bitwarden
diff --git a/‎templates/README.md‎
Lines changed: 8 additions & 0 deletions b/‎templates/README.md‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎templates/docker/README.md‎
Lines changed: 13 additions & 0 deletions b/‎templates/docker/README.md‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎templates/docker/product/README.md‎
Lines changed: 47 additions & 0 deletions b/‎templates/docker/product/README.md‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎templates/docker/product/build_push_acr.yml‎
Lines changed: 149 additions & 0 deletions b/‎templates/docker/product/build_push_acr.yml‎
Lines changed: 149 additions & 0 deletions
diff --git a/‎templates/docker/product/build_push_ghcr.yml‎
Lines changed: 141 additions & 0 deletions b/‎templates/docker/product/build_push_ghcr.yml‎
Lines changed: 141 additions & 0 deletions
@@ -0,0 +1,8 @@
+# Workflow Templates
+
+#### Purpose
+
+The intention of these templates is to provide a starting point for adding workflow support to repositories.<br/>
+They can be pulled together as necessary or have other steps added to meet the required need.
+
+
@@ -0,0 +1,13 @@
+# Docker Workflow Templates
+
+There are currently 2 types of templates:
+- Product Templates
+- Service Templates
+
+### Product Template
+This can be used when docker images are released as a product to the public.<br/>
+See the [product folder's README](./product/README.md) for more information.
+
+### Service Template
+This can be used when docker images are pushed as an internal service that supports either internal tools or the SAAS product.<br/>
+See the [service folder's README](./service/README.md) for more information.
@@ -0,0 +1,47 @@
+# Docker Workflow Templates for Product Images
+
+These workflow templates can be copied and modified as necessary to support building, releasing, and publishing docker images.
+
+## General Flow
+1. Build and Push
+2. Release
+3. Publish
+
+## Templates
+
+### Build and Push
+There are currently 2 versions of this template:
+- `build_push_acr.yml`
+- `build_push_ghcr.yml`
+
+These can be combined if necessary for pushing to both ACR and GHCR.
+
+Purpose: These build the docker image and push it out to registries if tags are set to be pushed (See below)
+
+Tags that are pushed:
+- On push to main: `dev`
+- On PR: `pr-#`
+
+---
+
+### Release
+The `release.yml` workflow handles release both ACR and GHCR.
+It can be modified to adjust to only doing one by removing the respective job.
+
+This will do 2 things:
+1. Create a GitHub Release
+2. Publish the `dev` tag as the release version tag in ACR and GHCR
+
+Tags that are pushed:
+- Release version tag
+
+---
+
+### Publish
+The `publish.yml` workflow handles publishing both ACR and GHCR.
+It can be modified to adjust to only doing one by removing the respective job
+
+This will copy the tag corresponding to the latest release to the `latest` tag
+
+Tags that are pushed:
+- `latest`
@@ -0,0 +1,149 @@
+name: Build
+
+on:
+  pull_request:
+  push:
+    branches:
+      - "main"
+  workflow_dispatch:
+
+permissions: {}
+
+env:
+  _AZURE_REGISTRY: bitwardenprod.azurecr.io
+  _IMAGE_NAME: TEMPLATE_IMAGE_NAME # UPDATE: TEMPLATE VALUE TO UPDATE WHEN COPIED
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Check if image should be published
+        env:
+          PUBLISH_BRANCHES: "main"
+          PUBLISH_TAGS: "false"
+          PUBLISH_PR: "true"
+        run: |
+          BRANCH_REF=${GITHUB_REF#refs/heads/}
+          IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES"
+
+          if [[ "${PUBLISH_TAGS}" == "true" && "${GITHUB_REF}" == refs/tags/* ]]; then
+            echo "push_image=true" >> "$GITHUB_ENV"
+          elif [[ "${publish_branches[*]}" =~ "${BRANCH_REF}" ]]; then
+            echo "push_image=true" >> "$GITHUB_ENV"
+          else
+            echo "push_image=false" >> "$GITHUB_ENV"
+          fi
+
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      ########## Set up Docker ##########
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      ########## Login to Docker registries ##########
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      - name: Login to Azure ACR
+        run: az acr login -n "${_AZURE_REGISTRY%%.*}"
+
+      ########## Generate image tag and build Docker image ##########
+      - name: Generate Docker image tag
+        id: tag
+        env:
+          EVENT_TYPE: ${{ contains(github.event_name, 'pull_request') && 'pull_request' || '' }}
+        run: |
+          if [[ "$EVENT_TYPE" == "pull_request" ]]; then
+            IMAGE_TAG="pr-${{ github.event.pull_request.number }}"
+          else
+            IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
+            if [[ "$IMAGE_TAG" == "main" ]]; then
+              IMAGE_TAG=dev
+            fi
+          fi
+          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Generate image tag(s)
+        id: image-tags
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+          SHA: ${{ github.sha }}
+        run: |
+          FULL_IMAGE_NAME="${_AZURE_REGISTRY}/${_IMAGE_NAME}"
+          TAGS="${FULL_IMAGE_NAME}:${IMAGE_TAG}"
+          echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
+          if [[ "$IMAGE_TAG" == "dev" ]]; then
+            SHORT_SHA="$(git rev-parse --short "${SHA}")"
+            TAGS="$TAGS,${FULL_IMAGE_NAME}:${IMAGE_TAG}-${SHORT_SHA}"
+          fi
+          echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
+
+      ########## Build Docker image ##########
