BRE-1190 - Update workflows to use GHCR instead of Azure ACR (#231)

Author: vgrassia

.github/workflows/build.yml

@@ -7,10 +7,14 @@ on:
       - "main"
   pull_request:
 
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
 jobs:
   build-artifacts:
     name: Build artifacts
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
 
@@ -24,59 +28,61 @@ jobs:
       - name: Publish project
         working-directory: src/KeyConnector
         run: |
-          echo "Publish"
           dotnet publish -c "Release" -o obj/build-output/publish
           cd obj/build-output/publish
           zip -r KeyConnector.zip .
           mv KeyConnector.zip ../../../
-          pwd
-          ls -atlh ../../../
 
       - name: Upload project artifact
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: KeyConnector.zip
           path: src/KeyConnector/KeyConnector.zip
           if-no-files-found: error
+          retention-days: 7
 
   build-docker:
     name: Build Docker images
     runs-on: ubuntu-24.04
     needs: build-artifacts
     permissions:
-      security-events: write
       id-token: write
-    env:
-      _AZ_REGISTRY: bitwardenprod.azurecr.io
-      _PROJECT_NAME: key-connector
+      packages: write
+      security-events: write
     steps:
       - name: Check out repo
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Log in to ACR
-        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Generate Docker image tag
         id: tag
         run: |
-          IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
-          if [[ "$IMAGE_TAG" == "main" ]]; then
+          # Main branch always uses 'dev' tag
+          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
             IMAGE_TAG=dev
+          # PRs use 'pr-<number>' format for consistency
+          elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then
+            IMAGE_TAG="pr-${{ github.event.pull_request.number }}"
+          # Other branches: sanitize name for Docker tag compatibility
+          else
+            # Extract branch name from refs
+            IMAGE_TAG="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
+            # Lowercase, replace invalid chars with dash, collapse dashes, trim, limit to 128 chars, remove trailing separators
+            IMAGE_TAG=$(echo "$IMAGE_TAG" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | cut -c1-128 | sed -E 's/[.-]$//')
           fi
           echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
 
       - name: Generate full image name
         id: image-name
         env:
           IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
-        run: echo "name=${_AZ_REGISTRY}/${_PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+        run: echo "name=ghcr.io/bitwarden/key-connector:${IMAGE_TAG}" >> $GITHUB_OUTPUT
 
       - name: Get build artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
@@ -95,7 +101,8 @@ jobs:
           context: src/KeyConnector
           file: src/KeyConnector/Dockerfile
           platforms: linux/amd64
-          push: true
+          load: ${{ github.event_name == 'pull_request' }}
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.image-name.outputs.name }}
 
       - name: Install Cosign
@@ -123,12 +130,12 @@ jobs:
           fail-build: false
           output-format: sarif
 
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
-
       - name: Upload Grype results to GitHub
         uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13
         with:
           sarif_file: ${{ steps.container-scan.outputs.sarif }}
           sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }}
           ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }}
+
+      - name: Log out of Docker
+        run: docker logout ghcr.io

.github/workflows/cleanup-container-images.yml

@@ -0,0 +1,49 @@
+name: Cleanup Container Images
+
+on:
+  delete:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.ref }}
+  cancel-in-progress: false
+
+jobs:
+  cleanup-images:
+    name: Delete branch container images
+    runs-on: ubuntu-24.04
+    permissions:
+      packages: write
+    steps:
+      - name: Generate image tag to delete
+        id: tag
+        run: |
+          # Sanitize deleted branch name to match build workflow tag generation
+          BRANCH_NAME="${{ github.event.ref }}"
+          IMAGE_TAG=$(echo "$BRANCH_NAME" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | cut -c1-128 | sed -E 's/[.-]$//')
+          echo "tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Delete container image version
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          IMAGE_TAG: ${{ steps.tag.outputs.tag }}
+        run: |
+          # Get the version ID for this specific tag
+          VERSION_ID=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/orgs/bitwarden/packages/container/key-connector/versions" \
+            --jq ".[] | select(.metadata.container.tags[] | contains(\"$IMAGE_TAG\")) | .id" \
+            | head -1)
+
+          if [[ -n "$VERSION_ID" ]]; then
+            echo "Deleting image with tag: $IMAGE_TAG (version ID: $VERSION_ID)"
+            gh api \
+              --method DELETE \
+              -H "Accept: application/vnd.github+json" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              "/orgs/bitwarden/packages/container/key-connector/versions/$VERSION_ID"
+            echo "Successfully deleted image"
+          else
+            echo "No image found with tag: $IMAGE_TAG"
+          fi

