Skip to content

[PM-5693] Migrate SDK to CryptoService #5662

[PM-5693] Migrate SDK to CryptoService

[PM-5693] Migrate SDK to CryptoService #5662

Workflow file for this run

---
name: Build CLI
on:
pull_request:
push:
branches:
- "main"
workflow_dispatch:
defaults:
run:
shell: bash
jobs:
setup:
name: Setup
runs-on: ubuntu-22.04
outputs:
package_version: ${{ steps.retrieve-version.outputs.package_version }}
sign: ${{ steps.sign.outputs.sign }}
steps:
- name: Checkout repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Get Package Version
id: retrieve-version
run: |
VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
echo "package_version=$VERSION" >> $GITHUB_OUTPUT
- name: Sign if repo is owned by Bitwarden
id: sign
env:
REPO_OWNER: ${{ github.repository_owner }}
run: |
if [[ $REPO_OWNER == bitwarden ]]; then
echo "sign=true" >> $GITHUB_OUTPUT
fi
echo "sign=false" >> $GITHUB_OUTPUT
build-windows:
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
needs: setup
env:
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
strategy:
fail-fast: false
matrix:
settings:
- os: windows-2022
target: x86_64-pc-windows-msvc
- os: windows-2022
target: aarch64-pc-windows-msvc
steps:
- name: Checkout repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install rust
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable
with:
toolchain: stable
targets: ${{ matrix.settings.target }}
- name: Cache cargo registry
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
with:
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }}
- name: Build
env:
TARGET: ${{ matrix.settings.target }}
run: cargo build -p bws --release --target=${{ matrix.settings.target }}
- name: Login to Azure
if: ${{ needs.setup.outputs.sign == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
if: ${{ needs.setup.outputs.sign == 'true' }}
id: retrieve-secrets-windows
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "code-signing-vault-url,
code-signing-client-id,
code-signing-tenant-id,
code-signing-client-secret,
code-signing-cert-name"
- name: Install AST
if: ${{ needs.setup.outputs.sign == 'true' }}
run: dotnet tool install --global AzureSignTool --version 4.0.1
- name: Sign windows binary
if: ${{ needs.setup.outputs.sign == 'true' }}
env:
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }}
SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }}
SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }}
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }}
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }}
run: |
azuresigntool sign -v \
-kvu $SIGNING_VAULT_URL \
-kvi $SIGNING_CLIENT_ID \
-kvt $SIGNING_TENANT_ID \
-kvs $SIGNING_CLIENT_SECRET \
-kvc $SIGNING_CERT_NAME \
-fd sha256 \
-du https://bitwarden.com \
-tr http://timestamp.digicert.com \
./target/${{ matrix.settings.target }}/release/bws.exe
- name: Zip
shell: cmd
run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe
- name: Upload artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
if-no-files-found: error
build-macos:
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
needs: setup
env:
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
strategy:
fail-fast: false
matrix:
settings:
- os: macos-13
target: x86_64-apple-darwin
- os: macos-13
target: aarch64-apple-darwin
steps:
- name: Checkout repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install rust
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable
with:
toolchain: stable
targets: ${{ matrix.settings.target }}
- name: Cache cargo registry
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
with:
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }}
- name: Build
env:
TARGET: ${{ matrix.settings.target }}
run: cargo build -p bws --release --target=${{ matrix.settings.target }}
- name: Login to Azure
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets macos
id: retrieve-secrets-macos
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "macos-bws-notarization-apple-id,
macos-bws-notarization-team-id,
macos-bws-notarization-password,
macos-bws-certificate-name,
macos-bws-installer-certificate-name"
- name: Decrypt secrets
env:
DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
run: |
mkdir -p $HOME/secrets
gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
--output "$HOME/secrets/devid-app-cert.p12" \
"$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg"
- name: Set up keychain
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
run: |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
security set-keychain-settings -lut 1200 build.keychain
ls $HOME/secrets
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
- name: Sign macos
env:
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./target/${{ matrix.settings.target }}/release/bws
- name: Notarize app macos
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }}
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }}
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }}
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: |
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
echo "Creating notarization archive"
zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws
codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
echo "Notarize app"
xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait
- name: Upload artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
