[PM-11404] Account Management: Prevent a verified user from purging their vault #30587
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build Browser | |
on: | |
pull_request: | |
branches-ignore: | |
- 'l10n_master' | |
- 'cf-pages' | |
paths: | |
- 'apps/browser/**' | |
- 'libs/**' | |
- '*' | |
- '!*.md' | |
- '!*.txt' | |
push: | |
branches: | |
- 'main' | |
- 'rc' | |
- 'hotfix-rc-browser' | |
paths: | |
- 'apps/browser/**' | |
- 'libs/**' | |
- '*' | |
- '!*.md' | |
- '!*.txt' | |
- '.github/workflows/build-browser.yml' | |
workflow_call: | |
inputs: {} | |
workflow_dispatch: | |
inputs: {} | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
setup: | |
name: Setup | |
runs-on: ubuntu-22.04 | |
outputs: | |
repo_url: ${{ steps.gen_vars.outputs.repo_url }} | |
adj_build_number: ${{ steps.gen_vars.outputs.adj_build_number }} | |
node_version: ${{ steps.retrieve-node-version.outputs.node_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Get Package Version | |
id: gen_vars | |
run: | | |
repo_url=https://github.com/$GITHUB_REPOSITORY.git | |
adj_build_num=${GITHUB_SHA:0:7} | |
echo "repo_url=$repo_url" >> $GITHUB_OUTPUT | |
echo "adj_build_number=$adj_build_num" >> $GITHUB_OUTPUT | |
- name: Get Node Version | |
id: retrieve-node-version | |
working-directory: ./ | |
run: | | |
NODE_NVMRC=$(cat .nvmrc) | |
NODE_VERSION=${NODE_NVMRC/v/''} | |
echo "node_version=$NODE_VERSION" >> $GITHUB_OUTPUT | |
locales-test: | |
name: Locales Test | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
defaults: | |
run: | |
working-directory: apps/browser | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Testing locales - extName length | |
run: | | |
found_error=false | |
echo "Locales Test" | |
echo "============" | |
echo "extName string must be 40 characters or less" | |
echo | |
for locale in $(ls src/_locales/); do | |
string_length=$(jq '.extName.message | length' src/_locales/$locale/messages.json) | |
if [[ $string_length -gt 40 ]]; then | |
echo "$locale: $string_length" | |
found_error=true | |
fi | |
done | |
if $found_error; then | |
echo | |
echo "Please fix 'extName' for the locales listed above." | |
exit 1 | |
else | |
echo "Test passed!" | |
fi | |
build: | |
name: Build | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
- locales-test | |
env: | |
_BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }} | |
_NODE_VERSION: ${{ needs.setup.outputs.node_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Set up Node | |
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 | |
with: | |
cache: 'npm' | |
cache-dependency-path: '**/package-lock.json' | |
node-version: ${{ env._NODE_VERSION }} | |
- name: Print environment | |
run: | | |
node --version | |
npm --version | |
- name: Build sources for reviewers | |
run: | | |
# Include hidden files in glob copy | |
shopt -s dotglob | |
# Remove ".git" directory | |
rm -r .git | |
# Copy root level files to source directory | |
mkdir browser-source | |
FILES=$(find . -maxdepth 1 -type f) | |
for FILE in $FILES; do cp "$FILE" browser-source/; done | |
# Copy patches to the Browser source directory | |
mkdir -p browser-source/patches | |
cp -r patches/* browser-source/patches | |
# Copy apps/browser to the Browser source directory | |
mkdir -p browser-source/apps/browser | |
cp -r apps/browser/* browser-source/apps/browser | |
# Copy libs to Browser source directory | |
mkdir browser-source/libs | |
cp -r libs/* browser-source/libs | |
zip -r browser-source.zip browser-source | |
- name: NPM setup | |
run: npm ci | |
working-directory: browser-source/ | |
- name: Build | |
run: npm run dist | |
working-directory: browser-source/apps/browser | |
- name: Build Manifest v3 | |
run: npm run dist:mv3 | |
working-directory: browser-source/apps/browser | |
- name: Build Chrome Manifest v3 Beta | |
run: npm run dist:chrome:beta | |
working-directory: browser-source/apps/browser | |
- name: Upload Opera artifact | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: dist-opera-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-opera.zip | |
if-no-files-found: error | |
- name: Upload Opera MV3 artifact (DO NOT USE FOR PROD) | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: DO-NOT-USE-FOR-PROD-dist-opera-MV3-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-opera-mv3.zip | |
if-no-files-found: error | |
- name: Upload Chrome MV3 artifact | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: dist-chrome-MV3-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-chrome-mv3.zip | |
if-no-files-found: error | |
- name: Upload Chrome MV3 Beta artifact (DO NOT USE FOR PROD) | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: DO-NOT-USE-FOR-PROD-dist-chrome-MV3-beta-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-chrome-mv3-beta.zip | |
if-no-files-found: error | |
- name: Upload Firefox artifact | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: dist-firefox-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-firefox.zip | |
if-no-files-found: error | |
