[BEEEP] - Docker image for bws (#305)

## Type of change

Add a `bws` Dockerfile.

- [ ] Bug fix
- [x] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [x] Build/deploy pipeline (DevOps)
- [ ] Other

## Objective

This allows us to publish a `bitwarden/bws` docker image. Multi-arch
images can be built with the following command:

`docker buildx build -f ./crates/bws/Dockerfile --push -t bitwarden/bws
--platform linux/amd64,linux/arm64 .`

## Code changes

- **`Dockerfile`:** add file

## Before you submit

- Please add **unit tests** where it makes sense to do so (encouraged
but not required)

---------

Co-authored-by: Michał Chęciński <mchecinski@bitwarden.com>
Co-authored-by: Michał Chęciński <michal.checinski@outlook.com>
Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>

.github/workflows/build-cli-docker.yml

@@ -0,0 +1,163 @@
+---
+name: Build bws Docker image
+
+on:
+  push:
+    paths:
+      - "crates/bws/**"
+  workflow_dispatch:
+    inputs:
+      sdk_branch:
+        description: "Server branch name to deploy (examples: 'master', 'rc', 'feature/sm')"
+        type: string
+        default: master
+  pull_request:
+    paths:
+      - ".github/workflows/build-cli-docker.yml"
+      - "crates/bws/**"
+
+env:
+  _AZ_REGISTRY: bitwardenprod.azurecr.io
+
+jobs:
+  build-docker:
+    name: Build Docker image
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Check Branch to Publish
+        env:
+          PUBLISH_BRANCHES: "master,rc,hotfix-rc"
+        id: publish-branch-check
+        run: |
+          REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+
+          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
+
+          if [[ "${publish_branches[*]}" =~ "${REF}" ]]; then
+            echo "is_publish_branch=true" >> $GITHUB_ENV
+          else
+            echo "is_publish_branch=false" >> $GITHUB_ENV
+          fi
+
+      ########## Set up Docker ##########
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+
+      ########## Login to Docker registries ##########
+      - name: Login to Azure - Prod Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Login to Azure ACR
+        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve github PAT secrets
+        id: retrieve-secret-pat
+        uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "github-pat-bitwarden-devops-bot-repo-scope"
+
+      - name: Setup Docker Trust
+        if: ${{ env.is_publish_branch == 'true' }}
+        uses: bitwarden/gh-actions/setup-docker-trust@082f5e05ed97c3601c6f3179250b1a761c4d647f
+        with:
+          azure-creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+          azure-keyvault-name: "bitwarden-ci"
+
+      ########## Generate image tag and build Docker image ##########
+      - name: Generate Docker image tag
+        id: tag
+        run: |
+          REF=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+          IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
+          if [[ "${IMAGE_TAG}" == "master" ]]; then
+            IMAGE_TAG=dev
+          elif [[ ("${IMAGE_TAG}" == "rc") || ("${IMAGE_TAG}" == "hotfix-rc") ]]; then
+            IMAGE_TAG=rc
+          fi
+
+          echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Generate tag list
+        id: tag-list
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+          IS_PUBLISH_BRANCH: ${{ env.is_publish_branch }}
+        run: |
+          if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "rc") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
+            echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG},bitwarden/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+          else
+            echo "tags=$_AZ_REGISTRY/bws:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v3.2.0
+        with:
+          context: .
+          file: crates/bws/Dockerfile
+          platforms: |
+            linux/amd64,
+            linux/arm64/v8
+          push: true
+          tags: ${{ steps.tag-list.outputs.tags }}
+          secrets: |
+            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"
+
+      - name: Log out of Docker and disable Docker Notary
+        if: ${{ env.is_publish_branch == 'true' }}
+        run: |
+          docker logout
+          echo "DOCKER_CONTENT_TRUST=0" >> $GITHUB_ENV
+
+  check-failures:
+    name: Check for failures
+    if: always()
+    runs-on: ubuntu-22.04
+    needs: build-docker
+    steps:
+      - name: Check if any job failed
+        if: |
+          github.ref == 'refs/heads/master'
+          || github.ref == 'refs/heads/rc'
+          || github.ref == 'refs/heads/hotfix-rc'
+        env:
+          BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }}
+        run: |
+          if [ "$BUILD_DOCKER_STATUS" = "failure" ]; then
+              exit 1
+          fi
+
+      - name: Login to Azure - CI subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        if: failure()
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@c86ced0dc8c9daeecf057a6333e6f318db9c5a2b
+        if: failure()
+        with:
+          keyvault: "bitwarden-ci"
+          secrets: "devops-alerts-slack-webhook-url"
+
+      - name: Notify Slack on failure
+        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
+        if: failure()
+        env:
+          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
+        with:
+          status: ${{ job.status }}

crates/bws/Dockerfile

@@ -0,0 +1,34 @@
+###############################################
+#                 Build stage                 #
+###############################################
+FROM --platform=$BUILDPLATFORM rust:1.73 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  ca-certificates \
+  && rm -rf /var/lib/apt/lists/*
+
+# Copy required project files
+COPY . /app
+
+# Build project
+WORKDIR /app/crates/bws
+RUN cargo build --release
+
+###############################################
+#                  App stage                  #
+###############################################
+FROM debian:bookworm-slim
+
+ARG TARGETPLATFORM
+LABEL com.bitwarden.product="bitwarden"
+
+# Copy built project from the build stage
+WORKDIR /usr/local/bin
+COPY --from=build /app/target/release/bws .
+COPY --from=build /etc/ssl/certs /etc/ssl/certs
+
+ENTRYPOINT ["bws"]
+

crates/bws/Dockerfile.dockerignore

@@ -0,0 +1,4 @@
+*
+!crates/*
+!Cargo.toml
+!Cargo.lock