From 29d11e5bc4bbd53fc1253669af8fef29341fdd09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?=
Date: Thu, 2 Apr 2026 10:00:33 +0200
Subject: [PATCH 1/2] Update workflows

---
 .github/workflows/build-docker.yml | 17 +++++++----------
 .github/workflows/ci.yml           | 16 ++++++++--------
 .github/workflows/release.yml      | 12 ++++++------
 3 files changed, 21 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index 3abd2bed..6e728b3a 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -43,25 +43,25 @@ jobs:
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: recursive
       - name: Login to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
       - name: Sanitize branch name
         run: echo "SAFE_REF=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV
       - name: Build container
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/${{ matrix.cpu }}
@@ -75,9 +75,6 @@ jobs:
       - name: Scan image with Trivy
         uses: aquasecurity/trivy-action@0.35.0
-        env:
-          TRIVY_SHOW_SUPPRESSED: 1
-          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"
@@ -98,11 +95,11 @@ jobs:
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.9.2
+        uses: sigstore/cosign-installer@v4.1.0
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ${{ env.GHCR_REPO }}
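Review bot: Dropping the `env` block from the "Scan image with Trivy" step silently changes what the scan gate sees: without `TRIVY_IGNOREFILE` the scan honors only whatever ignore file Trivy discovers on its own (which may or may not be `./.trivyignore.yaml`), and without `TRIVY_SHOW_SUPPRESSED` any waived CVEs vanish from the table, so nobody reading the job log can tell a vulnerability was suppressed. If the ignore file is still in the repository, keep the waivers explicit and visible by restoring `env:` / `TRIVY_SHOW_SUPPRESSED: 1` / `TRIVY_IGNOREFILE: "./.trivyignore.yaml"` with a comment `# keep waived CVEs printed so suppressions stay auditable`; if the file was deleted, the commit message should say so. The step's `with:` block continues past the end of this hunk, so whether an `exit-code` gate applies to the image scan is not visible here.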
@@ -110,7 +107,7 @@ jobs:
           tags: ${{ inputs.tags }}
       - name: Login to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3ba0fe7c..e97c67f1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,12 +38,9 @@ jobs:
       - name: Scan code with Trivy
         uses: aquasecurity/trivy-action@0.35.0
-        env:
-          TRIVY_SHOW_SUPPRESSED: 1
-          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
-          scan-type: "fs"
-          scan-ref: "."
+          scan-type: 'fs'
+          scan-ref: '.'
           exit-code: "1"
           ignore-unfixed: true
           severity: "CRITICAL,HIGH,MEDIUM"
@@ -65,10 +62,13 @@ jobs:
           rustup component add clippy
           cargo clippy --all-targets --all-features -- -D warnings
+      - name: Install cargo extensions
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-deny
+
       - name: Run cargo deny
-        run: |
-          cargo install cargo-deny
-          cargo deny check
+        run: cargo deny check
       - name: Run tests
         run: cargo test --locked --no-fail-fast
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 59e60a29..6dce2fc5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,17 +11,17 @@ concurrency:
 jobs:
   build-docker-release:
     # Ignore tags with -, like v1.0.0-alpha
+    # This job will build the docker container with the "latest" tag which
+    # is a tag used in production, thus it should only be run for full releases.
     if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-')
     name: Build Release Docker image
     uses: ./.github/workflows/build-docker.yml
     with:
       tags: |
+        type=raw,value=latest
         type=semver,pattern={{version}}
         type=semver,pattern={{major}}.{{minor}}
         type=sha
-      # Explicitly disable latest tag. It will be added otherwise.
-      flavor: |
-        latest=false
   build-docker-prerelease:
     # Only build tags with -, like v1.0.0-alpha
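Review bot: With `exit-code: "1"` still set on the "Scan code with Trivy" step, removing `TRIVY_IGNOREFILE` and `TRIVY_SHOW_SUPPRESSED` means every finding previously waived in `./.trivyignore.yaml` now either fails CI (if Trivy no longer loads that file) or is suppressed invisibly (if Trivy picks the file up by default), and the commit does not say which is intended. Restore the two `env` entries, or point the action at the ignore file explicitly, and keep suppressed findings printed so waivers remain reviewable in the log. As a point of style, switching `"fs"`/`"."` to single quotes leaves this `with:` block mixing quote styles with `exit-code: "1"` and `severity: "CRITICAL,HIGH,MEDIUM"` directly below; pick one.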
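Review bot: `taiki-e/install-action@v2` with a bare `tool: cargo-deny` downloads whatever the latest cargo-deny release is on every run, so the tool that audits advisories and licenses is itself unpinned and, as a prebuilt binary fetched from GitHub Releases instead of a `cargo install` build, now comes from a different supply chain than before. Pin it, `tool: cargo-deny@<version>` (the `@version` form the action accepts), and consider pinning the action itself to a commit SHA rather than the floating `v2` tag, as the rest of this patch also relies on mutable major tags. A comment above the step, `# pinned so advisory/license checks are reproducible across runs`, would record the intent.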
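Review bot: Patch 2/2 in this series reverts this release.yml hunk line for line, so the net effect on `tags`/`flavor` is nothing while the history records a release workflow that briefly pushed `latest`; squash the two commits or drop this hunk before merge. If the decision is to keep `latest` off, the rationale in the comment added here (that `latest` is what production consumes) is worth keeping next to `latest=false`, e.g. `# Production pulls "latest"; publish it deliberately, not as a side effect of every tag`.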
@@ -92,14 +92,14 @@ jobs:
           echo Version: $VERSION
           echo "VERSION=$VERSION" >> $GITHUB_ENV
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           submodules: recursive
       - name: Install Rust stable
         uses: actions-rs/toolchain@v1
         with:
-          toolchain: stable
+          toolchain: 1.89.0 # "stable" causes rust-lld: error on aarch64-linux
           target: ${{ matrix.target }}
           override: true
@@ -118,7 +118,7 @@ jobs:
         run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }}
       - name: Tar
-        uses: a7ul/tar-action@v1.1.0
+        uses: a7ul/tar-action@v1.2.0
         with:
           command: c
           files: |

From 5aa8a22581539534c9e83466240757d0abcf08dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?=
Date: Thu, 2 Apr 2026 10:34:20 +0200
Subject: [PATCH 2/2] Revert latest tag

---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6dce2fc5..5610ee2d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,17 +11,17 @@ concurrency:
 jobs:
   build-docker-release:
     # Ignore tags with -, like v1.0.0-alpha
-    # This job will build the docker container with the "latest" tag which
-    # is a tag used in production, thus it should only be run for full releases.
     if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-')
     name: Build Release Docker image
     uses: ./.github/workflows/build-docker.yml
     with:
       tags: |
-        type=raw,value=latest
         type=semver,pattern={{version}}
         type=semver,pattern={{major}}.{{minor}}
         type=sha
+      # Explicitly disable latest tag. It will be added otherwise.
+      flavor: |
+        latest=false
   build-docker-prerelease:
     # Only build tags with -, like v1.0.0-alpha
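Review bot: Pinning `toolchain: 1.89.0` only in the release workflow means release binaries are built with a compiler that CI does not necessarily test on (the `ci.yml` hunks in this patch show no matching pin), and the pin will drift silently as `1.89.0` ages. A `rust-toolchain.toml` at the repository root would give both workflows the same version and move the rust-lld workaround out of a trailing YAML comment; failing that, mirror the pin in `ci.yml` and expand the comment to `# pinned: "stable" hits rust-lld errors on aarch64-linux; bump together with ci.yml`. The `actions-rs/toolchain@v1` action this step keeps using appears to be archived upstream, so it will not receive fixes; `dtolnay/rust-toolchain` is the usual replacement and takes the pinned version as its ref. The job's step list continues outside this hunk.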