BRE-896 - [Self-Host]: Update CD workflows for SemVer

.github/workflows/version-bump-self-host.yml

@@ -3,32 +3,25 @@ name: Version Bump - Self Host
 on:
   workflow_dispatch:
     inputs:
-      version_number_override:
-        description: "New version override (leave blank for automatic calculation, example: '2024.1.0')"
-        required: false
+      version_number:
+        description: "New version (example: '1.0.1')"
+        required: true
         type: string
 
 jobs:
   bump_version:
     name: Bump Version
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     environment: Production
     permissions:
       contents: write
       pull-requests: write
       id-token: write
     steps:
       - name: Validate version input
-        if: ${{ inputs.version_number_override != '' }}
         uses: bitwarden/gh-actions/version-check@main
         with:
-          version: ${{ inputs.version_number_override }}
-
-      - name: Checkout Branch
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          ref: main
-          persist-credentials: true
+          version: ${{ inputs.version_number }}
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -41,30 +34,32 @@ jobs:
         id: retrieve-secrets
         uses: bitwarden/gh-actions/get-keyvault-secrets@main
         with:
-          keyvault: "bitwarden-ci"
-          secrets: "github-gpg-private-key,
-            github-gpg-private-key-passphrase,
-            github-pat-bitwarden-devops-bot-repo-scope"
+          keyvault: "gh-org-bitwarden"
+          secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
 
-      - name: Import GPG key
-        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+      - name: Generate GH App token
+        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        id: app-token
         with:
-          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
-          passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
-          git_user_signingkey: true
-          git_commit_gpgsign: true
+          app-id: ${{ steps.retrieve-secrets.outputs.BW-GHAPP-ID }}
+          private-key: ${{ steps.retrieve-secrets.outputs.BW-GHAPP-KEY }}
 
-      - name: Setup git
-        run: |
-          git config --local user.email "[email protected]"
-          git config --local user.name "bitwarden-devops-bot"
-
-      - name: Create version branch
+      - name: Checkout Branch
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: true
+          ref: main
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Set up Git client
         id: create-branch
         run: |
+          git config --global user.name 'bw-ghapp[bot]'
+          git config --global user.email '178206702+bw-ghapp[bot]@users.noreply.github.com'
+
           NAME=version_bump_${GITHUB_REF_NAME}_$(date +"%Y-%m-%d")
           git switch -c "$NAME"
           echo "name=$NAME" >> "$GITHUB_OUTPUT"
@@ -76,10 +71,9 @@ jobs:
           echo "version=$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
 
       - name: Verify input version
-        if: ${{ inputs.version_number_override != '' }}
         env:
           CURRENT_VERSION: ${{ steps.current-version.outputs.version }}
-          NEW_VERSION: ${{ inputs.version_number_override }}
+          NEW_VERSION: ${{ inputs.version_number }}
         run: |
           # Error if version has not changed.
           if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
@@ -95,42 +89,11 @@ jobs:
             exit 1
           fi
 
-      - name: Calculate next release version
-        if: ${{ inputs.version_number_override == '' }}
-        id: calculate-next-version
-        uses: bitwarden/gh-actions/version-next@main
-        with:
-          version: ${{ steps.current-version.outputs.version }}
-
-      - name: Bump Chart Version - Version Override
-        if: ${{ inputs.version_number_override != '' }}
-        id: bump-version-override
-        uses: bitwarden/gh-actions/version-bump@main
-        with:
-          file_path: "charts/self-host/Chart.yaml"
-          version: ${{ inputs.version_number_override }}
-
-      - name: Bump Chart Version - Automatic Calculation
-        if: ${{ inputs.version_number_override == '' }}
-        id: bump-version-automatic
+      - name: Bump Chart Version
         uses: bitwarden/gh-actions/version-bump@main
         with:
           file_path: "charts/self-host/Chart.yaml"
-          version: ${{ steps.calculate-next-version.outputs.version }}
-
-      - name: Set final version output
-        id: set-final-version-output
-        env:
-          _BUMP_VERSION_OVERRIDE_OUTCOME: ${{ steps.bump-version-override.outcome }}
-          _INPUT_VERSION_NUMBER_OVERRIDE: ${{ inputs.version_number_override }}
-          _BUMP_VERSION_AUTOMATIC_OUTCOME: ${{ steps.bump-version-automatic.outcome }}
-          _CALCULATE_NEXT_VERSION: ${{ steps.calculate-next-version.outputs.version }}
-        run: |
-          if [[ "${_BUMP_VERSION_OVERRIDE_OUTCOME}" == "success" ]]; then
-            echo "version=${_INPUT_VERSION_NUMBER_OVERRIDE}" >> "$GITHUB_OUTPUT"
-          elif [[ "${_BUMP_VERSION_AUTOMATIC_OUTCOME}" == "success" ]]; then
-            echo "version=${_CALCULATE_NEXT_VERSION}" >> "$GITHUB_OUTPUT"
-          fi
+          version: ${{ inputs.version_number }}
 
       - name: Check if version changed
         id: version-changed
@@ -145,8 +108,8 @@ jobs:
       - name: Commit files
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         env:
-          _FINAL_VERSION: ${{ steps.set-final-version-output.outputs.version }}
-        run: git commit -m "Bumped version to ${_FINAL_VERSION}" -a
+          VERSION: ${{ inputs.version_number }}
+        run: git commit -m "Bumped version to ${VERSION}" -a
 
       - name: Push changes
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
@@ -158,10 +121,10 @@ jobs:
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         id: create-pr
         env:
-          GH_TOKEN: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           PR_BRANCH: ${{ steps.create-branch.outputs.name }}
-          TITLE: "Bump version to ${{ steps.set-final-version-output.outputs.version }}"
-          _FINAL_VERSION: ${{ steps.set-final-version-output.outputs.version }}
+          TITLE: "Bump version to ${{ inputs.version_number }}"
+          VERSION: ${{ inputs.version_number }}
         run: |
           PR_URL=$(gh pr create --title "$TITLE" \
             --base "main" \
@@ -177,7 +140,7 @@ jobs:
               - [X] Other
 
               ## Objective
-              Automated version bump to ${_FINAL_VERSION}")
+              Automated version bump to ${VERSION}")
           echo "pr_number=${PR_URL##*/}" >> "$GITHUB_OUTPUT"
 
       - name: Approve PR
@@ -190,6 +153,6 @@ jobs:
       - name: Merge PR
         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
         env:
-          GH_TOKEN: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
           PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
         run: gh pr merge "$PR_NUMBER" --squash --auto --delete-branch