feat: non-root self hosted images for standard deployment (#5701)

* Use IHttpMessageHandlerFactory For HTTP Communication

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* feat: allow custom app-id.json location for rootless

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>

* fix: new build context wont allow copying git context

* feat: allow images to run as non-root user

* fix: build failures caused by bad merge

* build: we don't need to copy the `.git` dir

* Revert "build: we don't need to copy the `.git` dir"

This reverts commit 32c2f62.

* Use `IHttpClientFactory` in more places

* update build workflow

* fix: compatibility with the existin run.sh script

* fix: compatibility with existing run.sh script

* Add SelfHosted GlobalSettings for Setup

* Fix my build error

* Add other services

* Add IConfiguration

* fix: missing gosu command for rootful mode

* fix: try using .net core certificate handling

* fix: add `SSL_CERT_DIR` to remaining images

* Remove X509ChainCustomization activation code

* Revert "Use IHttpMessageHandlerFactory For HTTP Communication"

This reverts commit c93be6d.

* Revert "fix: build failures caused by bad merge"

This reverts commit 3e46394.

* Revert "Use `IHttpClientFactory` in more places"

This reverts commit 284501a.

* remove unused code

* re-add error log for installation id

* remove missing error message in log

* build: remove duplicate docker+qemu setup steps

Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com>

* build: optimize for simpler builds over caching

* build: restore previous method for getting the GIT_HASH

* fix: add missing build args to remaining images

* fix: rm extraneous source revision id arg

* fmt: apply consistent spacing and rm redundant WORKDIR directive

* build: update migrator to use simpler build; apply consistent spacing

* fix: merge conflicts; simplify changes

* fix: add publish branch check back

---------

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Co-authored-by: Opeyemi <Alaoopeyemi101@gmail.com>

Author: 3 people

.github/workflows/build.yml

@@ -19,7 +19,7 @@ env:
 jobs:
   lint:
     name: Lint
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -33,46 +33,62 @@ jobs:
         run: dotnet format --verify-no-changes
 
   build-artifacts:
-    name: Build artifacts
-    runs-on: ubuntu-22.04
+    name: Build Docker images
+    runs-on: ubuntu-24.04
     needs:
       - lint
     outputs:
       has_secrets: ${{ steps.check-secrets.outputs.has_secrets }}
+    permissions:
+      security-events: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
         include:
           - project_name: Admin
             base_path: ./src
+            dotnet: true
             node: true
           - project_name: Api
             base_path: ./src
+            dotnet: true
+          - project_name: Attachments
+            base_path: ./util
           - project_name: Billing
             base_path: ./src
+            dotnet: true
           - project_name: Events
             base_path: ./src
+            dotnet: true
           - project_name: EventsProcessor
             base_path: ./src
+            dotnet: true
           - project_name: Icons
             base_path: ./src
+            dotnet: true
           - project_name: Identity
             base_path: ./src
+            dotnet: true
+          - project_name: MsSql
+            base_path: ./util
           - project_name: MsSqlMigratorUtility
             base_path: ./util
             dotnet: true
+          - project_name: Nginx
+            base_path: ./util
           - project_name: Notifications
             base_path: ./src
+            dotnet: true
           - project_name: Scim
             base_path: ./bitwarden_license/src
             dotnet: true
-          - project_name: Server
-            base_path: ./util
           - project_name: Setup
             base_path: ./util
+            dotnet: true
           - project_name: Sso
             base_path: ./bitwarden_license/src
-            node: true
+            dotnet: true
     steps:
       - name: Check secrets
         id: check-secrets
@@ -87,6 +103,18 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
 
+      - name: Check branch to publish
+        env:
+          PUBLISH_BRANCHES: "main,rc,hotfix-rc"
+        id: publish-branch-check
+        run: |
+          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
+          if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
+            echo "is_publish_branch=true" >> $GITHUB_ENV
+          else
+            echo "is_publish_branch=false" >> $GITHUB_ENV
+          fi
+
       - name: Set up .NET
         uses: actions/setup-dotnet@87b7050bc53ea08284295505d98d2aa94301e852 # v4.2.0
 
