Skip to content

BRE-896 - [Self-Host]: Update CD workflows for SemVer #329

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

BRE-896 - [Self-Host]: Update CD workflows for SemVer #329

Changes from 6 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
aedc4fe
Updated SH version bump to prep for semver
mimartin12 Sep 11, 2025
fa4b2ac
Set version input to required
mimartin12 Sep 11, 2025
c58aa93
Refactor to use semver check, instead of external action
mimartin12 Sep 11, 2025
87a24b1
Fix bash
mimartin12 Sep 11, 2025
6cf5c65
Refactor to new GitHub App Token flow
mimartin12 Sep 15, 2025
a9ecc80
Update git client setup
mimartin12 Sep 15, 2025
8708279
Merge branch 'main' into BRE-896-update-cd-workflows-for-semver
mimartin12 Nov 3, 2025
3097f11
Update workflow with changes (#374)
vgrassia Nov 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
125 changes: 29 additions & 96 deletions .github/workflows/version-bump-self-host.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,9 +3,9 @@ name: Version Bump - Self Host
on:
workflow_dispatch:
inputs:
version_number_override:
description: "New version override (leave blank for automatic calculation, example: '2024.1.0')"
required: false
version_number:
description: "New version (example: '1.0.1')"
required: true
type: string

jobs:
Expand All @@ -19,15 +19,11 @@ jobs:
id-token: write
steps:
- name: Validate version input
if: ${{ inputs.version_number_override != '' }}
uses: bitwarden/gh-actions/version-check@main
with:
version: ${{ inputs.version_number_override }}

- name: Checkout Branch
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: main
run: |
if [[ ! "${{ inputs.version_number }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Invalid version format."
exit 1
fi

- name: Log in to Azure
uses: bitwarden/gh-actions/azure-login@main
Expand All @@ -40,33 +36,29 @@ jobs:
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-gpg-private-key,
github-gpg-private-key-passphrase,
github-pat-bitwarden-devops-bot-repo-scope"
keyvault: "gh-org-bitwarden"
secrets: "BW-GHAPP-ID,BW-GHAPP-KEY"

- name: Log out from Azure
uses: bitwarden/gh-actions/azure-logout@main

- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
- name: Generate GH App token
uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
id: app-token
with:
gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
git_user_signingkey: true
git_commit_gpgsign: true
app-id: ${{ steps.retrieve-secrets.outputs.BW-GHAPP-ID }}
private-key: ${{ steps.retrieve-secrets.outputs.BW-GHAPP-KEY }}

- name: Setup git
run: |
git config --local user.email "[email protected]"
git config --local user.name "bitwarden-devops-bot"

- name: Create version branch
id: create-branch
- name: Checkout Branch
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
ref: main
token: ${{ steps.app-token.outputs.token }}
- name: Set up Git client
run: |
NAME=version_bump_${{ github.ref_name }}_$(date +"%Y-%m-%d")
git switch -c $NAME
echo "name=$NAME" >> $GITHUB_OUTPUT
git config --global user.name 'bw-ghapp[bot]'
git config --global user.email '178206702+bw-ghapp[bot]@users.noreply.github.com'

- name: Get current version
id: current-version
Expand All @@ -75,10 +67,10 @@ jobs:
echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT

- name: Verify input version
if: ${{ inputs.version_number_override != '' }}
if: ${{ inputs.version_number != '' }}
env:
CURRENT_VERSION: ${{ steps.current-version.outputs.version }}
NEW_VERSION: ${{ inputs.version_number_override }}
NEW_VERSION: ${{ inputs.version_number }}
run: |
# Error if version has not changed.
if [[ "$NEW_VERSION" == "$CURRENT_VERSION" ]]; then
Expand All @@ -95,36 +87,18 @@ jobs:
exit 1
fi

- name: Calculate next release version
if: ${{ inputs.version_number_override == '' }}
id: calculate-next-version
uses: bitwarden/gh-actions/version-next@main
with:
version: ${{ steps.current-version.outputs.version }}

- name: Bump Chart Version - Version Override
if: ${{ inputs.version_number_override != '' }}
id: bump-version-override
uses: bitwarden/gh-actions/version-bump@main
with:
file_path: "charts/self-host/Chart.yaml"
version: ${{ inputs.version_number_override }}

- name: Bump Chart Version - Automatic Calculation
if: ${{ inputs.version_number_override == '' }}
id: bump-version-automatic
uses: bitwarden/gh-actions/version-bump@main
with:
file_path: "charts/self-host/Chart.yaml"
version: ${{ steps.calculate-next-version.outputs.version }}
version: ${{ inputs.version_number }}

- name: Set final version output
id: set-final-version-output
run: |
if [[ "${{ steps.bump-version-override.outcome }}" == "success" ]]; then
echo "version=${{ inputs.version_number_override }}" >> $GITHUB_OUTPUT
elif [[ "${{ steps.bump-version-automatic.outcome }}" == "success" ]]; then
echo "version=${{ steps.calculate-next-version.outputs.version }}" >> $GITHUB_OUTPUT
echo "version=${{ inputs.version_number }}" >> $GITHUB_OUTPUT
fi

- name: Check if version changed
Expand All @@ -143,45 +117,4 @@ jobs:

- name: Push changes
if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
env:
PR_BRANCH: ${{ steps.create-branch.outputs.name }}
run: git push -u origin $PR_BRANCH

- name: Create version PR
if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
id: create-pr
env:
GH_TOKEN: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
PR_BRANCH: ${{ steps.create-branch.outputs.name }}
TITLE: "Bump version to ${{ steps.set-final-version-output.outputs.version }}"
run: |
PR_URL=$(gh pr create --title "$TITLE" \
--base "main" \
--head "$PR_BRANCH" \
--label "version update" \
--label "automated pr" \
--body "
## Type of change
- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [X] Other

## Objective
Automated version bump to ${{ steps.set-final-version-output.outputs.version }}")
echo "pr_number=${PR_URL##*/}" >> $GITHUB_OUTPUT

- name: Approve PR
if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
run: gh pr review $PR_NUMBER --approve

- name: Merge PR
if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
env:
GH_TOKEN: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
PR_NUMBER: ${{ steps.create-pr.outputs.pr_number }}
run: gh pr merge $PR_NUMBER --squash --auto --delete-branch
run: git push