- name: Upload Firefox MV3 artifact (DO NOT USE FOR PROD) | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: DO-NOT-USE-FOR-PROD-dist-firefox-MV3-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-firefox-mv3.zip | |
if-no-files-found: error | |
- name: Upload Edge artifact | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: dist-edge-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-edge.zip | |
if-no-files-found: error | |
- name: Upload Edge MV3 artifact (DO NOT USE FOR PROD) | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: DO-NOT-USE-FOR-PROD-dist-edge-MV3-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source/apps/browser/dist/dist-edge-mv3.zip | |
if-no-files-found: error | |
- name: Upload browser source | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: browser-source-${{ env._BUILD_NUMBER }}.zip | |
path: browser-source.zip | |
if-no-files-found: error | |
build-safari: | |
name: Build Safari | |
runs-on: macos-13 | |
needs: | |
- setup | |
- locales-test | |
env: | |
_BUILD_NUMBER: ${{ needs.setup.outputs.adj_build_number }} | |
_NODE_VERSION: ${{ needs.setup.outputs.node_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Set up Node | |
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4 | |
with: | |
cache: 'npm' | |
cache-dependency-path: '**/package-lock.json' | |
node-version: ${{ env._NODE_VERSION }} | |
- name: Print environment | |
run: | | |
node --version | |
npm --version | |
- name: Login to Azure | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Download Provisioning Profiles secrets | |
env: | |
ACCOUNT_NAME: bitwardenci | |
CONTAINER_NAME: profiles | |
run: | | |
mkdir -p $HOME/secrets | |
az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ | |
--name bitwarden_desktop_appstore.provisionprofile \ | |
--file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ | |
--output none | |
- name: Get certificates | |
run: | | |
mkdir -p $HOME/certificates | |
az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | | |
jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 | |
az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | | |
jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 | |
az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | | |
jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 | |
az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | | |
jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 | |
az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | | |
jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 | |
az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | | |
jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 | |
- name: Set up keychain | |
env: | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
run: | | |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security set-keychain-settings -lut 1200 build.keychain | |
security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
- name: NPM setup | |
run: npm ci | |
working-directory: ./ | |
- name: Build Safari extension | |
run: npm run dist:safari | |
working-directory: apps/browser | |
- name: Zip Safari build artifact | |
run: | | |
cd apps/browser/dist | |
zip dist-safari.zip ./Safari/**/build/Release/safari.appex -r | |
pwd | |
ls -la | |
- name: Upload Safari artifact | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: dist-safari-${{ env._BUILD_NUMBER }}.zip | |
path: apps/browser/dist/dist-safari.zip | |
if-no-files-found: error | |
crowdin-push: | |
name: Crowdin Push | |
if: github.ref == 'refs/heads/main' | |
runs-on: ubuntu-22.04 | |
needs: | |
- build | |
- build-safari | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | |
- name: Login to Azure | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "crowdin-api-token" | |
- name: Upload Sources | |
uses: crowdin/github-action@30849777a3cba6ee9a09e24e195272b8287a0a5b # v1.20.4 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
CROWDIN_API_TOKEN: ${{ steps.retrieve-secrets.outputs.crowdin-api-token }} | |
CROWDIN_PROJECT_ID: "268134" | |
with: | |
config: apps/browser/crowdin.yml | |
crowdin_branch_name: main | |
upload_sources: true | |
upload_translations: false | |
check-failures: | |
name: Check for failures | |
if: always() | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
- locales-test | |
- build | |
- build-safari | |
- crowdin-push | |
steps: | |
- name: Check if any job failed | |
if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') && contains(needs.*.result, 'failure') | |
run: exit 1 | |
- name: Login to Azure - Prod Subscription | |
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
if: failure() | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets | |
if: failure() | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "devops-alerts-slack-webhook-url" | |
- name: Notify Slack on failure | |
uses: act10ns/slack@44541246747a30eb3102d87f7a4cc5471b0ffb7d # v2.1.0 | |
if: failure() | |
env: | |
SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} | |
with: | |
status: ${{ job.status }} |