From fbb4c91285df80f7b1a2e219b5aabc8691a89358 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Fri, 26 Sep 2025 10:32:59 +0200 Subject: [PATCH 01/23] Create SBOM files (#593) * implement CI sbom * run sbom on self-hosted workers * use shogo82148/actions-upload-release-asset upload action --- .github/workflows/release.yaml | 6 +++++ .github/workflows/sbom.yml | 44 ++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 .github/workflows/sbom.yml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b04338aa..a9073548 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -52,6 +52,12 @@ jobs: draft: true generate_release_notes: true + create-sbom: + needs: [create-release] + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + build-linux: needs: - create-release diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 00000000..3806208e --- /dev/null +++ b/.github/workflows/sbom.yml 
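Review bot: `needs: [create-release]` uses flow style while the neighbouring `build-linux` job visible in this hunk's context writes `needs:` as a block list (`- create-release`); matching the file's existing block style keeps the job list consistent. The called sbom.yml uploads release assets with `secrets.GITHUB_TOKEN`, so declaring `permissions: contents: write` on `create-sbom` would state the scope the job needs explicitly — hedged, since release.yaml's top-level `permissions`, if any, are outside this hunk.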
@@ -0,0 +1,44 @@ +name: Create SBOM files + +on: + workflow_call: + inputs: + upload_url: + description: "Release assets upload URL" + required: true + type: string + +jobs: + create-sbom: + runs-on: self-hosted + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: recursive + + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Create SBOM with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + format: 'spdx-json' + output: "defguard-client-${{ env.VERSION }}.sbom.json" + scan-ref: '.' + severity: "CRITICAL,HIGH,MEDIUM" + + - name: Upload SBOM + uses: shogo82148/actions-upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ inputs.upload_url }} + asset_path: "defguard-*.sbom.json" + asset_content_type: application/octet-stream From 7f2f5cf86ea71e021930d483e2b2859d9fb401a3 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Fri, 26 Sep 2025 14:17:57 +0200 Subject: [PATCH 02/23] CI: scan code with trivy (#594) * CI: scan code with trivy * cargo update * add trivyignore * include low severity vulns in sbom --- .github/workflows/sbom.yml | 3 +- .github/workflows/test.yml | 9 +++ .trivyignore | 2 + src-tauri/Cargo.lock | 134 ++++++++++++++++++------------------- 4 files changed, 77 insertions(+), 71 deletions(-) create mode 100644 .trivyignore diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 3806208e..c470ea02 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -32,7 +32,8 @@ jobs: format: 'spdx-json' output: "defguard-client-${{ env.VERSION }}.sbom.json" scan-ref: '.' - severity: "CRITICAL,HIGH,MEDIUM" + severity: "CRITICAL,HIGH,MEDIUM,LOW" + scanners: "vuln" - name: Upload SBOM uses: shogo82148/actions-upload-release-asset@v1 
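Review bot: Both third-party actions are pinned to mutable refs — `aquasecurity/trivy-action@0.33.1` and `shogo82148/actions-upload-release-asset@v1` — so a moved tag or a compromised upstream account changes what runs in a job holding a `GITHUB_TOKEN` that can write release assets; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.33.1`. The same applies to the trivy-action step added to test.yml in the next commit and to the later edits of this file. `actions/checkout@v4` is used here while test.yml's context in the next commit shows `actions/checkout@v5`; aligning them leaves one version to track. `>> $GITHUB_ENV` is unquoted; `>> "$GITHUB_ENV"` is the form GitHub documents and survives paths with spaces.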
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7a837db4..8cfbcf69 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -39,6 +39,15 @@ jobs: uses: actions/checkout@v5 with: submodules: recursive + - name: Scan code with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + scan-ref: '.' + exit-code: "1" + ignore-unfixed: true + severity: "CRITICAL,HIGH,MEDIUM" + scanners: "vuln" - name: Cache uses: Swatinem/rust-cache@v2 - name: Install required packages diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 00000000..26c4b951 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,2 @@ +# glib - transitive dependency +GHSA-wrw7-89jp-8q8g exp:2025-11-05 diff --git a/src-tauri/Cargo.lock b/src-tauri/Cargo.lock index e1062819..dd6fcaff 100644 --- a/src-tauri/Cargo.lock +++ b/src-tauri/Cargo.lock @@ -4,9 +4,9 @@ version = 3 [[package]] name = "addr2line" -version = "0.24.2" +version = "0.25.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfbe277e56a376000877090da837660b4427aad530e3028d44e0bffe4f89a1c1" +checksum = "1b5d307320b3181d6d7954e663bd7c774a838b8220fe0593c86d9fb09f498b4b" dependencies = [ "gimli", ] @@ -296,7 +296,7 @@ dependencies = [ "polling", "rustix 1.1.2", "slab", - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -365,7 +365,7 @@ dependencies = [ "rustix 1.1.2", "signal-hook-registry", "slab", - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -502,9 +502,9 @@ dependencies = [ [[package]] name = "backtrace" -version = "0.3.75" +version = "0.3.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6806a6321ec58106fea15becdad98371e28d92ccbc7c8f1b3b6dd724fe8f1002" +checksum = "bb531853791a215d7c62a30daf0dde835f381ab5de4589cfe7c649d2cbe92bd6" dependencies = [ "addr2line", "cfg-if", 
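Review bot: `ignore-unfixed: true` silently excludes every finding that has no fixed upstream version from the blocking scan, and nothing in the step records that or where such findings are tracked; a comment above the step such as `# Blocks on fixable CRITICAL/HIGH/MEDIUM vulns in the lockfiles; unfixed findings are excluded here and must be tracked via .trivyignore or the release advisory files` would make the gate's coverage explicit. The step runs before the toolchain and dependency install steps, so it is presumably scanning sources and lockfiles only (Cargo.lock, pnpm-lock.yaml), which is reasonable but worth stating in the same comment. `aquasecurity/trivy-action@0.33.1` is a mutable tag; pinning to a commit SHA keeps the gate's own tooling from changing underneath the repository.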
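Review bot: The exemption carries only `# glib - transitive dependency` and no reason the finding is accepted, so when `exp:2025-11-05` lapses the gate will start failing with no recorded context for whoever picks it up. Expand the comment to state why the advisory does not apply or why no fix can be taken yet, which dependency path pulls glib in, and a tracking reference, e.g. `# GHSA-wrw7-89jp-8q8g: glib via <dependency path> — <reason accepted>; re-evaluate before expiry, tracked in <issue ref>`.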
@@ -512,7 +512,7 @@ dependencies = [ "miniz_oxide", "object", "rustc-demangle", - "windows-targets 0.52.6", + "windows-link 0.2.0", ] [[package]] @@ -779,9 +779,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.2.38" +version = "1.2.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "80f41ae168f955c12fb8960b057d70d0ca153fb83182b57d86380443527be7e9" +checksum = "e1354349954c6fc9cb0deab020f27f783cf0b604e8bb754dc4658ecf0d29c35f" dependencies = [ "find-msvc-tools", "jobserver", @@ -1466,7 +1466,7 @@ dependencies = [ "libc", "option-ext", "redox_users 0.5.2", - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -1706,7 +1706,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -2196,9 +2196,9 @@ dependencies = [ [[package]] name = "gimli" -version = "0.31.1" +version = "0.32.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07e28edb80900c19c28f1072f2e8aeca7fa06b23cd4169cefe1af5aa3260783f" +checksum = "e629b9b98ef3dd8afe6ca2bd0f89306cec16d43d907889945bc5d6687f2f13c7" [[package]] name = "gio" @@ -2428,12 +2428,6 @@ dependencies = [ "foldhash", ] -[[package]] -name = "hashbrown" -version = "0.16.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5419bdc4f6a9207fbeba6d11b604d481addf78ecd10c11ad51e76c2f6482748d" - [[package]] name = "hashlink" version = "0.10.0" @@ -2659,7 +2653,7 @@ dependencies = [ "js-sys", "log", "wasm-bindgen", - "windows-core 0.62.0", + "windows-core 0.62.1", ] [[package]] @@ -2826,7 +2820,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5" dependencies = [ "equivalent", - "hashbrown 0.16.0", + "hashbrown 0.15.5", "serde", "serde_core", ] 
@@ -2964,9 +2958,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.80" +version = "0.3.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "852f13bec5eba4ba9afbeb93fd7c13fe56147f055939ae21c43a29a0ecb2702e" +checksum = "ec48937a97411dcb524a265206ccd4c90bb711fca92b2792c407f268825b9305" dependencies = [ "once_cell", "wasm-bindgen", @@ -3263,9 +3257,9 @@ dependencies = [ [[package]] name = "memchr" -version = "2.7.5" +version = "2.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32a282da65faaf38286cf3be983213fcf1d2e2a58700e808f83f4ea9a4804bc0" +checksum = "f52b00d39961fc5b2736ea853c9cc86238e165017a493d1d5c8eac6bdc4cc273" [[package]] name = "memoffset" @@ -3838,9 +3832,9 @@ dependencies = [ [[package]] name = "object" -version = "0.36.7" +version = "0.37.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "62948e14d923ea95ea2c7c86c71013138b66525b86bdc08d2dcc262bdb497b87" +checksum = "ff76201f031d8863c38aa7f905eca4f53abbfa15f609db4277d44cd8938f33fe" dependencies = [ "memchr", ] @@ -4332,7 +4326,7 @@ dependencies = [ "hermit-abi", "pin-project-lite", "rustix 1.1.2", - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -4831,9 +4825,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.11.2" +version = "1.11.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23d7fd106d8c02486a8d64e778353d1cffe08ce79ac2e82f540c86d0facf6912" +checksum = "8b5288124840bee7b386bc413c487869b360b2b4ec421ea56425128692f2a82c" dependencies = [ "aho-corasick", "memchr", @@ -4843,9 +4837,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.10" +version = "0.4.11" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6b9458fa0bfeeac22b5ca447c63aaf45f28439a709ccd244698632f9aa6394d6" +checksum = "833eb9ce86d40ef33cb1306d8accf7bc8ec2bfea4355cbdebb3df68b40925cad" dependencies = [ "aho-corasick", "memchr", 
@@ -5075,7 +5069,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys 0.11.0", - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -5153,7 +5147,7 @@ version = "0.1.28" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "891d81b926048e76efe18581bf793546b4c0eaf8448d72be8de2bbee5fd166e1" dependencies = [ - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -5291,9 +5285,9 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.226" +version = "1.0.227" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0dca6411025b24b60bfa7ec1fe1f8e710ac09782dca409ee8237ba74b51295fd" +checksum = "80ece43fc6fbed4eb5392ab50c07334d3e577cbf40997ee896fe7af40bba4245" dependencies = [ "serde_core", "serde_derive", @@ -5313,18 +5307,18 @@ dependencies = [ [[package]] name = "serde_core" -version = "1.0.226" +version = "1.0.227" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ba2ba63999edb9dac981fb34b3e5c0d111a69b0924e253ed29d83f7c99e966a4" +checksum = "7a576275b607a2c86ea29e410193df32bc680303c82f31e275bbfcafe8b33be5" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.226" +version = "1.0.227" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8db53ae22f34573731bafa1db20f04027b2d25e02d8205921b569171699cdb33" +checksum = "51e694923b8824cf0e9b382adf0f60d4e05f348f357b38833a3fa5ed7c2ede04" dependencies = [ "proc-macro2", "quote", @@ -6555,7 +6549,7 @@ dependencies = [ "getrandom 0.3.3", "once_cell", "rustix 1.1.2", - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] 
@@ -7439,9 +7433,9 @@ checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b" [[package]] name = "wasm-bindgen" -version = "0.2.103" +version = "0.2.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ab10a69fbd0a177f5f649ad4d8d3305499c42bab9aef2f7ff592d0ec8f833819" +checksum = "c1da10c01ae9f1ae40cbfac0bac3b1e724b320abfcf52229f80b547c0d250e2d" dependencies = [ "cfg-if", "once_cell", @@ -7452,9 +7446,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.103" +version = "0.2.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0bb702423545a6007bbc368fde243ba47ca275e549c8a28617f56f6ba53b1d1c" +checksum = "671c9a5a66f49d8a47345ab942e2cb93c7d1d0339065d4f8139c486121b43b19" dependencies = [ "bumpalo", "log", @@ -7466,9 +7460,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.53" +version = "0.4.54" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0b221ff421256839509adbb55998214a70d829d3a28c69b4a6672e9d2a42f67" +checksum = "7e038d41e478cc73bae0ff9b36c60cff1c98b8f38f8d7e8061e79ee63608ac5c" dependencies = [ "cfg-if", "js-sys", @@ -7479,9 +7473,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.103" +version = "0.2.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fc65f4f411d91494355917b605e1480033152658d71f722a90647f56a70c88a0" +checksum = "7ca60477e4c59f5f2986c50191cd972e3a50d8a95603bc9434501cf156a9a119" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -7489,9 +7483,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.103" +version = "0.2.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffc003a991398a8ee604a401e194b6b3a39677b3173d6e74495eb51b82e99a32" +checksum = "9f07d2f20d4da7b26400c9f4a0511e6e0345b040694e8a75bd41d578fa4421d7" dependencies = [ "proc-macro2", "quote", 
@@ -7502,9 +7496,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.103" +version = "0.2.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "293c37f4efa430ca14db3721dfbe48d8c33308096bd44d80ebaa775ab71ba1cf" +checksum = "bad67dc8b2a1a6e5448428adec4c3e84c43e561d8c9ee8a9e5aabeb193ec41d1" dependencies = [ "unicode-ident", ] @@ -7597,9 +7591,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.80" +version = "0.3.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fbe734895e869dc429d78c4b433f8d17d95f8d05317440b4fad5ab2d33e596dc" +checksum = "9367c417a924a74cae129e6a2ae3b47fabb1f8995595ab474029da749a8be120" dependencies = [ "js-sys", "wasm-bindgen", @@ -7764,7 +7758,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.61.0", + "windows-sys 0.61.1", ] [[package]] @@ -7825,9 +7819,9 @@ dependencies = [ [[package]] name = "windows-core" -version = "0.62.0" +version = "0.62.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "57fe7168f7de578d2d8a05b07fd61870d2e73b4020e9f49aa00da8471723497c" +checksum = "6844ee5416b285084d3d3fffd743b925a6c9385455f64f6d4fa3031c4c2749a9" dependencies = [ "windows-implement", "windows-interface", @@ -7849,9 +7843,9 @@ dependencies = [ [[package]] name = "windows-implement" -version = "0.60.0" +version = "0.60.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a47fddd13af08290e67f4acabf4b459f647552718f683a7b415d290ac744a836" +checksum = "edb307e42a74fb6de9bf3a02d9712678b22399c87e6fa869d6dfcd8c1b7754e0" dependencies = [ "proc-macro2", "quote", 
@@ -7860,9 +7854,9 @@ dependencies = [ [[package]] name = "windows-interface" -version = "0.59.1" +version = "0.59.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bd9211b69f8dcdfa817bfd14bf1c97c9188afa36f4750130fcdf3f400eca9fa8" +checksum = "c0abd1ddbc6964ac14db11c7213d6532ef34bd9aa042c2e5935f59d7908b46a5" dependencies = [ "proc-macro2", "quote", @@ -7991,14 +7985,14 @@ version = "0.60.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb" dependencies = [ - "windows-targets 0.53.3", + "windows-targets 0.53.4", ] [[package]] name = "windows-sys" -version = "0.61.0" +version = "0.61.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e201184e40b2ede64bc2ea34968b28e33622acdbbf37104f0e4a33f7abe657aa" +checksum = "6f109e41dd4a3c848907eb83d5a42ea98b3769495597450cf6d153507b166f0f" dependencies = [ "windows-link 0.2.0", ] @@ -8051,11 +8045,11 @@ dependencies = [ [[package]] name = "windows-targets" -version = "0.53.3" +version = "0.53.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d5fe6031c4041849d7c496a8ded650796e7b6ecc19df1a431c1a363342e5dc91" +checksum = "2d42b7b7f66d2a06854650af09cfdf8713e427a439c97ad65a6375318033ac4b" dependencies = [ - "windows-link 0.1.3", + "windows-link 0.2.0", "windows_aarch64_gnullvm 0.53.0", "windows_aarch64_msvc 0.53.0", "windows_i686_gnu 0.53.0", @@ -8077,9 +8071,9 @@ dependencies = [ [[package]] name = "windows-version" -version = "0.1.5" +version = "0.1.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69e061eb0a22b4a1d778ad70f7575ec7845490abb35b08fa320df7895882cacb" +checksum = "700dad7c058606087f6fdc1f88da5841e06da40334413c6cd4367b25ef26d24e" dependencies = [ "windows-link 0.2.0", ] From bead78839728c0d34df332137c200285dc0ce37c Mon Sep 17 00:00:00 2001 
From: Jacek Chmielewski Date: Mon, 29 Sep 2025 15:47:33 +0200 Subject: [PATCH 03/23] Periodic sbom regeneration (#599) * regenerate sboms and advisories periodically * remove branch push trigger --- .github/workflows/sbom-regenerate.yml | 35 ++++++++++++++++++++++++ .github/workflows/sbom.yml | 39 +++++++++++++++++++-------- 2 files changed, 63 insertions(+), 11 deletions(-) create mode 100644 .github/workflows/sbom-regenerate.yml diff --git a/.github/workflows/sbom-regenerate.yml b/.github/workflows/sbom-regenerate.yml new file mode 100644 index 00000000..d3c7522c --- /dev/null +++ b/.github/workflows/sbom-regenerate.yml @@ -0,0 +1,35 @@ +name: Periodic SBOM Regeneration + +on: + schedule: + - cron: '30 2 * * *' # 2:30 AM UTC + +jobs: + list-releases: + name: List releases + runs-on: ubuntu-latest + outputs: + releases: ${{ steps.get-releases.outputs.releases }} + steps: + - name: Get list of releases + id: get-releases + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + RELEASES_JSON=$(gh api repos/${{ github.repository }}/releases \ + --jq '[.[] | select(.draft == false) | {tagName: .tag_name, uploadUrl: .upload_url}][:1]') + echo "releases=$RELEASES_JSON" >> $GITHUB_OUTPUT + regenerate-for-release: + name: Regenerate SBOM for release + needs: list-releases + # Don't run if no releases were found. + if: needs.list-releases.outputs.releases != '[]' + strategy: + fail-fast: false + matrix: + release: ${{ fromJson(needs.list-releases.outputs.releases) }} + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ matrix.release.uploadUrl }} + tag: ${{ matrix.release.tagName }} + secrets: inherit diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index c470ea02..e7f357ec 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml 
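Review bot: `secrets: inherit` hands every repository and organization secret to the reusable workflow, while sbom.yml only reads `secrets.GITHUB_TOKEN`, which a called workflow receives without `inherit`; drop the line, or declare the specific secrets the callee needs. The scheduled run uploads assets with the default token, so an explicit `permissions: contents: write` on the workflow (or on `regenerate-for-release`) documents the required scope and avoids a silent failure where the repository's token default is read-only — hedged, as that default isn't visible here. `[:1]` limits regeneration to the newest non-draft release; a comment such as `# Only the latest release is regenerated; older releases keep their original SBOM` would make that choice visible. If `gh api --jq` ever prints the array across several lines, the single-line `releases=...` write to `$GITHUB_OUTPUT` breaks; compacting it with `jq -c .` (where jq is on the runner) or using the heredoc output form guards against that.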
@@ -7,39 +7,56 @@ on: description: "Release assets upload URL" required: true type: string + tag: + description: "The git tag to generate SBOM for - used in scheduled runs" + required: false + type: string jobs: create-sbom: - runs-on: self-hosted + runs-on: [self-hosted, Linux, X64] steps: + - name: Determine release tag and version + id: vars + # Uses inputs.tag for scheduled runs, otherwise github.ref_name. + run: | + TAG_NAME=${{ inputs.tag || github.ref_name }} + VERSION=${TAG_NAME#v} + echo "TAG_NAME=$TAG_NAME" >> $GITHUB_OUTPUT + echo "VERSION=$VERSION" >> $GITHUB_OUTPUT + - name: Checkout uses: actions/checkout@v4 with: submodules: recursive - # Store the version, stripping any v-prefix - - name: Write release version - run: | - VERSION=${GITHUB_REF_NAME#v} - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - name: Create SBOM with Trivy uses: aquasecurity/trivy-action@0.33.1 with: scan-type: 'fs' format: 'spdx-json' - output: "defguard-client-${{ env.VERSION }}.sbom.json" + output: "defguard-client-${{ steps.vars.outputs.VERSION }}.sbom.json" + scan-ref: '.' + severity: "CRITICAL,HIGH,MEDIUM,LOW" + scanners: "vuln" + + - name: Create security advisory file with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + format: 'json' + output: "defguard-client-${{ steps.vars.outputs.VERSION }}.advisories.json" scan-ref: '.' severity: "CRITICAL,HIGH,MEDIUM,LOW" scanners: "vuln" - - name: Upload SBOM + - name: Upload SBOMs and advisories uses: shogo82148/actions-upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ inputs.upload_url }} - asset_path: "defguard-*.sbom.json" + asset_path: "defguard-*.json" asset_content_type: application/octet-stream + overwrite: true From 338e83b0bc2f63a4197284a0a888a9c99cdfc72d Mon Sep 17 00:00:00 2001 
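Review bot: For scheduled runs the checkout step never checks out `inputs.tag`, so the SBOM and advisory files named after the release version are generated from whatever ref the default checkout yields (the default branch) rather than from the released code; the `vars` step already runs first, so add `ref: ${{ steps.vars.outputs.TAG_NAME }}` under the checkout's `with:`. `TAG_NAME=${{ inputs.tag || github.ref_name }}` splices an expression straight into the shell script; the conventional form passes it through `env:` (e.g. `env: TAG_INPUT: ${{ inputs.tag || github.ref_name }}` then `TAG_NAME="$TAG_INPUT"`) so the value is never interpreted as script text, even though here it originates from the repository's own tag names. Both Trivy steps and the upload step still reference mutable tags rather than commit SHAs.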
From: Jacek Chmielewski Date: Tue, 30 Sep 2025 09:49:33 +0200 Subject: [PATCH 04/23] only generate sbom for full releases --- .github/workflows/sbom-regenerate.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sbom-regenerate.yml b/.github/workflows/sbom-regenerate.yml index d3c7522c..3ecb2e6e 100644 --- a/.github/workflows/sbom-regenerate.yml +++ b/.github/workflows/sbom-regenerate.yml @@ -17,7 +17,9 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | RELEASES_JSON=$(gh api repos/${{ github.repository }}/releases \ - --jq '[.[] | select(.draft == false) | {tagName: .tag_name, uploadUrl: .upload_url}][:1]') + --jq '[.[] + | select(.draft == false and (.tag_name | test("^v[0-9]+\\.[0-9]+\\.[0-9]+$"))) + | {tagName: .tag_name, uploadUrl: .upload_url}][:1]') echo "releases=$RELEASES_JSON" >> $GITHUB_OUTPUT regenerate-for-release: name: Regenerate SBOM for release From 218135d0ba05b13f5f5c4a0a936b6f411a480803 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Fri, 3 Oct 2025 08:01:28 +0200 Subject: [PATCH 05/23] bump version to 1.5.2 --- nix/package.nix | 2 +- package.json | 4 ++-- src-tauri/Cargo.lock | 6 +++--- src-tauri/Cargo.toml | 2 +- src-tauri/tauri.conf.json | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/nix/package.nix b/nix/package.nix index cad9c48b..0ec4456a 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -6,7 +6,7 @@ makeDesktopItem, }: let pname = "defguard-client"; - version = "1.5.1"; # TODO: Get this from Cargo.toml or git + version = "1.5.2"; # TODO: Get this from Cargo.toml or git desktopItem = makeDesktopItem { name = pname; diff --git a/package.json b/package.json index ee8a6109..f3cd54b6 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "defguard-client", "private": false, - "version": "1.5.1", + "version": "1.5.2", "type": "module", "scripts": { "dev": "npm-run-all --parallel vite typesafe-i18n", 
@@ -132,4 +132,4 @@ "volta": { "node": "20.5.1" } -} +} \ No newline at end of file diff --git a/src-tauri/Cargo.lock b/src-tauri/Cargo.lock index dd6fcaff..f9647ce4 100644 --- a/src-tauri/Cargo.lock +++ b/src-tauri/Cargo.lock @@ -909,7 +909,7 @@ dependencies = [ [[package]] name = "common" -version = "1.5.1" +version = "1.5.2" dependencies = [ "nix", ] @@ -1263,7 +1263,7 @@ checksum = "be1e0bca6c3637f992fc1cc7cbc52a78c1ef6db076dbf1059c4323d6a2048376" [[package]] name = "defguard-client" -version = "1.5.1" +version = "1.5.2" dependencies = [ "anyhow", "base64 0.22.1", @@ -1321,7 +1321,7 @@ dependencies = [ [[package]] name = "defguard-dg" -version = "1.5.1" +version = "1.5.2" dependencies = [ "clap", "common", diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml index e7ec0f43..466a0b5d 100644 --- a/src-tauri/Cargo.toml +++ b/src-tauri/Cargo.toml @@ -31,7 +31,7 @@ edition = "2021" homepage = "https://github.com/DefGuard/client" license-file = "../LICENSE.md" rust-version = "1.80" -version = "1.5.1" +version = "1.5.2" [package] name = "defguard-client" diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json index a9a3ed85..8c9b8904 100644 --- a/src-tauri/tauri.conf.json +++ b/src-tauri/tauri.conf.json @@ -72,7 +72,7 @@ "productName": "defguard-client", "mainBinaryName": "defguard-client", "identifier": "net.defguard", - "version": "1.5.1", + "version": "1.5.2", "app": { "security": { "capabilities": [ @@ -107,4 +107,4 @@ } } } -} +} \ No newline at end of file From b3c146435db3f0f5ff3edd615c7c246b2d9db5a5 Mon Sep 17 00:00:00 2001 From: Adam Date: Fri, 3 Oct 2025 10:45:26 +0200 Subject: [PATCH 06/23] Fix pnpm build (#606) --- .github/workflows/release.yaml | 6 +++--- README.md | 6 ------ 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a9073548..d1b9c831 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -85,12 +85,12 @@ jobs: VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) echo Version: $VERSION echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v5 with: - node-version: "22" + node-version: "24" - uses: pnpm/action-setup@v4 with: - version: 10 + version: 10.17 run_install: false - name: Get pnpm store directory shell: bash diff --git a/README.md b/README.md index 3d94ae36..64c52278 100644 --- a/README.md +++ b/README.md @@ -72,12 +72,6 @@ Built packages are available after in `src-tauri/target/release/bundle`. Remove `default-run` line from `[package]` section in `Cargo.toml` to build the project. -# Built and sponsored by - -

- build by teonite -

- # Legal WireGuard® is [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld. From a22afa95358de558f33f5bfc8e381a2e8636ae40 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 7 Oct 2025 09:16:16 +0200 Subject: [PATCH 07/23] Build Ubuntu 22/Debian 12 package (#611) --- .github/workflows/release.yaml | 83 +++++++++++++++++++++++++++++++--- 1 file changed, 77 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d1b9c831..aa681a20 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,9 +1,3 @@ -name: "Build app and create release" -on: - push: - tags: - - v*.*.* - jobs: build-wireguard-go: strategy: 
@@ -57,6 +51,83 @@ jobs: uses: ./.github/workflows/sbom.yml with: upload_url: ${{ needs.create-release.outputs.upload_url }} + ubuntu-22-04-build: + needs: + - create-release + runs-on: + - self-hosted + - Linux + - ${{ matrix.architecture }} + strategy: + fail-fast: false + matrix: + architecture: [ARM64, X64] + include: + - architecture: ARM64 + deb_arch: arm64 + binary_arch: aarch64 + - architecture: X64 + deb_arch: amd64 + binary_arch: x86_64 + container: + image: ubuntu:22.04 + env: + DEBIAN_FRONTEND: noninteractive + HOME: /root + RUSTUP_HOME: /root/.rustup + CARGO_HOME: /root/.cargo + steps: + - name: git install + run: | + apt-get update + apt-get install -y git curl ca-certificates + git config --global --add safe.directory '*' + - uses: actions/checkout@v5 + with: + submodules: "recursive" + - uses: pnpm/action-setup@v4 + with: + version: 10.17 + run_install: false + - uses: actions/setup-node@v5 + with: + node-version: "24" + - name: Get pnpm store directory + run: | + echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + - name: Write release version + run: | + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + echo Version: $VERSION + echo "VERSION=$VERSION" >> ${GITHUB_ENV} + - uses: actions/cache@v4 + name: Setup pnpm cache + with: + path: ${{ env.STORE_PATH }} + key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-build-store- + - name: Install Node dependencies + run: pnpm install --frozen-lockfile + - uses: dtolnay/rust-toolchain@stable + - name: Install dependencies + run: | + apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm + - name: Build packages + uses: tauri-apps/tauri-action@v0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + args: "--bundles deb" + - name: Upload DEB + uses: actions/upload-release-asset@v1 + 
env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb + asset_content_type: application/octet-stream build-linux: needs: From 8706cead2abc2483a7d1dbd84ce27c61b050433b Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Mon, 13 Oct 2025 04:39:34 -0700 Subject: [PATCH 08/23] Setup ctrl+q keyboard shortcut (#618) * register shortcut * ctrl+q keyboard shortcut closes active connections and exits --- src-tauri/Cargo.lock | 40 ++++++++++++++++++++++++++++ src-tauri/Cargo.toml | 1 + src-tauri/src/bin/defguard-client.rs | 15 +++++++++++ 3 files changed, 56 insertions(+) diff --git a/src-tauri/Cargo.lock b/src-tauri/Cargo.lock index f9647ce4..3c7eba8d 100644 --- a/src-tauri/Cargo.lock +++ b/src-tauri/Cargo.lock @@ -1293,6 +1293,7 @@ dependencies = [ "tauri-plugin-deep-link", "tauri-plugin-dialog", "tauri-plugin-fs", + "tauri-plugin-global-shortcut", "tauri-plugin-http", "tauri-plugin-log", "tauri-plugin-notification", @@ -2298,6 +2299,24 @@ version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280" +[[package]] +name = "global-hotkey" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b9247516746aa8e53411a0db9b62b0e24efbcf6a76e0ba73e5a91b512ddabed7" +dependencies = [ + "crossbeam-channel", + "keyboard-types", + "objc2 0.6.2", + "objc2-app-kit", + "once_cell", + "serde", + "thiserror 2.0.16", + "windows-sys 0.59.0", + "x11rb", + "xkeysym", +] + [[package]] name = "gloo-timers" version = "0.3.0" 
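Review bot: `binary_arch` (`aarch64`/`x86_64`) is defined in the matrix `include` but never referenced anywhere in the job, so it is either dead configuration or a step meant to use it is missing. The upload step uses `actions/upload-release-asset@v1`, which is archived upstream and differs from the `shogo82148/actions-upload-release-asset@v1` this series already adopted for sbom.yml; using the same action leaves one upload path to maintain. `git config --global --add safe.directory '*'` disables git's ownership check for every path in the container; `safe.directory "$GITHUB_WORKSPACE"` is enough for the checkout, though on a throwaway container the broad form is a minor point. The pnpm `version: 10.17` is an unquoted YAML float; write `version: "10.17"` so a future `10.10` does not collapse to `10.1`.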
@@ -6291,6 +6310,21 @@ dependencies = [ "url", ] +[[package]] +name = "tauri-plugin-global-shortcut" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6df9f0f7bf2fe768b85fee4951c2505a35b72c44df1f6403e74e110bc13c5f58" +dependencies = [ + "global-hotkey", + "log", + "serde", + "serde_json", + "tauri", + "tauri-plugin", + "thiserror 2.0.16", +] + [[package]] name = "tauri-plugin-http" version = "2.5.2" @@ -8431,6 +8465,12 @@ dependencies = [ "zeroize", ] +[[package]] +name = "xkeysym" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b9cc00251562a284751c9973bace760d86c0276c471b4be569fe6b068ee97a56" + [[package]] name = "yoke" version = "0.8.0" diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml index 466a0b5d..85b570e7 100644 --- a/src-tauri/Cargo.toml +++ b/src-tauri/Cargo.toml @@ -110,6 +110,7 @@ x25519-dalek = { version = "2", features = [ "serde", "static_secrets", ] } +tauri-plugin-global-shortcut = "2.3.0" [target.'cfg(unix)'.dependencies] hyper-util = "0.1" diff --git a/src-tauri/src/bin/defguard-client.rs b/src-tauri/src/bin/defguard-client.rs index c9a337d3..76514a4a 100644 --- a/src-tauri/src/bin/defguard-client.rs +++ b/src-tauri/src/bin/defguard-client.rs @@ -28,6 +28,7 @@ use log::{Level, LevelFilter}; #[cfg(target_os = "macos")] use tauri::{process, Env}; use tauri::{AppHandle, Builder, Manager, RunEvent, WindowEvent}; +use tauri_plugin_global_shortcut::{Code, GlobalShortcutExt, Modifiers, Shortcut, ShortcutState}; use tauri_plugin_log::{Target, TargetKind}; #[macro_use] 
@@ -263,6 +264,20 @@ fn main() { .build(), )?; + // Setup ctrl-q keyboard shortcut + let ctrl_q_shortcut = Shortcut::new(Some(Modifiers::CONTROL), Code::KeyQ); + app_handle.plugin( + tauri_plugin_global_shortcut::Builder::new() + .with_handler(move |app, shortcut, event| { + if shortcut == &ctrl_q_shortcut && event.state() == ShortcutState::Pressed { + info!("Ctrl-Q pressed, closing active connections and exiting"); + app.exit(0); + } + }) + .build(), + )?; + app.global_shortcut().register(ctrl_q_shortcut)?; + let state = AppState::new(config); app.manage(state); From fa11096a10de31f5c75968a22f81013bc6364459 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 19:05:56 +0200 Subject: [PATCH 09/23] undo unnecessary deletion (#620) --- .github/workflows/release.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index aa681a20..67e125a6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,3 +1,8 @@ +name: "Build app and create release" +on: + push: + tags: + - v*.*.* jobs: build-wireguard-go: strategy: From 694894e0afcb1b7a5aa02ce7d7be36105204bbf2 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 19:32:06 +0200 Subject: [PATCH 10/23] workflow test --- .github/workflows/release.yaml | 876 +++++++++++++++++---------------- 1 file changed, 448 insertions(+), 428 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 67e125a6..edc6007d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
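Review bot: `app.global_shortcut().register(ctrl_q_shortcut)?;` turns a failed hotkey registration (the combination already taken by another process, or a desktop that does not support global hotkeys) into a startup failure for the whole client, which is a harsh outcome for a convenience shortcut; logging and continuing is safer, e.g. `if let Err(err) = app.global_shortcut().register(ctrl_q_shortcut) { log::warn!("Ctrl-Q shortcut not registered: {err}"); }`. Since this plugin registers OS-level hotkeys, the handler fires regardless of which application has focus, so Ctrl-Q pressed in an unrelated window will exit the client and tear down its tunnels — worth confirming that is intended rather than a window-scoped accelerator. The log line says connections are closed, but the handler only calls `app.exit(0)`; whether tunnels are actually torn down depends on the exit handling elsewhere in `main`, which starts and ends outside this hunk.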
@@ -1,42 +1,44 @@ name: "Build app and create release" on: push: - tags: - - v*.*.* + branches: + - apt_repository + # tags: + # - v*.*.* jobs: - build-wireguard-go: - strategy: - fail-fast: false - matrix: - architecture: [arm64, amd64] - runs-on: [self-hosted, macOS] - steps: - - uses: actions/checkout@v5 - with: - repository: WireGuard/wireguard-go - ref: master - fetch-depth: 0 - - name: Set up Go - uses: actions/setup-go@v5 - with: - go-version: "1.24" - - name: Build wireguard-go binary - run: make - env: - GOOS: darwin - GOARCH: ${{ matrix.architecture }} - - name: Upload binary artifact arm64 - if: matrix.architecture == 'arm64' - uses: actions/upload-artifact@v4 - with: - name: wireguard-go-aarch64-apple-darwin - path: wireguard-go - - name: Upload binary artifact amd64 - if: matrix.architecture == 'amd64' - uses: actions/upload-artifact@v4 - with: - name: wireguard-go-x86_64-apple-darwin - path: wireguard-go + # build-wireguard-go: + # strategy: + # fail-fast: false + # matrix: + # architecture: [arm64, amd64] + # runs-on: [self-hosted, macOS] + # steps: + # - uses: actions/checkout@v5 + # with: + # repository: WireGuard/wireguard-go + # ref: master + # fetch-depth: 0 + # - name: Set up Go + # uses: actions/setup-go@v5 + # with: + # go-version: "1.24" + # - name: Build wireguard-go binary + # run: make + # env: + # GOOS: darwin + # GOARCH: ${{ matrix.architecture }} + # - name: Upload binary artifact arm64 + # if: matrix.architecture == 'arm64' + # uses: actions/upload-artifact@v4 + # with: + # name: wireguard-go-aarch64-apple-darwin + # path: wireguard-go + # - name: Upload binary artifact amd64 + # if: matrix.architecture == 'amd64' + # uses: actions/upload-artifact@v4 + # with: + # name: wireguard-go-x86_64-apple-darwin + # path: wireguard-go create-release: name: create-release 
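Review bot: Every push to `apt_repository` now runs the `create-release` job at the end of the hunk, because the trigger was changed from `tags: v*.*.*` to `branches:`; `github.ref_name` is then the branch name, so the version derived from the ref is meaningless (the later hunks of this commit hard-code `VERSION=1.5.2` to compensate). If this is a temporary test trigger, a manual `workflow_dispatch:` with a version input is safer than a branch trigger, since a branch trigger left in place would create a release on every push. Disabling `build-wireguard-go` and, in the remaining hunks of this commit, the SBOM, Ubuntu 22.04, macOS and Windows jobs by commenting out several hundred lines is hard to review and easy to let drift; a job-level `if: false` keeps each job parsed and is one line to revert.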
@@ -51,88 +53,94 @@ jobs: draft: true generate_release_notes: true - create-sbom: - needs: [create-release] - uses: ./.github/workflows/sbom.yml - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - ubuntu-22-04-build: - needs: - - create-release - runs-on: - - self-hosted - - Linux - - ${{ matrix.architecture }} - strategy: - fail-fast: false - matrix: - architecture: [ARM64, X64] - include: - - architecture: ARM64 - deb_arch: arm64 - binary_arch: aarch64 - - architecture: X64 - deb_arch: amd64 - binary_arch: x86_64 - container: - image: ubuntu:22.04 - env: - DEBIAN_FRONTEND: noninteractive - HOME: /root - RUSTUP_HOME: /root/.rustup - CARGO_HOME: /root/.cargo - steps: - - name: git install - run: | - apt-get update - apt-get install -y git curl ca-certificates - git config --global --add safe.directory '*' - - uses: actions/checkout@v5 - with: - submodules: "recursive" - - uses: pnpm/action-setup@v4 - with: - version: 10.17 - run_install: false - - uses: actions/setup-node@v5 - with: - node-version: "24" - - name: Get pnpm store directory - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install Node dependencies - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install dependencies - run: | - apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm - - name: Build packages - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - 
args: "--bundles deb" - - name: Upload DEB - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb - asset_content_type: application/octet-stream + # create-sbom: + # needs: [create-release] + # uses: ./.github/workflows/sbom.yml + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # ubuntu-22-04-build: + # needs: + # - create-release + # runs-on: + # - self-hosted + # - Linux + # - ${{ matrix.architecture }} + # strategy: + # fail-fast: false + # matrix: + # architecture: [ARM64, X64] + # include: + # - architecture: ARM64 + # deb_arch: arm64 + # binary_arch: aarch64 + # - architecture: X64 + # deb_arch: amd64 + # binary_arch: x86_64 + # container: + # image: ubuntu:22.04 + # env: + # DEBIAN_FRONTEND: noninteractive + # HOME: /root + # RUSTUP_HOME: /root/.rustup + # CARGO_HOME: /root/.cargo + # steps: + # - name: git install + # run: | + # apt-get update + # apt-get install -y git curl ca-certificates + # git config --global --add safe.directory '*' + # - uses: actions/checkout@v5 + # with: + # submodules: "recursive" + # - uses: pnpm/action-setup@v4 + # with: + # version: 10.17 + # run_install: false + # - uses: actions/setup-node@v5 + # with: + # node-version: "24" + # - name: Get pnpm store directory + # run: | + # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # # - name: Write release version + # # run: | + # # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # # echo Version: $VERSION + # # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=1.5.2" >> ${GITHUB_ENV} + # - 
uses: actions/cache@v4 + # name: Setup pnpm cache + # with: + # path: ${{ env.STORE_PATH }} + # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + # restore-keys: | + # ${{ runner.os }}-pnpm-build-store- + # - name: Install Node dependencies + # run: pnpm install --frozen-lockfile + # - uses: dtolnay/rust-toolchain@stable + # - name: Install dependencies + # run: | + # apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby + # gem install deb-s3 + # - name: Build packages + # uses: tauri-apps/tauri-action@v0 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # args: "--bundles deb" + # - name: Upload DEB + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb + # asset_content_type: application/octet-stream build-linux: needs: @@ -156,11 +164,16 @@ jobs: - uses: actions/checkout@v5 with: submodules: "recursive" + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} - name: Write release version run: | VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} + echo "VERSION=1.5.2" >> ${GITHUB_ENV} - uses: actions/setup-node@v5 with: node-version: "24" 
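Review bot: Commenting out `create-sbom` removes SBOM generation from the release together with the Ubuntu 22.04 build, although the SBOM job only depends on `create-release` and is unrelated to the apt-repository work; it should stay active while the other jobs are disabled. The disabled block also carries the same hard-coded `echo "VERSION=1.5.2"` as the live `build-linux` step in the next hunk, so re-enabling it later would bring that value back; see the note on that hunk. The `build-linux` job at the end of the hunk continues outside it.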
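Review bot: `echo "VERSION=1.5.2" >> ${GITHUB_ENV}` discards the `$VERSION` the step has just computed and printed, so every asset name, the deb path and the apt upload further down are labelled 1.5.2 whatever ref triggered the run, and a second run collides with the first on the `--fail-if-exists` upload. If the value has to be fixed while testing from a branch, make that explicit rather than leaving the dead computation in place, e.g. `VERSION=${VERSION_OVERRIDE:-$VERSION}` with the override coming from a workflow input (constructed name), and restore `echo "VERSION=$VERSION" >> ${GITHUB_ENV}` before this is merged. The commented-out copy of the step directly above it is a duplicate and can be dropped. The `build-linux` job starts and ends outside the hunk.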
@@ -185,22 +198,23 @@ jobs: - name: Install Linux dependencies run: | sudo apt-get update - sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm + sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby + gem install deb-s3 - name: Build packages uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - args: "--bundles deb,rpm" - - name: Upload RPM - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - asset_content_type: application/octet-stream + args: "--bundles deb" #,rpm" + # - name: Upload RPM + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + # asset_content_type: application/octet-stream - name: Upload DEB uses: actions/upload-release-asset@v1 env: 
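Review bot: `gem install deb-s3` installs whatever version is current on rubygems.org at release time, and that tool is then handed the S3 publishing credentials in the next hunk; pin it, `gem install deb-s3 -v <pinned version>`, so an upstream release or a compromised gem cannot change what runs with those secrets. Installing into the distribution ruby pulled in by `apt-get` may also need root for the system gem directory, so this line could fail without `sudo`; verify on the runner. `args: "--bundles deb" #,rpm"` relies on the trailing `#` opening a comment — it parses, but `args: "--bundles deb"  # rpm temporarily disabled` says the same without the stray quote. The `build-linux` job starts and ends outside the hunk.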
@@ -210,176 +224,182 @@ jobs: asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb asset_content_type: application/octet-stream - - name: Rename client binary - run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar client binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload client archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream - - name: Rename daemon binary - run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar daemon binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload daemon archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream + - name: Upload DEB to apt repository on s3 + run: | + COMPONENT=$([[ "${{ 
github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. - - name: Rename dg binary - run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar dg binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload dg archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream - - name: Build dg deb - uses: defGuard/fpm-action@main - with: - fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" - - name: Upload DEB - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - asset_content_type: application/octet-stream - - name: Build dg rpm - uses: defGuard/fpm-action@main - with: - fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ 
env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm" - - name: Upload RPM - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - asset_content_type: application/octet-stream + deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - build-macos: - needs: - - create-release - - build-wireguard-go - strategy: - fail-fast: false - matrix: - target: [aarch64-apple-darwin, x86_64-apple-darwin] - runs-on: - - self-hosted - - macOS - env: - APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)" - APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. 
(82GZ7KN29J)" - APPLE_ID: "kamil@defguard.net" - APPLE_TEAM_ID: "82GZ7KN29J" - steps: - - uses: actions/checkout@v5 - with: - submodules: "recursive" - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - uses: actions/setup-node@v4 - with: - node-version: "22" - - uses: pnpm/action-setup@v4 - with: - version: 10 - run_install: false - - name: Get pnpm store directory - shell: bash - run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install deps - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install protobuf compiler - run: brew install protobuf - - name: Install ARM target - run: rustup target add aarch64-apple-darwin - - name: Download wireguard-go binary - uses: actions/download-artifact@v4 - with: - name: wireguard-go-${{ matrix.target }} - path: src-tauri/resources-macos/binaries - - name: Rename wireguard-go binary - run: | - ls -l src-tauri/resources-macos/binaries - mv src-tauri/resources-macos/binaries/wireguard-go src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} - - name: Unlock keychain - run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - - name: Build app - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }} - APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} - APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - APPLE_ID: ${{ env.APPLE_ID }} - APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} - APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID 
}} - with: - args: --target ${{ matrix.target }} -v - - name: Build installation package - run: | - bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain - xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - - name: Upload installation package - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg - asset_content_type: application/octet-stream + # - name: Rename client binary + # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # - name: Tar client binary + # uses: a7ul/tar-action@v1.2.0 + # with: + # command: c + # files: | + # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # - name: Upload client archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_content_type: application/octet-stream + # - name: Rename daemon binary + # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch 
}}-${{ github.ref_name }} + # - name: Tar daemon binary + # uses: a7ul/tar-action@v1.2.0 + # with: + # command: c + # files: | + # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # - name: Upload daemon archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_content_type: application/octet-stream + + # - name: Rename dg binary + # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # - name: Tar dg binary + # uses: a7ul/tar-action@v1.2.0 + # with: + # command: c + # files: | + # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # - name: Upload dg archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_content_type: application/octet-stream + # - name: Build dg deb + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" + # - name: Upload DEB + # uses: 
actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + # asset_content_type: application/octet-stream + # - name: Build dg rpm + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm" + # - name: Upload RPM + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + # asset_content_type: application/octet-stream + + # build-macos: + # needs: + # - create-release + # - build-wireguard-go + # strategy: + # fail-fast: false + # matrix: + # target: [aarch64-apple-darwin, x86_64-apple-darwin] + # runs-on: + # - self-hosted + # - macOS + # env: + # APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)" + # APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. 
(82GZ7KN29J)" + # APPLE_ID: "kamil@defguard.net" + # APPLE_TEAM_ID: "82GZ7KN29J" + # steps: + # - uses: actions/checkout@v5 + # with: + # submodules: "recursive" + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - uses: actions/setup-node@v4 + # with: + # node-version: "22" + # - uses: pnpm/action-setup@v4 + # with: + # version: 10 + # run_install: false + # - name: Get pnpm store directory + # shell: bash + # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # - uses: actions/cache@v4 + # name: Setup pnpm cache + # with: + # path: ${{ env.STORE_PATH }} + # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + # restore-keys: | + # ${{ runner.os }}-pnpm-build-store- + # - name: Install deps + # run: pnpm install --frozen-lockfile + # - uses: dtolnay/rust-toolchain@stable + # - name: Install protobuf compiler + # run: brew install protobuf + # - name: Install ARM target + # run: rustup target add aarch64-apple-darwin + # - name: Download wireguard-go binary + # uses: actions/download-artifact@v4 + # with: + # name: wireguard-go-${{ matrix.target }} + # path: src-tauri/resources-macos/binaries + # - name: Rename wireguard-go binary + # run: | + # ls -l src-tauri/resources-macos/binaries + # mv src-tauri/resources-macos/binaries/wireguard-go src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} + # - name: Unlock keychain + # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain + # - name: Build app + # uses: tauri-apps/tauri-action@v0 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }} + # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} + # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + # APPLE_ID: ${{ env.APPLE_ID 
}} + # APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} + # APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} + # with: + # args: --target ${{ matrix.target }} -v + # - name: Build installation package + # run: | + # bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain + # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + # xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + # - name: Upload installation package + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + # asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg + # asset_content_type: application/octet-stream # Building signed Windows bundle involves a few steps as described here: # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line 
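Review bot: The new `deb-s3 upload` step passes `secrets.AWS_ACCESS_KEY` and `secrets.AWS_SECRET_KEY` as command-line arguments, so the long-lived keys land in the process argument list (visible to other processes on the runner and to any shell tracing) instead of only in the environment; move them to the step's `env:` as `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, which deb-s3 picks up through the AWS SDK credential chain, and likewise pass `github.ref_name` through an environment variable rather than interpolating it into the `[[ ]]` test. Short-lived credentials via `aws-actions/configure-aws-credentials` with OIDC would avoid storing static keys as repository secrets at all. The command also has no `--sign` option, so unless signing is configured elsewhere the published `Release` file is unsigned and apt clients cannot verify the repository; deb-s3 supports `--sign=<key id>` with a GPG key. The `build-linux` job starts outside the hunk.
```yaml
      - name: Upload DEB to apt repository on s3
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          # if the ref contains "-" assume it's a pre-release
          COMPONENT=$([[ "$REF_NAME" == *"-"* ]] && echo "pre-release" || echo "release")
          deb-s3 upload -l --bucket=apt.defguard.net --s3-region=eu-north-1 --fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
      # … unchanged: commented-out client/daemon/dg archive steps and build-macos job …
```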
@@ -388,134 +408,134 @@ jobs: # 3. Sign the burn engine (Linux) # 4. Reattach the burn engine back to the bundle (Windows again) # 5. Sign the whole bundle (Linux) - build-windows: - needs: - - create-release - runs-on: windows-latest - steps: - - uses: actions/checkout@v5 - with: - submodules: "recursive" - - name: Write release version - run: | - $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0] - echo Version: $env:VERSION - echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV - - uses: actions/setup-node@v4 - with: - node-version: "22" - - uses: pnpm/action-setup@v4 - with: - version: 10 - run_install: false - - name: Get pnpm store directory - shell: bash - run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install deps - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install Protoc - uses: arduino/setup-protoc@v2 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Remove "default-run" line from Cargo.toml - run: | - Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch) - - name: Build packages - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Bundle application - run: | - dotnet tool install --global wix --version 4.0.5 - wix extension add WixToolset.Bal.wixext/4 - wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll - wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe - - name: Upload unsigned bundle and burn-engine - uses: actions/upload-artifact@v4 - with: - name: 
unsigned-bundle-and-burnengine - path: | - src-tauri/resources-windows/defguard-client.exe - src-tauri/resources-windows/burnengine.exe - sign-burn-engine: - needs: - - build-windows - runs-on: - - self-hosted - - Linux - - X64 - steps: - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - name: Download unsigned bundle & burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-and-burnengine - - name: Sign burn-engine - run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe - - name: Upload bundle and burn-engine artifact - uses: actions/upload-artifact@v4 - with: - name: unsigned-bundle-and-signed-burnengine - path: | - defguard-client.exe - burnengine-signed.exe - reattach-burn-engine: - needs: - - sign-burn-engine - runs-on: windows-latest - steps: - - name: Download unsigned bundle and signed burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-and-signed-burnengine - - name: Reattach burn-engine - run: | - dotnet tool install --global wix --version 4.0.5 - wix extension add WixToolset.Bal.wixext/4 - wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe - - name: Upload bundle with reattached burn-engine - uses: actions/upload-artifact@v4 - with: - name: unsigned-bundle-with-reattached-signed-burn-engine - path: defguard-client-reattached.exe - sign-bundle: - needs: - - create-release - - reattach-burn-engine - runs-on: - - self-hosted - - Linux - - X64 - steps: - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - 
name: Download unsigned bundle & signed burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-with-reattached-signed-burn-engine - - name: Sign bundle - run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe - - name: Upload installer asset - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-client-signed.exe - asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe - asset_content_type: application/octet-stream + # build-windows: + # needs: + # - create-release + # runs-on: windows-latest + # steps: + # - uses: actions/checkout@v5 + # with: + # submodules: "recursive" + # - name: Write release version + # run: | + # $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0] + # echo Version: $env:VERSION + # echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV + # - uses: actions/setup-node@v4 + # with: + # node-version: "22" + # - uses: pnpm/action-setup@v4 + # with: + # version: 10 + # run_install: false + # - name: Get pnpm store directory + # shell: bash + # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # - uses: actions/cache@v4 + # name: Setup pnpm cache + # with: + # path: ${{ env.STORE_PATH }} + # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + # restore-keys: | + # ${{ runner.os }}-pnpm-build-store- + # - name: Install deps + # run: pnpm install --frozen-lockfile + # - uses: dtolnay/rust-toolchain@stable + # - name: Install Protoc + # uses: arduino/setup-protoc@v2 + # with: + # repo-token: ${{ secrets.GITHUB_TOKEN }} + # - name: Remove "default-run" line from Cargo.toml + # run: | + # Set-Content 
-Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch) + # - name: Build packages + # uses: tauri-apps/tauri-action@v0 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # - name: Bundle application + # run: | + # dotnet tool install --global wix --version 4.0.5 + # wix extension add WixToolset.Bal.wixext/4 + # wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll + # wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe + # - name: Upload unsigned bundle and burn-engine + # uses: actions/upload-artifact@v4 + # with: + # name: unsigned-bundle-and-burnengine + # path: | + # src-tauri/resources-windows/defguard-client.exe + # src-tauri/resources-windows/burnengine.exe + # sign-burn-engine: + # needs: + # - build-windows + # runs-on: + # - self-hosted + # - Linux + # - X64 + # steps: + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - name: Download unsigned bundle & burn-engine + # uses: actions/download-artifact@v4 + # with: + # name: unsigned-bundle-and-burnengine + # - name: Sign burn-engine + # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe + # - name: Upload bundle and burn-engine artifact + # uses: actions/upload-artifact@v4 + # with: + # name: unsigned-bundle-and-signed-burnengine + # path: | + # defguard-client.exe + # burnengine-signed.exe + # reattach-burn-engine: + # needs: + # - sign-burn-engine + # runs-on: windows-latest + # steps: + # - name: Download unsigned bundle 
and signed burn-engine + # uses: actions/download-artifact@v4 + # with: + # name: unsigned-bundle-and-signed-burnengine + # - name: Reattach burn-engine + # run: | + # dotnet tool install --global wix --version 4.0.5 + # wix extension add WixToolset.Bal.wixext/4 + # wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe + # - name: Upload bundle with reattached burn-engine + # uses: actions/upload-artifact@v4 + # with: + # name: unsigned-bundle-with-reattached-signed-burn-engine + # path: defguard-client-reattached.exe + # sign-bundle: + # needs: + # - create-release + # - reattach-burn-engine + # runs-on: + # - self-hosted + # - Linux + # - X64 + # steps: + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - name: Download unsigned bundle & signed burn-engine + # uses: actions/download-artifact@v4 + # with: + # name: unsigned-bundle-with-reattached-signed-burn-engine + # - name: Sign bundle + # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe + # - name: Upload installer asset + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-client-signed.exe + # asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe + # asset_content_type: application/octet-stream From 1e22971095d4805ef96f0722eda2b852d7f5e5e3 Mon Sep 17 00:00:00 2001 
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 19:51:19 +0200 Subject: [PATCH 11/23] add ruby --- .github/workflows/release.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index edc6007d..8d757d18 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -195,10 +195,14 @@ jobs: - name: Install Node dependencies run: pnpm install --frozen-lockfile - uses: dtolnay/rust-toolchain@stable + - uses: ruby/setup-ruby@v1 + with: + ruby-version: '3.4' + bundler-cache: true - name: Install Linux dependencies run: | sudo apt-get update - sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby + sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm gem install deb-s3 - name: Build packages uses: tauri-apps/tauri-action@v0 From c3c5917e641248dd544a029e4aa37f6b0fd7cd65 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 20:01:43 +0200 Subject: [PATCH 12/23] fix ruby --- .github/workflows/release.yaml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8d757d18..47c83b80 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
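Review bot: `ruby/setup-ruby@v1` is introduced by a mutable major-version tag in a release workflow whose later steps hold the AWS and code-signing secrets, so the Ruby toolchain that runs alongside them is whatever that tag resolves to on the day of the release. Pin the new action to a full commit SHA with the version kept as a trailing comment, `uses: ruby/setup-ruby@<full-commit-sha> # v1`, which is the only form that cannot be retargeted upstream. The other third-party actions in this file have the same exposure, but this hunk is the one adding a new dependency.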
@@ -195,14 +195,11 @@ jobs: - name: Install Node dependencies run: pnpm install --frozen-lockfile - uses: dtolnay/rust-toolchain@stable - - uses: ruby/setup-ruby@v1 - with: - ruby-version: '3.4' - bundler-cache: true - name: Install Linux dependencies run: | sudo apt-get update - sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm + sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby + export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" gem install deb-s3 - name: Build packages uses: tauri-apps/tauri-action@v0 From b693454c930544f4b6ea7779659a860d69cdff33 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 20:19:12 +0200 Subject: [PATCH 13/23] fix ruby 2 --- .github/workflows/release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 47c83b80..bb86c2a2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -227,6 +227,7 @@ jobs: asset_content_type: application/octet-stream - name: Upload DEB to apt repository on s3 run: | + export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb From 5d0f43586ec2eeff0efb5246735214248523839d Mon Sep 17 00:00:00 2001 
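Review bot: The `export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"` added to the install step only affects that step's shell, which is why the identical line has to be repeated in the upload step in the next hunk (`@@ -227,6 +227,7 @@`); write it once to the job-wide path instead, `echo "/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin" >> "$GITHUB_PATH"`. The literal also bakes in the runner's home directory and the 3.3.0 ABI of the distro ruby package, so it breaks silently when either changes; deriving it with `ruby -e 'puts Gem.user_dir'` would track the installed interpreter. `gem install deb-s3` pulls the newest release from rubygems.org at release time and that tool then receives the S3 credentials, so pin it, `gem install deb-s3 -v '<pinned-version>'`.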
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 20:39:45 +0200 Subject: [PATCH 14/23] sign apt repository workflow --- .github/workflows/release.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bb86c2a2..acdc7332 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -141,6 +141,32 @@ jobs: # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb # asset_content_type: application/octet-stream + apt-sign: + needs: + - build-linux + runs-on: + - self-hosted + - Linux + - X64 + startegy: + fail-fast: false + steps: + - name: Sign APT repository + run: | + export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY }} + export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY }} + export AWS_REGION=eu-north-1 + apt update -y + apt install -y awscli curl jq base64 + aws s3 cp s3://apt.defguard.net/dists/trixie/Release . + curl -X POST "${{ secrets.DEFGUARD_SIGNING_API_KEY }}?signature_type=both" \ + -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ + -F "file=@Release" \ + -o response.json + cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg + cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease + aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ + aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ build-linux: needs: From 385fa67d7da8aefd0f6ba76d4715a2a1fd06b15b Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 20:40:36 +0200 Subject: [PATCH 15/23] typo fix --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
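Review bot: The `Sign APT repository` step publishes whatever the signing service returns without checking that the call succeeded: `curl` runs without `--fail`, so an HTTP error body lands in `response.json`, `jq -r` then yields `null`, and `base64 --decode` decodes the four characters `null` into three bytes that are uploaded as `Release.gpg` and `InRelease`, breaking `apt update` for every client. Add `set -euo pipefail` as the first script line (the default `bash -e` shell does not set `pipefail`, so a failing `jq` in the middle of a pipeline is ignored), pass `--fail-with-body` to curl, and verify the artifacts before the two `aws s3 cp` uploads, e.g. `gpg --verify Release.gpg Release` and `gpg --verify InRelease` against the repository public key if it is available on the runner. The `export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY }}` lines interpolate secrets straight into the script body; the upload steps elsewhere in this file pass `GITHUB_TOKEN` through a step-level `env:` block, which is the consistent and safer form.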
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index acdc7332..aa1e040a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -148,7 +148,7 @@ jobs: - self-hosted - Linux - X64 - startegy: + strategy: fail-fast: false steps: - name: Sign APT repository From 08c11f54fac4e8541e487fcfd3283b87b02a43bb Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 20:52:22 +0200 Subject: [PATCH 16/23] change flag in deb-s3 --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index aa1e040a..41c4440f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -256,7 +256,7 @@ jobs: export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. - deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb # - name: Rename client binary # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} From 0d552ec65db66e30857f9d04bd7f906fb61bf5ab Mon Sep 17 00:00:00 2001 
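Review bot: Switching deb-s3 to `--no-fail-if-exists` removes the only guard against republishing a `.deb` whose version already exists in the repository, so a re-run of the matrix or a rebuilt tag silently replaces bytes that users may already have installed and audited, and the repository metadata is regenerated to match, leaving no trace of the substitution. If the motivation is making re-runs idempotent, skip the upload when the object is already present (for example an `aws s3 ls` on the expected key before calling deb-s3) rather than disabling the check for every upload. The enclosing `Upload DEB to apt repository on s3` step starts outside the hunk.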
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 21:12:33 +0200 Subject: [PATCH 17/23] test apt signing --- .github/workflows/release.yaml | 372 ++++++++++++++++----------------- 1 file changed, 186 insertions(+), 186 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 41c4440f..688e220a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -40,18 +40,18 @@ jobs: # name: wireguard-go-x86_64-apple-darwin # path: wireguard-go - create-release: - name: create-release - runs-on: self-hosted - outputs: - upload_url: ${{ steps.release.outputs.upload_url }} - steps: - - name: Create GitHub release - id: release - uses: softprops/action-gh-release@v2 - with: - draft: true - generate_release_notes: true + # create-release: + # name: create-release + # runs-on: self-hosted + # outputs: + # upload_url: ${{ steps.release.outputs.upload_url }} + # steps: + # - name: Create GitHub release + # id: release + # uses: softprops/action-gh-release@v2 + # with: + # draft: true + # generate_release_notes: true # create-sbom: # needs: [create-release] @@ -142,8 +142,8 @@ jobs: # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb # asset_content_type: application/octet-stream apt-sign: - needs: - - build-linux + # needs: + # - build-linux runs-on: - self-hosted - Linux @@ -156,8 +156,8 @@ jobs: export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY }} export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY }} export AWS_REGION=eu-north-1 - apt update -y - apt install -y awscli curl jq base64 + sudo apt update -y + sudo apt install -y awscli curl jq base64 aws s3 cp s3://apt.defguard.net/dists/trixie/Release . curl -X POST "${{ secrets.DEFGUARD_SIGNING_API_KEY }}?signature_type=both" \ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ 
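Review bot: Commenting out `needs: build-linux` on `apt-sign` (second hunk, `@@ -142,8 +142,8 @@`) removes the only ordering between the deb-s3 uploads and the signing job, so `apt-sign` can download and sign a `Release` that a still-running matrix job then rewrites, leaving a `Release.gpg`/`InRelease` that does not match the published `Release` and a repository apt clients reject. Together with the commented-out `create-release` job in the first hunk this reads as a temporary test toggle; if it is meant to land, disable the jobs with an `if:` condition or a `workflow_dispatch` input rather than by commenting, so the dependency edge cannot be lost on merge. In the third hunk the `sudo apt update -y`/`sudo apt install -y` lines use `apt`, which warns that it has no stable CLI for scripts; the rest of this file uses `apt-get`.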
@@ -168,179 +168,179 @@ jobs: aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ - build-linux: - needs: - - create-release - runs-on: - - self-hosted - - Linux - - ${{ matrix.architecture }} - strategy: - fail-fast: false - matrix: - architecture: [ARM64, X64] - include: - - architecture: ARM64 - deb_arch: arm64 - binary_arch: aarch64 - - architecture: X64 - deb_arch: amd64 - binary_arch: x86_64 - steps: - - uses: actions/checkout@v5 - with: - submodules: "recursive" - # - name: Write release version - # run: | - # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=1.5.2" >> ${GITHUB_ENV} - - uses: actions/setup-node@v5 - with: - node-version: "24" - - uses: pnpm/action-setup@v4 - with: - version: 10.17 - run_install: false - - name: Get pnpm store directory - shell: bash - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install Node dependencies - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install Linux dependencies - run: | - sudo apt-get update - sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby - export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" - gem install deb-s3 - - name: Build packages - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - args: "--bundles deb" #,rpm" - # - name: Upload RPM - # 
uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - # asset_content_type: application/octet-stream - - name: Upload DEB - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_content_type: application/octet-stream - - name: Upload DEB to apt repository on s3 - run: | - export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" - COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. 
+ # build-linux: + # needs: + # - create-release + # runs-on: + # - self-hosted + # - Linux + # - ${{ matrix.architecture }} + # strategy: + # fail-fast: false + # matrix: + # architecture: [ARM64, X64] + # include: + # - architecture: ARM64 + # deb_arch: arm64 + # binary_arch: aarch64 + # - architecture: X64 + # deb_arch: amd64 + # binary_arch: x86_64 + # steps: + # - uses: actions/checkout@v5 + # with: + # submodules: "recursive" + # # - name: Write release version + # # run: | + # # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # # echo Version: $VERSION + # # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=1.5.2" >> ${GITHUB_ENV} + # - uses: actions/setup-node@v5 + # with: + # node-version: "24" + # - uses: pnpm/action-setup@v4 + # with: + # version: 10.17 + # run_install: false + # - name: Get pnpm store directory + # shell: bash + # run: | + # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # - uses: actions/cache@v4 + # name: Setup pnpm cache + # with: + # path: ${{ env.STORE_PATH }} + # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + # restore-keys: | + # ${{ runner.os }}-pnpm-build-store- + # - name: Install Node dependencies + # run: pnpm install --frozen-lockfile + # - uses: dtolnay/rust-toolchain@stable + # - name: Install Linux dependencies + # run: | + # sudo apt-get update + # sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby + # export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" + # gem install deb-s3 + # - name: Build packages + # uses: tauri-apps/tauri-action@v0 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # args: "--bundles deb" #,rpm" + # # - name: Upload RPM + # # uses: 
actions/upload-release-asset@v1 + # # env: + # # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # # with: + # # upload_url: ${{ needs.create-release.outputs.upload_url }} + # # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + # # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + # # asset_content_type: application/octet-stream + # - name: Upload DEB + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # asset_content_type: application/octet-stream + # - name: Upload DEB to apt repository on s3 + # run: | + # export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" + # COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. 
- deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - # - name: Rename client binary - # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # - name: Tar client binary - # uses: a7ul/tar-action@v1.2.0 - # with: - # command: c - # files: | - # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # - name: Upload client archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_content_type: application/octet-stream - # - name: Rename daemon binary - # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # - name: Tar daemon binary - # uses: a7ul/tar-action@v1.2.0 - # with: - # command: c - # files: | - # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # - name: Upload daemon archive - # uses: 
actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_content_type: application/octet-stream + # # - name: Rename client binary + # # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # # - name: Tar client binary + # # uses: a7ul/tar-action@v1.2.0 + # # with: + # # command: c + # # files: | + # # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # - name: Upload client archive + # # uses: actions/upload-release-asset@v1 + # # env: + # # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # # with: + # # upload_url: ${{ needs.create-release.outputs.upload_url }} + # # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # asset_content_type: application/octet-stream + # # - name: Rename daemon binary + # # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # # - name: Tar daemon binary + # # uses: a7ul/tar-action@v1.2.0 + # # with: + # # command: c + # # files: | + # # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # - name: Upload daemon archive + # # uses: actions/upload-release-asset@v1 + # # env: + # # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # # with: + # # upload_url: ${{ needs.create-release.outputs.upload_url }} + # # asset_path: 
defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # asset_content_type: application/octet-stream - # - name: Rename dg binary - # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # - name: Tar dg binary - # uses: a7ul/tar-action@v1.2.0 - # with: - # command: c - # files: | - # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # - name: Upload dg archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_content_type: application/octet-stream - # - name: Build dg deb - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" - # - name: Upload DEB - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - # asset_content_type: application/octet-stream - # - name: Build dg rpm - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg 
dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm" - # - name: Upload RPM - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - # asset_content_type: application/octet-stream + # # - name: Rename dg binary + # # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # # - name: Tar dg binary + # # uses: a7ul/tar-action@v1.2.0 + # # with: + # # command: c + # # files: | + # # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # - name: Upload dg archive + # # uses: actions/upload-release-asset@v1 + # # env: + # # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # # with: + # # upload_url: ${{ needs.create-release.outputs.upload_url }} + # # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # # asset_content_type: application/octet-stream + # # - name: Build dg deb + # # uses: defGuard/fpm-action@main + # # with: + # # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + # # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" + # # - name: Upload DEB + # # uses: actions/upload-release-asset@v1.0.2 + # 
# env: + # # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # # with: + # # upload_url: ${{ needs.create-release.outputs.upload_url }} + # # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + # # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + # # asset_content_type: application/octet-stream + # # - name: Build dg rpm + # # uses: defGuard/fpm-action@main + # # with: + # # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + # # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm" + # # - name: Upload RPM + # # uses: actions/upload-release-asset@v1.0.2 + # # env: + # # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # # with: + # # upload_url: ${{ needs.create-release.outputs.upload_url }} + # # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + # # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + # # asset_content_type: application/octet-stream # build-macos: # needs: From 53dbf8ce7801e15990cabfeffb6e50e2e187a472 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 21:13:10 +0200 Subject: [PATCH 18/23] test apt signing 2 --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 688e220a..dbecd829 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
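Review bot: This hunk turns the whole `build-linux` job into roughly 180 lines of comment, with already-commented steps now at a second `# #` level, which is the same disable-by-comment approach as the other hunks of this commit and leaves the workflow unparseable for the linter; a job-level `if: ${{ false }}` (or a `workflow_dispatch` input) disables the job while keeping it validated and diffable. While the block is visible here: its `Write release version` step computes `$VERSION` from the tag and then writes `echo "VERSION=1.5.2" >> ${GITHUB_ENV}`, pinning the release version regardless of the tag; that hard-coding predates this commit but will resurface unchanged when the job is uncommented.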
@@ -157,7 +157,7 @@ jobs: export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY }} export AWS_REGION=eu-north-1 sudo apt update -y - sudo apt install -y awscli curl jq base64 + sudo apt install -y awscli curl jq aws s3 cp s3://apt.defguard.net/dists/trixie/Release . curl -X POST "${{ secrets.DEFGUARD_SIGNING_API_KEY }}?signature_type=both" \ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ From b010bff4f10822b96d3b1368f9cbe0ca9c67ec62 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 21:27:56 +0200 Subject: [PATCH 19/23] fix apt signing --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index dbecd829..61a20cf7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -159,7 +159,7 @@ jobs: sudo apt update -y sudo apt install -y awscli curl jq aws s3 cp s3://apt.defguard.net/dists/trixie/Release . - curl -X POST "${{ secrets.DEFGUARD_SIGNING_API_KEY }}?signature_type=both" \ + curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ -F "file=@Release" \ -o response.json From 243afa2fc7f99dcc4c942ab1c99c50d9f6f3227d Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 21:31:56 +0200 Subject: [PATCH 20/23] change acl on files --- .github/workflows/release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 61a20cf7..9336eaeb 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
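Review bot: In the `@@ -159,7 +159,7 @@` hunk the signing endpoint is now read from `DEFGUARD_SIGNING_URL`, and nothing constrains its scheme, so if that secret is ever set to a plain `http://` URL the bearer token on the next line is sent in cleartext; add `--proto '=https'` to the curl invocation so a non-TLS URL fails instead of downgrading. Because the URL is a secret it is masked in the logs, which makes a misconfigured value hard to diagnose; adding `--fail-with-body` makes an error response stop the step rather than being decoded and uploaded as a signature. The enclosing `Sign APT repository` script continues outside the hunk.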
@@ -165,8 +165,8 @@ jobs: -o response.json cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease - aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ - aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ + aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read + aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read # build-linux: # needs: From e42608b424da93a9d0bf93ace6240b8d9ffecec9 Mon Sep 17 00:00:00 2001 From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com> Date: Tue, 14 Oct 2025 21:40:17 +0200 Subject: [PATCH 21/23] add ubuntu 22.04 deb --- .github/workflows/release.yaml | 179 +++++++++++++++++---------------- 1 file changed, 94 insertions(+), 85 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9336eaeb..8d71b673 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
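Review bot: Adding `--acl public-read` to the two uploads means a malformed or mismatched signature is served to every client the moment `aws s3 cp` returns, so the files should be checked locally first: `gpg --verify Release.gpg Release` and `gpg --verify InRelease` against the repository key, placed before these two lines, make a failed signing call non-publishable. Per-object ACLs also depend on the bucket having ACLs enabled; under the bucket-owner-enforced ownership setting the copy fails outright, and a bucket policy granting read on the `dists/` prefix is the more durable way to expose the repository. The enclosing script starts outside the hunk.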
@@ -58,92 +58,101 @@ jobs: # uses: ./.github/workflows/sbom.yml # with: # upload_url: ${{ needs.create-release.outputs.upload_url }} - # ubuntu-22-04-build: - # needs: - # - create-release - # runs-on: - # - self-hosted - # - Linux - # - ${{ matrix.architecture }} - # strategy: - # fail-fast: false - # matrix: - # architecture: [ARM64, X64] - # include: - # - architecture: ARM64 - # deb_arch: arm64 - # binary_arch: aarch64 - # - architecture: X64 - # deb_arch: amd64 - # binary_arch: x86_64 - # container: - # image: ubuntu:22.04 - # env: - # DEBIAN_FRONTEND: noninteractive - # HOME: /root - # RUSTUP_HOME: /root/.rustup - # CARGO_HOME: /root/.cargo - # steps: - # - name: git install - # run: | - # apt-get update - # apt-get install -y git curl ca-certificates - # git config --global --add safe.directory '*' - # - uses: actions/checkout@v5 - # with: - # submodules: "recursive" - # - uses: pnpm/action-setup@v4 - # with: - # version: 10.17 - # run_install: false - # - uses: actions/setup-node@v5 - # with: - # node-version: "24" - # - name: Get pnpm store directory - # run: | - # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - # # - name: Write release version - # # run: | - # # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # # echo Version: $VERSION - # # echo "VERSION=$VERSION" >> ${GITHUB_ENV} - # - name: Write release version - # run: | - # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # echo Version: $VERSION - # echo "VERSION=1.5.2" >> ${GITHUB_ENV} - # - uses: actions/cache@v4 - # name: Setup pnpm cache - # with: - # path: ${{ env.STORE_PATH }} - # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - # restore-keys: | - # ${{ runner.os }}-pnpm-build-store- - # - name: Install Node dependencies - # run: pnpm install --frozen-lockfile - # - uses: dtolnay/rust-toolchain@stable - # - name: Install dependencies - # run: | - # apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev 
libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby - # gem install deb-s3 - # - name: Build packages - # uses: tauri-apps/tauri-action@v0 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # args: "--bundles deb" - # - name: Upload DEB - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb - # asset_content_type: application/octet-stream + ubuntu-22-04-build: + # needs: + # - create-release + runs-on: + - self-hosted + - Linux + - ${{ matrix.architecture }} + strategy: + fail-fast: false + matrix: + architecture: [ARM64, X64] + include: + - architecture: ARM64 + deb_arch: arm64 + binary_arch: aarch64 + - architecture: X64 + deb_arch: amd64 + binary_arch: x86_64 + container: + image: ubuntu:22.04 + env: + DEBIAN_FRONTEND: noninteractive + HOME: /root + RUSTUP_HOME: /root/.rustup + CARGO_HOME: /root/.cargo + steps: + - name: git install + run: | + apt-get update + apt-get install -y git curl ca-certificates + git config --global --add safe.directory '*' + - uses: actions/checkout@v5 + with: + submodules: "recursive" + - uses: pnpm/action-setup@v4 + with: + version: 10.17 + run_install: false + - uses: actions/setup-node@v5 + with: + node-version: "24" + - name: Get pnpm store directory + run: | + echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + - name: Write release version + run: | + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + echo Version: $VERSION + echo 
"VERSION=1.5.2" >> ${GITHUB_ENV} + - uses: actions/cache@v4 + name: Setup pnpm cache + with: + path: ${{ env.STORE_PATH }} + key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-build-store- + - name: Install Node dependencies + run: pnpm install --frozen-lockfile + - uses: dtolnay/rust-toolchain@stable + - name: Install dependencies + run: | + apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby + export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" + gem install deb-s3 + - name: Build packages + uses: tauri-apps/tauri-action@v0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + args: "--bundles deb" + - name: Upload DEB + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb + asset_content_type: application/octet-stream + - name: Upload DEB to apt repository on s3 + run: | + export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" + COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. + + deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=bookworm --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + apt-sign: - # needs: - # - build-linux + needs: + - ubuntu-22-04-build + # - build-linux runs-on: - self-hosted - Linux 
From 07359e9619a96407003e9d8c017088d1739ba678 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 14 Oct 2025 21:50:00 +0200
Subject: [PATCH 22/23] fix workflow
---
 .github/workflows/release.yaml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8d71b673..ca7ebe45 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -40,18 +40,18 @@ jobs:
 # name: wireguard-go-x86_64-apple-darwin
 # path: wireguard-go
- # create-release:
- # name: create-release
- # runs-on: self-hosted
- # outputs:
- # upload_url: ${{ steps.release.outputs.upload_url }}
- # steps:
- # - name: Create GitHub release
- # id: release
- # uses: softprops/action-gh-release@v2
- # with:
- # draft: true
- # generate_release_notes: true
+ create-release:
+ name: create-release
+ runs-on: self-hosted
+ outputs:
+ upload_url: ${{ steps.release.outputs.upload_url }}
+ steps:
+ - name: Create GitHub release
+ id: release
+ uses: softprops/action-gh-release@v2
+ with:
+ draft: true
+ generate_release_notes: true
 # create-sbom:
 # needs: [create-release]
@@ -59,8 +59,8 @@ jobs:
 # with:
 # upload_url: ${{ needs.create-release.outputs.upload_url }}
 ubuntu-22-04-build:
- # needs:
- # - create-release
+ needs:
+ - create-release
 runs-on:
 - self-hosted
 - Linux
From 8b3ebe2b1ac1f6efb5243bb8ab44ac1d1b82bd0b Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 14 Oct 2025 22:01:45 +0200
Subject: [PATCH 23/23] Add apt signing for bookworm
---
 .github/workflows/release.yaml | 231 +++++++++++++++++----------------
 1 file changed, 122 insertions(+), 109 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ca7ebe45..e3d914b6 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
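Review bot: The re-enabled `create-release` job runs `softprops/action-gh-release@v2` on a self-hosted runner with no job-level `permissions:` in view, so it relies on whatever default token scope the workflow or repository grants; creating the draft release needs `contents: write`, and declaring exactly that on the job (`permissions:` / `  contents: write`) documents the requirement and lets the rest of the workflow stay read-only. The action is also referenced by a floating major tag rather than a commit SHA, which for the job that mints release assets is worth tightening, as for the other `uses:` lines in this file. The workflow's top-level `permissions` block, if there is one, is outside the visible part of the file, so this may already be covered.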
@@ -40,118 +40,118 @@ jobs: # name: wireguard-go-x86_64-apple-darwin # path: wireguard-go - create-release: - name: create-release - runs-on: self-hosted - outputs: - upload_url: ${{ steps.release.outputs.upload_url }} - steps: - - name: Create GitHub release - id: release - uses: softprops/action-gh-release@v2 - with: - draft: true - generate_release_notes: true + # create-release: + # name: create-release + # runs-on: self-hosted + # outputs: + # upload_url: ${{ steps.release.outputs.upload_url }} + # steps: + # - name: Create GitHub release + # id: release + # uses: softprops/action-gh-release@v2 + # with: + # draft: true + # generate_release_notes: true - # create-sbom: - # needs: [create-release] - # uses: ./.github/workflows/sbom.yml - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - ubuntu-22-04-build: - needs: - - create-release - runs-on: - - self-hosted - - Linux - - ${{ matrix.architecture }} - strategy: - fail-fast: false - matrix: - architecture: [ARM64, X64] - include: - - architecture: ARM64 - deb_arch: arm64 - binary_arch: aarch64 - - architecture: X64 - deb_arch: amd64 - binary_arch: x86_64 - container: - image: ubuntu:22.04 - env: - DEBIAN_FRONTEND: noninteractive - HOME: /root - RUSTUP_HOME: /root/.rustup - CARGO_HOME: /root/.cargo - steps: - - name: git install - run: | - apt-get update - apt-get install -y git curl ca-certificates - git config --global --add safe.directory '*' - - uses: actions/checkout@v5 - with: - submodules: "recursive" - - uses: pnpm/action-setup@v4 - with: - version: 10.17 - run_install: false - - uses: actions/setup-node@v5 - with: - node-version: "24" - - name: Get pnpm store directory - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - # - name: Write release version - # run: | - # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - name: Write release version - run: | - VERSION=$(echo 
${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=1.5.2" >> ${GITHUB_ENV} - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install Node dependencies - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install dependencies - run: | - apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby - export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" - gem install deb-s3 - - name: Build packages - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - args: "--bundles deb" - - name: Upload DEB - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb - asset_content_type: application/octet-stream - - name: Upload DEB to apt repository on s3 - run: | - export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" - COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. 
+ # # create-sbom: + # # needs: [create-release] + # # uses: ./.github/workflows/sbom.yml + # # with: + # # upload_url: ${{ needs.create-release.outputs.upload_url }} + # ubuntu-22-04-build: + # needs: + # - create-release + # runs-on: + # - self-hosted + # - Linux + # - ${{ matrix.architecture }} + # strategy: + # fail-fast: false + # matrix: + # architecture: [ARM64, X64] + # include: + # - architecture: ARM64 + # deb_arch: arm64 + # binary_arch: aarch64 + # - architecture: X64 + # deb_arch: amd64 + # binary_arch: x86_64 + # container: + # image: ubuntu:22.04 + # env: + # DEBIAN_FRONTEND: noninteractive + # HOME: /root + # RUSTUP_HOME: /root/.rustup + # CARGO_HOME: /root/.cargo + # steps: + # - name: git install + # run: | + # apt-get update + # apt-get install -y git curl ca-certificates + # git config --global --add safe.directory '*' + # - uses: actions/checkout@v5 + # with: + # submodules: "recursive" + # - uses: pnpm/action-setup@v4 + # with: + # version: 10.17 + # run_install: false + # - uses: actions/setup-node@v5 + # with: + # node-version: "24" + # - name: Get pnpm store directory + # run: | + # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # # - name: Write release version + # # run: | + # # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # # echo Version: $VERSION + # # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=1.5.2" >> ${GITHUB_ENV} + # - uses: actions/cache@v4 + # name: Setup pnpm cache + # with: + # path: ${{ env.STORE_PATH }} + # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + # restore-keys: | + # ${{ runner.os }}-pnpm-build-store- + # - name: Install Node dependencies + # run: pnpm install --frozen-lockfile + # - uses: dtolnay/rust-toolchain@stable + # - name: Install dependencies + # run: | + # apt-get install -y build-essential libgtk-3-dev 
libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm ruby + # export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" + # gem install deb-s3 + # - name: Build packages + # uses: tauri-apps/tauri-action@v0 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # args: "--bundles deb" + # - name: Upload DEB + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb + # asset_content_type: application/octet-stream + # - name: Upload DEB to apt repository on s3 + # run: | + # export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH" + # COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. - deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=bookworm --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=bookworm --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb apt-sign: - needs: - - ubuntu-22-04-build + # needs: + # - ubuntu-22-04-build # - build-linux runs-on: - self-hosted 
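Review bot: With `# needs:` / `# - ubuntu-22-04-build` commented out at the end of the hunk, `apt-sign` no longer waits for anything and runs the signing and S3 publishing steps, which hold the AWS keys and the signing-API bearer token, on every trigger of this workflow regardless of whether a package was built; the trigger block (`on:`) is outside the visible part of the file, so whether that is restricted to tags or a manual dispatch cannot be confirmed here. If the goal is a one-off re-sign, gate the job with an explicit condition such as `if: github.event_name == 'workflow_dispatch'` rather than detaching it from the build, and restore `needs:` before the next tagged release. Committing the whole `create-release` and `ubuntu-22-04-build` tree as comments also leaves the release workflow unable to produce a release at all, which reads as work-in-progress state rather than an intended change; the `apt-sign` job continues past the end of the hunk.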
@@ -160,13 +160,15 @@ jobs:
 strategy:
 fail-fast: false
 steps:
- - name: Sign APT repository
+ - name: Sign APT repository on trixie
 run: |
 export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY }}
 export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY }}
 export AWS_REGION=eu-north-1
 sudo apt update -y
 sudo apt install -y awscli curl jq
+
+ #For trixie
 aws s3 cp s3://apt.defguard.net/dists/trixie/Release .
 curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
 -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
@@ -177,6 +179,17 @@ jobs:
 aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read
 aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read
+ #For bookworm
+ aws s3 cp s3://apt.defguard.net/dists/bookworm/Release .
+ curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+ -F "file=@Release" \
+ -o response.json
+ cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+ cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+ aws s3 cp Release.gpg s3://apt.defguard.net/dists/bookworm/ --acl public-read
+ aws s3 cp InRelease s3://apt.defguard.net/dists/bookworm/ --acl public-read
+
 # build-linux:
 # needs:
 # - create-release