Skip to content

Commit

Permalink
Merge branch 'main' into DEVOPS-1749-Update-release-pipeline-for-C#
Browse files Browse the repository at this point in the history
  • Loading branch information
michalchecinski authored Mar 19, 2024
2 parents 7f56e84 + a518551 commit 3058725
Show file tree
Hide file tree
Showing 8 changed files with 327 additions and 45 deletions.
267 changes: 230 additions & 37 deletions .github/workflows/publish-php.yml
Original file line number Diff line number Diff line change
@@ -1,20 +1,50 @@
name: Publish PHP SDK
run-name: Publish PHP SDK ${{ inputs.release_type }}

on:
push:
branches:
- main
workflow_dispatch:
inputs:
release_type:
description: "Release Options"
required: true
default: "Release"
type: choice
options:
- Release
- Dry Run

env:
_KEY_VAULT: "bitwarden-ci"

jobs:
build_rust:
uses: ./.github/workflows/build-rust-cross-platform.yml
validate:
name: Setup
runs-on: ubuntu-22.04
outputs:
version: ${{ steps.version.outputs.version }}
steps:
- name: Checkout repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

setup_php:
- name: Branch check
if: ${{ inputs.release_type != 'Dry Run' }}
run: |
if [[ "$GITHUB_REF" != "refs/heads/rc" ]] && [[ "$GITHUB_REF" != "refs/heads/hotfix-rc" ]]; then
echo "==================================="
echo "[!] Can only release from the 'rc' or 'hotfix-rc' branches"
echo "==================================="
exit 1
fi
- name: Get version
id: version
run: |
VERSION=$(cat languages/php/composer.json | grep -Eo '"version": "[0-9]+\.[0-9]+\.[0-9]+"' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
echo "version=$VERSION" >> $GITHUB_OUTPUT
setup-php:
name: Setup PHP
runs-on: ubuntu-22.04
needs:
- build_rust

steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand All @@ -32,44 +62,207 @@ jobs:
composer validate
working-directory: languages/php/

- name: Download x86_64-apple-darwin files
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
repo-sync:
name: Push changed files to SDK PHP repo
runs-on: ubuntu-22.04
needs:
- validate
- setup-php
env:
_BOT_EMAIL: [email protected]
_BOT_NAME: bitwarden-devops-bot
_PKG_VERSION: ${{ needs.validate.outputs.version }}
steps:
- name: Checkout SDK repo
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4.0.0
with:
name: libbitwarden_c_files-x86_64-apple-darwin
path: temp/macos-x64
path: sdk

- name: Download aarch64-apple-darwin files
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
- name: Login to Azure - Prod Subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
name: libbitwarden_c_files-aarch64-apple-darwin
path: temp/macos-arm64
creds: ${{ secrets.AZURE_CI_SERVICE_PRINCIPAL }}

- name: Download x86_64-unknown-linux-gnu files
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@4f37134d838f21609c38cb56694d8605f176704c
with:
name: libbitwarden_c_files-x86_64-unknown-linux-gnu
path: temp/linux-x64
keyvault: ${{ env._KEY_VAULT }}
secrets: "github-pat-bitwarden-devops-bot-repo-scope"

- name: Download x86_64-pc-windows-msvc files
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
- name: Checkout SDK-PHP repo
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4.0.0
with:
name: libbitwarden_c_files-x86_64-pc-windows-msvc
path: temp/windows-x64
repository: bitwarden/sm-sdk-php
path: sm-sdk-php
ref: main
token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}

