server/.github/workflows/repository-management.yml
Amy Galles fcb08cf5c0 Fix/repository management remove tokens (#7626)
* Remove BW-GHAPP tokens from repository-management workflow

- Remove all Azure Key Vault and BW-GHAPP token generation
- Use github.token instead of app token
- Use github-actions[bot] email instead of actions@github.com
- Create PR with version bump instead of pushing directly to main
- Update permissions (remove id-token, add pull-requests for bump_version)
- No GPG signing to remove (wasn't present)

* Fix template injection security issue

* Remove BW-GHAPP tokens from repository-management workflow

- Remove all Azure Key Vault and BW-GHAPP token generation
- Use github.token instead of app token
- Use github-actions[bot] email instead of actions@github.com
- Create PR with version bump instead of pushing directly to main
- Update permissions (remove id-token, add pull-requests for bump_version)
- Add 'version update' label to automated PRs
- Fix template injection security issue
2026-05-13 09:46:42 +02:00


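# Manually triggered repository-management workflow.
#
# Every run bumps the version in Directory.Build.props on a fresh
# `version-bump-<timestamp>` branch and opens a PR against main. When the
# chosen task also asks for a cut, a second job creates the `rc` or
# `hotfix-rc` branch from `target_ref`, and a reusable workflow then moves
# the EDD database scripts.
#
# All user-controlled values reach shell steps only through `env:` so they
# are never interpolated into the script text itself.
name: Repository management

on:
  workflow_dispatch:
    inputs:
      task:
        default: "Version Bump"
        description: "Task to execute"
        options:
          - "Version Bump"
          - "Version Bump and Cut rc"
          - "Version Bump and Cut hotfix-rc"
        required: true
        type: choice
      target_ref:
        default: "main"
        description: "Branch/Tag to target for cut"
        required: true
        type: string
      version_number_override:
        description: "New version override (leave blank for automatic calculation, example: '2024.1.0')"
        required: false
        type: string

# No default token scopes at the workflow level; each job declares only
# what it needs.
permissions: {}

jobs:
  setup:
    name: Setup
    runs-on: ubuntu-24.04
    outputs:
      # "none" when no branch is to be cut, otherwise "rc" or "hotfix-rc".
      branch: ${{ steps.set-branch.outputs.branch }}
    permissions: {}
    steps:
      - name: Set branch
        id: set-branch
        env:
          # Read from the environment, not interpolated into the script.
          TASK: ${{ inputs.task }}
        run: |
          if [[ "$TASK" == "Version Bump" ]]; then
            BRANCH="none"
          elif [[ "$TASK" == "Version Bump and Cut rc" ]]; then
            BRANCH="rc"
          elif [[ "$TASK" == "Version Bump and Cut hotfix-rc" ]]; then
            BRANCH="hotfix-rc"
          else
            # Unreachable for the declared `choice` options, but fail here
            # rather than emit an empty branch name for cut_branch to act on.
            echo "Unknown task: $TASK" >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"

  bump_version:
    name: Bump Version
    # Run regardless of setup's result, but not when the run was cancelled;
    # a bare always() would also start this job on cancellation.
    if: ${{ !cancelled() }}
    runs-on: ubuntu-24.04
    needs:
      - setup
    outputs:
      version: ${{ steps.set-final-version-output.outputs.version }}
    permissions:
      # contents: write to push the bump branch, pull-requests: write to
      # open the PR with `gh pr create`.
      contents: write
      pull-requests: write
    steps:
      # NOTE(review): actions/checkout below is pinned to a commit SHA, while
      # the bitwarden/gh-actions references float on @main — consider pinning
      # them the same way so a change on that branch cannot alter this run.
      - name: Validate version input format
        if: ${{ inputs.version_number_override != '' }}
        uses: bitwarden/gh-actions/version-check@main
        with:
          version: ${{ inputs.version_number_override }}

      - name: Check out branch
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: main
          token: ${{ github.token }}
          # Credentials stay in the checkout so the later push step can use them.
          persist-credentials: true

      - name: Configure Git
        run: |
          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --local user.name "github-actions[bot]"

      - name: Install xmllint
        run: |
          sudo apt-get update
          sudo apt-get install -y libxml2-utils

      - name: Get current version
        id: current-version
        run: |
          CURRENT_VERSION=$(xmllint -xpath "/Project/PropertyGroup/Version/text()" Directory.Build.props)
          echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"

      - name: Verify input version
        if: ${{ inputs.version_number_override != '' }}
        env:
          CURRENT_VERSION: ${{ steps.current-version.outputs.version }}
          NEW_VERSION: ${{ inputs.version_number_override }}
        run: |
          # Error if version has not changed.
          if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
            echo "Specified override version is the same as the current version." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi
          # Check if version is newer: `sort -C -V` succeeds only when the two
          # values are already in ascending version order.
          if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then
            echo "Version is newer than the current version."
          else
            echo "Version is older than the current version." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

      - name: Calculate next release version
        if: ${{ inputs.version_number_override == '' }}
        id: calculate-next-version
        uses: bitwarden/gh-actions/version-next@main
        with:
          version: ${{ steps.current-version.outputs.version }}

      - name: Bump version props - Version Override
        if: ${{ inputs.version_number_override != '' }}
        id: bump-version-override
        uses: bitwarden/gh-actions/version-bump@main
        with:
          file_path: "Directory.Build.props"
          version: ${{ inputs.version_number_override }}

      - name: Bump version props - Automatic Calculation
        if: ${{ inputs.version_number_override == '' }}
        id: bump-version-automatic
        uses: bitwarden/gh-actions/version-bump@main
        with:
          file_path: "Directory.Build.props"
          version: ${{ steps.calculate-next-version.outputs.version }}

      # Exactly one of the two bump steps ran; pick its version as the job output.
      - name: Set final version output
        id: set-final-version-output
        env:
          VERSION: ${{ inputs.version_number_override }}
          BUMP_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-version-override.outcome }}
          BUMP_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-version-automatic.outcome }}
          CALCULATE_NEXT_VERSION: ${{ steps.calculate-next-version.outputs.version }}
        run: |
          if [[ "${BUMP_VERSION_OVERRIDE_OUTCOME}" = "success" ]]; then
            echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          elif [[ "${BUMP_VERSION_AUTOMATIC_OUTCOME}" = "success" ]]; then
            echo "version=${CALCULATE_NEXT_VERSION}" >> "$GITHUB_OUTPUT"
          fi

      - name: Check if version changed
        id: version-changed
        run: |
          if [ -n "$(git status --porcelain)" ]; then
            echo "changes_to_commit=TRUE" >> "$GITHUB_OUTPUT"
          else
            echo "changes_to_commit=FALSE" >> "$GITHUB_OUTPUT"
            echo "No changes to commit!";
          fi

      - name: Create branch name
        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
        id: create-branch-name
        run: |
          TIMESTAMP=$(date +%Y%m%d-%H%M%S)
          BRANCH_NAME="version-bump-${TIMESTAMP}"
          echo "branch_name=$BRANCH_NAME" >> "$GITHUB_OUTPUT"

      - name: Create branch and commit version bump
        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
        env:
          FINAL_VERSION: ${{ steps.set-final-version-output.outputs.version }}
          BRANCH_NAME: ${{ steps.create-branch-name.outputs.branch_name }}
        run: |
          git checkout -b "$BRANCH_NAME"
          git commit -m "Bumped version to $FINAL_VERSION" -a

      # The bump is proposed via PR; nothing is pushed to main directly.
      - name: Push branch and create PR
        if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
        env:
          BRANCH_NAME: ${{ steps.create-branch-name.outputs.branch_name }}
          VERSION: ${{ steps.set-final-version-output.outputs.version }}
          GH_TOKEN: ${{ github.token }}
        run: |
          git push -u origin "$BRANCH_NAME"
          gh pr create \
            --title "Bump version to $VERSION" \
            --body "Automated version bump created by repository-management workflow" \
            --label "version update" \
            --base main \
            --head "$BRANCH_NAME"

  cut_branch:
    name: Cut branch
    # NOTE(review): bump_version only opens a PR, so the branch cut here from
    # target_ref does not carry the new version until that PR is merged —
    # confirm this ordering is intended.
    if: ${{ needs.setup.outputs.branch != 'none' }}
    needs:
      - setup
      - bump_version
    runs-on: ubuntu-24.04
    permissions:
      contents: write
    steps:
      - name: Check out target ref
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.target_ref }}
          token: ${{ github.token }}
          # Needed for the push in the "Cut branch" step.
          persist-credentials: true
          # Full history so the new branch starts from the complete target ref.
          fetch-depth: 0

      - name: Check if ${{ needs.setup.outputs.branch }} branch exists
        env:
          BRANCH_NAME: ${{ needs.setup.outputs.branch }}
        run: |
          # Refuse to overwrite an existing remote branch.
          if [[ -n "$(git ls-remote --heads origin "$BRANCH_NAME")" ]]; then
            echo "$BRANCH_NAME already exists! Please delete $BRANCH_NAME before running again." >> "$GITHUB_STEP_SUMMARY"
            exit 1
          fi

      - name: Cut branch
        env:
          BRANCH_NAME: ${{ needs.setup.outputs.branch }}
        run: |
          git switch --quiet --create "$BRANCH_NAME"
          git push --quiet --set-upstream origin "$BRANCH_NAME"

  move_edd_db_scripts:
    name: Move EDD database scripts
    needs: cut_branch
    # These scopes are granted to the called reusable workflow.
    # NOTE(review): id-token: write enables OIDC token minting — confirm the
    # called workflow actually needs it.
    permissions:
      pull-requests: write
      contents: write
      id-token: write
      actions: read
    uses: ./.github/workflows/_move_edd_db_scripts.yml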