Update workflows

.github/workflows/build-docker.yml

@@ -43,25 +43,25 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           submodules: recursive
 
       - name: Login to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Sanitize branch name
         run: echo "SAFE_REF=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV
 
       - name: Build container
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/${{ matrix.cpu }}
@@ -75,9 +75,6 @@ jobs:
 
       - name: Scan image with Trivy
         uses: aquasecurity/trivy-action@0.35.0
-        env:
-          TRIVY_SHOW_SUPPRESSED: 1
-          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"
@@ -98,19 +95,19 @@ jobs:
 
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.9.2
+        uses: sigstore/cosign-installer@v4.1.0
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: |
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
 
       - name: Login to GitHub container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/ci.yml

@@ -38,12 +38,9 @@ jobs:
 
       - name: Scan code with Trivy
         uses: aquasecurity/trivy-action@0.35.0
-        env:
-          TRIVY_SHOW_SUPPRESSED: 1
-          TRIVY_IGNOREFILE: "./.trivyignore.yaml"
         with:
-          scan-type: "fs"
-          scan-ref: "."
+          scan-type: 'fs'
+          scan-ref: '.'
           exit-code: "1"
           ignore-unfixed: true
           severity: "CRITICAL,HIGH,MEDIUM"
@@ -65,10 +62,13 @@ jobs:
           rustup component add clippy
           cargo clippy --all-targets --all-features -- -D warnings
 
+      - name: Install cargo extensions
+        uses: taiki-e/install-action@v2
+        with:
+          tool: cargo-deny
+
       - name: Run cargo deny
-        run: |
-          cargo install cargo-deny
-          cargo deny check
+        run: cargo deny check
 
       - name: Run tests
         run: cargo test --locked --no-fail-fast

.github/workflows/release.yml

@@ -92,14 +92,14 @@ jobs:
           echo Version: $VERSION
           echo "VERSION=$VERSION" >> $GITHUB_ENV
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
         with:
           submodules: recursive
 
       - name: Install Rust stable
         uses: actions-rs/toolchain@v1
         with:
-          toolchain: stable
+          toolchain: 1.89.0 # "stable" causes rust-lld: error on aarch64-linux
           target: ${{ matrix.target }}
           override: true
 
@@ -118,7 +118,7 @@ jobs:
         run: mv target/${{ matrix.target }}/release/defguard-gateway ${{ matrix.asset_name }}-${{ github.ref_name }}
 
       - name: Tar
-        uses: a7ul/tar-action@v1.1.0
+        uses: a7ul/tar-action@v1.2.0
         with:
           command: c
           files: |