- name: Copy lib files
- name: Setup Git
working-directory: sm-sdk-php
run: |
mkdir -p languages/php/src/lib/macos-arm64
mkdir -p languages/php/src/lib/linux-x64
mkdir -p languages/php/src/lib/macos-x64
mkdir -p languages/php/src/lib/windows-x64
git config --local user.email "${{ env._BOT_EMAIL }}"
git config --local user.name "${{ env._BOT_NAME }}"
platforms=("macos-arm64" "linux-x64" "macos-x64" "windows-x64")
files=("libbitwarden_c.dylib" "libbitwarden_c.so" "libbitwarden_c.dylib" "bitwarden_c.dll")
- name: Update files
run: |
# Copy files to local sm-sdk-php repo path
cp --verbose -rf sdk/languages/php/. sm-sdk-php
- name: Replace repo name
working-directory: sm-sdk-php
run: |
find . -name '*' -exec \
sed -i -e 's/github.com\/bitwarden\/sdk\/languages\/php/github.com\/bitwarden\/sm-sdk-php/g' {} \;
for ((i=0; i<${#platforms[@]}; i++)); do
cp "temp/${platforms[$i]}/${files[$i]}" "languages/php/src/lib/${platforms[$i]}/${files[$i]}"
done
find . -name '*' -exec \
sed -i -e 's/github.com\/bitwarden\/sdk/github.com\/bitwarden\/sm-sdk-php/g' {} \;
- name: Push changes
working-directory: sm-sdk-php
run: |
git add .
git commit -m "Update Go SDK to ${{ github.sha }}"
if [[ "${{ inputs.release_type }}" == "Dry Run" ]]; then
echo "==================================="
echo "[!] Dry Run - Skipping push"
echo "==================================="
git ls-files -m
exit 0
else
git push origin main
fi
- name: Create release tag on SDK Go repo
if: ${{ inputs.release_type != 'Dry Run' }}
working-directory: sm-sdk-php
run: |
# Check if tag exists, set output then exit 0 if true.
if git log v${{ env._PKG_VERSION }} >/dev/null 2>&1; then
echo "==================================="
echo "[!] Tag v${{ env._PKG_VERSION }} already exists"
echo "==================================="
exit 1
fi
git tag v${{ env._PKG_VERSION }}
git push origin v${{ env._PKG_VERSION }}
github-release:
name: GitHub Release
runs-on: ubuntu-22.04
needs:
- setup-php
- repo-sync
- validate
env:
_PKG_VERSION: ${{ needs.validate.outputs.version }}
steps:
- name: Login to Azure - Prod Subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_CI_SERVICE_PRINCIPAL }}

- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@4f37134d838f21609c38cb56694d8605f176704c
with:
keyvault: ${{ env._KEY_VAULT }}
secrets: "github-pat-bitwarden-devops-bot-repo-scope"

- name: Download x86_64-apple-darwin artifact
uses: bitwarden/gh-actions/download-artifacts@main
with:
workflow: build-rust-cross-platform.yml
workflow_conclusion: success
branch: ${{ inputs.release_type == 'Dry Run' && 'main' || github.ref_name }}
artifacts: libbitwarden_c_files-x86_64-apple-darwin
skip_unpack: true

- name: Download aarch64-apple-darwin artifact
uses: bitwarden/gh-actions/download-artifacts@main
with:
workflow: build-rust-cross-platform.yml
workflow_conclusion: success
branch: ${{ inputs.release_type == 'Dry Run' && 'main' || github.ref_name }}
artifacts: libbitwarden_c_files-aarch64-apple-darwin
skip_unpack: true

- name: Download x86_64-unknown-linux-gnu artifact
uses: bitwarden/gh-actions/download-artifacts@main
with:
workflow: build-rust-cross-platform.yml
workflow_conclusion: success
branch: ${{ inputs.release_type == 'Dry Run' && 'main' || github.ref_name }}
artifacts: libbitwarden_c_files-x86_64-unknown-linux-gnu
skip_unpack: true

- name: Download x86_64-pc-windows-msvc artifact
uses: bitwarden/gh-actions/download-artifacts@main
with:
workflow: build-rust-cross-platform.yml
workflow_conclusion: success
branch: ${{ inputs.release_type == 'Dry Run' && 'main' || github.ref_name }}
artifacts: libbitwarden_c_files-x86_64-pc-windows-msvc
skip_unpack: true

