fix: add permission check for collection management api, refs AC-1647 #11376
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build | |
on: | |
push: | |
branches-ignore: | |
- "l10n_master" | |
- "gh-pages" | |
paths-ignore: | |
- ".github/workflows/**" | |
workflow_dispatch: | |
env: | |
_AZ_REGISTRY: "bitwardenprod.azurecr.io" | |
jobs: | |
cloc: | |
name: CLOC | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Install cloc | |
run: | | |
sudo apt-get update | |
sudo apt-get -y install cloc | |
- name: Print lines of code | |
run: cloc --include-lang C#,SQL,Razor,"Bourne Shell",PowerShell,HTML,CSS,Sass,JavaScript,TypeScript --vcs git | |
lint: | |
name: Lint | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Set up dotnet | |
uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 | |
- name: Verify Format | |
run: dotnet format --verify-no-changes | |
testing: | |
name: Testing | |
runs-on: ubuntu-22.04 | |
env: | |
NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Set up dotnet | |
uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 | |
- name: Print environment | |
run: | | |
dotnet --info | |
nuget help | grep Version | |
echo "GitHub ref: $GITHUB_REF" | |
echo "GitHub event: $GITHUB_EVENT" | |
- name: Restore | |
run: dotnet restore --locked-mode | |
shell: pwsh | |
- name: Remove SQL proj | |
run: dotnet sln bitwarden-server.sln remove src/Sql/Sql.sqlproj | |
- name: Build OSS solution | |
run: dotnet build bitwarden-server.sln -p:Configuration=Debug -p:DefineConstants="OSS" --verbosity minimal | |
shell: pwsh | |
- name: Build solution | |
run: dotnet build bitwarden-server.sln -p:Configuration=Debug --verbosity minimal | |
shell: pwsh | |
- name: Test OSS solution | |
run: dotnet test ./test --configuration Debug --no-build --logger "trx;LogFileName=oss-test-results.trx" | |
shell: pwsh | |
- name: Test Bitwarden solution | |
run: dotnet test ./bitwarden_license/test --configuration Debug --no-build --logger "trx;LogFileName=bw-test-results.trx" | |
shell: pwsh | |
- name: Report test results | |
uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0 | |
if: always() | |
with: | |
name: Test Results | |
path: "**/*-test-results.trx" | |
reporter: dotnet-trx | |
fail-on-error: true | |
build-artifacts: | |
name: Build artifacts | |
runs-on: ubuntu-22.04 | |
needs: | |
- testing | |
- lint | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- project_name: Admin | |
base_path: ./src | |
node: true | |
- project_name: Api | |
base_path: ./src | |
- project_name: Billing | |
base_path: ./src | |
- project_name: Events | |
base_path: ./src | |
- project_name: EventsProcessor | |
base_path: ./src | |
- project_name: Icons | |
base_path: ./src | |
- project_name: Identity | |
base_path: ./src | |
- project_name: MsSqlMigratorUtility | |
base_path: ./util | |
dotnet: true | |
- project_name: Notifications | |
base_path: ./src | |
- project_name: Scim | |
base_path: ./bitwarden_license/src | |
dotnet: true | |
- project_name: Server | |
base_path: ./util | |
- project_name: Setup | |
base_path: ./util | |
- project_name: Sso | |
base_path: ./bitwarden_license/src | |
node: true | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Set up dotnet | |
uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 | |
- name: Set up Node | |
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 | |
with: | |
cache: "npm" | |
cache-dependency-path: "**/package-lock.json" | |
node-version: "16" | |
- name: Print environment | |
run: | | |
whoami | |
dotnet --info | |
node --version | |
npm --version | |
echo "GitHub ref: $GITHUB_REF" | |
echo "GitHub event: $GITHUB_EVENT" | |
- name: Restore/Clean project | |
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} | |
run: | | |
echo "Restore" | |
dotnet restore | |
echo "Clean" | |
dotnet clean -c "Release" -o obj/build-output/publish | |
- name: Build node | |
if: ${{ matrix.node }} | |
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} | |
run: | | |
npm ci | |
npm run build | |
- name: Publish project | |
working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }} | |
run: | | |
echo "Publish" | |
