name: Release permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} # Don't cancel other runs when creating a tag cancel-in-progress: ${{ github.ref_type == 'branch' }} on: push: tags: - 'v[0-9]+.[0-9]+.[0-9]+*' defaults: run: shell: bash jobs: docker-build: name: Release web-vault environment: release permissions: packages: write # Needed to upload packages and artifacts contents: read attestations: write # Needed to generate an artifact attestation for a build id-token: write # Needed to mint the OIDC token necessary to request a Sigstore signing certificate runs-on: ubuntu-24.04 env: # Force docker to output the progress in plain BUILDKIT_PROGRESS: plain # vars.DOCKERHUB_REPO needs to be '/', for example 'vaultwarden/web-vault' # Check for Docker hub credentials in secrets HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} # vars.GHCR_REPO needs to be 'ghcr.io//' # Check for Github credentials in secrets HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }} steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false # Determine Docker Tag - name: Init Variables id: vars env: GITHUB_REF: ${{ github.ref }} run: | if [[ "${GITHUB_REF}" == refs/tags/* ]]; then DOCKER_TAG="${GITHUB_REF#refs/*/}" elif [[ "${GITHUB_REF}" == refs/heads/* ]]; then DOCKER_TAG="testing" fi # We use `+build.n` to version patches when there was no change to the web-vault version from upstream # Container images are not allowed to contain `+` chars, replace them with an `_` # Since we do not use container names anyway this isn't an issue for matching and only used for the version echo "DOCKER_TAG=${DOCKER_TAG//+/_}" | tee -a "${GITHUB_OUTPUT}" # Login to Docker Hub - name: Login to Docker Hub uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} - name: Tags for DockerHub if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} env: DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }} DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }} run: | echo "tags=${tags:+${tags},}${DOCKERHUB_REPO}:${DOCKER_TAG}" \ | tee -a "${GITHUB_ENV}" # Login to GitHub Container Registry - name: Login to GitHub Container Registry uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} - name: Tags for ghcr.io if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} env: GHCR_REPO: ${{ vars.GHCR_REPO }} DOCKER_TAG: ${{ steps.vars.outputs.DOCKER_TAG }} run: | echo "tags=${tags:+${tags},}${GHCR_REPO}:${DOCKER_TAG}" \ | tee -a "${GITHUB_ENV}" - name: Setup Docker Buildx uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 with: cache-binary: false - name: Build and push uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 id: build with: context: . push: true tags: ${{ env.tags }} - name: Attest - docker.io if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1 with: subject-name: ${{ vars.DOCKERHUB_REPO }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true - name: Attest - ghcr.io if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1 with: subject-name: ${{ vars.GHCR_REPO }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true