From 63b6a9e67eb688fb22e8e7c44ee4efe4d5cae05a Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 26 Feb 2024 12:11:01 +0100 Subject: [PATCH 1/8] [deps]: Update @types/node to v18.19.18 (#616) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)) | [`18.19.17` -> `18.19.18`](https://renovatebot.com/diffs/npm/@types%2fnode/18.19.17/18.19.18) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/18.19.18?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/18.19.18?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/18.19.17/18.19.18?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/18.19.17/18.19.18?slim=true)](https://docs.renovatebot.com/merge-confidence/) | --- ### Configuration 📅 **Schedule**: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). 
View repository job log [here](https://developer.mend.io/github/bitwarden/sdk). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- languages/js/sdk-client/package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/languages/js/sdk-client/package-lock.json b/languages/js/sdk-client/package-lock.json index 036117a72..176ed5eca 100644 --- a/languages/js/sdk-client/package-lock.json +++ b/languages/js/sdk-client/package-lock.json @@ -39,9 +39,9 @@ } }, "node_modules/@types/node": { - "version": "18.19.17", - "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.17.tgz", - "integrity": "sha512-SzyGKgwPzuWp2SHhlpXKzCX0pIOfcI4V2eF37nNBJOhwlegQ83omtVQ1XxZpDE06V/d6AQvfQdPfnw0tRC//Ng==", + "version": "18.19.18", + "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.18.tgz", + "integrity": "sha512-80CP7B8y4PzZF0GWx15/gVWRrB5y/bIjNI84NK3cmQJu0WZwvmj2WMA5LcofQFVfLqqCSp545+U2LsrVzX36Zg==", "dev": true, "dependencies": { "undici-types": "~5.26.4" From aad70143868ebef6694fbdc95766e290da70f612 Mon Sep 17 00:00:00 2001 From: Oscar Hinton Date: Tue, 27 Feb 2024 13:47:07 +0100 Subject: [PATCH 2/8] [PM-6437] Implement admin password reset logic (#631) Implement cryptographic logic for admin password reset. --- crates/bitwarden-uniffi/src/crypto.rs | 15 ++++- crates/bitwarden/src/mobile/client_crypto.rs | 16 +++-- crates/bitwarden/src/mobile/crypto.rs | 61 ++++++++++++++++++++ 3 files changed, 87 insertions(+), 5 deletions(-) diff --git a/crates/bitwarden-uniffi/src/crypto.rs b/crates/bitwarden-uniffi/src/crypto.rs index 2d847b33d..0f877d52e 100644 --- a/crates/bitwarden-uniffi/src/crypto.rs +++ b/crates/bitwarden-uniffi/src/crypto.rs 
@@ -3,7 +3,7 @@ use std::sync::Arc; use bitwarden::mobile::crypto::{ DerivePinKeyResponse, InitOrgCryptoRequest, InitUserCryptoRequest, UpdatePasswordResponse, }; -use bitwarden_crypto::EncString; +use bitwarden_crypto::{AsymmetricEncString, EncString}; use crate::{error::Result, Client}; @@ -83,4 +83,17 @@ impl ClientCrypto { .derive_pin_user_key(encrypted_pin) .await?) } + + pub async fn enroll_admin_password_reset( + &self, + public_key: String, + ) -> Result { + Ok(self + .0 + .0 + .write() + .await + .crypto() + .enroll_admin_password_reset(public_key)?) + } } diff --git a/crates/bitwarden/src/mobile/client_crypto.rs b/crates/bitwarden/src/mobile/client_crypto.rs index f6ea3346b..6ef65975d 100644 --- a/crates/bitwarden/src/mobile/client_crypto.rs +++ b/crates/bitwarden/src/mobile/client_crypto.rs @@ -1,14 +1,14 @@ #[cfg(feature = "internal")] -use bitwarden_crypto::EncString; +use bitwarden_crypto::{AsymmetricEncString, EncString}; use crate::Client; #[cfg(feature = "internal")] use crate::{ error::Result, mobile::crypto::{ - derive_pin_key, derive_pin_user_key, get_user_encryption_key, initialize_org_crypto, - initialize_user_crypto, update_password, DerivePinKeyResponse, InitOrgCryptoRequest, - InitUserCryptoRequest, UpdatePasswordResponse, + derive_pin_key, derive_pin_user_key, enroll_admin_password_reset, get_user_encryption_key, + initialize_org_crypto, initialize_user_crypto, update_password, DerivePinKeyResponse, + InitOrgCryptoRequest, InitUserCryptoRequest, UpdatePasswordResponse, }, }; @@ -49,6 +49,14 @@ impl<'a> ClientCrypto<'a> { pub async fn derive_pin_user_key(&mut self, encrypted_pin: EncString) -> Result { derive_pin_user_key(self.client, encrypted_pin) } + + #[cfg(feature = "internal")] + pub fn enroll_admin_password_reset( + &mut self, + public_key: String, + ) -> Result { + enroll_admin_password_reset(self.client, public_key) + } } impl<'a> Client { 
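Review bot: The exported `enroll_admin_password_reset` method added to `impl ClientCrypto` in crates/bitwarden-uniffi/src/crypto.rs has no doc comment, and `public_key: String` gives a binding consumer no hint of the expected encoding. The implementation in crates/bitwarden/src/mobile/crypto.rs decodes it with the standard base64 engine and parses the bytes with `AsymmetricPublicCryptoKey::from_der`, so I would add `/// Encrypts the user key to `public_key` (base64-encoded DER) for admin password reset enrollment.` above the method. The same comment is missing on the `enroll_admin_password_reset` method added in client_crypto.rs. Both `impl` blocks start outside their hunks.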
diff --git a/crates/bitwarden/src/mobile/crypto.rs b/crates/bitwarden/src/mobile/crypto.rs index a48b29b15..214643023 100644 --- a/crates/bitwarden/src/mobile/crypto.rs +++ b/crates/bitwarden/src/mobile/crypto.rs @@ -286,6 +286,24 @@ fn derive_pin_protected_user_key( Ok(derived_key.encrypt_user_key(user_key)?) } +#[cfg(feature = "internal")] +pub(super) fn enroll_admin_password_reset( + client: &mut Client, + public_key: String, +) -> Result { + use base64::{engine::general_purpose::STANDARD, Engine}; + use bitwarden_crypto::AsymmetricPublicCryptoKey; + + let public_key = AsymmetricPublicCryptoKey::from_der(&STANDARD.decode(public_key)?)?; + let enc = client.get_encryption_settings()?; + let key = enc.get_key(&None).ok_or(Error::VaultLocked)?; + + Ok(AsymmetricEncString::encrypt_rsa2048_oaep_sha1( + &key.to_vec(), + &public_key, + )?) +} + #[cfg(test)] mod tests { use super::*; 
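Review bot: `enroll_admin_password_reset` encrypts the user's key (`enc.get_key(&None)`) to whatever `public_key` the caller passes, and nothing in the function says who is responsible for establishing that this key is authentic. Whoever holds the matching private key can recover the user key, so the trust requirement belongs on the function itself, for example `/// Security: the result lets the holder of the matching private key recover the user key; callers must verify that `public_key` is authentic before calling.` A one-line comment on why `encrypt_rsa2048_oaep_sha1` is the chosen scheme (presumably compatibility with the existing format) would also keep the SHA-1 variant from being read as an oversight.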
@@ -461,4 +479,47 @@ mod tests { .to_base64() ); } + + #[cfg(feature = "internal")] + #[test] + fn test_enroll_admin_password_reset() { + use std::{num::NonZeroU32, ops::Deref}; + + use base64::{engine::general_purpose::STANDARD, Engine}; + use bitwarden_crypto::AsymmetricCryptoKey; + + let mut client = Client::new(None); + client.set_login_method(LoginMethod::User(UserLoginMethod::Username { + client_id: "7b821276-e27c-400b-9853-606393c87f18".to_owned(), + email: "test@bitwarden.com".to_owned(), + kdf: Kdf::PBKDF2 { + iterations: NonZeroU32::new(600_000).unwrap(), + }, + })); + + let user_key = "2.Q/2PhzcC7GdeiMHhWguYAQ==|GpqzVdr0go0ug5cZh1n+uixeBC3oC90CIe0hd/HWA/pTRDZ8ane4fmsEIcuc8eMKUt55Y2q/fbNzsYu41YTZzzsJUSeqVjT8/iTQtgnNdpo=|dwI+uyvZ1h/iZ03VQ+/wrGEFYVewBUUl/syYgjsNMbE=".parse().unwrap(); + let private_key ="2.yN7l00BOlUE0Sb0M//Q53w==|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|09J28iXv9oWzYtzK2LBT6Yht4IT4MijEkk0fwFdrVQ4=".parse().unwrap(); + client + .initialize_user_crypto("asdfasdfasdf", user_key, private_key) + .unwrap(); + + let public_key = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsy7RFHcX3C8Q4/OMmhhbFReYWfB45W9PDTEA8tUZwZmtOiN2RErIS2M1c+K/4HoDJ/TjpbX1f2MZcr4nWvKFuqnZXyewFc+jmvKVewYi+NAu2++vqKq2kKcmMNhwoQDQdQIVy/Uqlp4Cpi2cIwO6ogq5nHNJGR3jm+CpyrafYlbz1bPvL3hbyoGDuG2tgADhyhXUdFuef2oF3wMvn1lAJAvJnPYpMiXUFmj1ejmbwtlxZDrHgUJvUcp7nYdwUKaFoi+sOttHn3u7eZPtNvxMjhSS/X/1xBIzP/mKNLdywH5LoRxniokUk+fV3PYUxJsiU3lV0Trc/tH46jqd8ZGjmwIDAQAB"; + + let encrypted = enroll_admin_password_reset(&mut client, public_key.to_owned()).unwrap(); + + let private_key = 
"MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzLtEUdxfcLxDj84yaGFsVF5hZ8Hjlb08NMQDy1RnBma06I3ZESshLYzVz4r/gegMn9OOltfV/Yxlyvida8oW6qdlfJ7AVz6Oa8pV7BiL40C7b76+oqraQpyYw2HChANB1AhXL9SqWngKmLZwjA7qiCrmcc0kZHeOb4KnKtp9iVvPVs+8veFvKgYO4ba2AAOHKFdR0W55/agXfAy+fWUAkC8mc9ikyJdQWaPV6OZvC2XFkOseBQm9Rynudh3BQpoWiL6w620efe7t5k+02/EyOFJL9f/XEEjM/+Yo0t3LAfkuhHGeKiRST59Xc9hTEmyJTeVXROtz+0fjqOp3xkaObAgMBAAECggEACs4xhnO0HaZhh1/iH7zORMIRXKeyxP2LQiTR8xwN5JJ9wRWmGAR9VasS7EZFTDidIGVME2u/h4s5EqXnhxfO+0gGksVvgNXJ/qw87E8K2216g6ZNo6vSGA7H1GH2voWwejJ4/k/cJug6dz2S402rRAKh2Wong1arYHSkVlQp3diiMa5FHAOSE+Cy09O2ZsaF9IXQYUtlW6AVXFrBEPYH2kvkaPXchh8VETMijo6tbvoKLnUHe+wTaDMls7hy8exjtVyI59r3DNzjy1lNGaGb5QSnFMXR+eHhPZc844Wv02MxC15zKABADrl58gpJyjTl6XpDdHCYGsmGpVGH3X9TQQKBgQDz/9beFjzq59ve6rGwn+EtnQfSsyYT+jr7GN8lNEXb3YOFXBgPhfFIcHRh2R00Vm9w2ApfAx2cd8xm2I6HuvQ1Os7g26LWazvuWY0Qzb+KaCLQTEGH1RnTq6CCG+BTRq/a3J8M4t38GV5TWlzv8wr9U4dl6FR4efjb65HXs1GQ4QKBgQC7/uHfrOTEHrLeIeqEuSl0vWNqEotFKdKLV6xpOvNuxDGbgW4/r/zaxDqt0YBOXmRbQYSEhmO3oy9J6XfE1SUln0gbavZeW0HESCAmUIC88bDnspUwS9RxauqT5aF8ODKN/bNCWCnBM1xyonPOs1oT1nyparJVdQoG//Y7vkB3+wKBgBqLqPq8fKAp3XfhHLfUjREDVoiLyQa/YI9U42IOz9LdxKNLo6p8rgVthpvmnRDGnpUuS+KOWjhdqDVANjF6G3t3DG7WNl8Rh5Gk2H4NhFswfSkgQrjebFLlBy9gjQVCWXt8KSmjvPbiY6q52Aaa8IUjA0YJAregvXxfopxO+/7BAoGARicvEtDp7WWnSc1OPoj6N14VIxgYcI7SyrzE0d/1x3ffKzB5e7qomNpxKzvqrVP8DzG7ydh8jaKPmv1MfF8tpYRy3AhmN3/GYwCnPqT75YYrhcrWcVdax5gmQVqHkFtIQkRSCIftzPLlpMGKha/YBV8c1fvC4LD0NPh/Ynv0gtECgYEAyOZg95/kte0jpgUEgwuMrzkhY/AaUJULFuR5MkyvReEbtSBQwV5tx60+T95PHNiFooWWVXiLMsAgyI2IbkxVR1Pzdri3gWK5CTfqb7kLuaj/B7SGvBa2Sxo478KS5K8tBBBWkITqo+wLC0mn3uZi1dyMWO1zopTA+KtEGF2dtGQ="; + let private_key = + AsymmetricCryptoKey::from_der(&STANDARD.decode(private_key).unwrap()).unwrap(); + let decrypted: Vec = encrypted.decrypt_with_key(&private_key).unwrap(); + + let expected = client + .get_encryption_settings() + .unwrap() + .get_key(&None) + .unwrap() + .to_vec() + .deref() + .clone(); + assert_eq!(decrypted, expected); + } } 
From d1fe6b701324c540814fff0752209de3a7eefbcf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?= Date: Tue, 27 Feb 2024 17:53:16 +0100 Subject: [PATCH 3/8] [DEVOPS-1333] Add code signing to the Windows bws CLI (#534) ## Type of change ``` - [ ] Bug fix - [ ] New feature development - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [x] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective Digitally sign Windows CLI .exe executable to prevent warning showing up on clients' computers while running `bws` commands. ## Code changes - **.github/workflows/build-cli.yml:** - split Windows and UNIX build jobs - add steps to windows build job to login to Azure, get secrets from KeyVault, install azuresigntool and use azuresigntool to sign windows CLI artifact. ## Before you submit - Please add **unit tests** where it makes sense to do so --------- Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com> --- .github/workflows/build-cli.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index f99645af5..e60928807 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -20,6 +20,7 @@ jobs: runs-on: ubuntu-22.04 outputs: package_version: ${{ steps.retrieve-version.outputs.package_version }} + sign: ${{ steps.sign.outputs.sign }} steps: - name: Checkout repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
@@ -30,6 +31,16 @@ jobs: VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") echo "package_version=$VERSION" >> $GITHUB_OUTPUT + - name: Sign if repo is owned by Bitwarden + id: sign + env: + REPO_OWNER: ${{ github.repository_owner }} + run: | + if [[ $REPO_OWNER == bitwarden ]]; then + echo "sign=true" >> $GITHUB_OUTPUT + fi + echo "sign=false" >> $GITHUB_OUTPUT + build-windows: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} @@ -66,11 +77,13 @@ jobs: run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} - name: Login to Azure + if: ${{ needs.setup.outputs.sign == 'true' }} uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets + if: ${{ needs.setup.outputs.sign == 'true' }} id: retrieve-secrets-windows uses: bitwarden/gh-actions/get-keyvault-secrets@main with: @@ -82,9 +95,11 @@ jobs: code-signing-cert-name" - name: Install AST + if: ${{ needs.setup.outputs.sign == 'true' }} run: dotnet tool install --global AzureSignTool --version 4.0.1 - name: Sign windows binary + if: ${{ needs.setup.outputs.sign == 'true' }} env: SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} From e9b77a488403e90c89cf3cdffc4452eb84c3ed7e Mon Sep 17 00:00:00 2001 From: Matt Bishop Date: Tue, 27 Feb 2024 12:39:28 -0500 Subject: [PATCH 4/8] Provide global coverage configuration (#634) Codecov says it merges global and local configs, but looks like it doesn't. Provides global status configuration so this doesn't fail checks. --- .github/codecov.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/codecov.yml b/.github/codecov.yml index 3228d009c..e91eb4393 100644 --- a/.github/codecov.yml 
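Review bot: The `Sign if repo is owned by Bitwarden` step always finishes by writing `sign=false`, because `echo "sign=false" >> $GITHUB_OUTPUT` sits after the `fi` instead of in an `else` branch. For the bitwarden owner the output file then holds both `sign=true` and `sign=false`, and as far as I know the runner keeps the last value written for a key, so the steps gated on `needs.setup.outputs.sign == 'true'` in the later hunks of this file (Login to Azure, Retrieve secrets, Install AST, Sign windows binary) would all be skipped and the Windows binary published unsigned with a green build. Put the false branch inside the conditional: `else` / `echo "sign=false" >> $GITHUB_OUTPUT` / `fi`. The `build-windows` job header is outside these hunks, so I could not confirm that it lists `setup` under `needs`.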
+++ b/.github/codecov.yml @@ -1,3 +1,9 @@ +coverage: + status: + project: + default: + informational: true + ignore: - "crates/sdk-schemas" # Tool - "crates/uniffi-bindgen" # Tool From cdfb9fa529ffd8277d0e23c0562a140fac164d5c Mon Sep 17 00:00:00 2001 From: Oscar Hinton Date: Tue, 27 Feb 2024 19:26:27 +0100 Subject: [PATCH 5/8] Make codecov patch informational (#636) ## Type of change ``` - [ ] Bug fix - [ ] New feature development - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [x] Other ``` ## Objective We should make the patch check informational too. ## Before you submit - Please add **unit tests** where it makes sense to do so --- .github/codecov.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/codecov.yml b/.github/codecov.yml index e91eb4393..eb851984f 100644 --- a/.github/codecov.yml +++ b/.github/codecov.yml @@ -1,8 +1,7 @@ coverage: status: - project: - default: - informational: true + patch: + informational: true ignore: - "crates/sdk-schemas" # Tool From 4e456269ec2e2057ac70af8012a2abc367488dc9 Mon Sep 17 00:00:00 2001 From: Matt Bishop Date: Tue, 27 Feb 2024 15:56:37 -0500 Subject: [PATCH 6/8] Export Clippy results as SARIF and upload (#633) ## Type of change ``` - [ ] Bug fix - [ ] New feature development - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [X] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective Takes Clippy results as SARIF and uploads to GHAS for easier viewing and management. ## Code changes - **.github/workflows/lint.yml:** New Cargo package usage and SARIF upload. ## Before you submit - Please add **unit tests** where it makes sense to do so --------- Co-authored-by: Hinton --- .github/workflows/lint.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1c2279b3d..771b368f5 100644 --- a/.github/workflows/lint.yml 
+++ b/.github/workflows/lint.yml @@ -35,6 +35,20 @@ jobs: - name: Cargo fmt run: cargo +nightly fmt --check + - name: Install clippy-sarif and sarif-fmt + run: cargo install clippy-sarif sarif-fmt --locked --git https://github.com/psastras/sarif-rs.git --rev 11c33a53f6ffeaed736856b86fb6b7b09fabdfd8 + + - name: Cargo clippy + run: cargo clippy --all-features --tests --message-format=json | + clippy-sarif | tee clippy_result.sarif | sarif-fmt + env: + RUSTFLAGS: "-D warnings" + + - name: Upload Clippy results to GitHub + uses: github/codeql-action/upload-sarif@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 + with: + sarif_file: clippy_result.sarif + - name: Set up Node uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: @@ -52,8 +66,3 @@ jobs: run: cargo doc --no-deps --features internal env: RUSTDOCFLAGS: "-D warnings" - - - name: Cargo clippy - run: cargo clippy --all-features --tests - env: - RUSTFLAGS: "-D warnings" From 932945de319c7950a1e4f27fb55d378b261eb8b6 Mon Sep 17 00:00:00 2001 From: Matt Bishop Date: Thu, 29 Feb 2024 03:58:24 -0500 Subject: [PATCH 7/8] Undo global coverage setting application (#637) Reverts #634 and #636 as we found our mistake. --- .github/codecov.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/codecov.yml b/.github/codecov.yml index eb851984f..3228d009c 100644 --- a/.github/codecov.yml +++ b/.github/codecov.yml @@ -1,8 +1,3 @@ -coverage: - status: - patch: - informational: true - ignore: - "crates/sdk-schemas" # Tool - "crates/uniffi-bindgen" # Tool From c0fe4ac39c6a91b23575b6cf8d1db48e79897761 Mon Sep 17 00:00:00 2001 
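Review bot: In the relocated `Cargo clippy` step the exit status of `cargo clippy` no longer decides the step, since it is now the first command of `cargo clippy ... | clippy-sarif | tee clippy_result.sarif | sarif-fmt`. Unless the workflow sets `shell: bash` or `defaults.run.shell` outside this hunk, GitHub runs the script with `bash -e` and without `pipefail`, so a clippy failure under `RUSTFLAGS: "-D warnings"` would show up only in the SARIF output while the job stays green. Adding `shell: bash` to the step, or starting the script with `set -o pipefail`, restores the gate. With the gate restored, `Upload Clippy results to GitHub` needs `if: always()` so the findings are still uploaded when clippy fails.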
From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?= Date: Thu, 29 Feb 2024 12:13:01 +0100 Subject: [PATCH 8/8] [DEVOPS-1750] Build and release pipeline for go SDK (#632) ## Type of change ``` - [ ] Bug fix - [ ] New feature development - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [x] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective ## Code changes - **languages/go/.version:** Add file to hold current go SDK version - **.github/workflows/version-bump.yml** Add go SDK to version bump workflow - **.github/workflows/golang-release.yml** replace it with `.github/workflows/release-go.yaml` workflow. - **.github/workflows/build-go.yaml** Add build go as a separate workflow - **.github/workflows/release-go.yml** Update release go pipeline to our standards. Sync go SDK folder to external repo. Create release tag. ## Before you submit - Please add **unit tests** where it makes sense to do so --- .github/workflows/build-go.yaml | 49 +++++++++ .github/workflows/golang-release.yml | 73 ------------- .github/workflows/release-go.yml | 151 +++++++++++++++++++++++++++ .github/workflows/version-bump.yml | 6 ++ languages/go/.version | 1 + 5 files changed, 207 insertions(+), 73 deletions(-) create mode 100644 .github/workflows/build-go.yaml delete mode 100644 .github/workflows/golang-release.yml create mode 100644 .github/workflows/release-go.yml create mode 100644 languages/go/.version diff --git a/.github/workflows/build-go.yaml b/.github/workflows/build-go.yaml new file mode 100644 index 000000000..433013aac --- /dev/null +++ b/.github/workflows/build-go.yaml 
@@ -0,0 +1,49 @@ +name: Build Go SDK + +on: + push: + branches: + - main + - rc + - hotfix-rc + + pull_request: + +env: + GO111MODULE: on + GO_VERSION: "^1.18" + +jobs: + build: + name: Build + runs-on: ubuntu-22.04 + steps: + - name: Checkout Repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Setup Go environment + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 + with: + go-version: ${{ env.GO_VERSION }} + + - name: Cache dependencies + uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - name: npm ci + run: npm ci + + - name: Generate schemas + run: npm run schemas + + - name: Build + working-directory: languages/go + run: go build -v ./... + + - name: Test + working-directory: languages/go + run: go test -v ./... diff --git a/.github/workflows/golang-release.yml b/.github/workflows/golang-release.yml deleted file mode 100644 index 10ec7675e..000000000 --- a/.github/workflows/golang-release.yml +++ /dev/null 
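Review bot: The new workflow declares no `permissions:` block, so the `GITHUB_TOKEN` of this `push`/`pull_request` job gets whatever the repository default grants. The job only checks out, restores a cache and runs `npm ci`, `npm run schemas`, `go build` and `go test`, so a top-level `permissions:` with `contents: read` should be enough. `npm ci` also runs without a Node setup step, which leaves the Node version to the `ubuntu-22.04` image; pinning it with `actions/setup-node`, as lint.yml does, would keep the schema generation reproducible.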
@@ -1,73 +0,0 @@ -name: Go Release - -on: - workflow_dispatch: - inputs: - version_number: - description: "New Version" - required: true - -env: - GO111MODULE: on - GO_VERSION: "^1.18" - -jobs: - build_rust: - uses: ./.github/workflows/build-rust-cross-platform.yml - - generate-schemas: - uses: ./.github/workflows/generate_schemas.yml - - build: - name: Build - needs: - - build_rust - - generate-schemas - runs-on: ubuntu-22.04 - steps: - - name: Checkout Repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Setup Go environment - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - - - name: Cache dependencies - uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Build - run: go build -v ./... - - - name: Test - run: go test -v ./... - - release: - name: Release - needs: build - runs-on: ubuntu-22.04 - steps: - - name: Checkout Repository - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Setup Go environment - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 - with: - go-version: ${{ env.GO_VERSION }} - - - name: Set release version - run: echo "VERSION=${{ github.event.inputs.version_number }}" >> $GITHUB_ENV - - - name: Install Goreleaser - run: go install github.com/goreleaser/goreleaser@v1.21.2 - - - name: Run Goreleaser - run: goreleaser release --rm-dist --skip-validate - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VERSION: ${{ env.VERSION }} diff --git a/.github/workflows/release-go.yml b/.github/workflows/release-go.yml new file mode 100644 index 000000000..830e5f313 --- /dev/null +++ b/.github/workflows/release-go.yml 
@@ -0,0 +1,151 @@ +name: Release Go + +on: + workflow_dispatch: + inputs: + release_type: + description: "Release Options" + required: true + default: "Release" + type: choice + options: + - Release + - Dry Run + +env: + GO111MODULE: on + GO_VERSION: "^1.18" + +jobs: + validate: + name: Setup + runs-on: ubuntu-22.04 + outputs: + version: ${{ steps.version.outputs.version }} + steps: + - name: Checkout repo + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Branch check + if: ${{ github.event.inputs.release_type != 'Dry Run' }} + run: | + if [[ "$GITHUB_REF" != "refs/heads/rc" ]] && [[ "$GITHUB_REF" != "refs/heads/hotfix-rc" ]]; then + echo "===================================" + echo "[!] Can only release from the 'rc' or 'hotfix-rc' branches" + echo "===================================" + exit 1 + fi + + - name: Get version + id: version + run: | + VERSION=$(cat languages/go/.version | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") + echo "version=$VERSION" >> $GITHUB_OUTPUT + + repo-sync: + name: Push changed files to SDK Go repo + runs-on: ubuntu-22.04 + needs: validate + env: + _KEY_VAULT: "bitwarden-ci" + _BOT_EMAIL: 106330231+bitwarden-devops-bot@users.noreply.github.com + _BOT_NAME: bitwarden-devops-bot + _PKG_VERSION: ${{ needs.validate.outputs.version }} + steps: + - name: Checkout SDK repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + path: sdk + + - name: Checkout SDK-Go repo + uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + with: + repository: bitwarden/sm-sdk-go + path: sm-sdk-go + ref: main + + - name: Login to Azure - Prod Subscription + uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 + with: + creds: ${{ secrets.AZURE_CI_SERVICE_PRINCIPAL }} + + - name: Retrieve secrets + id: retrieve-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@62d1bf7c3e31c458cc7236b1e69a475d235cd78f + with: + keyvault: ${{ env._KEY_VAULT }} + secrets: 
"github-pat-bitwarden-devops-bot-repo-scope" + + - name: Setup Git + working-directory: sm-sdk-go + run: | + git config --local user.email "${{ env._BOT_EMAIL }}" + git config --local user.name "${{ env._BOT_NAME }}" + + - name: Update files + run: | + # Copy files to local sm-sdk-go repo path + cp --verbose -rf sdk/languages/go sm-sdk-go + + - name: Push changes + working-directory: sm-sdk-go + run: | + git add . + git commit -m "Update Go SDK to ${{ github.sha }}" + + if [[ "${{ github.event.inputs.release_type }}" == "Dry Run" ]]; then + echo "===================================" + echo "[!] Dry Run - Skipping push" + echo "===================================" + git ls-files -m + exit 0 + else + git push origin main + fi + + - name: Create release tag on SDK Go repo + if: ${{ github.event.inputs.release_type != 'Dry Run' }} + working-directory: sm-sdk-go + run: | + # Check if tag exists, set output then exit 0 if true. + if git log v${{ env._PKG_VERSION }} >/dev/null 2>&1; then + echo "===================================" + echo "[!] 
Tag v${{ env._PKG_VERSION }} already exists" + echo "===================================" + exit 1 + fi + + git tag v${{ env._PKG_VERSION }} + git push origin v${{ env._PKG_VERSION }} + + github-release: + name: GitHub Release + runs-on: ubuntu-22.04 + needs: + - repo-sync + - validate + env: + _PKG_VERSION: ${{ needs.validate.outputs.version }} + steps: + - name: Login to Azure - Prod Subscription + uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 + with: + creds: ${{ secrets.AZURE_CI_SERVICE_PRINCIPAL }} + + - name: Retrieve secrets + id: retrieve-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@62d1bf7c3e31c458cc7236b1e69a475d235cd78f + with: + keyvault: ${{ env._KEY_VAULT }} + secrets: "github-pat-bitwarden-devops-bot-repo-scope" + + - name: Create release + if: ${{ github.event.inputs.release_type != 'Dry Run' }} + uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0 + with: + tag: v${{ env._PKG_VERSION }} + name: v${{ env._PKG_VERSION }} + body: "" + token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }} + draft: true + repo: bitwarden/sm-sdk-go diff --git a/.github/workflows/version-bump.yml b/.github/workflows/version-bump.yml index 3c6485a09..8298781fc 100644 --- a/.github/workflows/version-bump.yml +++ b/.github/workflows/version-bump.yml @@ -20,6 +20,7 @@ on: - napi - python-sdk - ruby-sdk + - go-sdk version_number: description: "New version (example: '2024.1.0')" required: true @@ -156,6 +157,11 @@ jobs: if: ${{ inputs.project == 'ruby-sdk' }} run: sed -i "s/VERSION = '[0-9]\.[0-9]\.[0-9]'/VERSION = '${{ inputs.version_number }}'/" ./languages/ruby/bitwarden_sdk_secrets/lib/version.rb + ### go sdk + - name: Bump go-sdk Version + if: ${{ inputs.project == 'go-sdk' }} + run: sed -i 's/[0-9]\.[0-9]\.[0-9]/${{ inputs.version_number }}/' ./languages/go/.version + ############################ # VERSION BUMP SECTION END # ############################ 
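Review bot: In the `github-release` job of release-go.yml, `keyvault: ${{ env._KEY_VAULT }}` expands to an empty string, because `_KEY_VAULT` is defined only in the `env:` of `repo-sync` and job-level env is not shared between jobs; add `_KEY_VAULT: "bitwarden-ci"` to the `github-release` env or move it to the workflow-level `env:`. In `repo-sync` the `github-pat-bitwarden-devops-bot-repo-scope` secret is retrieved after the `bitwarden/sm-sdk-go` checkout and no later step in the job references it, so `git push origin main` and the tag push run with whatever credentials that checkout persisted; if the PAT is meant to authorize the push, the Azure login and secret retrieval have to move ahead of the checkout and the secret be passed as its `token:`. Both jobs also log in to Azure and fetch the PAT on a `Dry Run`, which the dry run does not need, so those steps could carry the same `release_type != 'Dry Run'` condition. The comment `# Check if tag exists, set output then exit 0 if true.` disagrees with the `exit 1` beneath it.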
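Review bot: The `sed` pattern `[0-9]\.[0-9]\.[0-9]` in `Bump go-sdk Version` matches single-digit components only, so it breaks once the file holds a version in the documented format (`2024.1.0`): on that content it matches just `4.1.0` and leaves the leading `202` in front of the new version, and on something like `0.10.0` it matches nothing and the step succeeds without changing the file. Since `languages/go/.version` contains only the version, overwriting the file is simpler than substituting in it. `${{ inputs.version_number }}` is also expanded into the script text before the shell runs; passing it through `env:` as `VERSION` and running `printf '%s' "$VERSION" > ./languages/go/.version` addresses both points. The ruby-sdk step shown as context uses the same single-digit pattern.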
diff --git a/languages/go/.version b/languages/go/.version new file mode 100644 index 000000000..6c6aa7cb0 --- /dev/null +++ b/languages/go/.version @@ -0,0 +1 @@ +0.1.0 \ No newline at end of file