+      - name: Build Docker image
+        id: build-docker
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64
+          push: ${{ env.push_image == 'true' }}
+          tags: ${{ steps.image-tags.outputs.tags }}
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+
+      - name: Install Cosign
+        if: env.push_image == 'true'
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Sign image with Cosign
+        if: env.push_image == 'true'
+        env:
+          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          TAGS: ${{ steps.image-tags.outputs.tags }}
+        run: |
+          IFS=',' read -r -a tags_array <<< "${TAGS}"
+          images=()
+          for tag in "${tags_array[@]}"; do
+            images+=("${tag}@${DIGEST}")
+          done
+          cosign sign --yes ${images[@]} # Do not quote the array to expand properly
+
+      - name: Scan Docker image
+        id: container-scan
+        uses: anchore/scan-action@568b89d27fc18c60e56937bff480c91c772cd993 # v7.1.0
+        with:
+          image: ${{ steps.image-tags.outputs.primary_tag }}
+          fail-build: false
+          output-format: sarif
+
+      - name: Upload Grype results to GitHub
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        with:
+          sarif_file: ${{ steps.container-scan.outputs.sarif }}
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
+
+      - name: Log out of Docker
+        run: |
+          docker logout "$_AZURE_REGISTRY"
+
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
@@ -0,0 +1,141 @@
+name: Build
+
+on:
+  pull_request:
+  push:
+    branches:
+      - "main"
+  workflow_dispatch:
+
+permissions: {}
+
+env:
+  _IMAGE_NAME: ghcr.io/bitwarden/TEMPLATE_IMAGE_NAME # TEMPLATE VALUE TO UPDATE WHEN COPIED
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Check if image should be published
+        env:
+          PUBLISH_BRANCHES: "main"
+          PUBLISH_TAGS: "false"
+          PUBLISH_PR: "true"
+        run: |
+          BRANCH_REF=${GITHUB_REF#refs/heads/}
+          IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES"
+
+          if [[ "${PUBLISH_TAGS}" == "true" && "${GITHUB_REF}" == refs/tags/* ]]; then
+            echo "push_image=true" >> "$GITHUB_ENV"
+          elif [[ "${publish_branches[*]}" =~ "${BRANCH_REF}" ]]; then
+            echo "push_image=true" >> "$GITHUB_ENV"
+          else
+            echo "push_image=false" >> "$GITHUB_ENV"
+          fi
+
+      - name: Check out repo
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      ########## Set up Docker ##########
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      ########## Login to Docker registries ##########
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      ########## Generate image tag and build Docker image ##########
+      - name: Generate Docker image tag
+        id: tag
+        env:
+          EVENT_TYPE: ${{ contains(github.event_name, 'pull_request') && 'pull_request' || '' }}
+        run: |
+          if [[ "$EVENT_TYPE" == "pull_request" ]]; then
+            IMAGE_TAG="pr-${{ github.event.pull_request.number }}"
+          else
+            IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
+            if [[ "$IMAGE_TAG" == "main" ]]; then
+              IMAGE_TAG=dev
+            fi
+          fi
+          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Generate image tag(s)
+        id: image-tags
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+          SHA: ${{ github.sha }}
+        run: |
+          TAGS="${_IMAGE_NAME}:${IMAGE_TAG}"
+          echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
+          if [[ "$IMAGE_TAG" == "dev" ]]; then
+            SHORT_SHA="$(git rev-parse --short "${SHA}")"
+            TAGS="$TAGS,${_IMAGE_NAME}:${IMAGE_TAG}-${SHORT_SHA}"
+          fi
+          echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
+
+      ########## Build Docker image ##########
+      - name: Build Docker image
+        id: build-docker
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: Dockerfile
+          platforms: linux/amd64
+          push: ${{ env.push_image == 'true' }}
+          tags: ${{ steps.image-tags.outputs.tags }}
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false
+
+      - name: Install Cosign
+        if: env.push_image == 'true'
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Sign image with Cosign
+        if: env.push_image == 'true'
+        env:
+          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          TAGS: ${{ steps.image-tags.outputs.tags }}
+        run: |
+          IFS=',' read -r -a tags_array <<< "${TAGS}"
+          images=()
+          for tag in "${tags_array[@]}"; do
+            images+=("${tag}@${DIGEST}")
+          done
+          cosign sign --yes ${images[@]} # Do not quote the array to expand properly
+
+      - name: Scan Docker image
+        id: container-scan
+        uses: anchore/scan-action@568b89d27fc18c60e56937bff480c91c772cd993 # v7.1.0
+        with:
+          image: ${{ steps.image-tags.outputs.primary_tag }}
+          fail-build: false
+          output-format: sarif
+
+      - name: Upload Grype results to GitHub
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
+        with:
+          sarif_file: ${{ steps.container-scan.outputs.sarif }}
+          sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
+          ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
+
+      - name: Log out of Docker
+        run: |
+          docker logout ghcr.io