name: Sign windows binary | |
if: ${{ needs.setup.outputs.sign == 'true' }} | |
env: | |
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} | |
SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} | |
SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }} | |
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }} | |
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }} | |
run: | | |
azuresigntool sign -v \ | |
-kvu $SIGNING_VAULT_URL \ | |
-kvi $SIGNING_CLIENT_ID \ | |
-kvt $SIGNING_TENANT_ID \ | |
-kvs $SIGNING_CLIENT_SECRET \ | |
-kvc $SIGNING_CERT_NAME \ | |
-fd sha256 \ | |
-du https://bitwarden.com \ | |
-tr http://timestamp.digicert.com \ | |
./target/${{ matrix.settings.target }}/release/bws.exe | |
- name: Zip | |
shell: cmd | |
run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe | |
- name: Upload artifact | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
build-macos: | |
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
needs: | |
- setup | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- os: macos-13 | |
target: x86_64-apple-darwin | |
- os: macos-13 | |
target: aarch64-apple-darwin | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable | |
with: | |
toolchain: stable | |
targets: ${{ matrix.settings.target }} | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
with: | |
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
- name: Build | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Login to Azure | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets macos | |
id: retrieve-secrets-macos | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "macos-bws-notarization-apple-id, | |
macos-bws-notarization-team-id, | |
macos-bws-notarization-password, | |
macos-bws-certificate-name, | |
macos-bws-installer-certificate-name" | |
- name: Decrypt secrets | |
env: | |
DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} | |
run: | | |
mkdir -p $HOME/secrets | |
gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ | |
--output "$HOME/secrets/devid-app-cert.p12" \ | |
"$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" | |
- name: Set up keychain | |
env: | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
run: | | |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security set-keychain-settings -lut 1200 build.keychain | |
ls $HOME/secrets | |
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
- name: Sign macos | |
env: | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./target/${{ matrix.settings.target }}/release/bws | |
- name: Notarize app macos | |
env: | |
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} | |
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} | |
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: | | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
echo "Creating notarization archive" | |
zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws | |
codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
echo "Notarize app" | |
xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait | |
- name: Upload artifact | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
build-linux: | |
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
needs: | |
- setup | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- os: ubuntu-20.04 | |
target: x86_64-unknown-linux-musl | |
- os: ubuntu-20.04 | |
target: aarch64-unknown-linux-musl | |
- os: ubuntu-20.04 | |
target: x86_64-unknown-linux-gnu | |
- os: ubuntu-20.04 | |
target: aarch64-unknown-linux-gnu | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable | |
with: | |
toolchain: stable | |
targets: ${{ matrix.settings.target }} | |
- uses: goto-bus-stop/setup-zig@7ab2955eb728f5440978d5824358023be3a2802d # v2.2.0 | |
with: | |
version: 0.12.0 | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
with: | |
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
- name: Install Zigbuild | |
run: cargo install cargo-zigbuild --locked --git https://github.com/rust-cross/cargo-zigbuild --rev 6f7e1336c9cd13cf1b3704f93c40fcf84caaed6b # 0.18.4 | |
- name: Build | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cargo zigbuild ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Zip linux | |
run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws | |
- name: Upload artifact | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
macos-universal-binary: | |
name: Generate universal macOS binary | |
runs-on: macos-13 | |
needs: | |
- setup | |
- build-macos | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Download x86_64-apple-darwin artifact | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
- name: Download aarch64-apple-darwin artifact | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
- name: Unzip artifacts | |
run: | | |
unzip bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-x86_64-apple-darwin | |
unzip bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-aarch64-apple-darwin | |
- name: lipo create universal package | |
run: | | |
mkdir ./bws-macos-universal | |
lipo -create -output ./bws-macos-universal/bws ./bws-x86_64-apple-darwin/bws ./bws-aarch64-apple-darwin/bws | |
- name: Login to Azure | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets-macos | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "macos-bws-notarization-apple-id, | |
macos-bws-notarization-team-id, | |
macos-bws-notarization-password, | |
macos-bws-certificate-name, | |
macos-bws-installer-certificate-name" | |
- name: Decrypt secrets | |
env: | |
DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} | |
run: | | |
mkdir -p $HOME/secrets | |
gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ | |
--output "$HOME/secrets/devid-app-cert.p12" \ | |
"$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" | |
- name: Set up keychain | |
env: | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
run: | | |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security set-keychain-settings -lut 1200 build.keychain | |
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
- name: Sign binary | |
env: | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-aarch64-apple-darwin/bws | |
- name: Notarize app | |
env: | |
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} | |
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} | |
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: | | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
echo "Creating notarization archive" | |
zip -j ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws | |
codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
echo "Notarize app" | |
xcrun notarytool submit ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait | |
- name: Upload artifact | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
third_party: | |
name: Generate THIRDPARTY.html | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable | |
with: | |
toolchain: stable | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
with: | |
key: cargo-cli-about | |
- name: Install cargo-about | |
run: cargo install cargo-about | |
- name: Generate THIRDPARTY.html | |
working-directory: ./crates/bws | |
run: | | |
cargo about generate ../../about.hbs > THIRDPARTY.html | |
sed -i.bak 's/\$NAME\$/Bitwarden Secrets Manager CLI/g' THIRDPARTY.html | |
- name: Upload artifact | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: THIRDPARTY.html | |
path: ./crates/bws/THIRDPARTY.html | |
if-no-files-found: error | |
manpages: | |
name: Generate manpages | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable | |
with: | |
toolchain: stable | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
with: | |
key: cargo-cli-manpage | |
- name: Generate manpages | |
run: | | |
cargo check -p bws --message-format json > build.json | |
OUT_DIR=$(jq -r --slurp '.[] | select (.reason == "build-script-executed") | select(.package_id|contains("crates/bws")) .out_dir' build.json) | |
mv $OUT_DIR/manpages . | |
- name: Upload artifact | |
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
with: | |
name: manpages | |
path: ./manpages/* | |
if-no-files-found: error |