dotnet publish -c "Release" -o obj/build-output/publish | |
cd obj/build-output/publish | |
zip -r ${{ matrix.project_name }}.zip . | |
mv ${{ matrix.project_name }}.zip ../../../ | |
pwd | |
ls -atlh ../../../ | |
- name: Upload project artifact | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: ${{ matrix.project_name }}.zip | |
path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip | |
if-no-files-found: error | |
build-docker: | |
name: Build Docker images | |
runs-on: ubuntu-22.04 | |
needs: build-artifacts | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- project_name: Admin | |
base_path: ./src | |
dotnet: true | |
- project_name: Api | |
base_path: ./src | |
dotnet: true | |
- project_name: Attachments | |
base_path: ./util | |
- project_name: Billing | |
base_path: ./src | |
dotnet: true | |
- project_name: Events | |
base_path: ./src | |
dotnet: true | |
- project_name: EventsProcessor | |
base_path: ./src | |
dotnet: true | |
- project_name: Icons | |
base_path: ./src | |
dotnet: true | |
- project_name: Identity | |
base_path: ./src | |
dotnet: true | |
- project_name: MsSql | |
base_path: ./util | |
- project_name: MsSqlMigratorUtility | |
base_path: ./util | |
dotnet: true | |
- project_name: Nginx | |
base_path: ./util | |
- project_name: Notifications | |
base_path: ./src | |
dotnet: true | |
- project_name: Scim | |
base_path: ./bitwarden_license/src | |
dotnet: true | |
- project_name: Server | |
base_path: ./util | |
dotnet: true | |
- project_name: Setup | |
base_path: ./util | |
dotnet: true | |
- project_name: Sso | |
base_path: ./bitwarden_license/src | |
dotnet: true | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Check Branch to Publish | |
env: | |
PUBLISH_BRANCHES: "master,rc,hotfix-rc" | |
id: publish-branch-check | |
run: | | |
IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES | |
if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then | |
echo "is_publish_branch=true" >> $GITHUB_ENV | |
else | |
echo "is_publish_branch=false" >> $GITHUB_ENV | |
fi | |
########## ACRs ########## | |
- name: Login to Azure - PROD Subscription | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
with: | |
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
- name: Login to PROD ACR | |
run: az acr login -n bitwardenprod | |
- name: Login to Azure - CI Subscription | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve github PAT secrets | |
id: retrieve-secret-pat | |
uses: bitwarden/gh-actions/get-keyvault-secrets@f096207b7a2f31723165aee6ad03e91716686e78 | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
########## Generate image tag and build Docker image ########## | |
- name: Generate Docker image tag | |
id: tag | |
run: | | |
IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name | |
if [[ "$IMAGE_TAG" == "master" ]]; then | |
IMAGE_TAG=dev | |
fi | |
echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT | |
- name: Setup project name | |
id: setup | |
run: | | |
PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}') | |
echo "Matrix name: ${{ matrix.project_name }}" | |
echo "PROJECT_NAME: $PROJECT_NAME" | |
echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT | |
- name: Generate image full name | |
id: image-name | |
env: | |
IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} | |
PROJECT_NAME: ${{ steps.setup.outputs.project_name }} | |
run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
- name: Get build artifact | |
if: ${{ matrix.dotnet }} | |
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
with: | |
name: ${{ matrix.project_name }}.zip | |
- name: Setup build artifact | |
if: ${{ matrix.dotnet }} | |
run: | | |
mkdir -p ${{ matrix.base_path}}/${{ matrix.project_name }}/obj/build-output/publish | |
unzip ${{ matrix.project_name }}.zip \ | |
-d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish | |
- name: Build Docker image | |
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 | |
with: | |
context: ${{ matrix.base_path }}/${{ matrix.project_name }} | |
file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile | |
platforms: linux/amd64 | |
push: true | |
tags: ${{ steps.image-name.outputs.name }} | |