- name: Rename build artifacts
run: |
mv libbitwarden_c_files-x86_64-apple-darwin.zip libbitwarden_c_files-x86_64-apple-darwin-$_PKG_VERSION.zip
mv libbitwarden_c_files-aarch64-apple-darwin.zip libbitwarden_c_files-aarch64-apple-darwin-$_PKG_VERSION.zip
mv libbitwarden_c_files-x86_64-unknown-linux-gnu.zip libbitwarden_c_files-x86_64-unknown-linux-gnu-$_PKG_VERSION.zip
mv libbitwarden_c_files-x86_64-pc-windows-msvc.zip libbitwarden_c_files-x86_64-pc-windows-msvc-$_PKG_VERSION.zip
- name: Create release
if: ${{ inputs.release_type != 'Dry Run' }}
uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0
with:
tag: v${{ env._PKG_VERSION }}
name: v${{ env._PKG_VERSION }}
body: "<insert release notes here>"
token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
draft: true
repo: sm-sdk-php
owner: bitwarden
artifacts: "libbitwarden_c_files-x86_64-apple-darwin-${{ env._PKG_VERSION }}.zip,
libbitwarden_c_files-aarch64-apple-darwin-${{ env._PKG_VERSION }}.zip,
libbitwarden_c_files-x86_64-unknown-linux-gnu-${{ env._PKG_VERSION }}.zip,
libbitwarden_c_files-x86_64-pc-windows-msvc-${{ env._PKG_VERSION }}.zip"

packagist-publish:
name: Publish to Packagist
runs-on: ubuntu-22.04
needs:
- validate
- setup-php
- repo-sync
- github-release
steps:
- name: Login to Azure - Prod Subscription
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_CI_SERVICE_PRINCIPAL }}

- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@4f37134d838f21609c38cb56694d8605f176704c
with:
keyvault: ${{ env._KEY_VAULT }}
secrets: "github-pat-bitwarden-devops-bot-repo-scope,
packagist-key"

- name: Checkout SDK-PHP repo
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4.0.0
with:
repository: bitwarden/sm-sdk-php
path: sm-sdk-php
ref: main
token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}

- name: Publish version
run: curl -XPOST -H'content-type:application/json' 'https://packagist.org/api/update-package?username=malirobot&apiToken=${{secrets.PACKAGIST_KEY}}' -d'{"repository":{"url":"https://packagist.org/packages/bitwarden/sdk"}}'
working-directory: languages/php/
if: ${{ inputs.release_type != 'Dry Run' }}
env:
PACKAGIST_KEY: ${{ steps.retrieve-secrets.outputs.packagist-key }}
run: curl -XPOST -H'content-type:application/json' 'https://packagist.org/api/update-package?username=bitwarden&apiToken=${{ env.PACKAGIST_KEY }}' -d'{"repository":{"url":"https://packagist.org/packages/bitwarden/sdk-secrets"}}'
working-directory: sm-sdk-php
4 changes: 2 additions & 2 deletions .github/workflows/release-go.yml
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ jobs:

- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@4f37134d838f21609c38cb56694d8605f176704c
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: ${{ env._KEY_VAULT }}
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
Expand Down Expand Up @@ -151,7 +151,7 @@ jobs:

- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@4f37134d838f21609c38cb56694d8605f176704c
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: ${{ env._KEY_VAULT }}
secrets: "github-pat-bitwarden-devops-bot-repo-scope"
Expand Down
71 changes: 71 additions & 0 deletions .github/workflows/scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
name: Scan

on:
workflow_dispatch:
push:
branches:
- "main"
- "rc"
- "hotfix-rc"
pull_request_target:
types: [opened, synchronize]

permissions: read-all

jobs:
check-run:
name: Check PR run
uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main

sast:
name: SAST scan
runs-on: ubuntu-22.04
needs: check-run
permissions:
security-events: write

steps:
- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Scan with Checkmarx
uses: checkmarx/ast-github-action@749fec53e0db0f6404a97e2e0807c3e80e3583a7 #2.0.23
env:
INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
with:
project_name: ${{ github.repository }}
cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
base_uri: https://ast.checkmarx.net/
cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}

- name: Upload Checkmarx results to GitHub
uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
with:
sarif_file: cx_result.sarif

quality:
name: Quality scan
runs-on: ubuntu-22.04
needs: check-run

steps:
- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}

- name: Scan with SonarCloud
uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
args: >
-Dsonar.organization=${{ github.repository_owner }}
-Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
-Dsonar.exclusions=languages/**
Loading

0 comments on commit 3058725

Please sign in to comment.