vaultwarden/.github/workflows/release.yml

name: Release

on:
  push:
    branches:
      - main

    tags:
      - '*'

jobs:
  # https://github.com/marketplace/actions/skip-duplicate-actions
  # Some checks to determine if we need to continue with building a new docker.
  # We will skip this check if we are creating a tag, because that has the same hash as a previous run already.
  skip_check:
    runs-on: ubuntu-24.04
    if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
    outputs:
      should_skip: ${{ steps.skip_check.outputs.should_skip }}
    steps:
      - name: Skip Duplicates Actions
        id: skip_check
        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
        with:
          cancel_others: 'true'
        # Only run this when not creating a tag
        if: ${{ github.ref_type == 'branch' }}

  docker-build:
    runs-on: ubuntu-24.04
    timeout-minutes: 120
    needs: skip_check
    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
    # Start a local docker registry to extract the final Alpine static build binaries
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000
    env:
      SOURCE_COMMIT: ${{ github.sha }}
      SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
      # The *_REPO variables need to be configured as repository variables
      # Append `/settings/variables/actions` to your repo url
      # DOCKERHUB_REPO needs to be 'index.docker.io/<user>/<repo>'
      # Check for Docker hub credentials in secrets
      HAVE_DOCKERHUB_LOGIN: ${{ vars.DOCKERHUB_REPO != '' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
      # GHCR_REPO needs to be 'ghcr.io/<user>/<repo>'
      # Check for Github credentials in secrets
      HAVE_GHCR_LOGIN: ${{ vars.GHCR_REPO != '' && github.repository_owner != '' && secrets.GITHUB_TOKEN != '' }}
      # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
      # Check for Quay.io credentials in secrets
      HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
    strategy:
      matrix:
        base_image: ["debian","alpine"]

    steps:
      # Checkout the repo
      - name: Checkout
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
        with:
          fetch-depth: 0

      - name: Initialize QEMU binfmt support
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
        with:
          platforms: "arm64,arm"

      # Start Docker Buildx
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
          buildkitd-config-inline: |
            [worker.oci]
              max-parallelism = 2            
          driver-opts: |
            network=host            

      # Determine Base Tags and Source Version
      - name: Determine Base Tags and Source Version
        shell: bash
        run: |
          # Check which main tag we are going to build determined by github.ref_type
          if [[ "${{ github.ref_type }}" == "tag" ]]; then
            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
          fi

          # Get the Source Version for this release
          GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
          if [[ -n "${GIT_EXACT_TAG}" ]]; then
              echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}"
          else
              GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
              echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
          fi          
      # End Determine Base Tags

      # Login to Docker Hub
      - name: Login to Docker Hub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}

      - name: Add registry for DockerHub
        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
        shell: bash
        run: |
          echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}"          

      # Login to GitHub Container Registry
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}

      - name: Add registry for ghcr.io
        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
        shell: bash
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"          

      # Login to Quay.io
      - name: Login to Quay.io
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_TOKEN }}
        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}

      - name: Add registry for Quay.io
        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
        shell: bash
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"          

      - name: Configure build cache from/to
        shell: bash
        run: |
          #
          # Check if there is a GitHub Container Registry Login and use it for caching
          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
            echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
            echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}"
          else
            echo "BAKE_CACHE_FROM="
            echo "BAKE_CACHE_TO="
          fi
          #          

      - name: Add localhost registry
        if: ${{ matrix.base_image == 'alpine' }}
        shell: bash
        run: |
          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"          

      - name: Bake ${{ matrix.base_image }} containers
        uses: docker/bake-action@2e3d19baedb14545e5d41222653874f25d5b4dfb # v5.10.0
        env:
          BASE_TAGS: "${{ env.BASE_TAGS }}"
          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
          SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
          SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
        with:
          pull: true
          push: true
          files: docker/docker-bake.hcl
          targets: "${{ matrix.base_image }}-multi"
          set: |
            *.cache-from=${{ env.BAKE_CACHE_FROM }}
            *.cache-to=${{ env.BAKE_CACHE_TO }}            


      # Extract the Alpine binaries from the containers
      - name: Extract binaries
        if: ${{ matrix.base_image == 'alpine' }}
        shell: bash
        run: |
          # Check which main tag we are going to build determined by github.ref_type
          if [[ "${{ github.ref_type }}" == "tag" ]]; then
            EXTRACT_TAG="latest"
          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
            EXTRACT_TAG="testing"
          fi

          # After each extraction the image is removed.
          # This is needed because using different platforms doesn't trigger a new pull/download

          # Extract amd64 binary
          docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
          docker cp amd64:/vaultwarden vaultwarden-amd64
          docker rm --force amd64
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"

          # Extract arm64 binary
          docker create --name arm64 --platform=linux/arm64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
          docker cp arm64:/vaultwarden vaultwarden-arm64
          docker rm --force arm64
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"

          # Extract armv7 binary
          docker create --name armv7 --platform=linux/arm/v7 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
          docker cp armv7:/vaultwarden vaultwarden-armv7
          docker rm --force armv7
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"

          # Extract armv6 binary
          docker create --name armv6 --platform=linux/arm/v6 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
          docker cp armv6:/vaultwarden vaultwarden-armv6
          docker rm --force armv6
          docker rmi --force "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"          

      # Upload artifacts to Github Actions
      - name: "Upload amd64 artifact"
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: ${{ matrix.base_image == 'alpine' }}
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
          path: vaultwarden-amd64

      - name: "Upload arm64 artifact"
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: ${{ matrix.base_image == 'alpine' }}
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
          path: vaultwarden-arm64

      - name: "Upload armv7 artifact"
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: ${{ matrix.base_image == 'alpine' }}
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
          path: vaultwarden-armv7

      - name: "Upload armv6 artifact"
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        if: ${{ matrix.base_image == 'alpine' }}
        with:
          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
          path: vaultwarden-armv6
      # End Upload artifacts to Github Actions