From e502e5e13a3492f8fb299c5d6b52f79df56633a0 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Wed, 4 Mar 2026 14:46:36 -0500
Subject: [PATCH 1/5] Update files to point to GHCR
---
 .github/workflows/build.yml | 54 ++++++++++++++++-------------
 .github/workflows/publish.yml | 35 ++++++++++-------------
 2 files changed, 40 insertions(+), 49 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5fd6a8b3efaa..930b9a08c798 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -16,7 +16,7 @@ permissions:
 contents: read
 env:
- _AZ_REGISTRY: "bitwardenprod.azurecr.io"
+ _GHCR_REGISTRY: "ghcr.io/bitwarden"
 _GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}
 jobs:
@@ -45,6 +45,7 @@ jobs:
 permissions:
 security-events: write
 id-token: write
+ packages: write
 timeout-minutes: 45
 strategy:
 fail-fast: false
@@ -173,16 +174,13 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- ########## ACRs ##########
- - name: Log in to Azure
- uses: bitwarden/gh-actions/azure-login@main
+ ########## GHCR ##########
+ - name: Log in to GHCR
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
 with:
- subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- tenant_id: ${{ secrets.AZURE_TENANT_ID }}
- client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
- - name: Log in to ACR - production subscription
- run: az acr login -n bitwardenprod
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 ########## Generate image tag and build Docker image ##########
 - name: Generate Docker image tag
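Review bot: `packages: write` is added to a job that also runs on pull_request events (the `_GITHUB_PR_REPO_NAME` env and the `github.event_name != 'pull_request'` guards on the Cosign steps show this), and the GHCR login in the @@ -173 hunk runs unconditionally with that token. For same-repo pull requests the GITHUB_TOKEN then carries push rights to `ghcr.io/bitwarden`, which is only safe if the build-and-push step (outside this hunk) still gates `push` on non-PR events; please confirm that. If PR builds do not need to pull from GHCR at all, the login step itself could be guarded with `if: github.event_name != 'pull_request'` so the write-capable token is never used on PR runs.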
@@ -222,11 +220,11 @@ jobs:
 PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
 SHA: ${{ github.sha }}
 run: |
- TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
+ TAGS="${_GHCR_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
 echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
 if [[ "${IMAGE_TAG}" == "dev" ]]; then
 SHORT_SHA=$(git rev-parse --short "${SHA}")
- TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
+ TAGS=$TAGS",${_GHCR_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
 fi
 echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
@@ -244,11 +242,11 @@ jobs:
 tags: ${{ steps.image-tags.outputs.tags }}
 - name: Install Cosign
- if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+ if: github.event_name != 'pull_request' && env.is_publish_branch == 'true'
 uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 - name: Sign image with Cosign
- if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
+ if: github.event_name != 'pull_request' && env.is_publish_branch == 'true'
 env:
 DIGEST: ${{ steps.build-artifacts.outputs.digest }}
 TAGS: ${{ steps.image-tags.outputs.tags }}
@@ -276,8 +274,8 @@ jobs:
 sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
 ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
- - name: Log out from Azure
- uses: bitwarden/gh-actions/azure-logout@main
+ - name: Log out from GHCR
+ run: docker logout ghcr.io
 upload:
 name: Upload
@@ -286,6 +284,7 @@ jobs:
 permissions:
 id-token: write
 actions: read
+ packages: read
 steps:
 - name: Check out repo
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
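Review bot: The Cosign install and sign steps now key on `env.is_publish_branch == 'true'`, but nothing in this patch sets `is_publish_branch`; unless a step outside the diff exports it to `$GITHUB_ENV`, the comparison is always false and images built from main silently stop being signed. The change also widens signing from `refs/heads/main` to whichever refs set that flag, which the commit message ("point to GHCR") does not mention. Either keep `github.ref == 'refs/heads/main'` in both `if:` lines, or add a comment above the Install Cosign step naming where the variable comes from, e.g. `# is_publish_branch is exported to GITHUB_ENV by the <step-name> step`.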
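Review bot: The explicit `run: docker logout ghcr.io` step is redundant and weaker than what docker/login-action already provides: the action registers a post-job step that logs out of the registry by default (its `logout` input defaults to true), whereas this step is skipped whenever an earlier step fails, which is exactly when leaving credentials in the runner's Docker config is least desirable. Drop the step, or if the team wants the logout visible in the step list, give it `if: always()`. The same applies to the logout steps added in the @@ -348 hunk of build.yml and the @@ -107 hunk of publish.yml.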
@@ -296,15 +295,12 @@ jobs:
 - name: Set up .NET
 uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0
- - name: Log in to Azure
- uses: bitwarden/gh-actions/azure-login@main
+ - name: Log in to GHCR
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
 with:
- subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- tenant_id: ${{ secrets.AZURE_TENANT_ID }}
- client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
- - name: Log in to ACR - production subscription
- run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 - name: Make Docker stubs
 if: |
@@ -314,13 +310,13 @@ jobs:
 # Set proper setup image based on branch
 case "$GITHUB_REF" in
 "refs/heads/main")
- SETUP_IMAGE="$_AZ_REGISTRY/setup:dev"
+ SETUP_IMAGE="ghcr.io/bitwarden/setup:dev"
 ;;
 "refs/heads/rc")
- SETUP_IMAGE="$_AZ_REGISTRY/setup:rc"
+ SETUP_IMAGE="ghcr.io/bitwarden/setup:rc"
 ;;
 "refs/heads/hotfix-rc")
- SETUP_IMAGE="$_AZ_REGISTRY/setup:hotfix-rc"
+ SETUP_IMAGE="ghcr.io/bitwarden/setup:hotfix-rc"
 ;;
 esac
@@ -348,8 +344,8 @@ jobs:
 cd docker-stub/US; zip -r ../../docker-stub-US.zip ./*; cd ../..
 cd docker-stub/EU; zip -r ../../docker-stub-EU.zip ./*; cd ../..
- - name: Log out from Azure
- uses: bitwarden/gh-actions/azure-logout@main
+ - name: Log out from GHCR
+ run: docker logout ghcr.io
 - name: Upload Docker stub US artifact
 if: |
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1dac50531224..dc5a8e845f24 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,7 +23,7 @@ on:
 default: false
 env:
- _AZ_REGISTRY: "bitwardenprod.azurecr.io"
+ _GHCR_REGISTRY: "ghcr.io/bitwarden"
 jobs:
 setup:
@@ -69,6 +69,7 @@ jobs:
 permissions:
 contents: read
 id-token: write
+ packages: write
 env:
 _RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
 _BRANCH_NAME: ${{ inputs.branch }}
@@ -107,36 +108,30 @@ jobs:
 echo "PROJECT_NAME: $PROJECT_NAME"
 echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"
- ########## ACR PROD ##########
- - name: Log in to Azure
- uses: bitwarden/gh-actions/azure-login@main
+ ########## GHCR ##########
+ - name: Log in to GHCR
+ uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
 with:
- subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- tenant_id: ${{ secrets.AZURE_TENANT_ID }}
- client_id: ${{ secrets.AZURE_CLIENT_ID }}
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
- - name: Log in to Azure ACR
- run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
-
- - name: Push version and latest image
+ - name: Push version image
 env:
 PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
 run: |
 if [[ "${{ inputs.dry_run }}" == "true" ]]; then
 skopeo copy --all \
- "docker://$_AZ_REGISTRY/$PROJECT_NAME:latest" \
- "docker://$_AZ_REGISTRY/$PROJECT_NAME:dryrun"
+ "docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
+ "docker://$_GHCR_REGISTRY/$PROJECT_NAME:dryrun"
 else
 skopeo copy --all \
- "docker://$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
- "docker://$_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
- skopeo copy --all \
- "docker://$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
- "docker://$_AZ_REGISTRY/$PROJECT_NAME:latest"
+ "docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
+ "docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
 fi
- - name: Log out from Azure
- uses: bitwarden/gh-actions/azure-logout@main
+ - name: Log out from GHCR
+ run: docker logout ghcr.io
 update-deployment:
 name: Update Deployment Status
From 5bf43b8483e8abd62c836e8bf6ec25a5baab015b Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 10 Mar 2026 18:16:19 -0400
Subject: [PATCH 2/5] Add in logic for GHCR
---
 .github/workflows/build.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
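Review bot: The rewritten push step changes what gets published, not just where: the second `skopeo copy` that updated `:latest` is gone, so `$_GHCR_REGISTRY/$PROJECT_NAME:latest` is never written, and the dry-run path now copies `:$_BRANCH_NAME` to `:dryrun` where it previously copied `:latest`. The rename to "Push version image" suggests the first part is intentional, but the commit message does not say so, and anything that pulls `:latest` from the new registry will find nothing. If intentional, say so in the commit message and add a comment on the step such as `# GHCR receives only the release-version tag; :latest is not maintained there`; otherwise restore the second copy.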
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index a9422384fdeb..bf5995b30da3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,6 +17,7 @@ permissions:
 env:
 _GHCR_REGISTRY: "ghcr.io/bitwarden"
+ _AZ_REGISTRY: "bitwardenprod.azurecr.io"
 _GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}
 jobs:
@@ -174,7 +175,7 @@ jobs:
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- ########## GHCR ##########
+ ########## Registries ##########
 - name: Log in to GHCR
 uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
 with:
@@ -182,6 +183,16 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Log in to Azure
+ uses: bitwarden/gh-actions/azure-login@main
+ with:
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+ - name: Log in to ACR
+ run: az acr login -n bitwardenprod
+
 ########## Generate image tag and build Docker image ##########
 - name: Generate Docker image tag
 id: tag
@@ -220,11 +231,13 @@ jobs:
 PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
 SHA: ${{ github.sha }}
 run: |
- TAGS="${_GHCR_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
- echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
+ GHCR_TAG="${_GHCR_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
+ TAGS="${GHCR_TAG},${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
+ echo "primary_tag=${GHCR_TAG}" >> "$GITHUB_OUTPUT"
 if [[ "${IMAGE_TAG}" == "dev" ]]; then
 SHORT_SHA=$(git rev-parse --short "${SHA}")
 TAGS=$TAGS",${_GHCR_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
+ TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
 fi
 echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
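Review bot: `run: az acr login -n bitwardenprod` hardcodes the registry name even though `_AZ_REGISTRY` is (re)introduced in the first hunk of this same commit, and the upload job's equivalent step used `az acr login -n "$_AZ_REGISTRY" --only-show-errors` before this series (visible as a removed line in the first commit), so the login-server form is known to work. The two should agree so that a registry change is a one-line edit: `run: az acr login -n "$_AZ_REGISTRY" --only-show-errors`. Note that the last commit in the series, "Replace string with env var", fixes the setup-image literals but leaves this one in place.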
@@ -277,6 +290,9 @@ jobs:
 - name: Log out from GHCR
 run: docker logout ghcr.io
+ - name: Log out from Azure
+ uses: bitwarden/gh-actions/azure-logout@main
+
 upload:
 name: Upload
 runs-on: ubuntu-22.04
From 7442b06c391c5f677a1ebb5666f619801d5c68d1 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Tue, 10 Mar 2026 18:36:33 -0400
Subject: [PATCH 3/5] Add back logic for ACR
---
 .github/workflows/build.yml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index bf5995b30da3..e3a92b0da375 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -232,7 +232,8 @@ jobs:
 SHA: ${{ github.sha }}
 run: |
 GHCR_TAG="${_GHCR_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
- TAGS="${GHCR_TAG},${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
+ ACR_TAG="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
+ TAGS="${GHCR_TAG},${ACR_TAG}"
 echo "primary_tag=${GHCR_TAG}" >> "$GITHUB_OUTPUT"
 if [[ "${IMAGE_TAG}" == "dev" ]]; then
 SHORT_SHA=$(git rev-parse --short "${SHA}")
@@ -318,6 +319,16 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Log in to Azure
+ uses: bitwarden/gh-actions/azure-login@main
+ with:
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+ - name: Log in to ACR - production subscription
+ run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
+
 - name: Make Docker stubs
 if: |
 github.event_name != 'pull_request'
@@ -363,6 +374,9 @@ jobs:
 - name: Log out from GHCR
 run: docker logout ghcr.io
+ - name: Log out from Azure
+ uses: bitwarden/gh-actions/azure-logout@main
+
 - name: Upload Docker stub US artifact
 if: |
 github.event_name != 'pull_request'
From 9757d3eb75435ca8f08122ec129380cafb3525db Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 19 Mar 2026 16:50:57 -0400
Subject: [PATCH 4/5] Optimize logic
---
 .github/workflows/build.yml | 22 ++++------------------
 .github/workflows/publish.yml | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e3a92b0da375..34fcbdd62d87 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,23 +1,22 @@
 name: Build
 on:
- workflow_dispatch:
+ pull_request:
+ types: [opened, synchronize]
 push:
 branches:
 - "main"
 - "rc"
 - "hotfix-rc"
- pull_request:
- types: [opened, synchronize]
 workflow_call:
- inputs: {}
+ workflow_dispatch:
 permissions:
 contents: read
 env:
- _GHCR_REGISTRY: "ghcr.io/bitwarden"
 _AZ_REGISTRY: "bitwardenprod.azurecr.io"
+ _GHCR_REGISTRY: "ghcr.io/bitwarden"
 _GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}
 jobs:
@@ -319,16 +318,6 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - name: Log in to Azure
- uses: bitwarden/gh-actions/azure-login@main
- with:
- subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- tenant_id: ${{ secrets.AZURE_TENANT_ID }}
- client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
- - name: Log in to ACR - production subscription
- run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
-
 - name: Make Docker stubs
 if: |
 github.event_name != 'pull_request'
@@ -374,9 +363,6 @@ jobs:
 - name: Log out from GHCR
 run: docker logout ghcr.io
- - name: Log out from Azure
- uses: bitwarden/gh-actions/azure-logout@main
-
 - name: Upload Docker stub US artifact
 if: |
 github.event_name != 'pull_request'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index dc5a8e845f24..a4609cc95c98 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,6 +23,7 @@ on:
 default: false
 env:
+ _AZ_REGISTRY: "bitwardenprod.azurecr.io"
 _GHCR_REGISTRY: "ghcr.io/bitwarden"
 jobs:
@@ -133,6 +134,37 @@ jobs:
 - name: Log out from GHCR
 run: docker logout ghcr.io
+ ########## ACR ##########
+ - name: Log in to Azure
+ uses: bitwarden/gh-actions/azure-login@main
+ with:
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+ - name: Log in to Azure ACR
+ run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
+
+ - name: Push version and latest image
+ env:
+ PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
+ run: |
+ if [[ "${{ inputs.dry_run }}" == "true" ]]; then
+ skopeo copy --all \
+ "docker://$_AZ_REGISTRY/$PROJECT_NAME:latest" \
+ "docker://$_AZ_REGISTRY/$PROJECT_NAME:dryrun"
+ else
+ skopeo copy --all \
+ "docker://$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
+ "docker://$_AZ_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
+ skopeo copy --all \
+ "docker://$_AZ_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
+ "docker://$_AZ_REGISTRY/$PROJECT_NAME:latest"
+ fi
+
+ - name: Log out from Azure
+ uses: bitwarden/gh-actions/azure-logout@main
+
 update-deployment:
 name: Update Deployment Status
 runs-on: ubuntu-22.04
From 0d7abd6329e703fe58b85022990459d485648205 Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 19 Mar 2026 17:05:45 -0400
Subject: [PATCH 5/5] Replace string with env var
---
 .github/workflows/build.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 34fcbdd62d87..249283ab7918 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -300,7 +300,6 @@ jobs:
 permissions:
 id-token: write
 actions: read
- packages: read
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
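Review bot: The two publish steps now disagree on tag policy: in dry-run mode the GHCR step kept from the first commit copies `:$_BRANCH_NAME` to `:dryrun` while this ACR step copies `:latest`, and only ACR receives a `:latest` tag at all. If that is deliberate, a one-line comment on each step stating which tags that registry carries would keep the next reader from "fixing" one to match the other; if not, the GHCR step should gain the `:latest` copy. The eight `skopeo copy` lines are otherwise the earlier GHCR block with the registry variable swapped, so a loop over the two registry variables (or a shared step) would keep the tag policy in one place.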
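Review bot: Removing `packages: read` leaves the upload job's GITHUB_TOKEN with no package scope, because a job-level `permissions:` block sets every unlisted scope to none, yet the job still logs in to ghcr.io with that token (the login step is visible as context in the @@ -318 hunk of the previous commit) and the Make Docker stubs step selects `${_GHCR_REGISTRY}/setup:*` images. This is only correct if those setup images are public; if they are private, the pull is denied at run time rather than caught at review. Either restore `packages: read`, or document the assumption next to the permissions block: `# no packages scope: the setup images pulled below are public`.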
@@ -326,13 +325,13 @@ jobs:
 # Set proper setup image based on branch
 case "$GITHUB_REF" in
 "refs/heads/main")
- SETUP_IMAGE="ghcr.io/bitwarden/setup:dev"
+ SETUP_IMAGE="${_GHCR_REGISTRY}/setup:dev"
 ;;
 "refs/heads/rc")
- SETUP_IMAGE="ghcr.io/bitwarden/setup:rc"
+ SETUP_IMAGE="${_GHCR_REGISTRY}/setup:rc"
 ;;
 "refs/heads/hotfix-rc")
- SETUP_IMAGE="ghcr.io/bitwarden/setup:hotfix-rc"
+ SETUP_IMAGE="${_GHCR_REGISTRY}/setup:hotfix-rc"
 ;;
 esac
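Review bot: The `case "$GITHUB_REF"` block still has no `*)` arm, so on any ref other than main, rc or hotfix-rc `SETUP_IMAGE` stays empty and whatever uses it later in this run block presumably fails with a less helpful error; since the workflow also has `workflow_dispatch:` and `workflow_call:` triggers, such refs are reachable unless the step's `if:` (which starts outside this hunk) excludes them. Adding `*) echo "unsupported ref: $GITHUB_REF" >&2; exit 1 ;;` before `esac` makes the failure explicit. The run block containing this case statement begins before the hunk.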