From 71849564c9b1463ba1557c6dc154dac95d5de39e Mon Sep 17 00:00:00 2001 From: dfunkt Date: Sun, 19 Apr 2026 21:49:28 +0300 Subject: [PATCH 1/7] Add image attestation - `setup-buildx-action` needed for attestation manifest generation - for ghcr.io and docker.io --- .github/workflows/release.yml | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1f04e88..78daa26 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,8 +13,8 @@ jobs: permissions: packages: write # Needed to upload packages and artifacts contents: read - # attestations: write # Needed to generate an artifact attestation for a build - # id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate + attestations: write # Needed to generate an artifact attestation for a build + id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate runs-on: ubuntu-latest env: # Force docker to output the progress in plain @@ -77,9 +77,31 @@ jobs: echo "tags=${tags:+${tags},}${{ vars.GHCR_REPO }}:${{ steps.vars.outputs.DOCKER_TAG }}" \ | tee -a "${GITHUB_ENV}" + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + with: + cache-binary: false + - name: Build and push uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + id: build with: context: . push: true tags: ${{ env.tags }} + + - name: Attest - docker.io + if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + with: + subject-name: ${{ vars.DOCKERHUB_REPO }} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true + + - name: Attest - ghcr.io + if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + with: + subject-name: ${{ vars.GHCR_REPO }} + subject-digest: ${{ steps.build.outputs.digest }} + push-to-registry: true From 71d5a4cc45cdcab53e31618a45383381ba527e52 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Wed, 22 Apr 2026 12:59:49 +0200 Subject: [PATCH 2/7] update to v2026.4.1 branch --- Dockerfile | 4 ++-- scripts/checkout_web_vault.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 60171a0..c3ee5ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,8 +23,8 @@ RUN node --version && npm --version # Can be a tag, release, but prefer a commit hash because it's not changeable # https://github.com/bitwarden/clients/commit/${VAULT_VERSION} # -# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.3.1 -ARG VAULT_VERSION=cd1eb788b667bdf31aee2d8b32aae7718c59097e +# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.4.1 +ARG VAULT_VERSION=e564bf7c687fb12a88dd8b53beff726eb23ea932 ENV VAULT_VERSION=$VAULT_VERSION ENV VAULT_FOLDER=bw_clients ENV CHECKOUT_TAGS=false diff --git a/scripts/checkout_web_vault.sh b/scripts/checkout_web_vault.sh index 47ae173..ec7f5bd 100755 --- a/scripts/checkout_web_vault.sh +++ b/scripts/checkout_web_vault.sh @@ -2,7 +2,7 @@ set -o pipefail -o errexit BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")") -FALLBACK_WEBVAULT_VERSION=v2026.3.1 +FALLBACK_WEBVAULT_VERSION=v2026.4.1 # Error handling handle_error() { From 88e67d7c880311147a0a0a1856a0b839e28aa444 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Sat, 25 Apr 2026 20:55:22 +0200 Subject: [PATCH 3/7] update to make separator optional --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c3ee5ee..2303650 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,7 +24,7 @@ RUN node --version && npm --version # https://github.com/bitwarden/clients/commit/${VAULT_VERSION} # # Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.4.1 -ARG VAULT_VERSION=e564bf7c687fb12a88dd8b53beff726eb23ea932 +ARG VAULT_VERSION=876c4dbd526add221223d4869d75eb61efe57e37 ENV VAULT_VERSION=$VAULT_VERSION ENV VAULT_FOLDER=bw_clients ENV CHECKOUT_TAGS=false From 8f2a546db13d8dcda8aaa64bbeff2eb540525a38 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Fri, 29 May 2026 23:59:52 +0200 Subject: [PATCH 4/7] update to v2026.5.0 branch --- Dockerfile | 4 ++-- scripts/checkout_web_vault.