Compare commits

...

11 commits

Author SHA1 Message Date
Daniel García
4c9856715c
Merge pull request #247 from dani-garcia/update-gha
Update GitHub Actions
2026-07-08 22:11:00 +02:00
BlackDex
effbc848cf
Update GitHub Actions
Signed-off-by: BlackDex <black.dex@gmail.com>
2026-07-08 18:52:58 +02:00
Mathijs van Veluw
b9697bda30
Merge pull request #245 from stefan0xC/update-to-v2026.5.0
update to v2026.6.2 branch
2026-07-08 18:51:52 +02:00
Mathijs van Veluw
c42b223356
Merge pull request #242 from dfunkt/add-attestation-support
Add image attestation
2026-07-08 17:27:09 +02:00
Stefan Melmuk
8f826cd68c
update to v2026.6.2 branch 2026-06-24 14:25:25 +02:00
Stefan Melmuk
3054af7ccc
update to v2026.6.0 branch 2026-06-13 22:51:33 +02:00
Stefan Melmuk
8f2a546db1
update to v2026.5.0 branch 2026-05-29 23:59:52 +02:00
Mathijs van Veluw
5f384e70bf
Merge pull request #243 from stefan0xC/update-to-v2026.4.1
update to v2026.4.1 branch
2026-04-30 17:40:39 +02:00
Stefan Melmuk
88e67d7c88
update to make separator optional 2026-04-25 20:55:22 +02:00
Stefan Melmuk
71d5a4cc45
update to v2026.4.1 branch 2026-04-22 12:59:49 +02:00
dfunkt
71849564c9 Add image attestation
- `setup-buildx-action` needed for attestation manifest generation
- for ghcr.io and docker.io
2026-04-20 10:16:37 +03:00
5 changed files with 108 additions and 23 deletions

View file

@ -1,43 +1,48 @@
name: CI name: CI
permissions: {} permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
on: on:
pull_request: pull_request:
paths: paths:
- ".github/workflows/ci.yml" - ".github/workflows/ci.yml"
- "patches/v20*.patch"
- "resources/**" - "resources/**"
- "scripts/**" - "scripts/**"
- "Dockerfile" - "Dockerfile"
defaults:
run:
shell: bash
jobs: jobs:
docker-build: docker-build:
name: Test building web-vault name: Test building web-vault
permissions: permissions:
packages: write # Needed to upload packages and artifacts packages: write # Needed to upload packages and artifacts
contents: read contents: read
runs-on: ubuntu-latest runs-on: ubuntu-24.04
env: env:
# Force docker to output the progress in plain # Force docker to output the progress in plain
BUILDKIT_PROGRESS: plain BUILDKIT_PROGRESS: plain
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with: with:
persist-credentials: false persist-credentials: false
- name: Build and Extract - name: Build and Extract
shell: bash
run: | run: |
make docker-extract make docker-extract
- name: Generate checksum - name: Generate checksum
shell: bash
run: | run: |
echo "sha256sum: $(sha256sum container_builds/bw_web_vault.tar.gz)" echo "sha256sum: $(sha256sum container_builds/bw_web_vault.tar.gz)"
- name: "Upload web-vault artifact" - name: "Upload web-vault artifact"
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with: with:
name: web-vault name: web-vault
compression-level: 0 compression-level: 0

44
.github/workflows/hadolint.yml vendored Normal file
View file

@ -0,0 +1,44 @@
name: Hadolint
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
on: [ push, pull_request ]
defaults:
run:
shell: bash
jobs:
hadolint:
name: Validate Dockerfile syntax
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
# Start Docker Buildx
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
# Checkout the repo
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# End Checkout the repo
# Test Dockerfiles with hadolint
- name: Run hadolint on Dockerfile
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
with:
dockerfile: Dockerfile
# End Test Dockerfiles with hadolint
# Test Dockerfiles with docker build checks
- name: Run docker build check
run: |
echo "Checking Dockerfile"
docker build --check . -f Dockerfile
# End Test Dockerfiles with docker build checks

