DefGuard · wojcik91 · Sep 15, 2025 · Jul 14, 2025 · Jul 14, 2025 · Jul 25, 2025
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -18,39 +18,45 @@ env:
 jobs:
   build-docker:
     runs-on:
-      - self-hosted
-      - Linux
-      - ${{ matrix.runner }}
+      - codebuild-defguard-gateway-runner-${{ github.run_id }}-${{ github.run_attempt }}
+        image:${{ matrix.os }}
+        instance-size:${{ matrix.size }}
     strategy:
       matrix:
-        cpu: [arm64, amd64, arm/v7]
         include:
-          - cpu: arm64
-            runner: ARM64
+          - os: arm-3.0
+            size: xlarge
+            cpu: arm64
             tag: arm64
-          - cpu: amd64
-            runner: X64
+          - os: ubuntu-7.0
+            size: xlarge
+            cpu: amd64
             tag: amd64
-          - cpu: arm/v7
-            runner: ARM
+          - os: arm-3.0
+            size: xlarge
+            cpu: arm/v7
             tag: armv7
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        with:
-          buildkitd-config-inline: |
-            [registry."docker.io"]
-              mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Build container
         uses: docker/build-push-action@v5
         with:
@@ -59,13 +65,35 @@ jobs:
           provenance: false
           push: true
           tags: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: |
+            type=registry,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}
+            type=registry,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ github.ref_name }}
+          cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ github.ref_name }}
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH,MEDIUM"
 
   docker-manifest:
     runs-on: [self-hosted, Linux]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
     needs: [build-docker]
+
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.9.2
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -74,12 +102,14 @@ jobs:
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create and push manifests
         run: |
           tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -89,3 +119,13 @@ jobs:
             docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64 ${{ env.GHCR_REPO }}:${{ github.sha }}-armv7
             docker manifest push ${tag}
           done
+
+      - name: Sign the images with GitHub OIDC Token
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign sign --yes ${images}
+
+      - name: Verify image signatures
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/gateway" -o text
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -5,15 +5,15 @@ on:
     branches:
       - main
       - dev
-      - 'release/**'
+      - "release/**"
     paths-ignore:
       - "*.md"
       - "LICENSE"
   pull_request:
     branches:
       - main
       - dev
-      - 'release/**'
+      - "release/**"
     paths-ignore:
       - "*.md"
       - "LICENSE"
@@ -23,31 +23,38 @@ env:
 
 jobs:
   test:
-    runs-on: [self-hosted, Linux, X64]
-    container: rust:1
+    runs-on:
+      - codebuild-defguard-gateway-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    container: public.ecr.aws/docker/library/rust:1
 
     steps:
-      - name: Debug
-        run: echo ${{ github.ref_name }}
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Cache
         uses: Swatinem/rust-cache@v2
         with:
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+
       - name: Install dependencies
         run: apt-get update && apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev
+
       - name: Check format
         run: |
           rustup component add rustfmt
           cargo fmt -- --check
+
       - name: Run clippy linter
         run: |
           rustup component add clippy
           cargo clippy --all-targets --all-features -- -D warnings
+
       - name: Run cargo deny
-        uses: EmbarkStudios/cargo-deny-action@v2
+        run: |
+          cargo install cargo-deny
+          cargo deny check
+
       - name: Run tests
         run: cargo test --locked --no-fail-fast
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -98,6 +98,10 @@ jobs:
           target: ${{ matrix.target }}
           override: true
 
+      - name: Setup `packer`
+        uses: hashicorp/setup-packer@main
+        id: setup
+
       - name: Build release binary
         uses: actions-rs/cargo@v1
         with:
@@ -144,6 +148,26 @@ jobs:
           asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb
           asset_content_type: application/octet-stream
 
+      - name: Run `packer init`
+        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        id: init
+        run: "packer init ./images/ami/gateway.pkr.hcl"
+
+      - name: Build AMI images for multiple regions
+        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        run: |
+          regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1)
+          for region in "${regions[@]}"; do
+            echo "Building AMI for region: $region"
+            echo "Running packer validate for $region..."
+            packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl
+            echo "Building AMI image for $region..."
+            packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl
+          done
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
       - name: Build RPM package
         if: matrix.build == 'linux'
         uses: defGuard/fpm-action@main