@@ -115,6 +143,7 @@ jobs:
 
       - name: Publish project
         working-directory: ${{ matrix.base_path }}/${{ matrix.project_name }}
+        if: ${{ matrix.dotnet }}
         run: |
           echo "Publish"
           dotnet publish -c "Release" -o obj/build-output/publish
@@ -128,87 +157,18 @@ jobs:
 
       - name: Upload project artifact
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        if: ${{ matrix.dotnet }}
         with:
           name: ${{ matrix.project_name }}.zip
           path: ${{ matrix.base_path }}/${{ matrix.project_name }}/${{ matrix.project_name }}.zip
           if-no-files-found: error
 
-  build-docker:
-    name: Build Docker images
-    runs-on: ubuntu-22.04
-    permissions:
-      security-events: write
-      id-token: write
-    needs:
-      - build-artifacts
-    if: ${{ needs.build-artifacts.outputs.has_secrets == 'true' }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - project_name: Admin
-            base_path: ./src
-            dotnet: true
-          - project_name: Api
-            base_path: ./src
-            dotnet: true
-          - project_name: Attachments
-            base_path: ./util
-          - project_name: Billing
-            base_path: ./src
-            dotnet: true
-          - project_name: Events
-            base_path: ./src
-            dotnet: true
-          - project_name: EventsProcessor
-            base_path: ./src
-            dotnet: true
-          - project_name: Icons
-            base_path: ./src
-            dotnet: true
-          - project_name: Identity
-            base_path: ./src
-            dotnet: true
-          - project_name: MsSql
-            base_path: ./util
-          - project_name: MsSqlMigratorUtility
-            base_path: ./util
-            dotnet: true
-          - project_name: Nginx
-            base_path: ./util
-          - project_name: Notifications
-            base_path: ./src
-            dotnet: true
-          - project_name: Scim
-            base_path: ./bitwarden_license/src
-            dotnet: true
-          - project_name: Server
-            base_path: ./util
-            dotnet: true
-          - project_name: Setup
-            base_path: ./util
-            dotnet: true
-          - project_name: Sso
-            base_path: ./bitwarden_license/src
-            dotnet: true
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
+      ########## Set up Docker ##########
+      - name: Set up QEMU emulators
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
-      - name: Check branch to publish
-        env:
-          PUBLISH_BRANCHES: "main,rc,hotfix-rc"
-        id: publish-branch-check
-        run: |
-          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
-
-          if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
-            echo "is_publish_branch=true" >> $GITHUB_ENV
-          else
-            echo "is_publish_branch=false" >> $GITHUB_ENV
-          fi
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       ########## ACRs ##########
       - name: Log in to Azure - production subscription
@@ -277,26 +237,24 @@ jobs:
           fi
           echo "tags=$TAGS" >> $GITHUB_OUTPUT
 
-      - name: Get build artifact
-        if: ${{ matrix.dotnet }}
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
-        with:
-          name: ${{ matrix.project_name }}.zip
-
-      - name: Set up build artifact
-        if: ${{ matrix.dotnet }}
-        run: |
-          mkdir -p ${{ matrix.base_path}}/${{ matrix.project_name }}/obj/build-output/publish
-          unzip ${{ matrix.project_name }}.zip \
-            -d ${{ matrix.base_path }}/${{ matrix.project_name }}/obj/build-output/publish
+      - name: Generate image full name
+        id: cache-name
+        env:
+          PROJECT_NAME: ${{ steps.setup.outputs.project_name }}
+        run: echo "name=${_AZ_REGISTRY}/${PROJECT_NAME}:buildcache" >> $GITHUB_OUTPUT
 