secrets: | | |
"GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" | |
upload: | |
name: Upload | |
runs-on: ubuntu-22.04 | |
needs: build-docker | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Set up dotnet | |
uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 | |
- name: Login to Azure - PROD Subscription | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
with: | |
creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
- name: Login to PROD ACR | |
run: az acr login -n $_AZ_REGISTRY --only-show-errors | |
- name: Restore | |
run: dotnet tool restore | |
- name: Make Docker stubs | |
if: github.ref == 'refs/heads/master' || | |
github.ref == 'refs/heads/rc' || | |
github.ref == 'refs/heads/hotfix-rc' | |
run: | | |
# Set proper setup image based on branch | |
case "${{ github.ref }}" in | |
"refs/heads/master") | |
SETUP_IMAGE="$_AZ_REGISTRY/setup:dev" | |
;; | |
"refs/heads/rc") | |
SETUP_IMAGE="$_AZ_REGISTRY/setup:rc" | |
;; | |
"refs/heads/hotfix-rc") | |
SETUP_IMAGE="$_AZ_REGISTRY/setup:hotfix-rc" | |
;; | |
esac | |
STUB_OUTPUT=$(pwd)/docker-stub | |
# Run setup | |
docker run -i --rm --name setup -v $STUB_OUTPUT/US:/bitwarden $SETUP_IMAGE \ | |
dotnet Setup.dll -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region US | |
docker run -i --rm --name setup -v $STUB_OUTPUT/EU:/bitwarden $SETUP_IMAGE \ | |
dotnet Setup.dll -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region EU | |
sudo chown -R $(whoami):$(whoami) $STUB_OUTPUT | |
# Remove extra directories and files | |
rm -rf $STUB_OUTPUT/US/letsencrypt | |
rm -rf $STUB_OUTPUT/EU/letsencrypt | |
rm $STUB_OUTPUT/US/env/uid.env $STUB_OUTPUT/US/config.yml | |
rm $STUB_OUTPUT/EU/env/uid.env $STUB_OUTPUT/EU/config.yml | |
# Create uid environment files | |
touch $STUB_OUTPUT/US/env/uid.env | |
touch $STUB_OUTPUT/EU/env/uid.env | |
# Zip up the Docker stub files | |
cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../.. | |
cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../.. | |
- name: Make Docker stub checksums | |
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc' | |
run: | | |
sha256sum docker-stub-US.zip > docker-stub-US-sha256.txt | |
sha256sum docker-stub-EU.zip > docker-stub-EU-sha256.txt | |
- name: Upload Docker stub US artifact | |
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc' | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: docker-stub-US.zip | |
path: docker-stub-US.zip | |
if-no-files-found: error | |
- name: Upload Docker stub EU artifact | |
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc' | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: docker-stub-EU.zip | |
path: docker-stub-EU.zip | |
if-no-files-found: error | |
- name: Upload Docker stub US checksum artifact | |
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc' | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: docker-stub-US-sha256.txt | |
path: docker-stub-US-sha256.txt | |
if-no-files-found: error | |
- name: Upload Docker stub EU checksum artifact | |
if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc' | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: docker-stub-EU-sha256.txt | |
path: docker-stub-EU-sha256.txt | |
if-no-files-found: error | |
- name: Build Swagger | |
run: | | |
cd ./src/Api | |
echo "Restore" | |
dotnet restore | |
echo "Clean" | |
dotnet clean -c "Release" -o obj/build-output/publish | |
echo "Publish" | |
dotnet publish -c "Release" -o obj/build-output/publish | |
dotnet swagger tofile --output ../../swagger.json --host https://api.bitwarden.com \ | |
./obj/build-output/publish/Api.dll public | |
cd ../.. | |
env: | |
ASPNETCORE_ENVIRONMENT: Production | |
swaggerGen: "True" | |
DOTNET_ROLL_FORWARD_ON_NO_CANDIDATE_FX: 2 | |
GLOBALSETTINGS__SQLSERVER__CONNECTIONSTRING: "placeholder" | |
- name: Upload Swagger artifact | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: swagger.json | |
path: swagger.json | |
if-no-files-found: error | |
build-mssqlmigratorutility: | |
name: Build MsSqlMigratorUtility | |
runs-on: ubuntu-22.04 | |
needs: lint | |
defaults: | |
run: | |
shell: bash | |
working-directory: "util/MsSqlMigratorUtility" | |
