Sign main branch Unified container builds with cosign and perform security scanning #2530
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build bws Docker image | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| workflow_dispatch: | |
| pull_request: | |
| env: | |
| _AZ_REGISTRY: bitwardenprod.azurecr.io | |
| jobs: | |
| build-docker: | |
| name: Build Docker image | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| security-events: write | |
| id-token: write | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Check Branch to Publish | |
| id: publish-branch-check | |
| run: | | |
| if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then | |
| echo "is_publish_branch=true" >> $GITHUB_ENV | |
| else | |
| echo "is_publish_branch=false" >> $GITHUB_ENV | |
| fi | |
| ########## Set up Docker ########## | |
| - name: Set up QEMU emulators | |
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| ########## Login to Docker registries ########## | |
| - name: Login to Azure - Prod Subscription | |
| uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
| with: | |
| creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
| - name: Login to Azure ACR | |
| run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} | |
| - name: Login to Azure - CI Subscription | |
| uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
| with: | |
| creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
| - name: Retrieve github PAT secrets | |
| id: retrieve-secret-pat | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
| with: | |
| keyvault: "bitwarden-ci" | |
| secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
| - name: Setup Docker Trust | |
| if: ${{ env.is_publish_branch == 'true' }} | |
| uses: bitwarden/gh-actions/setup-docker-trust@main | |
| with: | |
| azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
| azure-keyvault-name: "bitwarden-ci" | |
| ########## Generate image tag and build Docker image ########## | |
| - name: Generate Docker image tag | |
| id: tag | |
| run: | | |
| REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}} | |
| IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g") # slash safe branch name | |
| if [[ "${IMAGE_TAG}" == "main" ]]; then | |
| IMAGE_TAG=dev | |
| fi | |
| echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
| - name: Generate tag list | |
| id: tag-list | |
| env: | |
| IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} | |
| run: | | |
| if [[ "${IMAGE_TAG}" == "dev" ]]; then | |
| echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG},bitwarden/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
| else | |
| echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Build and push Docker image | |
| id: build-docker | |
| uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
| with: | |
| context: . | |
| file: crates/bws/Dockerfile | |
| platforms: | | |
| linux/amd64, | |
| linux/arm64/v8 | |
| push: true | |
| tags: ${{ steps.tag-list.outputs.tags }} | |
| secrets: | | |
| "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" | |
| - name: Install Cosign | |
| if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Sign image with Cosign | |
| if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' | |
| env: | |
| DIGEST: ${{ steps.build-docker.outputs.digest }} | |
| TAGS: ${{ steps.tag-list.outputs.tags }} | |
| run: | | |
| IFS="," read -a tags <<< "${TAGS}" | |
| images="" | |
| for tag in "${tags[@]}"; do | |
| images+="${tag}@${DIGEST} " | |
| done | |
| cosign sign --yes ${images} | |
| - name: Scan Docker image | |
| id: container-scan | |
| uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0 | |
| with: | |
| image: ${{ steps.tag-list.outputs.primary_tag }} | |
| fail-build: false | |
| output-format: sarif | |
| - name: Upload Grype results to GitHub | |
| uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 | |
| with: | |
| sarif_file: ${{ steps.container-scan.outputs.sarif }} | |
| - name: Log out of Docker and disable Docker Notary | |
| if: ${{ env.is_publish_branch == 'true' }} | |
| run: | | |
| docker logout | |
| echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV | |
| check-failures: | |
| name: Check for failures | |
| if: always() | |
| runs-on: ubuntu-22.04 | |
| needs: build-docker | |
| steps: | |
| - name: Check if any job failed | |
| if: github.ref == 'refs/heads/main' | |
| env: | |
| BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }} | |
| run: | | |
| if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then | |
| exit 1 | |
| fi | |
| - name: Login to Azure - CI subscription | |
| uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
| if: failure() | |
| with: | |
| creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
| - name: Retrieve secrets | |
| id: retrieve-secrets | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
| if: failure() | |
| with: | |
| keyvault: "bitwarden-ci" | |
| secrets: "devops-alerts-slack-webhook-url" | |
| - name: Notify Slack on failure | |
| uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 | |
| if: failure() | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} | |
| with: | |
| status: ${{ job.status }} |