Merge branch 'release/1.5-alpha' of github.com:DefGuard/defguard into build_alpine

Author: moubctez

.github/workflows/build-docker.yml

@@ -21,6 +21,7 @@ jobs:
       - self-hosted
       - Linux
       - ${{ matrix.runner }}
+
     strategy:
       matrix:
         # cpu: [arm64, amd64, arm/v7]
@@ -35,23 +36,31 @@ jobs:
           # - cpu: arm/v7
           #   runner: ARM
           #   tag: armv7
+
+    permissions:
+      contents: read
+      packages: write
+    
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           buildkitd-config-inline: |
             [registry."docker.io"]
               mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Build container
         uses: docker/build-push-action@v6
         with:
@@ -65,8 +74,18 @@ jobs:
 
   docker-manifest:
     runs-on: [self-hosted, Linux]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
     needs: [build-docker]
+   
     steps:
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -75,12 +94,14 @@ jobs:
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create and push manifests
         run: |
           tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -90,4 +111,14 @@ jobs:
             docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
             docker manifest push ${tag}
           done
-        #  ${{ env.GHCR_REPO }}:${{ github.sha }}-armv7
+        
+      - name: Sign the images with GitHub OIDC Token
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign sign --yes ${images}
+
+      - name: Verify image signatures
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/defguard" -o text
+        

.github/workflows/ci.yml

@@ -20,8 +20,10 @@ on:
 
 jobs:
   test:
-    runs-on: [self-hosted, Linux, X64]
-    container: rust:1
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
+    container: public.ecr.aws/docker/library/rust:1
 
     services:
       postgres:
@@ -52,21 +54,30 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Cache
         uses: Swatinem/rust-cache@v2
+
       - name: Install protoc
         run: apt-get update && apt-get -y install protobuf-compiler
+
       - name: Check format
         run: |
           rustup component add rustfmt
           cargo fmt -- --check
+
       - name: Run clippy linter
         run: |
           rustup component add clippy
           cargo clippy --all-targets --all-features -- -D warnings
+
       - name: Run cargo deny
-        uses: EmbarkStudios/cargo-deny-action@v2
+        run: |
+          cargo install cargo-deny
+          cargo deny check
+
       - name: Install nextest
         uses: taiki-e/install-action@nextest
+
       - name: Run tests
         run: cargo nextest run --locked --no-fail-fast

.github/workflows/lint-web.yml

@@ -4,19 +4,23 @@ on:
       - main
       - dev
       - 'release/**'
-    paths:
-      - "web/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
   pull_request:
     branches:
       - main
       - dev
       - 'release/**'
-    paths:
-      - "web/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
 
 jobs:
   lint-web:
-    runs-on: [self-hosted, Linux, X64]
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/release.yml

@@ -53,10 +53,12 @@ jobs:
 
   build-binaries:
     needs: [create-release]
+
     runs-on:
       - self-hosted
       - Linux
       - X64
+
     strategy:
       fail-fast: false
       matrix:
@@ -71,6 +73,10 @@ jobs:
           - build: freebsd
             arch: amd64
             target: x86_64-unknown-freebsd
+
+    permissions:
+      contents: write # needed to upload release assets
+
     steps:
       # Store the version, stripping any v-prefix
       - name: Write release version
@@ -165,7 +171,7 @@ jobs:
       - name: Build AMI images for multiple regions
         if: matrix.build == 'linux' && matrix.arch == 'amd64'
         run: |
-          regions=(us-east-1 eu-west-1 ap-northeast-1)
+          regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1)
           for region in "${regions[@]}"; do
             echo "Building AMI for region: $region"
             echo "Running packer validate for $region..."