strategy: | |
fail-fast: false | |
matrix: | |
target: | |
- osx-x64 | |
- linux-x64 | |
- win-x64 | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Set up dotnet | |
uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 | |
- name: Print environment | |
run: | | |
whoami | |
dotnet --info | |
echo "GitHub ref: $GITHUB_REF" | |
echo "GitHub event: $GITHUB_EVENT" | |
- name: Restore project | |
run: | | |
echo "Restore" | |
dotnet restore | |
- name: Publish project | |
run: | | |
dotnet publish -c "Release" -o obj/build-output/publish -r ${{ matrix.target }} -p:PublishSingleFile=true \ | |
-p:IncludeNativeLibrariesForSelfExtract=true --self-contained true | |
- name: Upload project artifact Windows | |
if: ${{ contains(matrix.target, 'win') == true }} | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: MsSqlMigratorUtility-${{ matrix.target }} | |
path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility.exe | |
if-no-files-found: error | |
- name: Upload project artifact | |
if: ${{ contains(matrix.target, 'win') == false }} | |
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
with: | |
name: MsSqlMigratorUtility-${{ matrix.target }} | |
path: util/MsSqlMigratorUtility/obj/build-output/publish/MsSqlMigratorUtility | |
if-no-files-found: error | |
self-host-build: | |
name: Trigger self-host build | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-docker | |
steps: | |
- name: Login to Azure - CI Subscription | |
uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf # v1.4.3 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve github PAT secrets | |
id: retrieve-secret-pat | |
uses: bitwarden/gh-actions/get-keyvault-secrets@f096207b7a2f31723165aee6ad03e91716686e78 | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "github-pat-bitwarden-devops-bot-repo-scope" | |
- name: Trigger self-host build | |
uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 | |
with: | |
github-token: ${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }} | |
script: | | |
await github.rest.actions.createWorkflowDispatch({ | |
owner: 'bitwarden', | |
repo: 'self-host', | |
workflow_id: 'build-unified.yml', | |
ref: 'master', | |
inputs: { | |
server_branch: '${{ github.ref }}' | |
} | |
}) | |
check-failures: | |
name: Check for failures | |
if: always() | |
runs-on: ubuntu-22.04 | |
needs: | |
- cloc | |
- lint | |
- testing | |
- build-artifacts | |
- build-docker | |
- upload | |
- build-mssqlmigratorutility | |
- self-host-build | |
steps: | |
- name: Check if any job failed | |
if: | | |
github.ref == 'refs/heads/master' | |
|| github.ref == 'refs/heads/rc' | |
|| github.ref == 'refs/heads/hotfix-rc' | |
env: | |
CLOC_STATUS: ${{ needs.cloc.result }} | |
LINT_STATUS: ${{ needs.lint.result }} | |
TESTING_STATUS: ${{ needs.testing.result }} | |
BUILD_ARTIFACTS_STATUS: ${{ needs.build-artifacts.result }} | |
BUILD_DOCKER_STATUS: ${{ needs.build-docker.result }} | |
UPLOAD_STATUS: ${{ needs.upload.result }} | |
BUILD_MSSQLMIGRATORUTILITY_STATUS: ${{ needs.build-mssqlmigratorutility.result }} | |
TRIGGER_SELF_HOST_BUILD_STATUS: ${{ needs.self-host-build.result }} | |
run: | | |
if [ "$CLOC_STATUS" = "failure" ]; then | |
exit 1 | |
elif [ "$LINT_STATUS" = "failure" ]; then | |
exit 1 | |
elif [ "$TESTING_STATUS" = "failure" ]; then | |
exit 1 | |
elif [ "$BUILD_ARTIFACTS_STATUS" = "failure" ]; then | |
exit 1 | |
elif [ "$BUILD_DOCKER_STATUS" = "failure" ]; then | |
exit 1 | |
elif [ "$UPLOAD_STATUS" = "failure" ]; then | |
exit 1 | |
elif [ "$BUILD_MSSQLMIGRATORUTILITY_STATUS" = "failure" ]; then | |
exit 1 | |
elif [ "$TRIGGER_SELF_HOST_BUILD_STATUS" = "failure" ]; then | |
exit 1 | |
fi | |
- name: Login to Azure - CI subscription | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
if: failure() | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
uses: bitwarden/gh-actions/get-keyvault-secrets@f096207b7a2f31723165aee6ad03e91716686e78 | |
if: failure() | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "devops-alerts-slack-webhook-url" | |
- name: Notify Slack on failure | |
uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} | |
with: | |
status: ${{ job.status }} |