Build Bitwarden lite #936

Workflow file for this run

.github/workflows/build-bitwarden-lite.yml at ffb3e1e

	name: Build Bitwarden lite

	on:
	push:
	paths:
	- "bitwarden-lite/**"
	- ".github/workflows/build-bitwarden-lite.yml"
	branches:
	- main
	workflow_dispatch:
	inputs:
	self_host_repo_ref:
	description: "Self-host ref to use for checkout (Default: current ref)"
	type: string
	required: false
	server_branch:
	description: "Server branch name (examples: 'main', 'rc', 'feature/sm')"
	type: string
	default: main
	web_branch:
	description: "Web client branch name (examples: 'main', 'rc', 'feature/sm')"
	type: string
	default: main
	use_latest_core_version:
	description: "Use the latest core version from version.json instead of branch"
	type: boolean
	default: false
	use_latest_web_version:
	description: "Use the latest web version from version.json instead of branch"
	type: boolean
	default: false
	workflow_call:
	inputs:
	self_host_repo_ref:
	description: "Self-host ref to use for checkout (Default: current ref)"
	type: string
	required: false
	server_branch:
	description: "Server branch name (examples: 'main', 'rc', 'feature/sm')"
	type: string
	default: main
	web_branch:
	description: "Web client branch name (examples: 'main', 'rc', 'feature/sm')"
	type: string
	default: main
	use_latest_core_version:
	description: "Use the latest core version from version.json instead of branch"
	type: boolean
	default: false
	use_latest_web_version:
	description: "Use the latest web version from version.json instead of branch"
	type: boolean
	default: false
	pull_request:
	paths:
	- ".github/workflows/build-bitwarden-lite.yml"
	- "bitwarden-lite/**"

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	setup:
	name: Setup
	runs-on: ubuntu-24.04
	outputs:
	server_ref: ${{ steps.set-server-variables.outputs.server_ref }}
	web_ref: ${{ steps.set-web-variables.outputs.web_ref }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
	with:
	ref: ${{ inputs.self_host_repo_ref \|\| github.ref }}
	persist-credentials: false

	- name: Set Server variables
	id: set-server-variables
	env:
	SERVER_BRANCH: ${{ inputs.server_branch }}
	USE_LATEST_CORE_VERSION: ${{ inputs.use_latest_core_version }}
	run: \|
	if [[ "$USE_LATEST_CORE_VERSION" == "true" ]]; then
	# Extract coreVersion from version.json
	CORE_VERSION=$(jq -r '.versions.coreVersion' version.json)
	echo "Server version from version.json: $CORE_VERSION"
	echo "server_ref=refs/tags/v$CORE_VERSION" >> "$GITHUB_OUTPUT"
	elif [[ -z "${SERVER_BRANCH}" ]]; then
	echo "server_ref=refs/heads/main" >> "$GITHUB_OUTPUT"
	else
	echo "server_ref=refs/heads/${SERVER_BRANCH#refs/heads/}" >> "$GITHUB_OUTPUT"
	fi

	- name: Set Web variables
	id: set-web-variables
	env:
	WEB_BRANCH: ${{ inputs.web_branch }}
	USE_LATEST_WEB_VERSION: ${{ inputs.use_latest_web_version }}
	run: \|
	if [[ "$USE_LATEST_WEB_VERSION" == "true" ]]; then
	# Extract webVersion from version.json
	WEB_VERSION=$(jq -r '.versions.webVersion' version.json)
	echo "Web version from version.json: $WEB_VERSION"
	echo "web_ref=refs/tags/web-v$WEB_VERSION" >> "$GITHUB_OUTPUT"
	elif [[ -z "${WEB_BRANCH}" ]]; then
	echo "web_ref=refs/heads/main" >> "$GITHUB_OUTPUT"
	else
	echo "web_ref=refs/heads/${WEB_BRANCH#refs/heads/}" >> "$GITHUB_OUTPUT"
	fi

	build-docker:
	name: Build Docker image
	runs-on: ubuntu-24.04
	timeout-minutes: 60
	needs: setup
	permissions:
	id-token: write
	packages: write
	security-events: write
	steps:
	- name: Checkout Repository
	uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
	with:
	ref: ${{ inputs.self_host_repo_ref \|\| github.ref }}
	persist-credentials: false

