diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 202395839..25e94a7bd 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,15 +9,14 @@ on: paths-ignore: - ".github/workflows/**" workflow_dispatch: - inputs: {} jobs: cloc: name: CLOC - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Checkout repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up CLOC run: | @@ -30,13 +29,13 @@ jobs: setup: name: Setup - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 outputs: rc_branch_exists: ${{ steps.branch-check.outputs.rc_branch_exists }} hotfix_branch_exists: ${{ steps.branch-check.outputs.hotfix_branch_exists }} steps: - name: Checkout repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: 'true' @@ -54,7 +53,6 @@ jobs: else echo "hotfix_branch_exists=0" >> $GITHUB_OUTPUT fi - shell: bash android: 
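Review bot: Removing `shell: bash` from the branch-check step at the end of `@@ -54,7 +53,6 @@` changes how the script is invoked: with no `shell` key a Linux or macOS runner uses `bash -e {0}`, whereas an explicit `shell: bash` uses `bash --noprofile --norc -eo pipefail {0}`. Unless `defaults.run.shell` is set outside the visible hunks, the affected steps lose `pipefail`, so a command that fails on the left of a pipe no longer fails the step. The same removal recurs in the iOS-job hunks from `@@ -570,7 +529,6 @@` through `@@ -793,7 +739,6 @@`, including the provisioning-profile step that extracts UUIDs with `grep ... | grep -io ...`. To keep the old behaviour without repeating the key, I would set `defaults: { run: { shell: bash } }` on the `setup` and `ios` jobs rather than at workflow level, since the Windows jobs rely on the pwsh default. The step's `run:` block begins outside the hunk.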
@@ -82,25 +80,12 @@ jobs: - name: Setup Windows builder run: choco install checksum --no-progress - - name: Work Around for broken Windows 2022 Runner Image + - name: Install Microsoft OpenJDK 11 run: | - Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\" - $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise" - $componentsToAdd = @( - "Component.Xamarin" - ) - [string]$workloadArgs = $componentsToAdd | ForEach-Object {" --add " + $_} - $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"",$workloadArgs, '--quiet', '--norestart', '--nocache') - $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden - if ($process.ExitCode -eq 0) - { - Write-Host "components have been successfully added" - } - else - { - Write-Host "components were not installed" - exit 1 - } + choco install microsoft-openjdk11 --no-progress + Write-Output "JAVA_HOME=$(Get-ChildItem -Path 'C:\Program Files\Microsoft\jdk*' | Select -First 1 -ExpandProperty FullName)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + Write-Output "Java Home: $env:JAVA_HOME" + - name: Print environment run: | nuget help | grep Version @@ -110,9 +95,10 @@ jobs: echo "GitHub event: $GITHUB_EVENT" - name: Checkout repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 + - name: Decrypt secrets env: DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} @@ -126,6 +112,7 @@ jobs: gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output $HOME/secrets/play_creds.json ./.github/secrets/play_creds.json.gpg shell: bash + - name: Decrypt secrets - Google Services if: ${{ matrix.variant == 'prod' }} env: 
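Review bot: `Write-Output "Java Home: $env:JAVA_HOME"` in the new "Install Microsoft OpenJDK 11" step of `@@ -82,25 +80,12 @@` prints the value the step started with, because a line appended to `$env:GITHUB_ENV` only takes effect in later steps. The step also writes an empty `JAVA_HOME=` and carries on if the `jdk*` glob matches nothing, and the Chocolatey package is installed at whatever version is current on the day of the build. This job appears to go on to sign the Android build, so I would pin the package version, resolve the path into a variable, fail when it is empty, and log that variable, as below. The identical step is added in `@@ -318,25 +301,11 @@`.

```yaml
- name: Install Microsoft OpenJDK 11
  run: |
    choco install microsoft-openjdk11 --version <pinned-version> --no-progress
    $jdk = Get-ChildItem -Path 'C:\Program Files\Microsoft\jdk*' | Select-Object -First 1 -ExpandProperty FullName
    if (-not $jdk) { Write-Error "Microsoft OpenJDK 11 was not found after install"; exit 1 }
    "JAVA_HOME=$jdk" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
    Write-Output "Java Home: $jdk"
```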
@@ -134,6 +121,7 @@ jobs: gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output ./src/Android/google-services.json ./.github/secrets/google-services.json.gpg shell: bash + - name: Increment version run: | BUILD_NUMBER=$((3000 + $GITHUB_RUN_NUMBER)) @@ -151,15 +139,12 @@ jobs: - name: Restore tools run: dotnet tool restore - shell: pwsh - name: Verify Format run: dotnet tool run dotnet-format --check - shell: pwsh - name: Run Core tests run: dotnet test test/Core.Test/Core.Test.csproj --logger "trx;LogFileName=test-results.trx" - shell: pwsh - name: Report test results uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0 @@ -186,8 +171,6 @@ jobs: Write-Output "########################################" msbuild "$($env:GITHUB_WORKSPACE + "/src/Android/Android.csproj")" "/p:Configuration=$configuration" - shell: pwsh - - name: Sign Android Build env: PLAY_KEYSTORE_PASSWORD: ${{ secrets.PLAY_KEYSTORE_PASSWORD }} @@ -234,10 +217,10 @@ jobs: $signedApkDestPath = $($env:GITHUB_WORKSPACE + "/$($packageName).apk"); Copy-Item $signedApkPath $signedApkDestPath - shell: pwsh + - name: Upload Prod .aab artifact if: ${{ matrix.variant == 'prod' }} - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: com.x8bit.bitwarden.aab path: ./com.x8bit.bitwarden.aab @@ -245,7 +228,7 @@ jobs: - name: Upload Prod .apk artifact if: ${{ matrix.variant == 'prod' }} - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: com.x8bit.bitwarden.apk path: ./com.x8bit.bitwarden.apk 
@@ -253,7 +236,7 @@ jobs: - name: Upload Other .apk artifact if: ${{ matrix.variant != 'prod' }} - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: com.x8bit.bitwarden.${{ matrix.variant }}.apk path: ./com.x8bit.bitwarden.${{ matrix.variant }}.apk @@ -273,7 +256,7 @@ jobs: - name: Upload .apk sha file for prod if: ${{ matrix.variant == 'prod' }} - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: bw-android-apk-sha256.txt path: ./bw-android-apk-sha256.txt @@ -281,7 +264,7 @@ jobs: - name: Upload .apk sha file for other if: ${{ matrix.variant != 'prod' }} - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: bw-android-${{ matrix.variant }}-apk-sha256.txt path: ./bw-android-${{ matrix.variant }}-apk-sha256.txt 
@@ -318,25 +301,11 @@ jobs: - name: Setup Windows builder run: choco install checksum --no-progress - - name: Work Around for broken Windows 2022 Runner Image + - name: Install Microsoft OpenJDK 11 run: | - Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\" - $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise" - $componentsToAdd = @( - "Component.Xamarin" - ) - [string]$workloadArgs = $componentsToAdd | ForEach-Object {" --add " + $_} - $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"",$workloadArgs, '--quiet', '--norestart', '--nocache') - $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden - if ($process.ExitCode -eq 0) - { - Write-Host "components have been successfully added" - } - else - { - Write-Host "components were not installed" - exit 1 - } + choco install microsoft-openjdk11 --no-progress + Write-Output "JAVA_HOME=$(Get-ChildItem -Path 'C:\Program Files\Microsoft\jdk*' | Select -First 1 -ExpandProperty FullName)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + Write-Output "Java Home: $env:JAVA_HOME" - name: Print environment run: | @@ -347,7 +316,7 @@ jobs: echo "GitHub event: $GITHUB_EVENT" - name: Checkout repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Decrypt secrets env: @@ -441,7 +410,6 @@ jobs: $appCenterNode.ParentNode.RemoveChild($appCenterNode); $xml.Save($corePath); - shell: pwsh - name: Restore packages run: nuget restore @@ -455,7 +423,6 @@ jobs: Write-Output "########################################" msbuild "$($env:GITHUB_WORKSPACE + "/src/Android/Android.csproj")" "/p:Configuration=$configuration" - shell: pwsh - name: Sign for F-Droid env: 
@@ -479,10 +446,9 @@ jobs: $signedApkDestPath = $($env:GITHUB_WORKSPACE + "/com.x8bit.bitwarden-fdroid.apk"); Copy-Item $signedApkPath $signedApkDestPath - shell: pwsh - name: Upload F-Droid .apk artifact - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: com.x8bit.bitwarden-fdroid.apk path: ./com.x8bit.bitwarden-fdroid.apk @@ -494,7 +460,7 @@ jobs: -t sha256 | Out-File -Encoding ASCII ./bw-fdroid-apk-sha256.txt - name: Upload F-Droid sha file - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: bw-fdroid-apk-sha256.txt path: ./bw-fdroid-apk-sha256.txt @@ -520,7 +486,7 @@ jobs: echo "GitHub event: $GITHUB_EVENT" - name: Checkout repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: 'true' @@ -531,17 +497,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-ci - SECRETS: | - appcenter-ios-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "$i=$VALUE" >> $GITHUB_OUTPUT - done + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: "bitwarden-ci" + secrets: "appcenter-ios-token" - name: Decrypt secrets env: @@ -570,7 +529,6 @@ jobs: ./.github/secrets/dist_watch_app_extension.mobileprovision.gpg gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ --output ./src/watchOS/bitwarden/GoogleService-Info.plist ./.github/secrets/GoogleService-Info.plist.gpg - shell: bash - name: Increment version run: | 
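Review bot: `uses: bitwarden/gh-actions/get-keyvault-secrets@main` in `@@ -531,17 +497,10 @@` follows a branch, while every other `uses:` in the visible hunks is pinned to a full commit SHA with the tag in a trailing comment. The step returns Key Vault secrets as step outputs, so whatever lands on `main` of that repository runs with access to them on the next build, with no change to this file to review. I would pin it like the rest, `uses: bitwarden/gh-actions/get-keyvault-secrets@<full-commit-sha> # <ref>`. The removed inline script called `::add-mask::` on each value; whether the action does the same is not visible here and is worth confirming. The same `@main` reference is added in `@@ -817,17 +762,10 @@` and `@@ -884,18 +822,11 @@`.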
@@ -586,8 +544,6 @@ jobs: perl -0777 -pi.bak -e 's/CFBundleVersion<\/key>\s*1<\/string>/CFBundleVersion<\/key>\n\t'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.ShareExtension/Info.plist cd src/watchOS/bitwarden agvtool new-version -all $BUILD_NUMBER - cd ../../.. - shell: bash - name: Update Entitlements run: | @@ -596,7 +552,6 @@ jobs: echo "########################################" perl -0777 -pi.bak -e 's/aps-environment<\/key>\s*development<\/string>/aps-environment<\/key>\n\tproduction<\/string>/' ./src/iOS/Entitlements.plist - shell: bash - name: Set up Keychain env: @@ -613,7 +568,6 @@ jobs: security import ~/secrets/iphone-distribution-cert.p12 -k build.keychain -P $DIST_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - shell: bash - name: Set up provisioning profiles run: | @@ -644,7 +598,6 @@ jobs: WATCH_APP_EXTENSION_UUID=$(grep UUID -A1 -a $WATCH_APP_EXTENSION_PROFILE_PATH | grep -io "[-A-F0-9]\{36\}") cp $WATCH_APP_EXTENSION_PROFILE_PATH "$PROFILES_DIR_PATH/$WATCH_APP_EXTENSION_UUID.mobileprovision" - shell: bash - name: Bulid WatchApp run: | @@ -657,7 +610,6 @@ jobs: echo "########################################" echo "##### Done" echo "########################################" - shell: bash - name: Restore packages run: nuget restore @@ -703,7 +655,6 @@ jobs: xcodebuild -exportArchive -archivePath $ARCHIVE_PATH -exportPath $EXPORT_PATH \ -exportOptionsPlist $EXPORT_OPTIONS_PATH - shell: bash - name: Export .app for Automation CI run: | @@ -712,7 +663,6 @@ jobs: zip -r -q BitwardeniOS.app.zip $ARCHIVE_PATH mv BitwardeniOS.app.zip $EXPORT_PATH - shell: bash - name: Copy all dSYMs files to upload run: | 
@@ -725,10 +675,9 @@ jobs: cp -r -v $ARCHIVE_DSYMS_PATH $EXPORT_PATH mkdir $WATCH_DSYMS_EXPORT_PATH cp -r -v $WATCH_ARCHIVE_DSYMS_PATH $WATCH_DSYMS_EXPORT_PATH - shell: bash - name: Upload App Store .ipa & dSYMs artifacts - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: Bitwarden iOS path: | @@ -737,7 +686,7 @@ jobs: if-no-files-found: error - name: Upload .app file for Automation CI - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: BitwardeniOS.app.zip path: ./bitwarden-export/BitwardeniOS.app.zip @@ -762,7 +711,6 @@ jobs: env: APPCENTER_IOS_TOKEN: ${{ steps.retrieve-secrets.outputs.appcenter-ios-token }} run: appcenter crashes upload-symbols -a bitwarden/bitwarden -s "./bitwarden-export/dSYMs" --token $APPCENTER_IOS_TOKEN - shell: bash - name: Upload Watch dSYMs to Firebase Crashlytics if: | @@ -772,13 +720,11 @@ jobs: || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0) || github.ref == 'refs/heads/hotfix-rc' run: | - echo "########################################" echo "##### Uploading Watch dSYMs to Firebase" echo "########################################" find "$HOME/Library/Developer/XCode/DerivedData" -name "upload-symbols" -exec chmod +x {} \; -exec {} -gsp "./src/watchOS/bitwarden/GoogleService-Info.plist" -p ios "./bitwarden-export/Watch_dSYMs" \; - shell: bash - name: Deploy to App Store if: | @@ -793,7 +739,6 @@ jobs: run: | xcrun altool --upload-app --type ios --file "./bitwarden-export/Bitwarden.ipa" \ --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD" - shell: bash crowdin-push: 
@@ -803,12 +748,12 @@ jobs: - android - f-droid - ios - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 env: _CROWDIN_PROJECT_ID: "269690" steps: - name: Checkout repo - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Login to Azure - CI Subscription uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6 @@ -817,17 +762,10 @@ jobs: - name: Retrieve secrets id: retrieve-secrets - env: - KEYVAULT: bitwarden-ci - SECRETS: | - crowdin-api-token - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "$i=$VALUE" >> $GITHUB_OUTPUT - done + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: "bitwarden-ci" + secrets: "crowdin-api-token" - name: Upload Sources uses: crowdin/github-action@965d501f160af7b1f88aed4c29154b0caf1e94b9 # v1.9.0 @@ -844,7 +782,7 @@ jobs: check-failures: name: Check for failures if: always() - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 needs: - cloc - android @@ -884,18 +822,11 @@ jobs: - name: Retrieve secrets id: retrieve-secrets + uses: bitwarden/gh-actions/get-keyvault-secrets@main if: failure() - env: - KEYVAULT: bitwarden-ci - SECRETS: | - devops-alerts-slack-webhook-url - run: | - for i in ${SECRETS//,/ } - do - VALUE=$(az keyvault secret show --vault-name $KEYVAULT --name $i --query value --output tsv) - echo "::add-mask::$VALUE" - echo "$i=$VALUE" >> $GITHUB_OUTPUT - done + with: + keyvault: "bitwarden-ci" + secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0