
[PM-15126] Tighten scope of our client build pipelines to remove reliance on secrets #12243


@coroiu coroiu commented Dec 4, 2024

🎟️ Tracking

📔 Objective

This PR changes how our CI workflows run so that they are able to run even without secrets. It also adds another set of workflows that can be manually triggered by Bitwarden employees to build contributor PRs with full access to secrets if needed.

  • build-<app>.yml workflows now run on pull_request instead of pull_request_target, which means that:
    • When the PR originates from within Bitwarden it should have full access to all secrets
    • When the PR originates from outside Bitwarden it won't have any access to secrets
    • Because "external PRs" no longer have access to secrets we can safely trigger these automatically
  • build-<app>-target.yml workflows have been added to let Bitwarden employees manually trigger build-<app>.yml using pull_request_target, which gives it access to all the secrets
    • These workflows are protected from running when triggered by a contributor
    • These workflows are skipped when the PR originates from within Bitwarden
    • These are very simple workflows which just trigger the regular build-<app>.yml but with full inherited secrets
  • A nice consequence of this is that the workflows now also function in forks, even without access to secrets
  • All executions of these workflows generate and upload artifacts (in forks too)
    • Artifacts which require secrets for things like signing will not be generated when no secrets are available

Here is an example of these workflows running in a fork: coroiu#1

📸 Screenshots

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes
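The split described in the PR, as an added illustration rather than the actual Bitwarden workflow files: a thin `-target` workflow that runs on `pull_request_target` only after an explicit maintainer action (here assumed to be a label, which only users with triage permission can apply), skips internal PRs, and calls the regular build workflow with inherited secrets; the regular workflow runs on `pull_request` for everyone and exposes a `has_secrets` output so signing jobs are skipped when no secrets are present. The secret name `SIGNING_KEY` and the label name are assumptions.

```yaml
# --- .github/workflows/build-example-target.yml (illustrative) ---
# Runs with full secrets via pull_request_target, so it only fires on an
# explicit maintainer action: a gating label (assumed mechanism).
name: Build Example (PR target)

on:
  pull_request_target:
    types: [labeled]

jobs:
  build-with-secrets:
    # Skip internal PRs (they already get secrets via pull_request) and
    # require the gating label to be the event that triggered this run.
    if: |
      github.event.pull_request.head.repo.full_name != github.repository &&
      github.event.label.name == 'ci:run-with-secrets'
    uses: ./.github/workflows/build-example.yml
    secrets: inherit

# --- .github/workflows/build-example.yml (illustrative) ---
name: Build Example

on:
  pull_request:   # external PRs: no secrets, runs automatically
  workflow_call:  # called by the -target workflow with inherited secrets

jobs:
  setup:
    runs-on: ubuntu-22.04
    outputs:
      has_secrets: ${{ steps.check.outputs.has_secrets }}
    steps:
      - id: check
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}  # empty when unavailable
        run: |
          if [ -n "$SIGNING_KEY" ]; then
            echo "has_secrets=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_secrets=false" >> "$GITHUB_OUTPUT"
          fi

  sign:
    needs: setup
    # Signing needs the secret, so it is skipped on secret-less runs.
    if: needs.setup.outputs.has_secrets == 'true'
    runs-on: ubuntu-22.04
    steps:
      - run: echo "signing artifacts with SIGNING_KEY"
```

When called from `pull_request_target`, any checkout in the regular workflow must reference `github.event.pull_request.head.sha` explicitly, since the default ref for that event is the base branch.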

github-actions bot commented Dec 4, 2024

Checkmarx One – Scan Summary & Details eab99ab3-2225-4418-a32d-0dd6c9950083

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Client_Privacy_Violation /apps/web/src/app/core/event.service.ts: 549 Attack Vector
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 347 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 137 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 383 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1494 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 316 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-cli.yml: 470 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 395 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 699 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 194 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 236 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1138 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-cli.yml: 281 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1394 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-cli.yml: 126 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 438 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1543 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 482 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 187 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 889 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 347 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1049 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 362 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues

Severity Issue Source File / Package
LOW Client_JQuery_Deprecated_Symbols /apps/cli/src/service-container/service-container.ts: 878
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 853
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 132
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 227
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 306
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 665
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 191
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 379
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1456
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1356
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 337
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1101
LOW Unpinned Actions Full Length Commit SHA /build-cli.yml: 465
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 184
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 434
LOW Unpinned Actions Full Length Commit SHA /build-web.yml: 385
LOW Unpinned Actions Full Length Commit SHA /build-cli.yml: 121
LOW Unpinned Actions Full Length Commit SHA /build-cli.yml: 276
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1012
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 1505
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 357
LOW Unpinned Actions Full Length Commit SHA /build-browser.yml: 478
LOW Unpinned Actions Full Length Commit SHA /build-desktop.yml: 342

codecov bot commented Dec 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 33.42%. Comparing base (cecf1f2) to head (87cd88c).
Report is 1 commits behind head on main.

✅ All tests successful. No failed tests found.

@@            Coverage Diff             @@
##             main   #12243      +/-   ##
==========================================
- Coverage   33.43%   33.42%   -0.01%     
==========================================
  Files        2901     2901              
  Lines       90566    90566              
  Branches    17213    17213              
==========================================
- Hits        30279    30272       -7     
- Misses      57892    57899       +7     
  Partials     2395     2395              


@coroiu coroiu force-pushed the PM-15126-tighten-scope-of-our-client-build-pipelines-to-remove-reliance-on-secrets branch from 50c5323 to 336ccf1 Compare December 4, 2024 15:33
@coroiu coroiu marked this pull request as ready for review December 10, 2024 13:03
@coroiu coroiu requested a review from addisonbeck December 10, 2024 13:05
@addisonbeck addisonbeck left a comment


This is great. Just a couple small things.

.github/workflows/lint.yml (outdated)
.github/workflows/build-browser-target.yml
@coroiu coroiu requested a review from a team as a code owner December 11, 2024 10:46
@coroiu coroiu requested a review from addisonbeck December 11, 2024 10:46
@coroiu coroiu merged commit f8c33ea into main Dec 12, 2024
110 checks passed
@coroiu coroiu deleted the PM-15126-tighten-scope-of-our-client-build-pipelines-to-remove-reliance-on-secrets branch December 12, 2024 10:50
trmartin4 added a commit that referenced this pull request Dec 12, 2024
trmartin4 added a commit that referenced this pull request Dec 12, 2024
* Revert "fix: target workflows not triggering on pull_request_target (#12370)"

This reverts commit 645d36f.

* Revert "[PM-15126] Tighten scope of our client build pipelines to remove reliance on secrets (#12243)"

This reverts commit f8c33ea.
coroiu added a commit to coroiu/clients that referenced this pull request Dec 13, 2024
…ance on secrets (bitwarden#12243)

* feat: create copy of desktop build for PR target

* chore: add temporary file to trigger ci

* fix: remove check-run from regular desktop build

* feat: change browser build to not use pr target

* fix: skip build-safari if secret is not available

* feat: skip safari build if secrets are not available

* feat: let windows desktop build without secrets

* fix: has_secrets not being output correctly

* feat: let macos desktop build without secrets

* feat: don't build browser as part of desktop

* feat: change CLI to pull_request

* feat: let web build without secrets

* feat: tweak lint to run on PR and not just push

* feat: add PR target workflows

* fix: remove wip files

* fix: lint on hotfix-rc branches

* feat: add new workflows to CODEOWNERS

(cherry picked from commit f8c33ea)