Initial commit

.github/CODEOWNERS

@@ -0,0 +1,8 @@
+# Please sort into logical groups with comment headers. Sort groups in order of specificity.
+# For example, default owners should always be the first group.
+# Sort lines alphabetically within these groups to avoid accidentally adding duplicates.
+#
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+# Default file owners.
+* @bitwarden/dept-devops

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,14 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Feature Requests
+    url: https://community.bitwarden.com/c/feature-requests/
+    about: Request new features using the Community Forums. Please search existing feature requests before making a new one.
+  - name: Bitwarden Community Forums
+    url: https://community.bitwarden.com
+    about: Please visit the community forums for general community discussion, support and the development roadmap.
+  - name: Customer Support
+    url: https://bitwarden.com/contact/
+    about: Please contact our customer support for account issues and general customer support.
+  - name: Security Issues
+    url: https://hackerone.com/bitwarden
+    about: We use HackerOne to manage security disclosures.

.github/ISSUE_TEMPLATE/self-host.yml

@@ -0,0 +1,69 @@
+name: Bitwarden Self-Host Chart Bug Report
+description: File a bug report
+labels: [bug, self-host]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report!
+
+        Please do not submit feature requests. The [Community Forums](https://community.bitwarden.com) has a section for submitting, voting for, and discussing product feature requests.
+  - type: textarea
+    id: reproduce
+    attributes:
+      label: Steps To Reproduce
+      description: How can we reproduce the behavior.
+      value: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. Click on '...'
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Result
+      description: A clear and concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    id: actual
+    attributes:
+      label: Actual Result
+      description: A clear and concise description of what is happening.
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots or Videos
+      description: If applicable, add screenshots and/or a short video to help explain your problem.
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional Context
+      description: Add any other context about the problem here.
+  - type: input
+    id: version
+    attributes:
+      label: Chart Version
+      description: Please use `helm list --namespace ns_here` and copy the chart name/version
+    validations:
+      required: true
+  - type: textarea
+    id: environment-details
+    attributes:
+      label: Environment Details
+      description: Please provide some additional environment details.
+      placeholder: |
+        - Environment: [e.g. AKS, EKS, K3s, K8s, OpenShift]
+        - Hardware: [e.g. Intel 6-core, 8GB RAM]
+  - type: checkboxes
+    id: issue-tracking-info
+    attributes:
+      label: Issue Tracking Info
+      description: |
+        Issue tracking information
+      options:
+        - label: I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

.github/renovate.json

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

.github/workflows/build.yml

@@ -0,0 +1,78 @@
+---
+name: Build
+
+on:
+  push:
+    branches-ignore:
+      - "gh-pages"
+    paths-ignore:
+      - ".github/workflows/**"
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build Helm charts
+    runs-on: ubuntu-22.04
+    environment: Production
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - chart_name: self-host
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Set up Helm
+        uses: Azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: 'v3.13.1'
+
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Set up GPG key and passphrase
+        run: |
+          az keyvault secret download \
+            --vault-name bitwarden-ci \
+            --name helm-signing-gpg-private-key \
+            --file private
+
+          az keyvault secret download \
+          --vault-name bitwarden-ci \
+          --name helm-signing-gpg-private-key-passphrase \
+          --file .passphrase
+
+          az keyvault secret download \
+          --vault-name bitwarden-ci \
+          --name helm-signing-gpg-public-key \
+          --file public
+
+          gpg --dearmor private
+          gpg --dearmor public
+
+      - name: Package Helm chart
+        id: helm_package
+        run: |
+          helm package \
+            --sign \
+            --key "DevOps Team" \
+            --keyring private.gpg \
+            --passphrase-file .passphrase \
+            charts/${{ matrix.chart_name }}
+          PKG_NAME=$(ls *.tgz)
+          echo "name=$PKG_NAME" >> "$GITHUB_OUTPUT"
+
+      - name: Verify Helm chart
+        run: helm verify ${{ steps.helm_package.outputs.name }} --keyring public.gpg
+
+      - name: Upload Helm chart artifact
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: ${{ matrix.chart_name }}
+          path: |
+            ${{ steps.helm_package.outputs.name }}
+            ${{ steps.helm_package.outputs.name }}.prov
+          if-no-files-found: error

.github/workflows/linter.yml

@@ -0,0 +1,49 @@
+---
+name: Lint
+
+on:
+  pull_request:
+    paths:
+      - 'charts/*'
+  push:
+    branches:
+      - main
+    paths:
+      - 'charts/*'
+  workflow_dispatch:
+
+jobs:
+  lint:
+    name: Lint Helm charts
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: Azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: 'v3.13.1'
+
+      - name: Set up Python
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
+        with:
+          python-version: '3.12'
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@e8788873172cb653a90ca2e819d79d65a66d4e76 # v2.4.0
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          CHANGED=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$CHANGED" ]]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run chart-testing (lint)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}

.github/workflows/release.yml

@@ -0,0 +1,90 @@
+---
+name: Release
+run-name: Release - ${{ inputs.release_mode }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      release_mode:
+        description: "Release Mode"
+        default: "Standard Release"
+        type: choice
+        options:
+          - Standard Release
+          - Dry Run
+
+jobs:
+  setup:
+    name: Setup
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Branch check
+        if: ${{ github.event.inputs.release_mode != 'Dry Run' }}
+        run: |
+          if [[ "$GITHUB_REF" != "refs/heads/main" ]]; then
+            echo "==================================="
+            echo "[!] Can only release from the 'main' branch"
+            echo "==================================="
+            exit 1
+          fi
+
+  release:
+    name: Release Helm chart
+    runs-on: ubuntu-22.04
+    needs: setup
+    permissions:
+      actions: read
+      contents: write
+      packages: write
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Set up Helm
+        uses: Azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        with:
+          version: v3.13.1
+
+      - name: Download Helm chart artifact
+        uses: bitwarden/gh-actions/download-artifacts@master
+        with:
+          branch: main
+          path: .cr-release-packages
+          workflow: build.yml
+          workflow_conclusion: success
+
+      - name: Release Helm chart
+        if: ${{ github.event.inputs.release_mode != 'Dry Run' }}
+        env:
+          CR_GENERATE_RELEASE_NOTES: true
+          CR_MAKE_RELEASE_LATEST: true
+          CR_SKIP_EXISTING: true
+          CR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        uses: helm/chart-releaser-action@be16258da8010256c6e82849661221415f031968 # v1.5.0
+        with:
+          skip_packaging: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push charts to GitHub Container Registry
+        if: ${{ github.event.inputs.release_mode != 'Dry Run' }}
+        run: |
+          shopt -s nullglob
+          for pkg in .cr-release-packages/*; do
+            if [ -z "${pkg:-}" ]; then
+              break
+            fi
+            helm push "${pkg}" "oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts"
+          done