.github/workflows/publish.yml

@@ -25,13 +25,17 @@ jobs:
     permissions:
       contents: read
     outputs:
-      release-version: ${{ steps.version-output.outputs.version }}
+      release_version: ${{ steps.version-output.outputs.version }}
     steps:
       - name: Version output
         id: version-output
         run: |
           if [[ "${{ inputs.version }}" == "latest" || "${{ inputs.version }}" == "" ]]; then
-            VERSION=$(curl  "https://api.github.com/repos/bitwarden/directory-connector/releases" | jq -c '.[] | select(.tag_name) | .tag_name' | head -1 | grep -ohE '20[0-9]{2}\.([1-9]|1[0-2])\.[0-9]+')
+            VERSION=$(curl -sSfL "https://api.github.com/repos/bitwarden/key-connector/releases" | jq -c '.[] | select(.tag_name) | .tag_name' | head -1 | grep -ohE '20[0-9]{2}\.([1-9]|1[0-2])\.[0-9]+')
+            if [[ -z "$VERSION" ]]; then
+              echo "Failed to fetch latest version"
+              exit 1
+            fi
             echo "Latest Released Version: $VERSION"
             echo "version=$VERSION" >> $GITHUB_OUTPUT
           else
@@ -44,81 +48,51 @@ jobs:
     runs-on: ubuntu-24.04
     needs: setup
     env:
-      _AZ_REGISTRY: bitwardenprod.azurecr.io
-      _PROJECT_NAME: key-connector
-      _RELEASE_VERSION: ${{ needs.setup.outputs.release-version }}
+      _RELEASE_VERSION: ${{ needs.setup.outputs.release_version }}
     permissions:
       id-token: write
       packages: write
     steps:
       - name: Install Cosign
         uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
 
-      - name: Log in to Azure
-        uses: bitwarden/gh-actions/azure-login@main
-        with:
-          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-          client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-      - name: Log in to ACR
-        run: az acr login -n ${_AZ_REGISTRY%.azurecr.io}
-
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Pull image
-        run: docker pull $_AZ_REGISTRY/$_PROJECT_NAME:dev
+        run: docker pull ghcr.io/bitwarden/key-connector:dev
 
       - name: Tag version and latest
         run: |
           if [[ "${{ inputs.publish_type }}" == "Dry Run" ]]; then
-            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev ghcr.io/bitwarden/$_PROJECT_NAME:dryrun
+            docker tag ghcr.io/bitwarden/key-connector:dev ghcr.io/bitwarden/key-connector:dryrun
           else
-            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
-            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev $_AZ_REGISTRY/$_PROJECT_NAME:latest
-
-            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
-            docker tag $_AZ_REGISTRY/$_PROJECT_NAME:dev ghcr.io/bitwarden/$_PROJECT_NAME:latest
+            docker tag ghcr.io/bitwarden/key-connector:dev ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION
+            docker tag ghcr.io/bitwarden/key-connector:dev ghcr.io/bitwarden/key-connector:latest
           fi
 
-      - name: Push release version and latest image to ACR
-        if: ${{ inputs.publish_type != 'Dry Run' }}
-        run: |
-          docker push $_AZ_REGISTRY/$_PROJECT_NAME:$_RELEASE_VERSION
-          docker push $_AZ_REGISTRY/$_PROJECT_NAME:latest
-
       - name: Push release version and latest image
         if: ${{ inputs.publish_type != 'Dry Run' }}
         run: |
-          docker push ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
-          docker push ghcr.io/bitwarden/$_PROJECT_NAME:latest
-
-      - name: Sign image with Cosign
-        run: |
-          cosign sign --yes ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
-          cosign sign --yes ghcr.io/bitwarden/$_PROJECT_NAME:latest
+          docker push ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION
+          docker push ghcr.io/bitwarden/key-connector:latest
 
       - name: Verify the signed image with Cosign
+        if: ${{ inputs.publish_type != 'Dry Run' }}
         run: |
           cosign verify \
-            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
+            --certificate-identity-regexp="https://github\.com/bitwarden/key-connector/.*" \
             --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            ghcr.io/bitwarden/$_PROJECT_NAME:$_RELEASE_VERSION
+            ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION
 
           cosign verify \
-            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
+            --certificate-identity-regexp="https://github\.com/bitwarden/key-connector/.*" \
             --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
-            ghcr.io/bitwarden/$_PROJECT_NAME:latest
+            ghcr.io/bitwarden/key-connector:latest
 
       - name: Log out of Docker
-        run: |
-          docker logout ghcr.io
-          docker logout $_AZ_REGISTRY
-
-      - name: Log out from Azure
-        uses: bitwarden/gh-actions/azure-logout@main
+        run: docker logout ghcr.io

.github/workflows/release.yml

@@ -16,13 +16,11 @@ on:
 jobs:
   setup:
     name: Setup
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
     outputs:
       release_version: ${{ steps.version.outputs.version }}
-      branch-name: ${{ steps.branch.outputs.branch-name }}
-
     steps:
       - name: Check branch
         if: ${{ inputs.release_type != 'Dry Run' }}
@@ -54,7 +52,7 @@ jobs:
   release-github:
     name: Create GitHub Release
     if: ${{ inputs.release_type != 'Dry Run' }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs: setup
     permissions:
       contents: write
@@ -72,7 +70,7 @@ jobs:
   check-failures:
     name: Check for failures
     if: always()
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - release-github
       - setup

.github/workflows/scan.yml

@@ -14,6 +14,10 @@ on:
     branches:
       - main
 
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
+
 permissions: {}
 
 jobs:

.github/workflows/test.yml

@@ -7,12 +7,15 @@ on:
       - "main"
   pull_request:
 
-jobs:
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: true
 
+jobs:
   testing:
     name: Run tests
     if: ${{ startsWith(github.head_ref, 'version_bump_') == false }}
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       checks: write
       contents: read