View file

@ -1,11 +1,20 @@
name: Release name: Release
permissions: {} permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
# Don't cancel other runs when creating a tag
cancel-in-progress: ${{ github.ref_type == 'branch' }}
on: on:
push: push:
tags: tags:
- 'v[0-9]+.[0-9]+.[0-9]+*' - 'v[0-9]+.[0-9]+.[0-9]+*'
defaults:
run:
shell: bash
jobs: jobs:
docker-build: docker-build:
name: Release web-vault name: Release web-vault
@ -13,9 +22,9 @@ jobs:
permissions: permissions:
packages: write # Needed to upload packages and artifacts packages: write # Needed to upload packages and artifacts
contents: read contents: read
# attestations: write # Needed to generate an artifact attestation for a build attestations: write # Needed to generate an artifact attestation for a build
# id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate
runs-on: ubuntu-latest runs-on: ubuntu-24.04
env: env:
# Force docker to output the progress in plain # Force docker to output the progress in plain
BUILDKIT_PROGRESS: plain BUILDKIT_PROGRESS: plain
@ -27,18 +36,19 @@ jobs:
HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }} HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with: with:
persist-credentials: false persist-credentials: false
# Determine Docker Tag # Determine Docker Tag
- name: Init Variables - name: Init Variables
id: vars id: vars
shell: bash env:
GITHUB_REF: ${{ github.ref }}
run: | run: |
if [[ "${{ github.ref }}" == refs/tags/* ]]; then if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
DOCKER_TAG="${GITHUB_REF#refs/*/}" DOCKER_TAG="${GITHUB_REF#refs/*/}"
elif [[ "${{ github.ref }}" == refs/heads/* ]]; then elif [[ "${GITHUB_REF}" == refs/heads/* ]]; then
DOCKER_TAG="testing" DOCKER_TAG="testing"
fi fi
# We use `+build.n` to version patches when there was no change to the web-vault version from upstream # We use `+build.n` to version patches when there was no change to the web-vault version from upstream
@ -48,7 +58,7 @@ jobs:
# Login to Docker Hub # Login to Docker Hub
- name: Login to Docker Hub - name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
@ -56,14 +66,16 @@ jobs:
- name: Tags for DockerHub - name: Tags for DockerHub
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
shell: bash env:
DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }}
DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }}
run: | run: |
echo "tags=${tags:+${tags},}${{ vars.DOCKERHUB_REPO }}:${{ steps.vars.outputs.DOCKER_TAG }}" \ echo "tags=${tags:+${tags},}${DOCKERHUB_REPO}:${DOCKER_TAG}" \
| tee -a "${GITHUB_ENV}" | tee -a "${GITHUB_ENV}"
# Login to GitHub Container Registry # Login to GitHub Container Registry
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
@ -72,14 +84,38 @@ jobs:
- name: Tags for ghcr.io - name: Tags for ghcr.io
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
shell: bash env:
GHCR_REPO: ${{ vars.GHCR_REPO }}
DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }}
run: | run: |
echo "tags=${tags:+${tags},}${{ vars.GHCR_REPO }}:${{ steps.vars.outputs.DOCKER_TAG }}" \ echo "tags=${tags:+${tags},}${GHCR_REPO}:${DOCKER_TAG}" \
| tee -a "${GITHUB_ENV}" | tee -a "${GITHUB_ENV}"
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
with:
cache-binary: false
- name: Build and push - name: Build and push
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0
id: build
with: with:
context: . context: .
push: true push: true
tags: ${{ env.tags }} tags: ${{ env.tags }}
- name: Attest - docker.io
if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1
with:
subject-name: ${{ vars.DOCKERHUB_REPO }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
- name: Attest - ghcr.io
if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1
with:
subject-name: ${{ vars.GHCR_REPO }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true

View file

@ -23,8 +23,8 @@ RUN node --version && npm --version
# Can be a tag, release, but prefer a commit hash because it's not changeable # Can be a tag, release, but prefer a commit hash because it's not changeable
# https://github.com/bitwarden/clients/commit/${VAULT_VERSION} # https://github.com/bitwarden/clients/commit/${VAULT_VERSION}
# #
# Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.3.1 # Using https://github.com/vaultwarden/vw_web_builds/tree/v2026.6.2
ARG VAULT_VERSION=cd1eb788b667bdf31aee2d8b32aae7718c59097e ARG VAULT_VERSION=5756400aa48cc39a73984461f8d7c0ddf6feaa28
ENV VAULT_VERSION=$VAULT_VERSION ENV VAULT_VERSION=$VAULT_VERSION
ENV VAULT_FOLDER=bw_clients ENV VAULT_FOLDER=bw_clients
ENV CHECKOUT_TAGS=false ENV CHECKOUT_TAGS=false

View file

@ -2,7 +2,7 @@
set -o pipefail -o errexit set -o pipefail -o errexit
BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")") BASEDIR=$(RL=$(readlink -n "$0"); SP="${RL:-$0}"; dirname "$(cd "$(dirname "${SP}")"; pwd)/$(basename "${SP}")")
FALLBACK_WEBVAULT_VERSION=v2026.3.1 FALLBACK_WEBVAULT_VERSION=v2026.6.2
# Error handling # Error handling
handle_error() { handle_error() {