	- name: Set up QEMU emulators
	uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

	- name: Login to GitHub Container Registry
	uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Generate Docker image tag
	id: tag
	env:
	SERVER_REF: ${{ needs.setup.outputs.server_ref }}
	run: \|
	if [[ $SERVER_REF =~ ^refs/tags/v(.+)$ ]]; then
	IMAGE_TAG="${BASH_REMATCH[1]}"
	else
	IMAGE_TAG=$(echo "${SERVER_REF#refs/heads/}" \| \
	tr '[:upper:]' '[:lower:]' \| \
	sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+\|-+$//g' \| \
	cut -c1-128 \| \
	sed -E 's/[.-]$//')
	fi

	if [[ "$IMAGE_TAG" == "main" ]]; then
	IMAGE_TAG=dev
	fi

	if [[ -z "$IMAGE_TAG" ]]; then
	echo "ERROR: Failed to generate valid IMAGE_TAG from SERVER_REF: $SERVER_REF"
	exit 1
	fi

	echo "Using $IMAGE_TAG for build"
	echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"

	- name: Generate web image tag
	id: web-tag
	env:
	WEB_REF: ${{ needs.setup.outputs.web_ref }}
	run: \|
	if [[ $WEB_REF =~ ^refs/tags/web-v(.+)$ ]]; then
	WEB_TAG="${BASH_REMATCH[1]}"
	WEB_IMAGE="ghcr.io/bitwarden/web"
	else
	WEB_TAG=$(echo "${WEB_REF#refs/heads/}" \| \
	tr '[:upper:]' '[:lower:]' \| \
	sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+\|-+$//g' \| \
	cut -c1-128 \| \
	sed -E 's/[.-]$//')
	[[ "$WEB_TAG" == "main" ]] && WEB_TAG=dev
	WEB_IMAGE="ghcr.io/bitwarden/web-dev"
	fi
	echo "web_tag=${WEB_TAG}" >> "$GITHUB_OUTPUT"
	echo "web_image=${WEB_IMAGE}" >> "$GITHUB_OUTPUT"

	- name: Log build configuration
	env:
	SERVER_TAG: ${{ steps.tag.outputs.image_tag }}
	WEB_IMAGE: ${{ steps.web-tag.outputs.web_image }}
	WEB_TAG: ${{ steps.web-tag.outputs.web_tag }}
	run: \|
	echo "### Build Configuration" >> $GITHUB_STEP_SUMMARY
	echo "- Server: ghcr.io/bitwarden/\*:${SERVER_TAG}" >> $GITHUB_STEP_SUMMARY
	echo "- Web: ${WEB_IMAGE}:${WEB_TAG}" >> $GITHUB_STEP_SUMMARY

	- name: Build and push Docker image
	id: build-docker
	uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
	with:
	context: .
	file: bitwarden-lite/Dockerfile
	platforms: \|
	linux/amd64,
	linux/arm/v7,
	linux/arm64/v8
	push: true
	tags: ghcr.io/bitwarden/lite:${{ steps.tag.outputs.image_tag }}
	build-args: \|
	SERVER_TAG=${{ steps.tag.outputs.image_tag }}
	WEB_IMAGE=${{ steps.web-tag.outputs.web_image }}
	WEB_TAG=${{ steps.web-tag.outputs.web_tag }}
	cache-from: type=gha
	cache-to: type=gha,mode=min

	- name: Install Cosign
	uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

	- name: Sign image with Cosign
	env:
	DIGEST: ${{ steps.build-docker.outputs.digest }}
	IMAGE: ghcr.io/bitwarden/lite:${{ steps.tag.outputs.image_tag }}
	run: cosign sign --yes "${IMAGE}@${DIGEST}"

	- name: Scan Docker image
	id: container-scan
	uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0
	with:
	image: ghcr.io/bitwarden/lite:${{ steps.tag.outputs.image_tag }}
	fail-build: false
	output-format: sarif

	- name: Upload Grype results to GitHub
	uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
	with:
	sarif_file: ${{ steps.container-scan.outputs.sarif }}
	sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha \|\| github.sha }}
	ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) \|\| github.ref }}

	- name: Log out of GHCR
	run: docker logout ghcr.io

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build Bitwarden lite #936

Workflow file

Build Bitwarden lite #936

Uh oh!

Workflow file for this run