From 14ac78ab1d3c8062e2de25b66ce5e24ee597fdc2 Mon Sep 17 00:00:00 2001
From: Maciek <19913370+wojcik91@users.noreply.github.com>
Date: Thu, 28 May 2026 12:41:15 +0200
Subject: [PATCH] chore: bump version to 2.1.0 & merge upstream changes from stable/2.x (#329)
* chore(CI): update CI workflows for new branching setup (#327)
* update branch references in workflows
* pin GH actions to specific hashes
* build images tagged with latest version
* Build debs for debian 12/ubuntu 22.04 (#328)
* bump version
---------
Co-authored-by: Kuba <78603704+jakub-tldr@users.noreply.github.com>
---
.github/workflows/build-docker.yml | 16 +--
.github/workflows/ci.yml | 12 +-
.github/workflows/current.yml | 2 +-
.github/workflows/publish-docker-latest.yml | 6 +-
.github/workflows/release.yml | 135 ++++++++++++++++----
.github/workflows/sbom.yml | 12 +-
.github/workflows/update-repositories.yml | 2 +-
Cargo.lock | 2 +-
Cargo.toml | 2 +-
9 files changed, 138 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index e8259524..8b1246a2 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -43,25 +43,25 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive - name: Login to GitHub container registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Sanitize branch name run: echo "SAFE_REF=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV - name: Build container - uses: docker/build-push-action@v7 + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7 with: context: . platforms: linux/${{ matrix.cpu }} @@ -74,7 +74,7 @@ jobs: cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }} - name: Scan image with Trivy - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -98,11 +98,11 @@ jobs: steps: - name: Install Cosign - uses: sigstore/cosign-installer@v4.1.0 + uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 - name: Docker meta id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 with: images: | ${{ env.GHCR_REPO }} @@ -110,7 +110,7 @@ jobs: tags: ${{ inputs.tags }} - name: Login to GitHub container registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 72d3c6b5..72191ad8 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
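Review bot: The cosign-installer pin in the `@@ -98,11 +98,11 @@` hunk moves from `v4.1.0` to a commit annotated `# v4.1.1`, so this "pin to hashes" change also upgrades the tool used to sign release images, which neither the hunk nor the commit message calls out; split it or state it explicitly. SHA pins only stay meaningful if something keeps the hashes and their `# vN` annotations in step, so if the repository has no Dependabot or Renovate entry for the `github-actions` ecosystem, add one alongside this change. The same pinning pattern repeats in ci.yml, publish-docker-latest.yml, release.yml, sbom.yml and update-repositories.yml.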
@@ -3,17 +3,17 @@ name: Continuous integration on: push: branches: - - main - dev - "release/**" + - "stable/**" paths-ignore: - "*.md" - "LICENSE" pull_request: branches: - - main - dev - "release/**" + - "stable/**" paths-ignore: - "*.md" - "LICENSE" @@ -32,12 +32,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive - name: Scan code with Trivy - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -50,7 +50,7 @@ jobs: scanners: "vuln" - name: Run sccache-cache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Install dependencies run: apt-get update && apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev @@ -66,7 +66,7 @@ jobs: cargo clippy --all-targets --all-features -- -D warnings - name: Install cargo extensions - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@3235f8901fd37ffed0052b276cec25a362fb82e9 # v2 with: tool: cargo-deny diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml index 1587da18..1bf35ccb 100644 --- a/.github/workflows/current.yml +++ b/.github/workflows/current.yml @@ -2,9 +2,9 @@ name: Build current image on: push: branches: - - main - dev - 'release/**' + - 'stable/**' paths-ignore: - "*.md" - "LICENSE" diff --git a/.github/workflows/publish-docker-latest.yml b/.github/workflows/publish-docker-latest.yml index a7cb236e..87889f87 100644 --- a/.github/workflows/publish-docker-latest.yml +++ b/.github/workflows/publish-docker-latest.yml 
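Review bot: Removing `main` from both `branches:` lists in the `@@ -3,17 +3,17 @@` hunk means a push or pull request targeting `main` no longer runs CI at all, and the diff does not show whether `main` is retired or merely no longer the integration branch. If `main` still receives merges, keep it in the list; otherwise record the intent in a comment above `on:`, for example `# CI runs only on dev and stable/**; main is intentionally not built`. The same removal is made in current.yml (`@@ -2,9 +2,9 @@`).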
@@ -19,17 +19,17 @@ jobs: steps: - name: Install Cosign - uses: sigstore/cosign-installer@v4.1.1 + uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 - name: Login to GitHub container registry - uses: docker/login-action@v4 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Derive semver tag run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5bcd983c..907141d1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,11 +8,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -env: - SQLX_OFFLINE: "1" - # sccache - SCCACHE_GHA_ENABLED: "true" - RUSTC_WRAPPER: "sccache" + jobs: build-docker-release: @@ -24,6 +20,7 @@ jobs: tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} type=sha # Explicitly disable latest tag. It will be added by publish-docker-latest.yml. flavor: | @@ -51,7 +48,7 @@ jobs: steps: - name: Create GitHub release id: release - uses: shogo82148/actions-create-release@v1 + uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1 with: draft: true generate_release_notes: true @@ -71,6 +68,11 @@ jobs: - self-hosted - Linux - X64 + env: + SQLX_OFFLINE: "1" + # sccache + SCCACHE_GHA_ENABLED: "true" + RUSTC_WRAPPER: "sccache" steps: # Store the version, stripping any v-prefix - name: Write release version 
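Review bot: The workflow-level `env:` block removed in the `@@ -8,11 +8,7 @@` hunk of release.yml is re-added under only one job (`@@ -71,6 +68,11 @@`), so `SQLX_OFFLINE`, `SCCACHE_GHA_ENABLED` and `RUSTC_WRAPPER` no longer reach the other jobs in this workflow, including the new `ubuntu-22-04-build` job added later in the patch. If the crate relies on sqlx offline mode at compile time (not visible here), that job's `cargo build --locked --release` will behave differently from the existing build job; either add `SQLX_OFFLINE: "1"` to the new job's `env:` as well, or document the scoping on the moved block with a comment such as `# job-scoped on purpose: container jobs build without sccache`. The lone `+` empty line in the `@@ -8` hunk also appears to leave two consecutive blank lines before `jobs:`.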
@@ -80,17 +82,17 @@ jobs: echo "VERSION=$VERSION" >> $GITHUB_ENV - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: recursive - name: Install Rust stable - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: targets: "aarch64-unknown-linux-gnu" - name: Run sccache-cache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Build Linux x86_64 binary run: | @@ -118,7 +120,7 @@ jobs: defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd - name: Build x86_64 DEB package - uses: defGuard/fpm-action@main + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway @@ -135,7 +137,7 @@ jobs: --after-remove linux/postrm" - name: Build aarch64 DEB package - uses: defGuard/fpm-action@main + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway @@ -152,7 +154,7 @@ jobs: --after-remove linux/postrm" - name: Build x86_64 RPM package - uses: defGuard/fpm-action@main + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway @@ -169,7 +171,7 @@ jobs: --after-remove linux/postrm" - name: Build aarch64 RPM package - uses: defGuard/fpm-action@main + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway 
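Review bot: Pinning `dtolnay/rust-toolchain@stable` to a commit hash in the `@@ -80,17 +82,17 @@` hunk changes what the step does, because, as far as I can tell, that action derives the toolchain channel from the ref it is invoked with and requires an explicit `toolchain:` input when the ref is a SHA; this step passes only `targets:`. Add `toolchain: stable` under `with:` here, and likewise in the new `ubuntu-22-04-build` job's "Install Rust stable" step, which has no `with:` block at all. Separately, the `defGuard/fpm-action@ebb2575f… # main` annotation records a moving branch name rather than a version, so a tag or date in the comment would make this hash auditable later.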
@@ -186,7 +188,7 @@ jobs: --after-remove linux/postrm" - name: Build FreeBSD package - uses: defGuard/fpm-action@main + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway @@ -201,7 +203,7 @@ jobs: --depends openssl" - name: Build OPNsense package - uses: defGuard/fpm-action@main + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main with: fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway @@ -219,7 +221,7 @@ jobs: --depends openssl" - name: Upload Linux x86_64 archive - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -229,7 +231,7 @@ jobs: overwrite: true - name: Upload Linux aarch64 archive - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -239,7 +241,7 @@ jobs: overwrite: true - name: Upload FreeBSD x86_64 archive - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -249,7 +251,7 @@ jobs: overwrite: true - name: Upload Linux x86_64 DEB - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -259,7 +261,7 @@ jobs: overwrite: true - name: Upload Linux aarch64 DEB - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
@@ -269,7 +271,7 @@ jobs: overwrite: true - name: Upload Linux x86_64 RPM - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -279,7 +281,7 @@ jobs: overwrite: true - name: Upload Linux aarch64 RPM - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -289,7 +291,7 @@ jobs: overwrite: true - name: Upload FreeBSD package - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -299,7 +301,7 @@ jobs: overwrite: true - name: Upload OPNsense package - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
@@ -307,3 +309,88 @@ jobs: asset_path: defguard-gateway-${{ env.VERSION }}_x86_64-unknown-opnsense.pkg asset_content_type: application/x-pkg overwrite: true + + ubuntu-22-04-build: + needs: + - create-release + runs-on: + - self-hosted + - Linux + - ${{ matrix.architecture }} + strategy: + fail-fast: false + matrix: + architecture: [ARM64, X64] + include: + - architecture: ARM64 + deb_arch: arm64 + rust_target: aarch64-unknown-linux-gnu + - architecture: X64 + deb_arch: amd64 + rust_target: x86_64-unknown-linux-gnu + container: + image: ubuntu:22.04 + env: + DEBIAN_FRONTEND: noninteractive + HOME: /root + RUSTUP_HOME: /root/.rustup + CARGO_HOME: /root/.cargo + + steps: + - name: Install git + run: | + apt-get update + apt-get install -y git curl ca-certificates libatomic1 + git config --global --add safe.directory '*' + + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + submodules: recursive + + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Install Rust stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable + + - name: Install build dependencies + run: | + apt-get install -y \ + build-essential pkg-config cmake \ + libssl-dev libmnl-dev libnftnl-dev \ + protobuf-compiler libprotobuf-dev \ + ruby ruby-dev rubygems rpm + gem install fpm --no-document + + - name: Build binary + run: | + cargo build --locked --release --target ${{ matrix.rust_target }} + + - name: Build DEB package (ubuntu-22-04-lts) + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture ${{ matrix.deb_arch }} \ + --package defguard-gateway-${{ env.VERSION }}-${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "target/${{ matrix.rust_target 
}}/release/defguard-gateway=/usr/bin/defguard-gateway" \ + "linux/defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service" \ + "example-config.toml=/etc/defguard/gateway.toml" + + - name: Upload ubuntu-22-04-lts DEB + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway-${{ env.VERSION }}-${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb + asset_content_type: application/gzip + overwrite: true diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 52080a4b..975d436b 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -27,13 +27,13 @@ jobs: echo "VERSION=$VERSION" >> $GITHUB_OUTPUT - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: ref: ${{ steps.vars.outputs.TAG_NAME }} submodules: recursive - name: Create SBOM with Trivy - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -46,7 +46,7 @@ jobs: scanners: "vuln" - name: Create docker image SBOM with Trivy - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -59,7 +59,7 @@ jobs: scanners: "vuln" - name: Create security advisory file with Trivy - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" 
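Review bot: The new `ubuntu-22-04-build` job installs its packaging tool with `gem install fpm --no-document` and builds inside `image: ubuntu:22.04`, neither of which is pinned, so the release artifacts are produced by a toolchain that can change between runs even though every action in this patch was just pinned to a hash. Pin both, e.g. `gem install fpm -v <FPM_VERSION> --no-document` and `image: ubuntu:22.04@sha256:<IMAGE_DIGEST>` (placeholders), and consider narrowing `git config --global --add safe.directory '*'` to the workspace path. The upload step labels the `.deb` as `asset_content_type: application/gzip`; `application/vnd.debian.binary-package` describes it correctly. In the `run:` steps, prefer the shell variable `$VERSION` (already exported via `GITHUB_ENV`) over `${{ env.VERSION }}` interpolation so the tag-derived value is passed as data rather than substituted into the script text.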
@@ -72,7 +72,7 @@ jobs: scanners: "vuln" - name: Create Docker image security advisory file with Trivy - uses: aquasecurity/trivy-action@v0.36.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" @@ -85,7 +85,7 @@ jobs: scanners: "vuln" - name: Upload SBOMs and advisories - uses: shogo82148/actions-upload-release-asset@v1 + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/update-repositories.yml b/.github/workflows/update-repositories.yml index 4d3cdf95..3028b9f2 100644 --- a/.github/workflows/update-repositories.yml +++ b/.github/workflows/update-repositories.yml @@ -12,7 +12,7 @@ jobs: - X64 steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install gh cli run: | sudo apt-get install -y gh diff --git a/Cargo.lock b/Cargo.lock index 62fb9a77..4cf204c3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -835,7 +835,7 @@ checksum = "a4ae5f15dda3c708c0ade84bfee31ccab44a3da4f88015ed22f63732abe300c8" [[package]] name = "defguard-gateway" -version = "2.0.1" +version = "2.1.0" dependencies = [ "axum", "base64 0.22.1", diff --git a/Cargo.toml b/Cargo.toml index b6da3642..6b8e4cb6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "defguard-gateway" -version = "2.0.1" +version = "2.1.0" edition = "2024" [dependencies]
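Review bot: The `@@ -12,7 +12,7 @@` hunk in update-repositories.yml moves `actions/checkout` from `v4` to a commit annotated `# v6`, a two-major-version upgrade presented as a hash pin; as far as I know checkout v5 and later run on a newer Node runtime, so the self-hosted `X64` runner this job uses must be on a runner release that supports it before the next run. State the upgrade in the commit message or split it into its own change so the behavioural difference is reviewable on its own.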