name: Release on: push: branches: - main tags: - '*' jobs: # https://github.com/marketplace/actions/skip-duplicate-actions # Some checks to determine if we need to continue with building a new docker. # We will skip this check if we are creating a tag, because that has the same hash as a previous run already. skip_check: runs-on: ubuntu-24.04 if: ${{ github.repository == 'dani-garcia/vaultwarden' }} outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} steps: - name: Skip Duplicates Actions id: skip_check uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 with: cancel_others: 'true' # Only run this when not creating a tag if: ${{ github.ref_type == 'branch' }} docker-build: runs-on: ubuntu-24.04 timeout-minutes: 120 needs: skip_check if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} # Start a local docker registry to extract the final Alpine static build binaries services: registry: image: registry:2 ports: - 5000:5000 env: SOURCE_COMMIT: ${{ github.sha }} SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}" # The *_REPO variables need to be configured as repository variables # Append `/settings/variables/actions` to your repo url # DOCKERHUB_REPO needs to be 'index.docker.io//' # Check for Docker hub credentials in secrets HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} # GHCR_REPO needs to be 'ghcr.io//' # Check for Github credentials in secrets HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }} # QUAY_REPO needs to be 'quay.io//' # Check for Quay.io credentials in secrets HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }} strategy: matrix: base_image: ["debian","alpine"] steps: # Checkout the repo - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - name: Initialize QEMU binfmt support uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 with: platforms: "arm64,arm" # Start Docker Buildx - name: Setup Docker Buildx uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 # https://github.com/moby/buildkit/issues/3969 # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills with: buildkitd-config-inline: | [worker.oci] max-parallelism = 2 driver-opts: | network=host # Determine Base Tags and Source Version - name: Determine Base Tags and Source Version shell: bash run: | # Check which main tag we are going to build determined by github.ref_type if [[ "${{ github.ref_type }}" == "tag" ]]; then echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}" elif [[ "${{ github.ref_type }}" == "branch" ]]; then echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}" fi # Get the Source Version for this release GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)" if [[ -n "${GIT_EXACT_TAG}" ]]; then echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}" else GIT_LAST_TAG="$(git describe --tags --abbrev=0)" echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}" fi # End Determine Base Tags # Login to Docker Hub - name: Login to Docker Hub uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} - name: Add registry for DockerHub if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} shell: bash run: | echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}" # Login to GitHub Container Registry - name: Login to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} - name: Add registry for ghcr.io if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} shell: bash run: | echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" # Login to Quay.io - name: Login to Quay.io uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: quay.io username: ${{ secrets.QUAY_USERNAME }} password: ${{ secrets.QUAY_TOKEN }} if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} - name: Add registry for Quay.io if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} shell: bash run: | echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}" - name: Configure build cache from/to shell: bash run: | # # Check if there is a GitHub Container Registry Login and use it for caching if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}" echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" else echo "BAKE_CACHE_FROM=" echo "BAKE_CACHE_TO=" fi # - name: Add localhost registry if: ${{ matrix.base_image == 'alpine' }} shell: bash run: | echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}" - name: Bake ${{ matrix.base_image }} containers uses: docker/bake-action@76cc8060bdff6d632a465001e4cf300684c5472c # v5.7.0 env: BASE_TAGS: "${{ env.BASE_TAGS }}" SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" SOURCE_VERSION: "${{ env.SOURCE_VERSION }}" SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}" CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}" with: pull: true push: true files: docker/docker-bake.hcl targets: "${{ matrix.base_image }}-multi" set: | *.cache-from=${{ env.BAKE_CACHE_FROM }} *.cache-to=${{ env.BAKE_CACHE_TO }} # Extract the Alpine binaries from the containers - name: Extract binaries if: ${{ matrix.base_image == 'alpine' }} shell: bash run: | # Check which main tag we are going to build determined by github.ref_type if [[ "${{ github.ref_type }}" == "tag" ]]; then EXTRACT_TAG="latest" elif [[ "${{ github.ref_type }}" == "branch" ]]; then EXTRACT_TAG="testing" fi # After each extraction the image is removed. # This is needed because using different platforms doesn't trigger a new pull/download # Extract amd64 binary docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" docker cp amd64:/vaultwarden vaultwarden-amd64 docker rm --force amd64 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" # Extract arm64 binary docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" docker cp arm64:/vaultwarden vaultwarden-arm64 docker rm --force arm64 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" # Extract armv7 binary docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" docker cp armv7:/vaultwarden vaultwarden-armv7 docker rm --force armv7 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" # Extract armv6 binary docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" docker cp armv6:/vaultwarden vaultwarden-armv6 docker rm --force armv6 docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine" # Upload artifacts to Github Actions - name: "Upload amd64 artifact" uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: ${{ matrix.base_image == 'alpine' }} with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64 path: vaultwarden-amd64 - name: "Upload arm64 artifact" uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: ${{ matrix.base_image == 'alpine' }} with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64 path: vaultwarden-arm64 - name: "Upload armv7 artifact" uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: ${{ matrix.base_image == 'alpine' }} with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7 path: vaultwarden-armv7 - name: "Upload armv6 artifact" uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 if: ${{ matrix.base_image == 'alpine' }} with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6 path: vaultwarden-armv6 # End Upload artifacts to Github Actions