From 9fd50ccdd53fa0d0ed4e3f513c153c78047cc3ac Mon Sep 17 00:00:00 2001 From: Vince Grassia <593223+vgrassia@users.noreply.github.com> Date: Thu, 30 Apr 2026 19:33:20 -0400 Subject: [PATCH] Checkout workflow fix from main --- .github/workflows/build-cli.yml | 65 +++------------- .github/workflows/build-desktop.yml | 116 +++++++--------------------- 2 files changed, 38 insertions(+), 143 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index f6cc961ce5e..0d8b4156b1c 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -247,25 +247,28 @@ jobs: zip "../../bw${{ matrix.license_type.artifact_prefix }}-$_LOWER_RUNNER_OS${{ matrix.os.target_suffix }}-$_PACKAGE_VERSION.zip" ./bw - name: Set up private auth key + id: setup-auth-key if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} env: - _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | mkdir ~/private_keys - cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - $_APP_STORE_CONNECT_AUTH_KEY + KEY_PATH="$HOME/private_keys/auth_key.p8" + cat << EOF > "$KEY_PATH" + $APP_STORE_CONNECT_AUTH_KEY EOF + echo "auth-key-path=$KEY_PATH" >> $GITHUB_OUTPUT - name: Notarize app if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }} env: APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} - APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP - APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 + APP_STORE_CONNECT_AUTH_KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} + APP_STORE_CONNECT_AUTH_KEY_PATH: ${{ steps.setup-auth-key.outputs.auth-key-path }} _LOWER_RUNNER_OS: ${{ env.LOWER_RUNNER_OS }} run: | echo "Create keychain profile" - xcrun notarytool store-credentials "notarytool-profile" --key-id "$APP_STORE_CONNECT_AUTH_KEY" --key "$APP_STORE_CONNECT_AUTH_KEY_PATH" --issuer "$APP_STORE_CONNECT_TEAM_ISSUER" + xcrun notarytool store-credentials "notarytool-profile" --key-id "$APP_STORE_CONNECT_AUTH_KEY_ID" --key "$APP_STORE_CONNECT_AUTH_KEY_PATH" --issuer "$APP_STORE_CONNECT_TEAM_ISSUER" codesign --sign "Developer ID Application: Bitwarden Inc" --verbose=3 --force --options=runtime --timestamp "./dist/bw${{ matrix.license_type.artifact_prefix }}-$_LOWER_RUNNER_OS${{ matrix.os.target_suffix }}-$_PACKAGE_VERSION.zip" 
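Review bot: The `Set up private auth key` step writes the App Store Connect private key under the runner's default umask, so `~/private_keys` and `auth_key.p8` can end up readable by other local accounts. This matters most on self-hosted or reused runners. Putting `umask 077` on the first line of the `run` block, or `chmod 600 "$KEY_PATH"` after the heredoc, restricts both to the build user. Quoting the redirect target as `>> "$GITHUB_OUTPUT"` is also worth doing while the line is being added. The same step is changed identically in the build-desktop.yml hunks at -1430 and -1710.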
@@ -615,53 +618,3 @@ jobs: name: bw_${{ env._PACKAGE_VERSION }}_amd64.snap path: apps/cli/dist/snap/bw_${{ env._PACKAGE_VERSION }}_amd64.snap if-no-files-found: error - - - check-failures: - name: Check for failures - if: always() - runs-on: ubuntu-24.04 - permissions: - contents: read - id-token: write - needs: - - setup - - cli - - cli-windows - - snap - steps: - - name: Check if any job failed - working-directory: ${{ github.workspace }} - if: | - github.event_name != 'pull_request_target' - && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-cli') - && contains(needs.*.result, 'failure') - run: exit 1 - - - name: Log in to Azure - if: failure() - uses: bitwarden/gh-actions/azure-login@main - with: - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - client_id: ${{ secrets.AZURE_CLIENT_ID }} - - - name: Retrieve secrets - id: retrieve-secrets - if: failure() - uses: bitwarden/gh-actions/get-keyvault-secrets@main - with: - keyvault: "bitwarden-ci" - secrets: "devops-alerts-slack-webhook-url" - - - name: Log out from Azure - if: failure() - uses: bitwarden/gh-actions/azure-logout@main - - - name: Notify Slack on failure - uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 - if: failure() - env: - SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} - with: - status: ${{ job.status }} diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml index ee2926f104d..40523f294ed 100644 --- a/.github/workflows/build-desktop.yml +++ b/.github/workflows/build-desktop.yml 
@@ -1430,19 +1430,22 @@ jobs: cp -r "$GITHUB_WORKSPACE/browser-build-artifacts/Safari/dmg/build/Release/safari.appex" PlugIns/safari.appex - name: Set up private auth key + id: setup-auth-key env: - _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | mkdir ~/private_keys - cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - $_APP_STORE_CONNECT_AUTH_KEY + KEY_PATH="$HOME/private_keys/auth_key.p8" + cat << EOF > "$KEY_PATH" + $APP_STORE_CONNECT_AUTH_KEY EOF + echo "auth-key-path=$KEY_PATH" >> $GITHUB_OUTPUT - name: Build application (dist) env: APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} - APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP - APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 + APP_STORE_CONNECT_AUTH_KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} + APP_STORE_CONNECT_AUTH_KEY_PATH: ${{ steps.setup-auth-key.outputs.auth-key-path }} CSC_FOR_PULL_REQUEST: true run: npm run pack:mac @@ -1563,7 +1566,7 @@ jobs: uses: bitwarden/gh-actions/get-keyvault-secrets@main with: keyvault: bitwarden-ci - secrets: "slack-bot-token" + secrets: "slack-webhook-alerts-deploy-qa" - name: Download Provisioning Profiles secrets env: @@ -1586,9 +1589,6 @@ jobs: run: | mkdir -p "$HOME/certificates" - az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | - jq -r .value | base64 -d > "$HOME/certificates/bitwarden-desktop-key.p12" - az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | jq -r .value | base64 -d > "$HOME/certificates/appstore-app-cert.p12" 
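Review bot: The key ID is now exported as `APP_STORE_CONNECT_AUTH_KEY_ID` in `Build application (dist)`, but whatever `npm run pack:mac` runs to read it is not part of this patch, which changes only the two workflow files. If the signing or notarization code on this branch still reads `APP_STORE_CONNECT_AUTH_KEY`, it will see no key ID, and notarization would presumably fail or be skipped. Please confirm the consumer was renamed on this branch as well. If it cannot change in the same commit, keep `APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }}` alongside the new name for now. The same rename appears in the `pack:mac:mas` hunk at -1710 and in the step at -1776.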
@@ -1613,9 +1613,6 @@ jobs: security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ - -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild @@ -1710,19 +1707,22 @@ jobs: cp -r "$GITHUB_WORKSPACE/browser-build-artifacts/Safari/mas/build/Release/safari.appex" "PlugIns/safari.appex" - name: Set up private auth key + id: setup-auth-key env: - _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} + APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }} run: | mkdir ~/private_keys - cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8 - $_APP_STORE_CONNECT_AUTH_KEY + KEY_PATH="$HOME/private_keys/auth_key.p8" + cat << EOF > "$KEY_PATH" + $APP_STORE_CONNECT_AUTH_KEY EOF + echo "auth-key-path=$KEY_PATH" >> $GITHUB_OUTPUT - name: Build application for App Store env: APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} - APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP - APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8 + APP_STORE_CONNECT_AUTH_KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} + APP_STORE_CONNECT_AUTH_KEY_PATH: ${{ steps.setup-auth-key.outputs.auth-key-path }} CSC_FOR_PULL_REQUEST: true run: npm run pack:mac:mas 
@@ -1756,15 +1756,17 @@ jobs: && (inputs.testflight_distribute || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-desktop') env: _APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} + _APP_STORE_CONNECT_AUTH_KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} + APP_STORE_CONNECT_AUTH_KEY_PATH: ${{ steps.setup-auth-key.outputs.auth-key-path }} run: | brew install gsed - KEY_WITHOUT_NEWLINES=$(gsed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' ~/private_keys/AuthKey_6TV9MKN3GP.p8) + KEY_WITHOUT_NEWLINES=$(gsed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "$APP_STORE_CONNECT_AUTH_KEY_PATH") cat << EOF > ~/secrets/appstoreconnect-fastlane.json { "issuer_id": "$_APP_STORE_CONNECT_TEAM_ISSUER", - "key_id": "6TV9MKN3GP", + "key_id": "$_APP_STORE_CONNECT_AUTH_KEY_ID", "key": "$KEY_WITHOUT_NEWLINES" } EOF @@ -1776,7 +1778,7 @@ jobs: && (inputs.testflight_distribute || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-desktop') env: APP_STORE_CONNECT_TEAM_ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }} - APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP + APP_STORE_CONNECT_AUTH_KEY_ID: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-ID }} BRANCH: ${{ github.ref }} run: | @@ -1797,11 +1799,10 @@ jobs: if: | github.event_name != 'pull_request_target' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-desktop') - uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 + uses: slackapi/slack-github-action@03ea5433c137af7c0495bc0cad1af10403fc800c # v3.0.2 with: - channel-id: C074F5UESQ0 - method: chat.postMessage - token: ${{ steps.retrieve-slack-secret.outputs.slack-bot-token }} + webhook: ${{ steps.retrieve-slack-secret.outputs.slack-webhook-alerts-deploy-qa }} + webhook-type: incoming-webhook payload: | { "blocks": [ 
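Review bot: `_APP_STORE_CONNECT_AUTH_KEY_ID` is interpolated into `appstoreconnect-fastlane.json` without a check that it is set, and no hunk in this patch adds `APP-STORE-CONNECT-AUTH-ID` to the `secrets:` input of the `get-kv-secrets` step. If that secret is not already requested on this branch, the output expands to an empty string and the file is written with `"key_id": ""`, which only surfaces later as an authentication failure. A guard at the top of the `run` block, `: "${_APP_STORE_CONNECT_AUTH_KEY_ID:?key id not retrieved}" "${APP_STORE_CONNECT_AUTH_KEY_PATH:?key path not set}"`, would fail the step where the mistake is. The same output is read in the build-cli.yml hunk and in the hunks at -1430, -1710 and -1776; this step begins before the hunk.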
@@ -1848,17 +1849,17 @@ jobs: id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main with: - keyvault: "bitwarden-ci" - secrets: "crowdin-api-token" + keyvault: "gh-clients" + secrets: "CROWDIN-API-TOKEN" - name: Log out from Azure uses: bitwarden/gh-actions/azure-logout@main - name: Upload Sources - uses: crowdin/github-action@8818ff65bfc4322384f983ea37e3926948c11745 # v2.15.0 + uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }} + CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.CROWDIN-API-TOKEN }} CROWDIN_PROJECT_ID: "299360" with: config: apps/desktop/crowdin.yml 
@@ -2186,62 +2187,3 @@ jobs: echo "Bitwarden is not running." exit 1 fi - - check-failures: - name: Check for failures - if: always() - runs-on: ubuntu-22.04 - needs: - - electron-verify - - browser-build - - setup - - linux - - windows - - macos-build - - macos-package-github - - macos-package-mas - - crowdin-push - - validate-linux-x64-deb - - validate-linux-x64-appimage - - validate-linux-flatpak - - validate-linux-snap - - validate-linux-wayland - - validate-macos-dmg - - validate-windows-portable - permissions: - contents: read - id-token: write - steps: - - name: Check if any job failed - if: | - github.event_name != 'pull_request_target' - && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc-desktop') - && contains(needs.*.result, 'failure') - run: exit 1 - - - name: Log in to Azure - if: failure() - uses: bitwarden/gh-actions/azure-login@main - with: - subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - tenant_id: ${{ secrets.AZURE_TENANT_ID }} - client_id: ${{ secrets.AZURE_CLIENT_ID }} - - - name: Retrieve secrets - id: retrieve-secrets - if: failure() - uses: bitwarden/gh-actions/get-keyvault-secrets@main - with: - keyvault: "bitwarden-ci" - secrets: "devops-alerts-slack-webhook-url" - - - name: Log out from Azure - uses: bitwarden/gh-actions/azure-logout@main - - - name: Notify Slack on failure - uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 - if: failure() - env: - SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} - with: - status: ${{ job.status }}