4141 steps :
4242 - name : Checkout Repository
4343 uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
44+ with :
45+ persist-credentials : false
4446
4547 - name : Get server branch to checkout
4648 id : server-branch-name
@@ -51,14 +53,14 @@ jobs:
5153 # Extract coreVersion from versions.json
5254 CORE_VERSION=$(jq -r '.versions.coreVersion' versions.json)
5355 echo "Server version from versions.json: $CORE_VERSION"
54- echo "server_ref=refs/tags/v$CORE_VERSION" >> $GITHUB_OUTPUT
55- echo "ref_type=tag" >> $GITHUB_OUTPUT
56+ echo "server_ref=refs/tags/v$CORE_VERSION" >> " $GITHUB_OUTPUT"
57+ echo "ref_type=tag" >> " $GITHUB_OUTPUT"
5658 elif [[ -z "${SERVER_BRANCH}" ]]; then
57- echo "server_ref=main" >> $GITHUB_OUTPUT
58- echo "ref_type=branch" >> $GITHUB_OUTPUT
59+ echo "server_ref=main" >> " $GITHUB_OUTPUT"
60+ echo "ref_type=branch" >> " $GITHUB_OUTPUT"
5961 else
60- echo "server_ref=${SERVER_BRANCH#refs/heads/}" >> $GITHUB_OUTPUT
61- echo "ref_type=branch" >> $GITHUB_OUTPUT
62+ echo "server_ref=${SERVER_BRANCH#refs/heads/}" >> " $GITHUB_OUTPUT"
63+ echo "ref_type=branch" >> " $GITHUB_OUTPUT"
6264 fi
6365
6466 - name : Check Branch to Publish
@@ -70,15 +72,15 @@ jobs:
7072 run : |
7173 REF=${GITHUB_REF#refs/heads/}
7274
73- IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
75+ IFS="," read -a publish_branches <<< " $PUBLISH_BRANCHES"
7476
7577 if [[ "${REF_TYPE}" == "tag" ]]; then
7678 # If the build is triggered by a tag, always publish
77- echo "is_publish_branch=true" >> $GITHUB_ENV
79+ echo "is_publish_branch=true" >> " $GITHUB_ENV"
7880 elif [[ "${publish_branches[*]}" =~ "${REF}" && "${publish_branches[*]}" =~ "${SERVER_BRANCH}" ]]; then
79- echo "is_publish_branch=true" >> $GITHUB_ENV
81+ echo "is_publish_branch=true" >> " $GITHUB_ENV"
8082 else
81- echo "is_publish_branch=false" >> $GITHUB_ENV
83+ echo "is_publish_branch=false" >> " $GITHUB_ENV"
8284 fi
8385
8486 # ######### Set up Docker ##########
@@ -127,7 +129,7 @@ jobs:
127129 fi
128130 fi
129131
130- echo "image_tag=${IMAGE_TAG}" >> $GITHUB_OUTPUT
132+ echo "image_tag=${IMAGE_TAG}" >> " $GITHUB_OUTPUT"
131133
132134 - name : Generate tag list
133135 id : tag-list
@@ -136,9 +138,9 @@ jobs:
136138 IS_PUBLISH_BRANCH : ${{ env.is_publish_branch }}
137139 run : |
138140 if [[ ("${IMAGE_TAG}" == "dev" || "${IMAGE_TAG}" == "beta") && "${IS_PUBLISH_BRANCH}" == "true" ]]; then
139- echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
141+ echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG},ghcr.io/bitwarden/self-host:${IMAGE_TAG}" >> " $GITHUB_OUTPUT"
140142 else
141- echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> $GITHUB_OUTPUT
143+ echo "tags=$_AZ_REGISTRY/self-host:${IMAGE_TAG}" >> " $GITHUB_OUTPUT"
142144 fi
143145
144146 - name : Get Azure Key Vault secrets
@@ -162,6 +164,7 @@ jobs:
162164 token : ${{ steps.app-token.outputs.token }}
163165 ref : ${{ steps.server-branch-name.outputs.server_ref }}
164166 path : " server"
167+ persist-credentials : false
165168
166169 - name : Download web client branch artifacts for dev builds
167170 if : steps.tag.outputs.image_tag == 'dev'
@@ -180,7 +183,7 @@ jobs:
180183 run : |
181184 WEB_ARTIFACT=$(find . -name "web-*-selfhosted-DEV.zip" | head -1)
182185 if [[ -n "${WEB_ARTIFACT}" ]]; then
183- echo "WEB_ARTIFACT_PATH=${WEB_ARTIFACT}" >> $GITHUB_ENV
186+ echo "WEB_ARTIFACT_PATH=${WEB_ARTIFACT}" >> " $GITHUB_ENV"
184187 fi
185188
186189 - name : Build and push Docker image
@@ -209,21 +212,24 @@ jobs:
209212 DIGEST : ${{ steps.build-docker.outputs.digest }}
210213 TAGS : ${{ steps.tag-list.outputs.tags }}
211214 run : |
212- IFS="," read -a tags <<< "${TAGS}"
213- images=""
214- for tag in "${tags [@]}"; do
215- images+="${tag}@${DIGEST} "
215+ IFS=',' read -r -a tags_array <<< "${TAGS}"
216+ images=()
217+ for tag in "${tags_array [@]}"; do
218+ images+=( "${tag}@${DIGEST}")
216219 done
217- cosign sign --yes ${images}
218- echo "images=${images}" >> $GITHUB_OUTPUT
220+ cosign sign --yes " ${images[@]}"
221+ echo "images=${images[*] }" >> " $GITHUB_OUTPUT"
219222
220223 - name : Verify the signed image(s) with Cosign
221224 if : env.is_publish_branch == 'true'
225+ env :
226+ IMAGES : ${{ steps.sign.outputs.images }}
222227 run : |
228+ read -r -a images_array <<< "${COSIGN_IMAGES}"
223229 cosign verify \
224- --certificate-identity "${{ github.server_url }} /${{ github.workflow_ref } }" \
230+ --certificate-identity "${GITHUB_SERVER_URL} /${GITHUB_WORKFLOW_REF }" \
225231 --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
226- ${{ steps.sign.outputs.images }}
232+ "${images_array[@]}"
227233
228234 - name : Scan Docker image
229235 id : container-scan
@@ -244,7 +250,7 @@ jobs:
244250 if : env.is_publish_branch == 'true'
245251 run : |
246252 docker logout ghcr.io
247- docker logout $_AZ_REGISTRY
253+ docker logout " $_AZ_REGISTRY"
248254
249255 - name : Log out from Azure
250256 uses : bitwarden/gh-actions/azure-logout@main
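Review bot: The verify step reads `${COSIGN_IMAGES}` on the `read -r -a images_array` line, but the env block added just above it exports the signed list as `IMAGES`, so unless `COSIGN_IMAGES` is set somewhere outside this hunk the array comes back empty and `cosign verify` is invoked with no image arguments; the signing step that produces `steps.sign.outputs.images` starts outside the hunk. Make the key and the reference agree, e.g. `read -r -a images_array <<< "${IMAGES}"`, and add a fail-fast guard such as `[[ ${#images_array[@]} -gt 0 ]] || { echo "no signed images to verify" >&2; exit 1; }` so an empty list can never be mistaken for a passed verification. Depending on cosign's argument handling an empty invocation may simply error out, but a publish gate should not rely on that.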