       - name: Build Docker image
-        id: build-docker
+        id: build-artifacts
         uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d # v6.12.0
         with:
-          context: ${{ matrix.base_path }}/${{ matrix.project_name }}
+          cache-from: type=registry,ref=${{ steps.cache-name.outputs.name }}
+          cache-to: type=registry,ref=${{ steps.cache-name.outputs.name}},mode=max
+          context: .
           file: ${{ matrix.base_path }}/${{ matrix.project_name }}/Dockerfile
-          platforms: linux/amd64
+          platforms: |
+            linux/amd64,
+            linux/arm/v7,
+            linux/arm64
           push: true
           tags: ${{ steps.image-tags.outputs.tags }}
           secrets: |
@@ -309,7 +267,7 @@ jobs:
       - name: Sign image with Cosign
         if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
         env:
-          DIGEST: ${{ steps.build-docker.outputs.digest }}
+          DIGEST: ${{ steps.build-artifacts.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
         run: |
           IFS="," read -a tags <<< "${TAGS}"
@@ -336,8 +294,8 @@ jobs:
 
   upload:
     name: Upload
-    runs-on: ubuntu-22.04
-    needs: build-docker
+    runs-on: ubuntu-24.04
+    needs: build-artifacts
     steps:
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -512,7 +470,7 @@ jobs:
 
   build-mssqlmigratorutility:
     name: Build MSSQL migrator utility
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - lint
     defaults:
@@ -568,9 +526,9 @@ jobs:
     if: |
       github.event_name != 'pull_request'
       && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc')
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
-      - build-docker
+      - build-artifacts
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -604,7 +562,7 @@ jobs:
     if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
     runs-on: ubuntu-22.04
     needs:
-      - build-docker
+      - build-artifacts
     steps:
       - name: Log in to Azure - CI subscription
         uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
@@ -638,7 +596,6 @@ jobs:
     name: Setup Ephemeral Environment
     needs:
       - build-artifacts
-      - build-docker
     if: |
       needs.build-artifacts.outputs.has_secrets == 'true'
       && github.event_name == 'pull_request'
@@ -656,7 +613,6 @@ jobs:
     needs:
       - lint
       - build-artifacts
-      - build-docker
       - upload
       - build-mssqlmigratorutility
       - self-host-build

Directory.Build.props

@@ -69,5 +69,4 @@
       </AssemblyAttribute>
     </ItemGroup>
   </Target>
-
-</Project>
+</Project>

bitwarden_license/src/Scim/.dockerignore

@@ -1,6 +1,50 @@
+###############################################
+#                 Build stage                 #
+###############################################
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0 AS build
+
+# Docker buildx supplies the value for this arg
+ARG TARGETPLATFORM
+
+# Determine proper runtime value for .NET
+# We put the value in a file to be read by later layers.
+RUN if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+    RID=linux-x64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+    RID=linux-arm64 ; \
+    elif [ "$TARGETPLATFORM" = "linux/arm/v7" ]; then \
+    RID=linux-arm ; \
+    fi \
+    && echo "RID=$RID" > /tmp/rid.txt
+
+# Copy required project files
+WORKDIR /source
+COPY . ./
+
+# Restore project dependencies and tools
+WORKDIR /source/bitwarden_license/src/Scim
+RUN . /tmp/rid.txt && dotnet restore -r $RID
+
+# Build project
+RUN . /tmp/rid.txt && dotnet publish \
+    -c release \
+    --no-restore \
+    --self-contained \
+    /p:PublishSingleFile=true \
+    -r $RID \
+    -o out
+
+###############################################
+#                  App stage                  #
+###############################################
 FROM mcr.microsoft.com/dotnet/aspnet:8.0
 
+ARG TARGETPLATFORM
 LABEL com.bitwarden.product="bitwarden"
+ENV ASPNETCORE_ENVIRONMENT=Production
+ENV ASPNETCORE_URLS=http://+:5000
+ENV SSL_CERT_DIR=/etc/bitwarden/ca-certificates
+EXPOSE 5000
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
@@ -9,11 +53,10 @@ RUN apt-get update \
     krb5-user \
     && rm -rf /var/lib/apt/lists/*
 
-ENV ASPNETCORE_URLS http://+:5000
+# Copy app from the build stage
 WORKDIR /app
-EXPOSE 5000
-COPY obj/build-output/publish .
-COPY entrypoint.sh /
+COPY --from=build /source/bitwarden_license/src/Scim/out /app
+COPY ./bitwarden_license/src/Scim/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/alive || exit 1