57 changes: 34 additions & 23 deletions .github/workflows/build.yml
@@ -1,22 +1,22 @@
name: Build

on:
workflow_dispatch:
pull_request:
types: [opened, synchronize]
push:
branches:
- "main"
- "rc"
- "hotfix-rc"
pull_request:
types: [opened, synchronize]
workflow_call:
inputs: {}
workflow_dispatch:

permissions:
contents: read

env:
_AZ_REGISTRY: "bitwardenprod.azurecr.io"
_GHCR_REGISTRY: "ghcr.io/bitwarden"
_GITHUB_PR_REPO_NAME: ${{ github.event.pull_request.head.repo.full_name }}

jobs:
@@ -45,6 +45,7 @@ jobs:
permissions:
security-events: write
id-token: write
packages: write
timeout-minutes: 45
strategy:
fail-fast: false
@@ -177,15 +178,22 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

########## ACRs ##########
########## Registries ##########
- name: Log in to GHCR
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}

- name: Log in to ACR - production subscription
- name: Log in to ACR
run: az acr login -n bitwardenprod

########## Generate image tag and build Docker image ##########
@@ -227,10 +235,13 @@ jobs:
PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
SHA: ${{ github.sha }}
run: |
TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
GHCR_TAG="${_GHCR_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
ACR_TAG="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
TAGS="${GHCR_TAG},${ACR_TAG}"
echo "primary_tag=${GHCR_TAG}" >> "$GITHUB_OUTPUT"
if [[ "${IMAGE_TAG}" == "dev" ]]; then
SHORT_SHA=$(git rev-parse --short "${SHA}")
TAGS=$TAGS",${_GHCR_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
fi
echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
@@ -255,11 +266,11 @@ jobs:
tags: ${{ steps.image-tags.outputs.tags }}

- name: Install Cosign
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
if: github.event_name != 'pull_request' && env.is_publish_branch == 'true'
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

- name: Sign image with Cosign
if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
if: github.event_name != 'pull_request' && env.is_publish_branch == 'true'
env:
DIGEST: ${{ steps.build-artifacts.outputs.digest }}
TAGS: ${{ steps.image-tags.outputs.tags }}
@@ -287,6 +298,9 @@ jobs:
sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}

- name: Log out from GHCR
run: docker logout ghcr.io

- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main

@@ -307,15 +321,12 @@ jobs:
- name: Set up .NET
uses: actions/setup-dotnet@baa11fbfe1d6520db94683bd5c7a3818018e4309 # v5.1.0

- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
- name: Log in to GHCR
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
client_id: ${{ secrets.AZURE_CLIENT_ID }}

- name: Log in to ACR - production subscription
run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Make Docker stubs
if: |
@@ -325,13 +336,13 @@ jobs:
# Set proper setup image based on branch
case "$GITHUB_REF" in
"refs/heads/main")
SETUP_IMAGE="$_AZ_REGISTRY/setup:dev"
SETUP_IMAGE="${_GHCR_REGISTRY}/setup:dev"
;;
"refs/heads/rc")
SETUP_IMAGE="$_AZ_REGISTRY/setup:rc"
SETUP_IMAGE="${_GHCR_REGISTRY}/setup:rc"
;;
"refs/heads/hotfix-rc")
SETUP_IMAGE="$_AZ_REGISTRY/setup:hotfix-rc"
SETUP_IMAGE="${_GHCR_REGISTRY}/setup:hotfix-rc"
;;
esac

@@ -359,8 +370,8 @@ jobs:
cd docker-stub/US; zip -r ../../docker-stub-US.zip ./*; cd ../..
cd docker-stub/EU; zip -r ../../docker-stub-EU.zip ./*; cd ../..

- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main
- name: Log out from GHCR
run: docker logout ghcr.io

- name: Upload Docker stub US artifact
if: |
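Review bot: `is_publish_branch`, which both Cosign `if:` conditions now depend on (`env.is_publish_branch == 'true'`), is not defined anywhere in the visible parts of this file; the workflow-level `env` block lists only `_AZ_REGISTRY`, `_GHCR_REGISTRY` and `_GITHUB_PR_REPO_NAME`, so presumably a step outside the shown hunks writes it to `$GITHUB_ENV`. If that variable is ever unset or renamed, the expression is simply false and the image is pushed to both registries unsigned without the job failing. I would add a comment above each condition such as `# is_publish_branch is exported to GITHUB_ENV by the "<step name>" step` and consider a check that fails a publish-branch push when no signature was produced. Separately, `packages: write` is granted to the whole build job, which also runs on `pull_request`; the new "Log in to GHCR" step shows no `if:` in this hunk, so it is worth confirming that PR builds which should not publish never reach a push with that token.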
29 changes: 28 additions & 1 deletion .github/workflows/publish.yml
@@ -24,6 +24,7 @@ on:

env:
_AZ_REGISTRY: "bitwardenprod.azurecr.io"
_GHCR_REGISTRY: "ghcr.io/bitwarden"

jobs:
setup:
@@ -69,6 +70,7 @@ jobs:
permissions:
contents: read
id-token: write
packages: write
env:
_RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
_BRANCH_NAME: ${{ inputs.branch }}
@@ -107,7 +109,32 @@ jobs:
echo "PROJECT_NAME: $PROJECT_NAME"
echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"

########## ACR PROD ##########
########## GHCR ##########
- name: Log in to GHCR
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Push version image
env:
PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
run: |
if [[ "${{ inputs.dry_run }}" == "true" ]]; then
skopeo copy --all \
"docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
"docker://$_GHCR_REGISTRY/$PROJECT_NAME:dryrun"
else
skopeo copy --all \
"docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_BRANCH_NAME" \
"docker://$_GHCR_REGISTRY/$PROJECT_NAME:$_RELEASE_VERSION"
fi

- name: Log out from GHCR
run: docker logout ghcr.io

########## ACR ##########
- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
with:
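Review bot: The new "Push version image" step splices `${{ inputs.dry_run }}` straight into the shell script, while the same step already passes `PROJECT_NAME` through `env:`; expression text substituted into `run:` is evaluated by the shell, so the input should go the same way, with `DRY_RUN: ${{ inputs.dry_run }}` under `env:` and `if [[ "$DRY_RUN" == "true" ]]; then` in the script. The copy also promotes whatever the mutable `$_BRANCH_NAME` tag resolves to at run time, so the released image is not tied to a specific build. Since build.yml now signs publish-branch images, resolving the source tag to a digest and verifying its Cosign signature before the `skopeo copy` would pin what gets released. The rest of the job's steps, including the ACR section that follows, are outside the shown hunk.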