Build CLI #3030
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build CLI | |
on: | |
pull_request: | |
push: | |
branches: | |
- "main" | |
- "rc" | |
- "hotfix-rc" | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
setup: | |
name: Setup | |
runs-on: ubuntu-22.04 | |
outputs: | |
package_version: ${{ steps.retrieve-version.outputs.package_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Get Package Version | |
id: retrieve-version | |
run: | | |
VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") | |
echo "package_version=$VERSION" >> $GITHUB_OUTPUT | |
build: | |
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
needs: | |
- setup | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- os: macos-12 | |
target: x86_64-apple-darwin | |
- os: macos-12 | |
target: aarch64-apple-darwin | |
- os: windows-2022 | |
target: x86_64-pc-windows-msvc | |
- os: windows-2022 | |
target: aarch64-pc-windows-msvc | |
- os: ubuntu-22.04 | |
target: x86_64-unknown-linux-gnu | |
- os: ubuntu-22.04 | |
target: aarch64-unknown-linux-gnu | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
with: | |
toolchain: stable | |
targets: ${{ matrix.settings.target }} | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 | |
with: | |
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
- name: Install Cross (aarch64-unknown-linux-gnu) | |
if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} | |
run: cargo install cross --locked | |
- name: Build | |
if: ${{ matrix.settings.target != 'aarch64-unknown-linux-gnu' }} | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Build (aarch64-unknown-linux-gnu) | |
if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cross build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Login to Azure | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets macos | |
if: runner.os == 'macos' | |
id: retrieve-secrets-macos | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "macos-bws-notarization-apple-id, | |
macos-bws-notarization-team-id, | |
macos-bws-notarization-password, | |
macos-bws-certificate-name" | |
- name: Decrypt secrets | |
if: runner.os == 'macos' | |
env: | |
DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} | |
run: | | |
mkdir -p $HOME/secrets | |
gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ | |
--output "$HOME/secrets/devid-app-cert.p12" \ | |
"$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" | |
- name: Set up keychain | |
if: runner.os == 'macos' | |
env: | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
run: | | |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security set-keychain-settings -lut 1200 build.keychain | |
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
- name: Sign macos | |
if: runner.os == 'macos' | |
env: | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v | |
- name: Notarize app macos | |
if: runner.os == 'macos' | |
env: | |
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} | |
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} | |
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} | |
run: | | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
echo "Creating temp notarization archive" | |
ditto -c -k --keepParent "./target/${{ matrix.settings.target }}/release/bws" "notarization.zip" | |
echo "Notarize app" | |
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait | |
echo "Attach staple" | |
xcrun stapler staple "./target/${{ matrix.settings.target }}/release/bws" | |
- name: Retrieve secrets windows | |
if: runner.os == 'Windows' | |
id: retrieve-secrets-windows | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "code-signing-vault-url, | |
code-signing-client-id, | |
code-signing-tenant-id, | |
code-signing-client-secret, | |
code-signing-cert-name" | |
- name: Install AST | |
if: runner.os == 'Windows' | |
run: dotnet tool install --global AzureSignTool --version 4.0.1 | |
- name: Sign windows binary | |
if: runner.os == 'Windows' | |
env: | |
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} | |
SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} | |
SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }} | |
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }} | |
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }} | |
run: | | |
azuresigntool sign -v \ | |
-kvu $SIGNING_VAULT_URL \ | |
-kvi $SIGNING_CLIENT_ID \ | |
-kvt $SIGNING_TENANT_ID \ | |
-kvs $SIGNING_CLIENT_SECRET \ | |
-kvc $SIGNING_CERT_NAME \ | |
-fd sha256 \ | |
-du https://bitwarden.com \ | |
-tr http://timestamp.digicert.com \ | |
./target/${{ matrix.settings.target }}/release/bws.exe | |
- name: Zip Windows | |
shell: cmd | |
if: runner.os == 'Windows' | |
run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe | |
- name: Zip Unix | |
if: runner.os != 'Windows' | |
run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws | |
- name: Upload artifact | |
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 | |
with: | |
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
macos-universal-binary: | |
name: Generate universal macOS binary | |
runs-on: macos-12 | |
needs: | |
- setup | |
- build | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Download x86_64-apple-darwin artifact | |
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 | |
with: | |
name: bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
- name: Download aarch64-apple-darwin artifact | |
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0 | |
with: | |
name: bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
- name: Unzip artifacts | |
run: | | |
unzip bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-x86_64-apple-darwin | |
unzip bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-aarch64-apple-darwin | |
- name: lipo create universal package | |
run: | | |
mkdir ./bws-macos-universal | |
lipo -create -output ./bws-macos-universal/bws ./bws-x86_64-apple-darwin/bws ./bws-aarch64-apple-darwin/bws | |
- name: Zip universal artifact | |
run: zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws | |
- name: Upload artifact | |
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 | |
with: | |
name: bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
third_party: | |
name: Generate THIRDPARTY.html | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
with: | |
toolchain: stable | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 | |
with: | |
key: cargo-cli-about | |
- name: Install cargo-about | |
run: cargo install cargo-about | |
- name: Generate THIRDPARTY.html | |
working-directory: ./crates/bws | |
run: | | |
cargo about generate ../../about.hbs > THIRDPARTY.html | |
sed -i.bak 's/\$NAME\$/Bitwarden Secrets Manager CLI/g' THIRDPARTY.html | |
- name: Upload artifact | |
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 | |
with: | |
name: THIRDPARTY.html | |
path: ./crates/bws/THIRDPARTY.html | |
if-no-files-found: error |