Compare commits

..

No commits in common. "master" and "v2026.3.1" have entirely different histories.

5 changed files with 23 additions and 108 deletions

View file

@ -1,48 +1,43 @@
name: CI name: CI
permissions: {} permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
on: on:
pull_request: pull_request:
paths: paths:
- ".github/workflows/ci.yml" - ".github/workflows/ci.yml"
- "patches/v20*.patch"
- "resources/**" - "resources/**"
- "scripts/**" - "scripts/**"
- "Dockerfile" - "Dockerfile"
defaults:
run:
shell: bash
jobs: jobs:
docker-build: docker-build:
name: Test building web-vault name: Test building web-vault
permissions: permissions:
packages: write # Needed to upload packages and artifacts packages: write # Needed to upload packages and artifacts
contents: read contents: read
runs-on: ubuntu-24.04 runs-on: ubuntu-latest
env: env:
# Force docker to output the progress in plain # Force docker to output the progress in plain
BUILDKIT_PROGRESS: plain BUILDKIT_PROGRESS: plain
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Build and Extract - name: Build and Extract
shell: bash
run: | run: |
make docker-extract make docker-extract
- name: Generate checksum - name: Generate checksum
shell: bash
run: | run: |
echo "sha256sum: $(sha256sum container_builds/bw_web_vault.tar.gz)" echo "sha256sum: $(sha256sum container_builds/bw_web_vault.tar.gz)"
- name: "Upload web-vault artifact" - name: "Upload web-vault artifact"
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with: with:
name: web-vault name: web-vault
compression-level: 0 compression-level: 0

View file

@ -1,44 +0,0 @@
name: Hadolint
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
on: [ push, pull_request ]
defaults:
run:
shell: bash
jobs:
hadolint:
name: Validate Dockerfile syntax
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
# Start Docker Buildx
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
# Checkout the repo
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# End Checkout the repo
# Test Dockerfiles with hadolint
- name: Run hadolint on Dockerfile
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
with:
dockerfile: Dockerfile
# End Test Dockerfiles with hadolint
# Test Dockerfiles with docker build checks
- name: Run docker build check
run: |
echo "Checking Dockerfile"
docker build --check . -f Dockerfile
# End Test Dockerfiles with docker build checks

View file

@ -1,20 +1,11 @@
name: Release name: Release
permissions: {} permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
# Don't cancel other runs when creating a tag
cancel-in-progress: ${{ github.ref_type == 'branch' }}
on: on:
push: push:
tags: tags:
- 'v[0-9]+.[0-9]+.[0-9]+*' - 'v[0-9]+.[0-9]+.[0-9]+*'
defaults:
run:
shell: bash
jobs: jobs:
docker-build: docker-build:
name: Release web-vault name: Release web-vault
@ -22,9 +13,9 @@ jobs:
permissions: permissions:
packages: write # Needed to upload packages and artifacts packages: write # Needed to upload packages and artifacts
contents: read contents: read
attestations: write # Needed to generate an artifact attestation for a build # attestations: write # Needed to generate an artifact attestation for a build
id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate # id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
runs-on: ubuntu-24.04 runs-on: ubuntu-latest
env: env:
# Force docker to output the progress in plain # Force docker to output the progress in plain
BUILDKIT_PROGRESS: plain BUILDKIT_PROGRESS: plain
@ -36,19 +27,18 @@ jobs:
HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }} HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
# Determine Docker Tag # Determine Docker Tag
- name: Init Variables - name: Init Variables
id: vars id: vars
env: shell: bash
GITHUB_REF: ${{ github.ref }}
run: | run: |
if [[ "${GITHUB_REF}" == refs/tags/* ]]; then if [[ "${{ github.ref }}" == refs/tags/* ]]; then
DOCKER_TAG="${GITHUB_REF#refs/*/}" DOCKER_TAG="${GITHUB_REF#refs/*/}"
elif [[ "${GITHUB_REF}" == refs/heads/* ]]; then elif [[ "${{ github.ref }}" == refs/heads/* ]]; then
DOCKER_TAG="testing" DOCKER_TAG="testing"
fi fi
# We use `+build.n` to version patches when there was no change to the web-vault version from upstream # We use `+build.n` to version patches when there was no change to the web-vault version from upstream
@ -58,7 +48,7 @@ jobs:
# Login to Docker Hub # Login to Docker Hub
- name: Login to Docker Hub - name: Login to Docker Hub
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
@ -66,16 +56,14 @@ jobs:
- name: Tags for DockerHub - name: Tags for DockerHub
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
env: shell: bash
DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }}
run: | run: |
echo "tags=${tags:+${tags},}${DOCKERHUB_REPO}:${DOCKER_TAG}" \ echo "tags=${tags:+${tags},}${{ vars.DOCKERHUB_REPO }}:${{ steps.vars.outputs.DOCKER_TAG }}" \
| tee -a "${GITHUB_ENV}" | tee -a "${GITHUB_ENV}"
# Login to GitHub Container Registry # Login to GitHub Container Registry
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
@ -84,38 +72,14 @@ jobs:
- name: Tags for ghcr.io - name: Tags for ghcr.io
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
env: shell: bash
GHCR_REPO: ${{ vars.GHCR_REPO }}
DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }}
run: | run: |
echo "tags=${tags:+${tags},}${GHCR_REPO}:${DOCKER_TAG}" \ echo "tags=${tags:+${tags},}${{ vars.GHCR_REPO }}:${{ steps.vars.outputs.DOCKER_TAG }}" \
| tee -a "${GITHUB_ENV}" | tee -a "${GITHUB_ENV}"
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
with:
cache-binary: false
- name: Build and push - name: Build and push
uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
id: build
with: with:
context: . context: .
push: true push: true
tags: ${{ env.tags }} tags: ${{ env.tags }}
- name: Attest - docker.io
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1
with:
subject-name: ${{ vars.DOCKERHUB_REPO }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
- name: Attest - ghcr.io
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1
with:
subject-name: ${{ vars.GHCR_REPO }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true

View file

@ -23,8 +23,8 @@ RUN node --version && npm --version
# Can be a tag, release, but prefer a commit hash because it's not changeable # Can be a tag, release, but prefer a commit hash because it's not changeable
# https://github.com/bitwarden/clients/commit/${VAULT_VERSION} # https://github.com/bitwarden/clients/commit/${VAULT_VERSION}
# #
# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.6.2 # Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.3.1
ARG VAULT_VERSION=5756400aa48cc39a73984461f8d7c0ddf6feaa28 ARG VAULT_VERSION=cd1eb788b667bdf31aee2d8b32aae7718c59097e
ENV VAULT_VERSION=$VAULT_VERSION ENV VAULT_VERSION=$VAULT_VERSION
ENV VAULT_FOLDER=bw_clients ENV VAULT_FOLDER=bw_clients
ENV CHECKOUT_TAGS=false ENV CHECKOUT_TAGS=false

View file

@ -2,7 +2,7 @@
set -o pipefail -o errexit set -o pipefail -o errexit
BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")") BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")")
FALLBACK_WEBVAULT_VERSION=v2026.6.2 FALLBACK_WEBVAULT_VERSION=v2026.3.1
# Error handling # Error handling
handle_error() { handle_error() {