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2303650..9ca0086 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,8 +23,8 @@ RUN node --version && npm --version # Can be a tag, release, but prefer a commit hash because it's not changeable # https://github.com/bitwarden/clients/commit/${VAULT_VERSION} # -# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.4.1 -ARG VAULT_VERSION=876c4dbd526add221223d4869d75eb61efe57e37 +# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.5.0 +ARG VAULT_VERSION=fa4722a72b5ef8a113e1f398d2306aa56e31280d ENV VAULT_VERSION=$VAULT_VERSION ENV VAULT_FOLDER=bw_clients ENV CHECKOUT_TAGS=false diff --git a/scripts/checkout_web_vault.sh b/scripts/checkout_web_vault.sh index ec7f5bd..b2f5378 100755 --- a/scripts/checkout_web_vault.sh +++ b/scripts/checkout_web_vault.sh @@ -2,7 +2,7 @@ set -o pipefail -o errexit BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")") -FALLBACK_WEBVAULT_VERSION=v2026.4.1 +FALLBACK_WEBVAULT_VERSION=v2026.5.0 # Error handling handle_error() { From 3054af7ccc0899d58e1899f756c18e9982544a68 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Sat, 13 Jun 2026 22:51:33 +0200 Subject: [PATCH 5/7] update to v2026.6.0 branch --- Dockerfile | 4 ++-- scripts/checkout_web_vault.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9ca0086..d3b252d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,8 +23,8 @@ RUN node --version && npm --version # Can be a tag, release, but prefer a commit hash because it's not changeable # https://github.com/bitwarden/clients/commit/${VAULT_VERSION} # -# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.5.0 -ARG VAULT_VERSION=fa4722a72b5ef8a113e1f398d2306aa56e31280d +# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.6.0 +ARG VAULT_VERSION=13f9a3ae689f422b9c5ef3bb63c7c8ddb5035f45 ENV VAULT_VERSION=$VAULT_VERSION ENV VAULT_FOLDER=bw_clients ENV CHECKOUT_TAGS=false diff --git a/scripts/checkout_web_vault.sh b/scripts/checkout_web_vault.sh index b2f5378..60cfb02 100755 --- a/scripts/checkout_web_vault.sh +++ b/scripts/checkout_web_vault.sh @@ -2,7 +2,7 @@ set -o pipefail -o errexit BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")") -FALLBACK_WEBVAULT_VERSION=v2026.5.0 +FALLBACK_WEBVAULT_VERSION=v2026.6.0 # Error handling handle_error() { From 8f826cd68cdf0bed6670e058dd69fb35909c1653 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk Date: Wed, 24 Jun 2026 14:25:25 +0200 Subject: [PATCH 6/7] update to v2026.6.2 branch --- Dockerfile | 4 ++-- scripts/checkout_web_vault.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index d3b252d..3a5f33d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -23,8 +23,8 @@ RUN node --version && npm --version # Can be a tag, release, but prefer a commit hash because it's not changeable # https://github.com/bitwarden/clients/commit/${VAULT_VERSION} # -# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.6.0 -ARG VAULT_VERSION=13f9a3ae689f422b9c5ef3bb63c7c8ddb5035f45 +# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.6.2 +ARG VAULT_VERSION=5756400aa48cc39a73984461f8d7c0ddf6feaa28 ENV VAULT_VERSION=$VAULT_VERSION ENV VAULT_FOLDER=bw_clients ENV CHECKOUT_TAGS=false diff --git a/scripts/checkout_web_vault.sh b/scripts/checkout_web_vault.sh index 60cfb02..ce20049 100755 --- a/scripts/checkout_web_vault.sh +++ b/scripts/checkout_web_vault.sh @@ -2,7 +2,7 @@ set -o pipefail -o errexit BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")") -FALLBACK_WEBVAULT_VERSION=v2026.6.0 +FALLBACK_WEBVAULT_VERSION=v2026.6.2 # Error handling handle_error() { From effbc848cf5451e986f921c1193b6437f154cedc Mon Sep 17 00:00:00 2001 From: BlackDex Date: Wed, 8 Jul 2026 18:00:06 +0200 Subject: [PATCH 7/7] Update GitHub Actions Signed-off-by: BlackDex --- .github/workflows/ci.yml | 17 ++++++++----- .github/workflows/hadolint.yml | 44 ++++++++++++++++++++++++++++++++++ .github/workflows/release.yml | 44 ++++++++++++++++++++++------------ 3 files changed, 84 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/hadolint.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index db9d3ff..cece2d2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,43 +1,48 @@ name: CI permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + on: pull_request: paths: - ".github/workflows/ci.yml" - - "patches/v20*.patch" - "resources/**" - "scripts/**" - "Dockerfile" +defaults: + run: + shell: bash + jobs: docker-build: name: Test building web-vault permissions: packages: write # Needed to upload packages and artifacts contents: read - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 env: # Force docker to output the progress in plain BUILDKIT_PROGRESS: plain steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Build and Extract - shell: bash run: | make docker-extract - name: Generate checksum - shell: bash run: | echo "sha256sum: $(sha256sum container_builds/bw_web_vault.tar.gz)" - name: "Upload web-vault artifact" - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: web-vault compression-level: 0 diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml new file mode 100644 index 0000000..50ad022 --- /dev/null +++ b/.github/workflows/hadolint.yml @@ -0,0 +1,44 @@ +name: Hadolint +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +on: [ push, pull_request ] + +defaults: + run: + shell: bash + +jobs: + hadolint: + name: Validate Dockerfile syntax + runs-on: ubuntu-24.04 + timeout-minutes: 30 + + steps: + # Start Docker Buildx + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 + + # Checkout the repo + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + # End Checkout the repo + + # Test Dockerfiles with hadolint + - name: Run hadolint on Dockerfile + uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 + with: + dockerfile: Dockerfile + # End Test Dockerfiles with hadolint + + # Test Dockerfiles with docker build checks + - name: Run docker build check + run: | + echo "Checking Dockerfile" + docker build --check . -f Dockerfile + # End Test Dockerfiles with docker build checks diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78daa26..4f2b1dc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,11 +1,20 @@ name: Release permissions: {} +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + # Don't cancel other runs when creating a tag + cancel-in-progress: ${{ github.ref_type == 'branch' }} + on: push: tags: - 'v[0-9]+.[0-9]+.[0-9]+*' +defaults: + run: + shell: bash + jobs: docker-build: name: Release web-vault @@ -15,7 +24,7 @@ jobs: contents: read attestations: write # Needed to generate an artifact attestation for a build id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 env: # Force docker to output the progress in plain BUILDKIT_PROGRESS: plain @@ -27,18 +36,19 @@ jobs: HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }} steps: - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false # Determine Docker Tag - name: Init Variables id: vars - shell: bash + env: + GITHUB_REF: ${{ github.ref }} run: | - if [[ "${{ github.ref }}" == refs/tags/* ]]; then + if [[ "${GITHUB_REF}" == refs/tags/* ]]; then DOCKER_TAG="${GITHUB_REF#refs/*/}" - elif [[ "${{ github.ref }}" == refs/heads/* ]]; then + elif [[ "${GITHUB_REF}" == refs/heads/* ]]; then DOCKER_TAG="testing" fi # We use `+build.n` to version patches when there was no change to the web-vault version from upstream @@ -48,7 +58,7 @@ jobs: # Login to Docker Hub - name: Login to Docker Hub - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -56,14 +66,16 @@ jobs: - name: Tags for DockerHub if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} - shell: bash + env: + DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }} + DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }} run: | - echo "tags=${tags:+${tags},}${{ vars.DOCKERHUB_REPO }}:${{ steps.vars.outputs.DOCKER_TAG }}" \ + echo "tags=${tags:+${tags},}${DOCKERHUB_REPO}:${DOCKER_TAG}" \ | tee -a "${GITHUB_ENV}" # Login to GitHub Container Registry - name: Login to GitHub Container Registry - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -72,18 +84,20 @@ jobs: - name: Tags for ghcr.io if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} - shell: bash + env: + GHCR_REPO: ${{ vars.GHCR_REPO }} + DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }} run: | - echo "tags=${tags:+${tags},}${{ vars.GHCR_REPO }}:${{ steps.vars.outputs.DOCKER_TAG }}" \ + echo "tags=${tags:+${tags},}${GHCR_REPO}:${DOCKER_TAG}" \ | tee -a "${GITHUB_ENV}" - name: Setup Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 with: cache-binary: false - name: Build and push - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 id: build with: context: . @@ -92,7 +106,7 @@ jobs: - name: Attest - docker.io if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1 with: subject-name: ${{ vars.DOCKERHUB_REPO }} subject-digest: ${{ steps.build.outputs.digest }} @@ -100,7 +114,7 @@ jobs: - name: Attest - ghcr.io if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1 with: subject-name: ${{ vars.GHCR_REPO }} subject-digest: ${{ steps.build.outputs.digest }}