if-no-files-found: error
build-linux:
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
needs: setup
env:
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
strategy:
fail-fast: false
matrix:
settings:
- os: ubuntu-20.04
target: x86_64-unknown-linux-musl
- os: ubuntu-20.04
target: aarch64-unknown-linux-musl
- os: ubuntu-20.04
target: x86_64-unknown-linux-gnu
- os: ubuntu-20.04
target: aarch64-unknown-linux-gnu
steps:
- name: Checkout repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install rust
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable
with:
toolchain: stable
targets: ${{ matrix.settings.target }}
- name: Set up Zig
uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2.2.1
with:
version: 0.12.0
- name: Cache cargo registry
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
with:
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }}
- name: Install Zigbuild
run: cargo install cargo-zigbuild --locked --git https://github.com/rust-cross/cargo-zigbuild --rev 6f7e1336c9cd13cf1b3704f93c40fcf84caaed6b # 0.18.4
- name: Build
env:
TARGET: ${{ matrix.settings.target }}
run: cargo zigbuild -p bws --release --target=${{ matrix.settings.target }}
- name: Zip linux
run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws
- name: Upload artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
if-no-files-found: error
macos-universal-binary:
name: Generate universal macOS binary
runs-on: macos-13
needs:
- setup
- build-macos
env:
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
steps:
- name: Checkout repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Download x86_64-apple-darwin artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip
- name: Download aarch64-apple-darwin artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip
- name: Unzip artifacts
run: |
unzip bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-x86_64-apple-darwin
unzip bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-aarch64-apple-darwin
- name: Create universal package with lipo
run: |
mkdir ./bws-macos-universal
lipo -create -output ./bws-macos-universal/bws ./bws-x86_64-apple-darwin/bws ./bws-aarch64-apple-darwin/bws
- name: Login to Azure
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
id: retrieve-secrets-macos
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "macos-bws-notarization-apple-id,
macos-bws-notarization-team-id,
macos-bws-notarization-password,
macos-bws-certificate-name,
macos-bws-installer-certificate-name"
- name: Decrypt secrets
env:
DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
run: |
mkdir -p $HOME/secrets
gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
--output "$HOME/secrets/devid-app-cert.p12" \
"$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg"
- name: Set up keychain
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
run: |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
security set-keychain-settings -lut 1200 build.keychain
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
- name: Sign binary
env:
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal/bws
- name: Notarize app
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }}
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }}
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }}
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: |
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
echo "Creating notarization archive"
zip -j ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws
codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip
echo "Notarize app"
xcrun notarytool submit ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait
- name: Upload artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip
path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip
if-no-files-found: error
third_party:
name: Generate THIRDPARTY.html
runs-on: ubuntu-22.04
needs:
- setup
steps:
- name: Checkout repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install rust
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable
with:
toolchain: stable
- name: Cache cargo registry
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
with:
key: cargo-cli-about
- name: Install cargo-about
run: cargo install cargo-about
- name: Generate THIRDPARTY.html
working-directory: ./crates/bws
run: |
cargo about generate ../../about.hbs > THIRDPARTY.html
sed -i.bak 's/\$NAME\$/Bitwarden Secrets Manager CLI/g' THIRDPARTY.html
- name: Upload artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: THIRDPARTY.html
path: ./crates/bws/THIRDPARTY.html
if-no-files-found: error
manpages:
name: Generate manpages
runs-on: ubuntu-22.04
needs: setup
steps:
- name: Checkout repo
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
- name: Install rust
uses: dtolnay/rust-toolchain@7b1c307e0dcbda6122208f10795a713336a9b35a # stable
with:
toolchain: stable
- name: Cache cargo registry
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3
with:
key: cargo-cli-manpage
- name: Generate manpages
run: |
cargo check -p bws --message-format json > build.json
OUT_DIR=$(jq -r --slurp '.[] | select (.reason == "build-script-executed") | select(.package_id|contains("crates/bws")) .out_dir' build.json)
mv $OUT_DIR/manpages .
- name: Upload artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: manpages
path: ./manpages/*
if-no-files-found: error