From b84df4419e27f01a9fc8e64899cc169a9228ac7a Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 06:27:56 +0200
Subject: [PATCH 01/10] implement & test sbom files creation during CI process
---
.github/workflows/release.yml | 359 +++++++++++++++++-----------------
.github/workflows/sbom.yml | 0
2 files changed, 183 insertions(+), 176 deletions(-)
create mode 100644 .github/workflows/sbom.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 45da7f893d..47ffde5f20 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,179 +51,186 @@ jobs: draft: true generate_release_notes: true - build-binaries: - needs: [create-release] - - runs-on: - - self-hosted - - Linux - - X64 - - strategy: - fail-fast: false - matrix: - build: [linux, linux-arm64, freebsd] - include: - - build: linux - arch: amd64 - target: x86_64-unknown-linux-gnu - - build: linux-arm64 - arch: arm64 - target: aarch64-unknown-linux-gnu - - build: freebsd - arch: amd64 - target: x86_64-unknown-freebsd - - permissions: - contents: write # needed to upload release assets - - steps: - # Store the version, stripping any v-prefix - - name: Write release version - run: | - VERSION=${GITHUB_REF_NAME#v} - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v4 - with: - submodules: recursive - - - name: Setup `packer` - uses: hashicorp/setup-packer@main - id: setup - - - name: Install Rust stable - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - target: ${{ matrix.target }} - override: true - - - name: Set up Docker BuildX - uses: docker/setup-buildx-action@v3 - with: - buildkitd-config-inline: | - [registry."docker.io"] - mirrors = ["dockerhub-proxy.teonite.net"] - - - name: Install pnpm - uses: pnpm/action-setup@v4 - with: - version: 10 - - - name: Use Node.js 24 - uses: actions/setup-node@v4 - with: - node-version: 24 - - - name: Install frontend dependencies - run: pnpm install --ignore-scripts --frozen-lockfile - working-directory: web - - - name: Build frontend - run: pnpm build - working-directory: web - - - name: Build release binary - uses: actions-rs/cargo@v1 - with: - use-cross: true - command: build - args: --locked --release --target ${{ matrix.target }} - - - name: Rename binary - run: mv target/${{ matrix.target }}/release/defguard defguard-${{ github.ref_name }}-${{ matrix.target }} - - - name: Tar - uses: a7ul/tar-action@v1.1.0 - with: - command: c - files: | - defguard-${{ github.ref_name }}-${{ matrix.target }} - outPath: defguard-${{ 
github.ref_name }}-${{ matrix.target }}.tar.gz - - - name: Upload release archive - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_content_type: application/octet-stream - - - name: Build DEB package - if: matrix.build == 'linux' - uses: defGuard/fpm-action@main - with: - fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.deb" - - - name: Run `packer init` - if: matrix.build == 'linux' && matrix.arch == 'amd64' - id: init - run: "packer init ./images/ami/core.pkr.hcl" - - - name: Build AMI images for multiple regions - if: matrix.build == 'linux' && matrix.arch == 'amd64' - run: | - regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - for region in "${regions[@]}"; do - echo "Building AMI for region: $region" - echo "Running packer validate for $region..." - packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl - echo "Building AMI image for $region..." 
- packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl - done - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Upload DEB - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb - asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb - asset_content_type: application/octet-stream - - - name: Build RPM package - if: matrix.build == 'linux' - uses: defGuard/fpm-action@main - with: - fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm" - - - name: Upload RPM - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm - asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm - asset_content_type: application/octet-stream - - - name: Build FreeBSD package - if: matrix.build == 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/local/bin/defguard defguard.service.freebsd=/usr/local/etc/rc.d/defguard" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" - - - name: Upload FreeBSD - if: 
matrix.build == 'freebsd' - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_name: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_content_type: application/octet-stream + create-sbom: + # TODO change to build-docker-release + needs: [create-release, build-docker-prerelease] + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + + # build-binaries: + # needs: [create-release] + + # runs-on: + # - self-hosted + # - Linux + # - X64 + + # strategy: + # fail-fast: false + # matrix: + # build: [linux, linux-arm64, freebsd] + # include: + # - build: linux + # arch: amd64 + # target: x86_64-unknown-linux-gnu + # - build: linux-arm64 + # arch: arm64 + # target: aarch64-unknown-linux-gnu + # - build: freebsd + # arch: amd64 + # target: x86_64-unknown-freebsd + + # permissions: + # contents: write # needed to upload release assets + + # steps: + # # Store the version, stripping any v-prefix + # - name: Write release version + # run: | + # VERSION=${GITHUB_REF_NAME#v} + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> $GITHUB_ENV + + # - name: Checkout + # uses: actions/checkout@v4 + # with: + # submodules: recursive + + # - name: Setup `packer` + # uses: hashicorp/setup-packer@main + # id: setup + + # - name: Install Rust stable + # uses: actions-rs/toolchain@v1 + # with: + # toolchain: stable + # target: ${{ matrix.target }} + # override: true + + # - name: Set up Docker BuildX + # uses: docker/setup-buildx-action@v3 + # with: + # buildkitd-config-inline: | + # [registry."docker.io"] + # mirrors = ["dockerhub-proxy.teonite.net"] + + # - name: Install pnpm + # uses: pnpm/action-setup@v4 + # with: + # version: 10 + + # - name: Use Node.js 24 + # uses: actions/setup-node@v4 + # with: + # node-version: 24 + + # - name: 
Install frontend dependencies + # run: pnpm install --ignore-scripts --frozen-lockfile + # working-directory: web + + # - name: Build frontend + # run: pnpm build + # working-directory: web + + # - name: Build release binary + # uses: actions-rs/cargo@v1 + # with: + # use-cross: true + # command: build + # args: --locked --release --target ${{ matrix.target }} + + # - name: Rename binary + # run: mv target/${{ matrix.target }}/release/defguard defguard-${{ github.ref_name }}-${{ matrix.target }} + + # - name: Tar + # uses: a7ul/tar-action@v1.1.0 + # with: + # command: c + # files: | + # defguard-${{ github.ref_name }}-${{ matrix.target }} + # outPath: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + # - name: Upload release archive + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_content_type: application/octet-stream + + # - name: Build DEB package + # if: matrix.build == 'linux' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.deb" + + # - name: Run `packer init` + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # id: init + # run: "packer init ./images/ami/core.pkr.hcl" + + # - name: Build AMI images for multiple regions + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # run: | + # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + # for region in "${regions[@]}"; do + # echo "Building AMI for region: 
$region" + # echo "Running packer validate for $region..." + # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl + # echo "Building AMI image for $region..." + # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl + # done + # env: + # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # - name: Upload DEB + # if: matrix.build == 'linux' + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb + # asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb + # asset_content_type: application/octet-stream + + # - name: Build RPM package + # if: matrix.build == 'linux' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm" + + # - name: Upload RPM + # if: matrix.build == 'linux' + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm + # asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm + # asset_content_type: application/octet-stream + + # - name: Build FreeBSD package + # if: matrix.build == 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/local/bin/defguard 
defguard.service.freebsd=/usr/local/etc/rc.d/defguard" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + + # - name: Upload FreeBSD + # if: matrix.build == 'freebsd' + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg + # asset_name: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg + # asset_content_type: application/octet-stream diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 0000000000..e69de29bb2 From a0ec393ce39ea9ee79edfffbf6dad63cb1729fdb Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Thu, 25 Sep 2025 06:31:54 +0200 Subject: [PATCH 02/10] add sbom workflow file --- .github/workflows/sbom.yml | 59 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index e69de29bb2..62b453227e 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml 
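Review bot: The new `create-sbom` job has no `permissions` block, while the job it displaces carried `permissions: contents: write # needed to upload release assets`; a reusable workflow's `GITHUB_TOKEN` can only be as permissive as the calling job grants it, so unless the workflow-level default (outside this hunk) already includes `contents: write`, the release-asset uploads in sbom.yml will be refused. Adding `permissions:` with `contents: write` under `create-sbom` makes that requirement explicit next to `needs` and `with`. Commenting out the whole `build-binaries` job also leaves a release run that attaches no binaries; if the disable is meant to be temporary, a job-level `if: false` expresses that in one line and keeps the block lint-able.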
@@ -0,0 +1,59 @@
+name: Create SBOM files
+
+on:
+ workflow_call:
+ inputs:
+ upload_url:
+ description: "Release assets upload url"
+ required: true
+ type: string
+
+jobs:
+ create-sbom:
+ runs-on:
+ - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ - name: Create SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'fs'
+ format: 'github'
+ output: 'sbom.json'
+ scan-ref: '.'
+ severity: "CRITICAL,HIGH,MEDIUM"
+
+ - name: Create docker image SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ image-ref: "ghcr.io/defguard/defguard:${{ github.ref_name }}"
+ scan-type: 'image'
+ format: 'github'
+ output: 'sbom-docker.json'
+ severity: "CRITICAL,HIGH,MEDIUM"
+
+ - name: Upload SBOM
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ inputs.upload_url }}
+ asset_path: sbom.json
+ asset_name: sbom.json
+ asset_content_type: application/octet-stream
+
+ - name: Upload docker SBOM
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ inputs.upload_url }}
+ asset_path: sbom-docker.json
+ asset_name: sbom-docker.json
+ asset_content_type: application/octet-stream
+
From 3ffd45bd7195e659ed701be5d57c34357b0b49e6 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 06:56:32 +0200
Subject: [PATCH 03/10] strip 'v' from ref_name
---
.github/workflows/sbom.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 62b453227e..ef59b20bcf 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
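Review bot: The image SBOM is produced from the mutable tag `ghcr.io/defguard/defguard:${{ github.ref_name }}`, so the file records whatever that tag pointed at when the job ran rather than the exact image the release published; passing the digest emitted by the docker build job as a second `workflow_call` input (a `digest:` string next to `upload_url`) and scanning `ghcr.io/defguard/defguard@<digest>` would bind the SBOM to the artifact. For a job whose output is a supply-chain attestation, `aquasecurity/trivy-action@0.33.1`, `actions/checkout@v4` and `actions/upload-release-asset@v1.0.2` should be pinned to full commit SHAs with the version kept in a trailing comment. The job also declares no `permissions`, so it inherits the caller's, which works only if the caller grants `contents: write`; a job comment such as `# caller must grant contents: write for the release-asset uploads` would document that contract. `asset_content_type: application/octet-stream` is copied from the binary uploads, where `application/json` describes the Trivy output better.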
@@ -31,7 +31,7 @@ jobs: - name: Create docker image SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 with: - image-ref: "ghcr.io/defguard/defguard:${{ github.ref_name }}" + image-ref: "ghcr.io/defguard/defguard:${{ github.ref_name#v }}" scan-type: 'image' format: 'github' output: 'sbom-docker.json' From c6eb83d081bf785aa2cac67c6f8f9f418dd41cbf Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Thu, 25 Sep 2025 07:03:54 +0200 Subject: [PATCH 04/10] fix version stripping --- .github/workflows/sbom.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index ef59b20bcf..a3e3f11ad5 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -19,6 +19,13 @@ jobs: with: submodules: recursive + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + - name: Create SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 with: @@ -31,7 +38,7 @@ jobs: - name: Create docker image SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 with: - image-ref: "ghcr.io/defguard/defguard:${{ github.ref_name#v }}" + image-ref: "ghcr.io/defguard/defguard:${{ env.VERSION }}" scan-type: 'image' format: 'github' output: 'sbom-docker.json' From 0316d392b09662ac00f07800192e9bb535b41a7e Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Thu, 25 Sep 2025 08:01:45 +0200 Subject: [PATCH 05/10] rename sbom file --- .github/workflows/sbom.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index a3e3f11ad5..ac06a05ed9 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -31,7 +31,7 @@ jobs: with: scan-type: 'fs' format: 'github' - output: 'sbom.json' + output: "defguard-${{ env.VERSION }}.sbom.json" scan-ref: '.' severity: "CRITICAL,HIGH,MEDIUM" 
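Review bot: The added `Write release version` step re-derives `VERSION` from `GITHUB_REF_NAME`, which is correct only when the calling workflow was itself triggered by a `v*` tag; because `${GITHUB_REF_NAME#v}` passes any other ref through unchanged, a branch-triggered call would make the image step scan `ghcr.io/defguard/defguard:<branch>` and either fail or attach a mismatched SBOM. A reusable workflow should receive the version as an explicit input alongside `upload_url` (`version:` with `required: true`, `type: string`) and use `${{ inputs.version }}` in `image-ref`, so the caller's release job stays the single place that computes it. The `steps` list these hunks edit starts and ends outside the hunks.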
@@ -41,7 +41,7 @@ jobs: image-ref: "ghcr.io/defguard/defguard:${{ env.VERSION }}" scan-type: 'image' format: 'github' - output: 'sbom-docker.json' + output: "defguard-${{ env.VERSION }}-docker.sbom.json" severity: "CRITICAL,HIGH,MEDIUM" - name: Upload SBOM From 5b41a6d40d14c91002ca8f528419f15a818a3f0f Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Thu, 25 Sep 2025 08:21:56 +0200 Subject: [PATCH 06/10] fix asset path --- .github/workflows/sbom.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index ac06a05ed9..c3b379eaea 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -50,8 +50,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ inputs.upload_url }} - asset_path: sbom.json - asset_name: sbom.json + asset_path: "defguard-${{ env.VERSION }}.sbom.json" + asset_name: "defguard-${{ env.VERSION }}.sbom.json" asset_content_type: application/octet-stream - name: Upload docker SBOM @@ -60,7 +60,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ inputs.upload_url }} - asset_path: sbom-docker.json - asset_name: sbom-docker.json + asset_path: "defguard-${{ env.VERSION }}-docker.sbom.json" + asset_name: "defguard-${{ env.VERSION }}-docker.sbom.json" asset_content_type: application/octet-stream From 0da62179ba4cff3fad00f57469aed03ece619c1a Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Thu, 25 Sep 2025 08:45:47 +0200 Subject: [PATCH 07/10] spdx format --- .github/workflows/sbom.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index c3b379eaea..e56ce206c0 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml 
@@ -30,19 +30,21 @@ jobs:
 uses: aquasecurity/trivy-action@0.33.1
 with:
 scan-type: 'fs'
- format: 'github'
+ format: 'spdx-json'
 output: "defguard-${{ env.VERSION }}.sbom.json"
 scan-ref: '.'
 severity: "CRITICAL,HIGH,MEDIUM"
+ scanners: "vuln"
 
 - name: Create docker image SBOM with Trivy
 uses: aquasecurity/trivy-action@0.33.1
 with:
 image-ref: "ghcr.io/defguard/defguard:${{ env.VERSION }}"
 scan-type: 'image'
- format: 'github'
+ format: 'spdx-json'
 output: "defguard-${{ env.VERSION }}-docker.sbom.json"
 severity: "CRITICAL,HIGH,MEDIUM"
+ scanners: "vuln"
 
 - name: Upload SBOM
 uses: actions/upload-release-asset@v1.0.2
From 26351b25302d4909879558f08c6d811765e6845e Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 09:54:43 +0200
Subject: [PATCH 08/10] uncomment build-binaries job
---
.github/workflows/release.yml | 355 +++++++++++++++++-----------------
1 file changed, 177 insertions(+), 178 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 47ffde5f20..1ee14f8322 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
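Review bot: `scanners: "vuln"` and `severity: "CRITICAL,HIGH,MEDIUM"` are kept on both steps after switching to `format: 'spdx-json'`, but an SPDX document is a component inventory and, as far as I know, Trivy cannot embed vulnerability findings in it, so these two keys are at best no-ops and at worst suggest the released file is a filtered vulnerability report. If a plain SBOM is the goal, drop both keys; if findings are wanted in the asset, CycloneDX is the format Trivy can attach them to, or a separate scan step should emit the report. A step comment such as `# SPDX SBOM only - no vulnerability data is embedded in this output` would stop the severity filter from being re-added later.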
@@ -52,185 +52,184 @@ jobs: generate_release_notes: true create-sbom: - # TODO change to build-docker-release - needs: [create-release, build-docker-prerelease] + needs: [create-release, build-docker-release] uses: ./.github/workflows/sbom.yml with: upload_url: ${{ needs.create-release.outputs.upload_url }} - # build-binaries: - # needs: [create-release] - - # runs-on: - # - self-hosted - # - Linux - # - X64 - - # strategy: - # fail-fast: false - # matrix: - # build: [linux, linux-arm64, freebsd] - # include: - # - build: linux - # arch: amd64 - # target: x86_64-unknown-linux-gnu - # - build: linux-arm64 - # arch: arm64 - # target: aarch64-unknown-linux-gnu - # - build: freebsd - # arch: amd64 - # target: x86_64-unknown-freebsd - - # permissions: - # contents: write # needed to upload release assets - - # steps: - # # Store the version, stripping any v-prefix - # - name: Write release version - # run: | - # VERSION=${GITHUB_REF_NAME#v} - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> $GITHUB_ENV - - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # submodules: recursive - - # - name: Setup `packer` - # uses: hashicorp/setup-packer@main - # id: setup - - # - name: Install Rust stable - # uses: actions-rs/toolchain@v1 - # with: - # toolchain: stable - # target: ${{ matrix.target }} - # override: true - - # - name: Set up Docker BuildX - # uses: docker/setup-buildx-action@v3 - # with: - # buildkitd-config-inline: | - # [registry."docker.io"] - # mirrors = ["dockerhub-proxy.teonite.net"] - - # - name: Install pnpm - # uses: pnpm/action-setup@v4 - # with: - # version: 10 - - # - name: Use Node.js 24 - # uses: actions/setup-node@v4 - # with: - # node-version: 24 - - # - name: Install frontend dependencies - # run: pnpm install --ignore-scripts --frozen-lockfile - # working-directory: web - - # - name: Build frontend - # run: pnpm build - # working-directory: web - - # - name: Build release binary - # uses: actions-rs/cargo@v1 - # with: - # 
use-cross: true - # command: build - # args: --locked --release --target ${{ matrix.target }} - - # - name: Rename binary - # run: mv target/${{ matrix.target }}/release/defguard defguard-${{ github.ref_name }}-${{ matrix.target }} - - # - name: Tar - # uses: a7ul/tar-action@v1.1.0 - # with: - # command: c - # files: | - # defguard-${{ github.ref_name }}-${{ matrix.target }} - # outPath: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - # - name: Upload release archive - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_content_type: application/octet-stream - - # - name: Build DEB package - # if: matrix.build == 'linux' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.deb" - - # - name: Run `packer init` - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # id: init - # run: "packer init ./images/ami/core.pkr.hcl" - - # - name: Build AMI images for multiple regions - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # run: | - # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - # for region in "${regions[@]}"; do - # echo "Building AMI for region: $region" - # echo "Running packer validate for $region..." - # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl - # echo "Building AMI image for $region..." 
- # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl - # done - # env: - # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - # - name: Upload DEB - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb - # asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb - # asset_content_type: application/octet-stream - - # - name: Build RPM package - # if: matrix.build == 'linux' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm" - - # - name: Upload RPM - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm - # asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm - # asset_content_type: application/octet-stream - - # - name: Build FreeBSD package - # if: matrix.build == 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/local/bin/defguard defguard.service.freebsd=/usr/local/etc/rc.d/defguard" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_${{ matrix.target 
}}.pkg --freebsd-osversion '*'" - - # - name: Upload FreeBSD - # if: matrix.build == 'freebsd' - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_name: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_content_type: application/octet-stream + build-binaries: + needs: [create-release] + + runs-on: + - self-hosted + - Linux + - X64 + + strategy: + fail-fast: false + matrix: + build: [linux, linux-arm64, freebsd] + include: + - build: linux + arch: amd64 + target: x86_64-unknown-linux-gnu + - build: linux-arm64 + arch: arm64 + target: aarch64-unknown-linux-gnu + - build: freebsd + arch: amd64 + target: x86_64-unknown-freebsd + + permissions: + contents: write # needed to upload release assets + + steps: + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: recursive + + - name: Setup `packer` + uses: hashicorp/setup-packer@main + id: setup + + - name: Install Rust stable + uses: actions-rs/toolchain@v1 + with: + toolchain: stable + target: ${{ matrix.target }} + override: true + + - name: Set up Docker BuildX + uses: docker/setup-buildx-action@v3 + with: + buildkitd-config-inline: | + [registry."docker.io"] + mirrors = ["dockerhub-proxy.teonite.net"] + + - name: Install pnpm + uses: pnpm/action-setup@v4 + with: + version: 10 + + - name: Use Node.js 24 + uses: actions/setup-node@v4 + with: + node-version: 24 + + - name: Install frontend dependencies + run: pnpm install --ignore-scripts --frozen-lockfile + working-directory: web + + - name: Build frontend + run: pnpm build + working-directory: web + + - name: Build release binary + uses: actions-rs/cargo@v1 + 
with: + use-cross: true + command: build + args: --locked --release --target ${{ matrix.target }} + + - name: Rename binary + run: mv target/${{ matrix.target }}/release/defguard defguard-${{ github.ref_name }}-${{ matrix.target }} + + - name: Tar + uses: a7ul/tar-action@v1.1.0 + with: + command: c + files: | + defguard-${{ github.ref_name }}-${{ matrix.target }} + outPath: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + - name: Upload release archive + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_name: defguard-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_content_type: application/octet-stream + + - name: Build DEB package + if: matrix.build == 'linux' + uses: defGuard/fpm-action@main + with: + fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.deb" + + - name: Run `packer init` + if: matrix.build == 'linux' && matrix.arch == 'amd64' + id: init + run: "packer init ./images/ami/core.pkr.hcl" + + - name: Build AMI images for multiple regions + if: matrix.build == 'linux' && matrix.arch == 'amd64' + run: | + regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + for region in "${regions[@]}"; do + echo "Building AMI for region: $region" + echo "Running packer validate for $region..." + packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl + echo "Building AMI image for $region..." 
+ packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/core.pkr.hcl + done + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Upload DEB + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb + asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.deb + asset_content_type: application/octet-stream + + - name: Build RPM package + if: matrix.build == 'linux' + uses: defGuard/fpm-action@main + with: + fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard defguard.service=/usr/lib/systemd/system/defguard.service .env-template=/etc/defguard/core.conf" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm" + + - name: Upload RPM + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm + asset_name: defguard-${{ env.VERSION }}-${{ matrix.target }}.rpm + asset_content_type: application/octet-stream + + - name: Build FreeBSD package + if: matrix.build == 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: "defguard-${{ github.ref_name }}-${{ matrix.target }}=/usr/local/bin/defguard defguard.service.freebsd=/usr/local/etc/rc.d/defguard" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + + - name: Upload FreeBSD + if: 
matrix.build == 'freebsd'
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg
+ asset_name: defguard-${{ env.VERSION }}_${{ matrix.target }}.pkg
+ asset_content_type: application/octet-stream
From 0a09cd705455ad99d90f87168ee807bc1571957b Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 09:02:20 +0200
Subject: [PATCH 09/10] run sbom on self-hosted workers
---
.github/workflows/sbom.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index e56ce206c0..302500ba95 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -10,8 +10,7 @@ on:
 
 jobs:
 create-sbom:
- runs-on:
- - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+ runs-on: self-hosted
 
 steps:
 - name: Checkout
From c08bd93aa54de5b292675cb0ed1ea8d0b0d934de Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 10:18:32 +0200
Subject: [PATCH 10/10] use shogo82148/actions-upload-release-asset upload action
---
.github/workflows/sbom.yml | 18 +++--------------
1 file changed, 3 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 302500ba95..42a0353500 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -4,7 +4,7 @@ on:
 workflow_call:
 inputs:
 upload_url:
- description: "Release assets upload url"
+ description: "Release assets upload URL"
 required: true
 type: string
 
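Review bot: The re-enabled `build-binaries` job pins `hashicorp/setup-packer@main` and `defGuard/fpm-action@main` to a moving branch, and `actions-rs/toolchain@v1`, `actions-rs/cargo@v1` and `actions/upload-release-asset@v1.0.2` to tags of archived projects, inside a job that holds `contents: write` and AWS credentials; for release-producing steps every action should be pinned to a full commit SHA (tag in a trailing comment) so a push to a third party's `main` cannot change what ends up in the release. The content is restored rather than new, so this may be a follow-up, but this commit is the moment it goes live again. `create-sbom` now depends on `build-docker-release`, which is outside this hunk, so I cannot confirm that job exists or that it publishes the `${{ env.VERSION }}` tag the SBOM workflow scans.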
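Review bot: `runs-on: self-hosted` selects any self-hosted runner registered to the repository or organisation, whereas `build-binaries` in release.yml targets `[self-hosted, Linux, X64]`; with only the generic label the SBOM job can land on a runner of another OS or architecture where the Trivy action and the image pull are not guaranteed to work. Using the same label list, `runs-on: [self-hosted, Linux, X64]`, or a dedicated label keeps the two workflows consistent. A one-line comment on why a self-hosted runner is needed here instead of `ubuntu-latest` (registry network access, runner size, or policy) would also help, since the job handles `GITHUB_TOKEN` and writes release assets from shared infrastructure.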
@@ -46,22 +46,10 @@ jobs:
 scanners: "vuln"
 
 - name: Upload SBOM
- uses: actions/upload-release-asset@v1.0.2
+ uses: shogo82148/actions-upload-release-asset@v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ inputs.upload_url }}
- asset_path: "defguard-${{ env.VERSION }}.sbom.json"
- asset_name: "defguard-${{ env.VERSION }}.sbom.json"
+ asset_path: "defguard-*.sbom.json"
 asset_content_type: application/octet-stream
-
- - name: Upload docker SBOM
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ inputs.upload_url }}
- asset_path: "defguard-${{ env.VERSION }}-docker.sbom.json"
- asset_name: "defguard-${{ env.VERSION }}-docker.sbom.json"
- asset_content_type: application/octet-stream
-
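Review bot: `asset_path: "defguard-*.sbom.json"` publishes whatever the glob matches at upload time, so if the image SBOM step fails to write its file the job still succeeds having attached only the filesystem SBOM, and nothing in the hunk verifies that both expected files exist. A guard step before the upload, `run: test -f "defguard-${VERSION}.sbom.json" && test -f "defguard-${VERSION}-docker.sbom.json"`, or listing the two paths explicitly, would make a missing SBOM fail the release instead of silently shrinking it. `asset_content_type: application/octet-stream` was kept from the binary uploads; `application/spdx+json` (or `application/json`) describes the file and lets browsers and tooling treat it as text. `shogo82148/actions-upload-release-asset@v1` is pinned by major tag, which for an action that writes release assets is weaker than a commit SHA.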