From 3844a4dfef1acd37277b439f4e410f506e5838df Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 08:07:37 +0200
Subject: [PATCH 01/12] implement sbom workflow
---
 .github/workflows/release.yml | 7 ++++
 .github/workflows/sbom.yml | 66 +++++++++++++++++++++++++++++++++++
 2 files changed, 73 insertions(+)
 create mode 100644 .github/workflows/sbom.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0977caef..ae0629ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -51,6 +51,13 @@ jobs:
 draft: true
 generate_release_notes: true
+ create-sbom:
+ # TODO change to build-docker-release
+ needs: [create-release, build-docker-prerelease]
+ uses: ./.github/workflows/sbom.yml
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ build-release:
+ name: Release ${{ matrix.build }}
 needs: [create-release]
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 00000000..0b32060c
--- /dev/null
+++ b/.github/workflows/sbom.yml
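Review bot: The new `create-sbom` job calls a reusable workflow that uploads release assets with `secrets.GITHUB_TOKEN`, but the hunk grants it no `permissions:`; a called workflow's token can only be as permissive as the caller job's, so if release.yml sets a restrictive top-level `permissions` block or the repository default token is read-only, the upload steps in sbom.yml will fail with a 403. Add `permissions:` with `contents: write` directly under `create-sbom` so the grant is explicit and scoped to this job rather than inherited from whatever the workflow-level default happens to be. The job passes only `upload_url`; if the called workflow later needs anything beyond `GITHUB_TOKEN`, prefer named `secrets:` over `secrets: inherit` to keep the reusable workflow's access minimal.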
@@ -0,0 +1,66 @@
+name: Create SBOM files
+
+on:
+ workflow_call:
+ inputs:
+ upload_url:
+ description: "Release assets upload url"
+ required: true
+ type: string
+
+jobs:
+ create-sbom:
+ runs-on:
+ - codebuild-defguard-gateway-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ # Store the version, stripping any v-prefix
+ - name: Write release version
+ run: |
+ VERSION=${GITHUB_REF_NAME#v}
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> $GITHUB_ENV
+
+ - name: Create SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ scan-type: 'fs'
+ format: 'github'
+ output: "defguard-${{ env.VERSION }}.sbom.json"
+ scan-ref: '.'
+ severity: "CRITICAL,HIGH,MEDIUM"
+
+ - name: Create docker image SBOM with Trivy
+ uses: aquasecurity/trivy-action@0.33.1
+ with:
+ image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
+ scan-type: 'image'
+ format: 'github'
+ output: "defguard-${{ env.VERSION }}-docker.sbom.json"
+ severity: "CRITICAL,HIGH,MEDIUM"
+
+ - name: Upload SBOM
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ inputs.upload_url }}
+ asset_path: sbom.json
+ asset_name: sbom.json
+ asset_content_type: application/octet-stream
+
+ - name: Upload docker SBOM
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ inputs.upload_url }}
+ asset_path: sbom-docker.json
+ asset_name: sbom-docker.json
+ asset_content_type: application/octet-stream
+
From c8c48c2cda9a233726a3b787a151a41d258870d7 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 08:24:37 +0200
Subject: [PATCH 02/12] fix asset name
---
 .github/workflows/sbom.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 0b32060c..ab3ddc27 100644
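Review bot: Every third-party action in the new workflow is pinned by a mutable tag (`actions/checkout@v4`, `aquasecurity/trivy-action@0.33.1`, `actions/upload-release-asset@v1.0.2`), so a retargeted tag would let a compromised action rewrite the very SBOM that is published as the release's component inventory; pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.33.1`. The image SBOM in `Create docker image SBOM with Trivy` is taken from the mutable tag `ghcr.io/defguard/gateway:${{ env.VERSION }}`; have the docker build job output the pushed digest and scan `image-ref: "ghcr.io/defguard/gateway@sha256:<digest-from-build-job>"` so the SBOM is bound to the exact image that shipped. `actions/upload-release-asset` is archived upstream, as far as I know; since the job already holds a write-capable `GITHUB_TOKEN`, a `run:` step calling `gh release upload` (if the CLI is present on the self-hosted runner) would drop the dependency on an unmaintained action.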
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -31,7 +31,7 @@ jobs:
 with:
 scan-type: 'fs'
 format: 'github'
- output: "defguard-${{ env.VERSION }}.sbom.json"
+ output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
 scan-ref: '.'
 severity: "CRITICAL,HIGH,MEDIUM"
@@ -41,7 +41,7 @@ jobs:
 image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
 scan-type: 'image'
 format: 'github'
- output: "defguard-${{ env.VERSION }}-docker.sbom.json"
+ output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
 severity: "CRITICAL,HIGH,MEDIUM"
 - name: Upload SBOM
@@ -50,8 +50,8 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ inputs.upload_url }}
- asset_path: sbom.json
- asset_name: sbom.json
+ asset_path: "defguard-gateway-${{ env.VERSION }}.sbom.json"
+ asset_name: "defguard-gateway-${{ env.VERSION }}.sbom.json"
 asset_content_type: application/octet-stream
 - name: Upload docker SBOM
@@ -60,7 +60,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ inputs.upload_url }}
- asset_path: sbom-docker.json
- asset_name: sbom-docker.json
+ asset_path: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
+ asset_name: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
 asset_content_type: application/octet-stream
From 67c553e4b83fa40af97ffa952df6e186b3f35626 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 08:46:20 +0200
Subject: [PATCH 03/12] spdx format
---
 .github/workflows/sbom.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index ab3ddc27..72fbcd51 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -30,7 +30,7 @@ jobs:
 uses: aquasecurity/trivy-action@0.33.1
 with:
 scan-type: 'fs'
- format: 'github'
+ format: 'spdx-json'
 output: "defguard-gateway-${{ env.VERSION }}.sbom.json"
 scan-ref: '.'
 severity: "CRITICAL,HIGH,MEDIUM"
@@ -40,9 +40,10 @@ jobs:
 with:
 image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
 scan-type: 'image'
- format: 'github'
+ format: 'spdx-json'
 output: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
 severity: "CRITICAL,HIGH,MEDIUM"
+ scanners: "vuln"
 - name: Upload SBOM
 uses: actions/upload-release-asset@v1.0.2
@@ -53,6 +54,7 @@ jobs:
 asset_path: "defguard-gateway-${{ env.VERSION }}.sbom.json"
 asset_name: "defguard-gateway-${{ env.VERSION }}.sbom.json"
 asset_content_type: application/octet-stream
+ scanners: "vuln"
 - name: Upload docker SBOM
 uses: actions/upload-release-asset@v1.0.2
From 076603071101bebd30b25ff81c26aadbc9376e02 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 09:56:22 +0200
Subject: [PATCH 04/12] depend on build-docker-release instead of prerelease
---
 .github/workflows/release.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae0629ac..2c4c91c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,8 +52,7 @@ jobs:
 generate_release_notes: true
 create-sbom:
- # TODO change to build-docker-release
- needs: [create-release, build-docker-prerelease]
+ needs: [create-release, build-docker-release]
 uses: ./.github/workflows/sbom.yml
 with:
 upload_url: ${{ needs.create-release.outputs.upload_url }}
From cbb8ca596814767c5d4d6697ba43c358838103da Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 12:18:52 +0200
Subject: [PATCH 05/12] test self-hosted runner
---
 .github/workflows/release.yml | 306 +++++++++++++++++-----------------
 .github/workflows/sbom.yml | 3 +-
 2 files changed, 154 insertions(+), 155 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2c4c91c6..44f95d42 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
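Review bot: The second `scanners: "vuln"` added in this commit (hunk `@@ -53,6 +54,7 @@`) lands inside the `with:` block of the `Upload SBOM` step, which runs `actions/upload-release-asset`; that action has no such input, so the runner will warn about an unexpected input and silently ignore it — it reads as a misplaced copy of the line added to the Trivy image step and should be deleted from the upload step. In the Trivy image step itself, `scanners: "vuln"` together with `severity: "CRITICAL,HIGH,MEDIUM"` has no visible effect on an `spdx-json` output, because SPDX 2.x documents carry package inventory and no vulnerability findings, so the vulnerability pass only adds scan time; either drop both keys from the two SBOM steps or, if findings are wanted, emit them as a separate report in a non-SBOM format. The fs scan step changed earlier in this commit (hunk `@@ -30,7 +30,7 @@`) keeps the same unused `severity` setting and should be treated the same way.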
@@ -84,156 +84,156 @@ jobs: os: Linux asset_name: defguard-gateway-freebsd-x86_64 target: x86_64-unknown-freebsd - steps: - # Store the version, stripping any v-prefix - - name: Write release version - run: | - VERSION=${GITHUB_REF_NAME#v} - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v3 - with: - submodules: recursive - - - name: Install Rust stable - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - target: ${{ matrix.target }} - override: true - - - name: Setup `packer` - uses: hashicorp/setup-packer@main - id: setup - - - name: Build release binary - uses: actions-rs/cargo@v1 - with: - use-cross: true - command: build - args: --locked --release --target ${{ matrix.target }} - - - name: Rename binary - run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} - - - name: Tar - uses: a7ul/tar-action@v1.1.0 - with: - command: c - files: | - ${{ matrix.asset_name }}-${{ github.ref_name }} - outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - - name: Upload release archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_content_type: application/octet-stream - - - name: Build DEB package - if: matrix.build != 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ 
env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" - - - name: Upload DEB - if: matrix.build != 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - asset_content_type: application/octet-stream - - - name: Run `packer init` - if: matrix.build == 'linux' && matrix.arch == 'amd64' - id: init - run: "packer init ./images/ami/gateway.pkr.hcl" - - - name: Build AMI images for multiple regions - if: matrix.build == 'linux' && matrix.arch == 'amd64' - run: | - regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - for region in "${regions[@]}"; do - echo "Building AMI for region: $region" - echo "Running packer validate for $region..." - packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - echo "Building AMI image for $region..." 
- packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - done - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Build RPM package - if: matrix.build == 'linux' - uses: defGuard/fpm-action@main - with: - fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" - - - name: Upload RPM - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - asset_content_type: application/octet-stream - - - name: Build FreeBSD package - if: matrix.build == 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: - "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml.sample - defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" - - - name: Upload FreeBSD - if: matrix.build == 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ 
needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_content_type: application/octet-stream - - - name: Build OPNsense package - if: matrix.build == 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: - "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml.sample - defguard-rc.conf=/etc/rc.conf.d/defguard_gateway - opnsense/src/etc/=/usr/local/etc/ - opnsense/src/opnsense/=/usr/local/opnsense/" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" - - - name: Upload OPNsense package - if: matrix.build == 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - asset_content_type: application/octet-stream + # steps: + # # Store the version, stripping any v-prefix + # - name: Write release version + # run: | + # VERSION=${GITHUB_REF_NAME#v} + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> $GITHUB_ENV + + # - name: Checkout + # uses: actions/checkout@v3 + # with: + # submodules: recursive + + # - name: Install Rust stable + # uses: actions-rs/toolchain@v1 + # with: + # toolchain: stable + # target: ${{ matrix.target }} + # override: true + + # - name: Setup `packer` + # uses: hashicorp/setup-packer@main + # id: setup + + # - name: Build release binary + # uses: actions-rs/cargo@v1 + # with: + # use-cross: true + # command: build + # args: 
--locked --release --target ${{ matrix.target }} + + # - name: Rename binary + # run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} + + # - name: Tar + # uses: a7ul/tar-action@v1.1.0 + # with: + # command: c + # files: | + # ${{ matrix.asset_name }}-${{ github.ref_name }} + # outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + # - name: Upload release archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_content_type: application/octet-stream + + # - name: Build DEB package + # if: matrix.build != 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" + + # - name: Upload DEB + # if: matrix.build != 'freebsd' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + # asset_content_type: application/octet-stream + + # - name: Run `packer init` + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # id: init + # run: "packer init ./images/ami/gateway.pkr.hcl" + + # - name: 
Build AMI images for multiple regions + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # run: | + # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + # for region in "${regions[@]}"; do + # echo "Building AMI for region: $region" + # echo "Running packer validate for $region..." + # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + # echo "Building AMI image for $region..." + # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + # done + # env: + # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # - name: Build RPM package + # if: matrix.build == 'linux' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" + + # - name: Upload RPM + # if: matrix.build == 'linux' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + # asset_content_type: application/octet-stream + + # - name: Build FreeBSD package + # if: matrix.build == 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: + # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + # 
example-config.toml=/etc/defguard/gateway.toml.sample + # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + + # - name: Upload FreeBSD + # if: matrix.build == 'freebsd' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + # asset_content_type: application/octet-stream + + # - name: Build OPNsense package + # if: matrix.build == 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: + # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + # example-config.toml=/etc/defguard/gateway.toml.sample + # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway + # opnsense/src/etc/=/usr/local/etc/ + # opnsense/src/opnsense/=/usr/local/opnsense/" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" + + # - name: Upload OPNsense package + # if: matrix.build == 'freebsd' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + # asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + # asset_content_type: application/octet-stream diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 72fbcd51..aea72452 100644 
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -10,8 +10,7 @@ on:
 jobs:
 create-sbom:
- runs-on:
- - codebuild-defguard-gateway-runner-${{ github.run_id }}-${{ github.run_attempt }}
+ runs-on: self-hosted
 steps:
 - name: Checkout
From 5aeb9293c4210ee23fcfcd6b4f0f8ca623385c9b Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 12:20:16 +0200
Subject: [PATCH 06/12] uncomment build steps
---
 .github/workflows/release.yml | 306 +++++++++++++++++-----------------
 1 file changed, 153 insertions(+), 153 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 44f95d42..2c4c91c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
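Review bot: `runs-on: self-hosted` replaces the per-run `codebuild-defguard-gateway-runner-${{ github.run_id }}-${{ github.run_attempt }}` label with the generic self-hosted label, so this job — which holds a write-capable `GITHUB_TOKEN` and publishes release artifacts — can now be scheduled on any runner registered to the repository or organisation, including long-lived shared machines where the workspace and credentials of earlier jobs may persist. The commit subject says this is a test; if the change is kept, target a dedicated ephemeral runner instead, e.g. `runs-on: [self-hosted, <dedicated-release-label>]`, and keep the SBOM and release jobs off any runner pool that also serves pull_request or otherwise untrusted workloads.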
@@ -84,156 +84,156 @@ jobs: os: Linux asset_name: defguard-gateway-freebsd-x86_64 target: x86_64-unknown-freebsd - # steps: - # # Store the version, stripping any v-prefix - # - name: Write release version - # run: | - # VERSION=${GITHUB_REF_NAME#v} - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> $GITHUB_ENV - - # - name: Checkout - # uses: actions/checkout@v3 - # with: - # submodules: recursive - - # - name: Install Rust stable - # uses: actions-rs/toolchain@v1 - # with: - # toolchain: stable - # target: ${{ matrix.target }} - # override: true - - # - name: Setup `packer` - # uses: hashicorp/setup-packer@main - # id: setup - - # - name: Build release binary - # uses: actions-rs/cargo@v1 - # with: - # use-cross: true - # command: build - # args: --locked --release --target ${{ matrix.target }} - - # - name: Rename binary - # run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} - - # - name: Tar - # uses: a7ul/tar-action@v1.1.0 - # with: - # command: c - # files: | - # ${{ matrix.asset_name }}-${{ github.ref_name }} - # outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - # - name: Upload release archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_content_type: application/octet-stream - - # - name: Build DEB package - # if: matrix.build != 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - # fpm_opts: "--architecture ${{ 
matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" - - # - name: Upload DEB - # if: matrix.build != 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - # asset_content_type: application/octet-stream - - # - name: Run `packer init` - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # id: init - # run: "packer init ./images/ami/gateway.pkr.hcl" - - # - name: Build AMI images for multiple regions - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # run: | - # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - # for region in "${regions[@]}"; do - # echo "Building AMI for region: $region" - # echo "Running packer validate for $region..." - # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - # echo "Building AMI image for $region..." 
- # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - # done - # env: - # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - # - name: Build RPM package - # if: matrix.build == 'linux' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" - - # - name: Upload RPM - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - # asset_content_type: application/octet-stream - - # - name: Build FreeBSD package - # if: matrix.build == 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: - # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - # example-config.toml=/etc/defguard/gateway.toml.sample - # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" - - # - name: Upload FreeBSD - # if: matrix.build == 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ 
secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_content_type: application/octet-stream - - # - name: Build OPNsense package - # if: matrix.build == 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: - # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - # example-config.toml=/etc/defguard/gateway.toml.sample - # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway - # opnsense/src/etc/=/usr/local/etc/ - # opnsense/src/opnsense/=/usr/local/opnsense/" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" - - # - name: Upload OPNsense package - # if: matrix.build == 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - # asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - # asset_content_type: application/octet-stream + steps: + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Install Rust stable + uses: actions-rs/toolchain@v1 + with: + toolchain: stable + target: ${{ matrix.target }} + override: true + + - name: Setup `packer` + uses: hashicorp/setup-packer@main + id: setup + + - name: Build release binary + uses: actions-rs/cargo@v1 + 
with: + use-cross: true + command: build + args: --locked --release --target ${{ matrix.target }} + + - name: Rename binary + run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} + + - name: Tar + uses: a7ul/tar-action@v1.1.0 + with: + command: c + files: | + ${{ matrix.asset_name }}-${{ github.ref_name }} + outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + - name: Upload release archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_content_type: application/octet-stream + + - name: Build DEB package + if: matrix.build != 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" + + - name: Upload DEB + if: matrix.build != 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + asset_content_type: application/octet-stream + + - name: Run `packer init` + if: matrix.build == 'linux' && matrix.arch == 'amd64' + id: init + run: "packer init ./images/ami/gateway.pkr.hcl" + + - name: Build AMI images for 
multiple regions + if: matrix.build == 'linux' && matrix.arch == 'amd64' + run: | + regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + for region in "${regions[@]}"; do + echo "Building AMI for region: $region" + echo "Running packer validate for $region..." + packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + echo "Building AMI image for $region..." + packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + done + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Build RPM package + if: matrix.build == 'linux' + uses: defGuard/fpm-action@main + with: + fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" + + - name: Upload RPM + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + asset_content_type: application/octet-stream + + - name: Build FreeBSD package + if: matrix.build == 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: + "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + example-config.toml=/etc/defguard/gateway.toml.sample + 
defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + + - name: Upload FreeBSD + if: matrix.build == 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + asset_content_type: application/octet-stream + + - name: Build OPNsense package + if: matrix.build == 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: + "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + example-config.toml=/etc/defguard/gateway.toml.sample + defguard-rc.conf=/etc/rc.conf.d/defguard_gateway + opnsense/src/etc/=/usr/local/etc/ + opnsense/src/opnsense/=/usr/local/opnsense/" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" + + - name: Upload OPNsense package + if: matrix.build == 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + asset_content_type: application/octet-stream From 876ddb19f7fb59c9038a4a5c10794f113c7d2f96 Mon Sep 17 00:00:00 2001 
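Review bot: The restored build steps pin `hashicorp/setup-packer@main` and `defGuard/fpm-action@main` to a branch head, so every release run executes whatever those repositories currently contain, inside a job that holds `secrets.AWS_ACCESS_KEY_ID`/`secrets.AWS_SECRET_ACCESS_KEY` and a release-upload token; pin both to a full commit SHA, e.g. `uses: defGuard/fpm-action@<full-commit-sha> # <tag-or-date>`, and bump them through reviewed commits. `actions-rs/toolchain@v1` and `actions-rs/cargo@v1` are no longer maintained upstream, as far as I know, and `actions/checkout@v3` lags the `@v4` already used in sbom.yml; a plain `rustup target add ${{ matrix.target }}` step, or `dtolnay/rust-toolchain` pinned by SHA, would remove the unmaintained dependency. The long-lived AWS keys consumed by the `Build AMI images for multiple regions` step could be replaced by OIDC federation (`aws-actions/configure-aws-credentials` with `id-token: write`), removing a static cloud secret from the repository. Patches 05 and 06 together are a no-op on release.yml; squashing them out of the series would keep the history reviewable.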
From: Jacek Chmielewski
Date: Thu, 25 Sep 2025 13:48:03 +0200
Subject: [PATCH 07/12] test on prerelease
---
 .github/workflows/release.yml | 362 +++++++++++++++++-----------------
 1 file changed, 181 insertions(+), 181 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2c4c91c6..f606034e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,188 +52,188 @@ jobs: generate_release_notes: true create-sbom: - needs: [create-release, build-docker-release] + needs: [create-release, build-docker-prerelease] uses: ./.github/workflows/sbom.yml with: upload_url: ${{ needs.create-release.outputs.upload_url }} - build-release: - name: Release ${{ matrix.build }} - needs: [create-release] - runs-on: - - self-hosted - - ${{ matrix.os }} - - X64 - strategy: - fail-fast: false - matrix: - build: [linux, linux-arm64, freebsd] - include: - - build: linux - arch: amd64 - os: Linux - asset_name: defguard-gateway-linux-x86_64 - target: x86_64-unknown-linux-gnu - - build: linux-arm64 - arch: arm64 - os: Linux - asset_name: defguard-gateway-linux-arm64 - target: aarch64-unknown-linux-gnu - - build: freebsd - arch: amd64 - os: Linux - asset_name: defguard-gateway-freebsd-x86_64 - target: x86_64-unknown-freebsd - steps: - # Store the version, stripping any v-prefix - - name: Write release version - run: | - VERSION=${GITHUB_REF_NAME#v} - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v3 - with: - submodules: recursive - - - name: Install Rust stable - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - target: ${{ matrix.target }} - override: true - - - name: Setup `packer` - uses: hashicorp/setup-packer@main - id: setup - - - name: Build release binary - uses: actions-rs/cargo@v1 - with: - use-cross: true - command: build - args: --locked --release --target ${{ matrix.target }} - - - name: Rename binary - run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} - - - name: Tar - uses: a7ul/tar-action@v1.1.0 - with: - command: c - files: | - ${{ matrix.asset_name }}-${{ github.ref_name }} - outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - - name: Upload release archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - 
with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_content_type: application/octet-stream - - - name: Build DEB package - if: matrix.build != 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" - - - name: Upload DEB - if: matrix.build != 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - asset_content_type: application/octet-stream - - - name: Run `packer init` - if: matrix.build == 'linux' && matrix.arch == 'amd64' - id: init - run: "packer init ./images/ami/gateway.pkr.hcl" - - - name: Build AMI images for multiple regions - if: matrix.build == 'linux' && matrix.arch == 'amd64' - run: | - regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - for region in "${regions[@]}"; do - echo "Building AMI for region: $region" - echo "Running packer validate for $region..." - packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - echo "Building AMI image for $region..." 
- packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - done - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Build RPM package - if: matrix.build == 'linux' - uses: defGuard/fpm-action@main - with: - fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" - - - name: Upload RPM - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - asset_content_type: application/octet-stream - - - name: Build FreeBSD package - if: matrix.build == 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: - "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml.sample - defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" - - - name: Upload FreeBSD - if: matrix.build == 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ 
needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_content_type: application/octet-stream - - - name: Build OPNsense package - if: matrix.build == 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: - "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml.sample - defguard-rc.conf=/etc/rc.conf.d/defguard_gateway - opnsense/src/etc/=/usr/local/etc/ - opnsense/src/opnsense/=/usr/local/opnsense/" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" - - - name: Upload OPNsense package - if: matrix.build == 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - asset_content_type: application/octet-stream + # build-release: + # name: Release ${{ matrix.build }} + # needs: [create-release] + # runs-on: + # - self-hosted + # - ${{ matrix.os }} + # - X64 + # strategy: + # fail-fast: false + # matrix: + # build: [linux, linux-arm64, freebsd] + # include: + # - build: linux + # arch: amd64 + # os: Linux + # asset_name: defguard-gateway-linux-x86_64 + # target: x86_64-unknown-linux-gnu + # - build: linux-arm64 + # arch: arm64 + # os: Linux + # asset_name: defguard-gateway-linux-arm64 + # target: aarch64-unknown-linux-gnu + # - build: freebsd + # arch: amd64 + # os: Linux + # asset_name: defguard-gateway-freebsd-x86_64 + # target: x86_64-unknown-freebsd + # 
steps: + # # Store the version, stripping any v-prefix + # - name: Write release version + # run: | + # VERSION=${GITHUB_REF_NAME#v} + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> $GITHUB_ENV + + # - name: Checkout + # uses: actions/checkout@v3 + # with: + # submodules: recursive + + # - name: Install Rust stable + # uses: actions-rs/toolchain@v1 + # with: + # toolchain: stable + # target: ${{ matrix.target }} + # override: true + + # - name: Setup `packer` + # uses: hashicorp/setup-packer@main + # id: setup + + # - name: Build release binary + # uses: actions-rs/cargo@v1 + # with: + # use-cross: true + # command: build + # args: --locked --release --target ${{ matrix.target }} + + # - name: Rename binary + # run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} + + # - name: Tar + # uses: a7ul/tar-action@v1.1.0 + # with: + # command: c + # files: | + # ${{ matrix.asset_name }}-${{ github.ref_name }} + # outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + # - name: Upload release archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_content_type: application/octet-stream + + # - name: Build DEB package + # if: matrix.build != 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ 
matrix.target }}.deb --after-install after-install.sh" + + # - name: Upload DEB + # if: matrix.build != 'freebsd' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + # asset_content_type: application/octet-stream + + # - name: Run `packer init` + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # id: init + # run: "packer init ./images/ami/gateway.pkr.hcl" + + # - name: Build AMI images for multiple regions + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # run: | + # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + # for region in "${regions[@]}"; do + # echo "Building AMI for region: $region" + # echo "Running packer validate for $region..." + # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + # echo "Building AMI image for $region..." 
+ # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + # done + # env: + # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # - name: Build RPM package + # if: matrix.build == 'linux' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" + + # - name: Upload RPM + # if: matrix.build == 'linux' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + # asset_content_type: application/octet-stream + + # - name: Build FreeBSD package + # if: matrix.build == 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: + # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + # example-config.toml=/etc/defguard/gateway.toml.sample + # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + + # - name: Upload FreeBSD + # if: matrix.build == 'freebsd' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ 
secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + # asset_content_type: application/octet-stream + + # - name: Build OPNsense package + # if: matrix.build == 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: + # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + # example-config.toml=/etc/defguard/gateway.toml.sample + # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway + # opnsense/src/etc/=/usr/local/etc/ + # opnsense/src/opnsense/=/usr/local/opnsense/" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" + + # - name: Upload OPNsense package + # if: matrix.build == 'freebsd' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + # asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + # asset_content_type: application/octet-stream From c60468be9298443d62e195a5003ae2597e5565a1 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Thu, 25 Sep 2025 14:10:09 +0200 Subject: [PATCH 08/12] use aws docker image to avoid limits --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2c2d714c..d1d5bd69 100644 --- a/Dockerfile +++ b/Dockerfile 
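Review bot: The `create-sbom` job now waits on `build-docker-prerelease`, so the SBOM attached to the release will describe whatever that prerelease job produced rather than the release image, and nothing in the hunk records that this is temporary test wiring. A job-level `if: ${{ false }}` on `build-release` (or a `workflow_dispatch` input) would disable the binary builds without commenting out roughly 180 lines, keeping the diff reviewable and the file lintable. At minimum, add `# TEMP: testing the SBOM flow against the prerelease image; switch back to build-docker-release before tagging` above the `needs:` line so the intent survives the next reader. The same wiring is applied again by the PATCH 10/12 hunk that begins at the end of this page.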
@@ -1,11 +1,11 @@
-FROM rust:1-slim AS builder
+FROM public.ecr.aws/docker/library/rust:1-slim AS builder
 RUN apt-get update && apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev
 WORKDIR /app
 COPY . .
 RUN cargo build --release
-FROM debian:13-slim
+FROM public.ecr.aws/docker/library/debian:13-slim
 RUN apt-get update && apt-get -y --no-install-recommends install \
 iproute2 wireguard-tools sudo ca-certificates iptables ebtables nftables && \
 apt-get clean && rm -rf /var/lib/apt/lists/*
From ae6ed3bcddd2d482d7706e23f560f0d92c5c6ec4 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 09:17:10 +0200
Subject: [PATCH 09/12] uncomment binary builds
---
 .github/workflows/release.yml | 362 +++++++++++++++++-----------------
 1 file changed, 181 insertions(+), 181 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f606034e..2c4c91c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
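Review bot: Both `FROM` lines still reference the base images by floating tag (`rust:1-slim`, `debian:13-slim`) with no digest, so moving to the ECR Public mirror changes where the bytes come from but not the fact that two builds of the same release tag can resolve to different base images, which also makes the image SBOM generated elsewhere in this series hard to tie to one specific build. Pin the digest next to the tag, e.g. `FROM public.ecr.aws/docker/library/rust:1-slim@sha256:<digest-placeholder> AS builder`, and refresh it through a bot or a scheduled job. A comment such as `# Pulled via ECR Public to avoid Docker Hub pull limits; keep the digest in step with the tag` above the first `FROM` would record why the registry changed, which the commit message explains but the file itself does not.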
@@ -52,188 +52,188 @@ jobs: generate_release_notes: true create-sbom: - needs: [create-release, build-docker-prerelease] + needs: [create-release, build-docker-release] uses: ./.github/workflows/sbom.yml with: upload_url: ${{ needs.create-release.outputs.upload_url }} - # build-release: - # name: Release ${{ matrix.build }} - # needs: [create-release] - # runs-on: - # - self-hosted - # - ${{ matrix.os }} - # - X64 - # strategy: - # fail-fast: false - # matrix: - # build: [linux, linux-arm64, freebsd] - # include: - # - build: linux - # arch: amd64 - # os: Linux - # asset_name: defguard-gateway-linux-x86_64 - # target: x86_64-unknown-linux-gnu - # - build: linux-arm64 - # arch: arm64 - # os: Linux - # asset_name: defguard-gateway-linux-arm64 - # target: aarch64-unknown-linux-gnu - # - build: freebsd - # arch: amd64 - # os: Linux - # asset_name: defguard-gateway-freebsd-x86_64 - # target: x86_64-unknown-freebsd - # steps: - # # Store the version, stripping any v-prefix - # - name: Write release version - # run: | - # VERSION=${GITHUB_REF_NAME#v} - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> $GITHUB_ENV - - # - name: Checkout - # uses: actions/checkout@v3 - # with: - # submodules: recursive - - # - name: Install Rust stable - # uses: actions-rs/toolchain@v1 - # with: - # toolchain: stable - # target: ${{ matrix.target }} - # override: true - - # - name: Setup `packer` - # uses: hashicorp/setup-packer@main - # id: setup - - # - name: Build release binary - # uses: actions-rs/cargo@v1 - # with: - # use-cross: true - # command: build - # args: --locked --release --target ${{ matrix.target }} - - # - name: Rename binary - # run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} - - # - name: Tar - # uses: a7ul/tar-action@v1.1.0 - # with: - # command: c - # files: | - # ${{ matrix.asset_name }}-${{ github.ref_name }} - # outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - 
# - name: Upload release archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_content_type: application/octet-stream - - # - name: Build DEB package - # if: matrix.build != 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" - - # - name: Upload DEB - # if: matrix.build != 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - # asset_content_type: application/octet-stream - - # - name: Run `packer init` - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # id: init - # run: "packer init ./images/ami/gateway.pkr.hcl" - - # - name: Build AMI images for multiple regions - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # run: | - # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - # for region in "${regions[@]}"; do - # echo "Building AMI for region: $region" - # echo "Running packer validate for $region..." 
- # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - # echo "Building AMI image for $region..." - # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - # done - # env: - # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - # - name: Build RPM package - # if: matrix.build == 'linux' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" - - # - name: Upload RPM - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - # asset_content_type: application/octet-stream - - # - name: Build FreeBSD package - # if: matrix.build == 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: - # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - # example-config.toml=/etc/defguard/gateway.toml.sample - # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg 
--freebsd-osversion '*'" - - # - name: Upload FreeBSD - # if: matrix.build == 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_content_type: application/octet-stream - - # - name: Build OPNsense package - # if: matrix.build == 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: - # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - # example-config.toml=/etc/defguard/gateway.toml.sample - # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway - # opnsense/src/etc/=/usr/local/etc/ - # opnsense/src/opnsense/=/usr/local/opnsense/" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" - - # - name: Upload OPNsense package - # if: matrix.build == 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - # asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - # asset_content_type: application/octet-stream + build-release: + name: Release ${{ matrix.build }} + needs: [create-release] + runs-on: + - self-hosted + - ${{ matrix.os }} + - X64 + strategy: + fail-fast: false + matrix: + build: [linux, linux-arm64, freebsd] + include: + - build: linux + arch: amd64 + os: Linux + asset_name: defguard-gateway-linux-x86_64 + target: x86_64-unknown-linux-gnu + - build: linux-arm64 + arch: arm64 + os: 
Linux + asset_name: defguard-gateway-linux-arm64 + target: aarch64-unknown-linux-gnu + - build: freebsd + arch: amd64 + os: Linux + asset_name: defguard-gateway-freebsd-x86_64 + target: x86_64-unknown-freebsd + steps: + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Install Rust stable + uses: actions-rs/toolchain@v1 + with: + toolchain: stable + target: ${{ matrix.target }} + override: true + + - name: Setup `packer` + uses: hashicorp/setup-packer@main + id: setup + + - name: Build release binary + uses: actions-rs/cargo@v1 + with: + use-cross: true + command: build + args: --locked --release --target ${{ matrix.target }} + + - name: Rename binary + run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} + + - name: Tar + uses: a7ul/tar-action@v1.1.0 + with: + command: c + files: | + ${{ matrix.asset_name }}-${{ github.ref_name }} + outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + - name: Upload release archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_content_type: application/octet-stream + + - name: Build DEB package + if: matrix.build != 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + fpm_opts: "--architecture ${{ matrix.arch 
}} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" + + - name: Upload DEB + if: matrix.build != 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + asset_content_type: application/octet-stream + + - name: Run `packer init` + if: matrix.build == 'linux' && matrix.arch == 'amd64' + id: init + run: "packer init ./images/ami/gateway.pkr.hcl" + + - name: Build AMI images for multiple regions + if: matrix.build == 'linux' && matrix.arch == 'amd64' + run: | + regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + for region in "${regions[@]}"; do + echo "Building AMI for region: $region" + echo "Running packer validate for $region..." + packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + echo "Building AMI image for $region..." 
+ packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + done + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Build RPM package + if: matrix.build == 'linux' + uses: defGuard/fpm-action@main + with: + fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" + + - name: Upload RPM + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + asset_content_type: application/octet-stream + + - name: Build FreeBSD package + if: matrix.build == 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: + "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + example-config.toml=/etc/defguard/gateway.toml.sample + defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + + - name: Upload FreeBSD + if: matrix.build == 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ 
needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + asset_content_type: application/octet-stream + + - name: Build OPNsense package + if: matrix.build == 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: + "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + example-config.toml=/etc/defguard/gateway.toml.sample + defguard-rc.conf=/etc/rc.conf.d/defguard_gateway + opnsense/src/etc/=/usr/local/etc/ + opnsense/src/opnsense/=/usr/local/opnsense/" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" + + - name: Upload OPNsense package + if: matrix.build == 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + asset_content_type: application/octet-stream From 387281405ccb787789e7aafb25a5404fdeff046c Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Fri, 26 Sep 2025 09:48:52 +0200 Subject: [PATCH 10/12] use shogo82148/actions-upload-release-asset upload action --- .github/workflows/release.yml | 362 +++++++++++++++++----------------- .github/workflows/sbom.yml | 23 +-- 2 files changed, 186 insertions(+), 199 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2c4c91c6..f606034e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
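Review bot: The restored `build-release` job pulls `defGuard/fpm-action@main` and `hashicorp/setup-packer@main` by a mutable branch, and `actions-rs/toolchain@v1` / `actions-rs/cargo@v1` by a mutable tag, inside a job that holds a `GITHUB_TOKEN` able to write release assets and the AWS keys used for `packer build`; any of those refs can change underneath a tagged release. Pin each third-party action to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: defGuard/fpm-action@<commit-sha-placeholder> # main`, and consider replacing the long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets with OIDC via `aws-actions/configure-aws-credentials` scoped to the packer role. The `actions-rs` actions appear to be archived upstream, so `dtolnay/rust-toolchain` plus a plain `cargo build` (or `cross` installed explicitly, if `use-cross` is still required) is a safer replacement, though whether cross-compilation is still needed is not visible here. The identical job body sits commented out in the PATCH 07/12 hunk earlier on this page, so the same pinning applies there if it is ever re-enabled from that state.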
@@ -52,188 +52,188 @@ jobs: generate_release_notes: true create-sbom: - needs: [create-release, build-docker-release] + needs: [create-release, build-docker-prerelease] uses: ./.github/workflows/sbom.yml with: upload_url: ${{ needs.create-release.outputs.upload_url }} - build-release: - name: Release ${{ matrix.build }} - needs: [create-release] - runs-on: - - self-hosted - - ${{ matrix.os }} - - X64 - strategy: - fail-fast: false - matrix: - build: [linux, linux-arm64, freebsd] - include: - - build: linux - arch: amd64 - os: Linux - asset_name: defguard-gateway-linux-x86_64 - target: x86_64-unknown-linux-gnu - - build: linux-arm64 - arch: arm64 - os: Linux - asset_name: defguard-gateway-linux-arm64 - target: aarch64-unknown-linux-gnu - - build: freebsd - arch: amd64 - os: Linux - asset_name: defguard-gateway-freebsd-x86_64 - target: x86_64-unknown-freebsd - steps: - # Store the version, stripping any v-prefix - - name: Write release version - run: | - VERSION=${GITHUB_REF_NAME#v} - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v3 - with: - submodules: recursive - - - name: Install Rust stable - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - target: ${{ matrix.target }} - override: true - - - name: Setup `packer` - uses: hashicorp/setup-packer@main - id: setup - - - name: Build release binary - uses: actions-rs/cargo@v1 - with: - use-cross: true - command: build - args: --locked --release --target ${{ matrix.target }} - - - name: Rename binary - run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} - - - name: Tar - uses: a7ul/tar-action@v1.1.0 - with: - command: c - files: | - ${{ matrix.asset_name }}-${{ github.ref_name }} - outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - - name: Upload release archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - 
with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_content_type: application/octet-stream - - - name: Build DEB package - if: matrix.build != 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" - - - name: Upload DEB - if: matrix.build != 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - asset_content_type: application/octet-stream - - - name: Run `packer init` - if: matrix.build == 'linux' && matrix.arch == 'amd64' - id: init - run: "packer init ./images/ami/gateway.pkr.hcl" - - - name: Build AMI images for multiple regions - if: matrix.build == 'linux' && matrix.arch == 'amd64' - run: | - regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - for region in "${regions[@]}"; do - echo "Building AMI for region: $region" - echo "Running packer validate for $region..." - packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - echo "Building AMI image for $region..." 
- packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - done - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Build RPM package - if: matrix.build == 'linux' - uses: defGuard/fpm-action@main - with: - fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" - - - name: Upload RPM - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - asset_content_type: application/octet-stream - - - name: Build FreeBSD package - if: matrix.build == 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: - "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml.sample - defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" - - - name: Upload FreeBSD - if: matrix.build == 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ 
needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - asset_content_type: application/octet-stream - - - name: Build OPNsense package - if: matrix.build == 'freebsd' - uses: defGuard/fpm-action@main - with: - fpm_args: - "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - example-config.toml=/etc/defguard/gateway.toml.sample - defguard-rc.conf=/etc/rc.conf.d/defguard_gateway - opnsense/src/etc/=/usr/local/etc/ - opnsense/src/opnsense/=/usr/local/opnsense/" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" - - - name: Upload OPNsense package - if: matrix.build == 'freebsd' - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - asset_content_type: application/octet-stream + # build-release: + # name: Release ${{ matrix.build }} + # needs: [create-release] + # runs-on: + # - self-hosted + # - ${{ matrix.os }} + # - X64 + # strategy: + # fail-fast: false + # matrix: + # build: [linux, linux-arm64, freebsd] + # include: + # - build: linux + # arch: amd64 + # os: Linux + # asset_name: defguard-gateway-linux-x86_64 + # target: x86_64-unknown-linux-gnu + # - build: linux-arm64 + # arch: arm64 + # os: Linux + # asset_name: defguard-gateway-linux-arm64 + # target: aarch64-unknown-linux-gnu + # - build: freebsd + # arch: amd64 + # os: Linux + # asset_name: defguard-gateway-freebsd-x86_64 + # target: x86_64-unknown-freebsd + # 
steps: + # # Store the version, stripping any v-prefix + # - name: Write release version + # run: | + # VERSION=${GITHUB_REF_NAME#v} + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> $GITHUB_ENV + + # - name: Checkout + # uses: actions/checkout@v3 + # with: + # submodules: recursive + + # - name: Install Rust stable + # uses: actions-rs/toolchain@v1 + # with: + # toolchain: stable + # target: ${{ matrix.target }} + # override: true + + # - name: Setup `packer` + # uses: hashicorp/setup-packer@main + # id: setup + + # - name: Build release binary + # uses: actions-rs/cargo@v1 + # with: + # use-cross: true + # command: build + # args: --locked --release --target ${{ matrix.target }} + + # - name: Rename binary + # run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} + + # - name: Tar + # uses: a7ul/tar-action@v1.1.0 + # with: + # command: c + # files: | + # ${{ matrix.asset_name }}-${{ github.ref_name }} + # outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + # - name: Upload release archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_content_type: application/octet-stream + + # - name: Build DEB package + # if: matrix.build != 'freebsd' + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ 
matrix.target }}.deb --after-install after-install.sh" + + # - name: Upload DEB + # if: matrix.build != 'freebsd' + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + # asset_content_type: application/octet-stream + + # - name: Run `packer init` + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # id: init + # run: "packer init ./images/ami/gateway.pkr.hcl" + + # - name: Build AMI images for multiple regions + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # run: | + # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + # for region in "${regions[@]}"; do + # echo "Building AMI for region: $region" + # echo "Running packer validate for $region..." + # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + # echo "Building AMI image for $region..." 
+ # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl
+ # done
+ # env:
+ # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ # - name: Build RPM package
+ # if: matrix.build == 'linux'
+ # uses: defGuard/fpm-action@main
+ # with:
+ # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample"
+ # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh"
+
+ # - name: Upload RPM
+ # if: matrix.build == 'linux'
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm
+ # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm
+ # asset_content_type: application/octet-stream
+
+ # - name: Build FreeBSD package
+ # if: matrix.build == 'freebsd'
+ # uses: defGuard/fpm-action@main
+ # with:
+ # fpm_args:
+ # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway
+ # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway
+ # example-config.toml=/etc/defguard/gateway.toml.sample
+ # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway"
+ # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'"
+
+ # - name: Upload FreeBSD
+ # if: matrix.build == 'freebsd'
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg
+ # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg
+ # asset_content_type: application/octet-stream
+
+ # - name: Build OPNsense package
+ # if: matrix.build == 'freebsd'
+ # uses: defGuard/fpm-action@main
+ # with:
+ # fpm_args:
+ # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway
+ # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway
+ # example-config.toml=/etc/defguard/gateway.toml.sample
+ # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway
+ # opnsense/src/etc/=/usr/local/etc/
+ # opnsense/src/opnsense/=/usr/local/opnsense/"
+ # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'"
+
+ # - name: Upload OPNsense package
+ # if: matrix.build == 'freebsd'
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg
+ # asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg
+ # asset_content_type: application/octet-stream
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index aea72452..e4910a4c 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -4,7 +4,7 @@ on:
 workflow_call:
 inputs:
 upload_url:
- description: "Release assets upload url"
+ description: "Release assets upload URL"
 required: true
 type: string

@@ -26,7 +26,7 @@ jobs:
 echo "VERSION=$VERSION" >> $GITHUB_ENV

 - name: Create SBOM with Trivy
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@0
 with:
 scan-type: 'fs'
 format: 'spdx-json'
@@ -35,7 +35,7 @@ jobs:
 severity: "CRITICAL,HIGH,MEDIUM"

 - name: Create docker image SBOM with Trivy
- uses: aquasecurity/trivy-action@0.33.1
+ uses: aquasecurity/trivy-action@0
 with:
 image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
 scan-type: 'image'
@@ -45,23 +45,10 @@ jobs:
 scanners: "vuln"

 - name: Upload SBOM
- uses: actions/upload-release-asset@v1.0.2
+ uses: shogo82148/actions-upload-release-asset@v1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ inputs.upload_url }}
- asset_path: "defguard-gateway-${{ env.VERSION }}.sbom.json"
- asset_name: "defguard-gateway-${{ env.VERSION }}.sbom.json"
+ asset_path: "defguard-*.sbom.json"
+ asset_content_type: application/octet-stream
- scanners: "vuln"
-
- - name: Upload docker SBOM
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ inputs.upload_url }}
- asset_path: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
- asset_name: "defguard-gateway-${{ env.VERSION }}-docker.sbom.json"
- asset_content_type: application/octet-stream
-
From 0e19819888228c52e8506dcaddb673c06575ce70 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 10:07:17 +0200
Subject: [PATCH 11/12] fix trivy action version
---
 .github/workflows/sbom.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index e4910a4c..ecf7b1b6 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -26,7 +26,7 @@ jobs:
 echo "VERSION=$VERSION" >> $GITHUB_ENV

 - name: Create SBOM with Trivy
- uses: aquasecurity/trivy-action@0
+ uses: aquasecurity/trivy-action@0.33.1
 with:
 scan-type: 'fs'
 format: 'spdx-json'
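Review bot: The new `uses: shogo82148/actions-upload-release-asset@v1` step in the `@@ -45,23 +45,10 @@` hunk runs with `secrets.GITHUB_TOKEN` against the release upload URL but is referenced by a mutable major tag, so whoever can move that tag runs code with write access to the release assets; the same applies to the `aquasecurity/trivy-action@0` / `@0.33.1` references in the neighbouring hunks. Pin each third-party action to a full commit SHA and keep the tag as a comment, e.g. `uses: shogo82148/actions-upload-release-asset@<commit-sha>  # v1`, and let Dependabot or Renovate bump the pins. Since both files are produced with `format: 'spdx-json'`, `asset_content_type: application/json` would also describe the uploaded SBOMs more accurately than `application/octet-stream`. The enclosing `create-sbom` job starts outside the hunk.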
@@ -35,7 +35,7 @@ jobs:
 severity: "CRITICAL,HIGH,MEDIUM"

 - name: Create docker image SBOM with Trivy
- uses: aquasecurity/trivy-action@0
+ uses: aquasecurity/trivy-action@0.33.1
 with:
 image-ref: "ghcr.io/defguard/gateway:${{ env.VERSION }}"
 scan-type: 'image'
From df49d1c9516d0fdbd7805e9c60932ce34e0bb888 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Fri, 26 Sep 2025 10:16:24 +0200
Subject: [PATCH 12/12] uncomment binary build
---
 .github/workflows/release.yml | 362 +++++++++++++++++-----------------
 1 file changed, 181 insertions(+), 181 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f606034e..2c4c91c6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -52,188 +52,188 @@ jobs: generate_release_notes: true create-sbom: - needs: [create-release, build-docker-prerelease] + needs: [create-release, build-docker-release] uses: ./.github/workflows/sbom.yml with: upload_url: ${{ needs.create-release.outputs.upload_url }} - # build-release: - # name: Release ${{ matrix.build }} - # needs: [create-release] - # runs-on: - # - self-hosted - # - ${{ matrix.os }} - # - X64 - # strategy: - # fail-fast: false - # matrix: - # build: [linux, linux-arm64, freebsd] - # include: - # - build: linux - # arch: amd64 - # os: Linux - # asset_name: defguard-gateway-linux-x86_64 - # target: x86_64-unknown-linux-gnu - # - build: linux-arm64 - # arch: arm64 - # os: Linux - # asset_name: defguard-gateway-linux-arm64 - # target: aarch64-unknown-linux-gnu - # - build: freebsd - # arch: amd64 - # os: Linux - # asset_name: defguard-gateway-freebsd-x86_64 - # target: x86_64-unknown-freebsd - # steps: - # # Store the version, stripping any v-prefix - # - name: Write release version - # run: | - # VERSION=${GITHUB_REF_NAME#v} - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> $GITHUB_ENV - - # - name: Checkout - # uses: actions/checkout@v3 - # with: - # submodules: recursive - - # - name: Install Rust stable - # uses: actions-rs/toolchain@v1 - # with: - # toolchain: stable - # target: ${{ matrix.target }} - # override: true - - # - name: Setup `packer` - # uses: hashicorp/setup-packer@main - # id: setup - - # - name: Build release binary - # uses: actions-rs/cargo@v1 - # with: - # use-cross: true - # command: build - # args: --locked --release --target ${{ matrix.target }} - - # - name: Rename binary - # run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} - - # - name: Tar - # uses: a7ul/tar-action@v1.1.0 - # with: - # command: c - # files: | - # ${{ matrix.asset_name }}-${{ github.ref_name }} - # outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - 
# - name: Upload release archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_content_type: application/octet-stream - - # - name: Build DEB package - # if: matrix.build != 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" - - # - name: Upload DEB - # if: matrix.build != 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb - # asset_content_type: application/octet-stream - - # - name: Run `packer init` - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # id: init - # run: "packer init ./images/ami/gateway.pkr.hcl" - - # - name: Build AMI images for multiple regions - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # run: | - # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - # for region in "${regions[@]}"; do - # echo "Building AMI for region: $region" - # echo "Running packer validate for $region..." 
- # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - # echo "Building AMI image for $region..." - # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl - # done - # env: - # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - # - name: Build RPM package - # if: matrix.build == 'linux' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" - - # - name: Upload RPM - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm - # asset_content_type: application/octet-stream - - # - name: Build FreeBSD package - # if: matrix.build == 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: - # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - # example-config.toml=/etc/defguard/gateway.toml.sample - # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg 
--freebsd-osversion '*'" - - # - name: Upload FreeBSD - # if: matrix.build == 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg - # asset_content_type: application/octet-stream - - # - name: Build OPNsense package - # if: matrix.build == 'freebsd' - # uses: defGuard/fpm-action@main - # with: - # fpm_args: - # "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway - # defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway - # example-config.toml=/etc/defguard/gateway.toml.sample - # defguard-rc.conf=/etc/rc.conf.d/defguard_gateway - # opnsense/src/etc/=/usr/local/etc/ - # opnsense/src/opnsense/=/usr/local/opnsense/" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" - - # - name: Upload OPNsense package - # if: matrix.build == 'freebsd' - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - # asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg - # asset_content_type: application/octet-stream + build-release: + name: Release ${{ matrix.build }} + needs: [create-release] + runs-on: + - self-hosted + - ${{ matrix.os }} + - X64 + strategy: + fail-fast: false + matrix: + build: [linux, linux-arm64, freebsd] + include: + - build: linux + arch: amd64 + os: Linux + asset_name: defguard-gateway-linux-x86_64 + target: x86_64-unknown-linux-gnu + - build: linux-arm64 + arch: arm64 + os: 
Linux + asset_name: defguard-gateway-linux-arm64 + target: aarch64-unknown-linux-gnu + - build: freebsd + arch: amd64 + os: Linux + asset_name: defguard-gateway-freebsd-x86_64 + target: x86_64-unknown-freebsd + steps: + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Checkout + uses: actions/checkout@v3 + with: + submodules: recursive + + - name: Install Rust stable + uses: actions-rs/toolchain@v1 + with: + toolchain: stable + target: ${{ matrix.target }} + override: true + + - name: Setup `packer` + uses: hashicorp/setup-packer@main + id: setup + + - name: Build release binary + uses: actions-rs/cargo@v1 + with: + use-cross: true + command: build + args: --locked --release --target ${{ matrix.target }} + + - name: Rename binary + run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }} + + - name: Tar + uses: a7ul/tar-action@v1.1.0 + with: + command: c + files: | + ${{ matrix.asset_name }}-${{ github.ref_name }} + outPath: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + - name: Upload release archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_name: ${{ matrix.asset_name }}-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_content_type: application/octet-stream + + - name: Build DEB package + if: matrix.build != 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + fpm_opts: "--architecture ${{ matrix.arch 
}} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb --after-install after-install.sh" + + - name: Upload DEB + if: matrix.build != 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.deb + asset_content_type: application/octet-stream + + - name: Run `packer init` + if: matrix.build == 'linux' && matrix.arch == 'amd64' + id: init + run: "packer init ./images/ami/gateway.pkr.hcl" + + - name: Build AMI images for multiple regions + if: matrix.build == 'linux' && matrix.arch == 'amd64' + run: | + regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + for region in "${regions[@]}"; do + echo "Building AMI for region: $region" + echo "Running packer validate for $region..." + packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + echo "Building AMI image for $region..." 
+ packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/gateway.pkr.hcl + done + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Build RPM package + if: matrix.build == 'linux' + uses: defGuard/fpm-action@main + with: + fpm_args: "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/sbin/defguard-gateway defguard-gateway.service=/usr/lib/systemd/system/defguard-gateway.service example-config.toml=/etc/defguard/gateway.toml.sample" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm --after-install after-install.sh" + + - name: Upload RPM + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.rpm + asset_content_type: application/octet-stream + + - name: Build FreeBSD package + if: matrix.build == 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: + "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + example-config.toml=/etc/defguard/gateway.toml.sample + defguard-rc.conf=/etc/rc.conf.d/defguard_gateway" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg --freebsd-osversion '*'" + + - name: Upload FreeBSD + if: matrix.build == 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ 
needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + asset_name: defguard-gateway_${{ env.VERSION }}_${{ matrix.target }}.pkg + asset_content_type: application/octet-stream + + - name: Build OPNsense package + if: matrix.build == 'freebsd' + uses: defGuard/fpm-action@main + with: + fpm_args: + "${{ matrix.asset_name }}-${{ github.ref_name }}=/usr/local/sbin/defguard-gateway + defguard-gateway.service.freebsd=/usr/local/etc/rc.d/defguard_gateway + example-config.toml=/etc/defguard/gateway.toml.sample + defguard-rc.conf=/etc/rc.conf.d/defguard_gateway + opnsense/src/etc/=/usr/local/etc/ + opnsense/src/opnsense/=/usr/local/opnsense/" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type freebsd --version ${{ env.VERSION }} --package defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg --freebsd-osversion '*'" + + - name: Upload OPNsense package + if: matrix.build == 'freebsd' + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + asset_name: defguard-gateway_${{ env.VERSION }}_x86_64-unknown-opnsense.pkg + asset_content_type: application/octet-stream
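Review bot: The re-enabled `build-release` job exposes `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and `GITHUB_TOKEN` to steps that pull third-party actions by mutable refs — `hashicorp/setup-packer@main`, `defGuard/fpm-action@main`, `actions-rs/toolchain@v1`, `actions-rs/cargo@v1`, `a7ul/tar-action@v1.1.0`, `actions/upload-release-asset@v1` — on `self-hosted` runners, so a moved branch or tag would execute with those credentials. Pin every `uses:` to a full commit SHA with the tag in a trailing comment (`uses: hashicorp/setup-packer@<commit-sha>  # main`), and consider replacing the static AWS keys with short-lived OIDC credentials via `aws-actions/configure-aws-credentials` and a role scoped to the AMI build. The actions-rs actions are, as far as I know, no longer maintained, and `actions/checkout@v3` here differs from the `@v4` used in sbom.yml, so both are worth refreshing in the same pass. The `jobs:` mapping and the sibling jobs `create-sbom` depends on start outside the hunk.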