From 0157556f2253d279589491379c3df11577023111 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 10:42:28 +0200
Subject: [PATCH 01/12] APT signing test
---
.github/workflows/release.yaml | 796 ++++++++++++++++++---------------
1 file changed, 424 insertions(+), 372 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 99978f0f..7a1602dc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,8 +1,10 @@
name: "Build app and create release"
on:
push:
- tags:
- - v*.*.*
+ branches:
+ - apt_repository
+ # tags:
+ # - v*.*.*
jobs:
create-release:
@@ -18,11 +20,11 @@ jobs:
draft: true
generate_release_notes: true
- create-sbom:
- needs: [create-release]
- uses: ./.github/workflows/sbom.yml
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # create-sbom:
+ # needs: [create-release]
+ # uses: ./.github/workflows/sbom.yml
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
build-linux:
needs:
@@ -48,11 +50,16 @@ jobs:
- uses: actions/checkout@v5
with:
submodules: "recursive"
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ echo "VERSION=1.5.2" >> ${GITHUB_ENV}
- uses: actions/setup-node@v5
with:
node-version: "24"
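Review bot: `echo "VERSION=1.5.2" >> ${GITHUB_ENV}` pins the version while the two lines above still derive `$VERSION` from `GITHUB_REF_NAME` and log it, so the value printed as `Version:` and the one baked into the .deb file name and the later deb-s3 upload can disagree. If this is a stand-in for the branch-triggered test run (a branch name has no `v` prefix to strip), say so in a comment, e.g. `# TEST ONLY: fixed version for branch-triggered runs; restore "VERSION=$VERSION" before tagging`, or better, keep `echo "VERSION=$VERSION" >> ${GITHUB_ENV}` and fail fast when `GITHUB_REF_NAME` does not start with `v`. The commented-out copy of the same step directly above is dead text and can be dropped. The build-linux job continues outside the hunk.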
@@ -83,7 +90,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
- args: "--bundles deb,rpm"
+ args: "--bundles deb" #,rpm"
- name: Calculate DEB SHA256
id: calculate-sha256
if: matrix.deb_arch == 'amd64'
@@ -93,15 +100,15 @@ jobs:
echo "DEB SHA256: $DEB_SHA256"
echo "DEB_SHA256=$DEB_SHA256" >> ${GITHUB_ENV}
echo "deb_sha256_${{ matrix.deb_arch }}=$DEB_SHA256" >> ${GITHUB_OUTPUT}
- - name: Upload RPM
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- asset_content_type: application/octet-stream
+ # - name: Upload RPM
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ # asset_content_type: application/octet-stream
- name: Upload DEB
uses: actions/upload-release-asset@v1
env:
@@ -111,369 +118,414 @@ jobs:
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_content_type: application/octet-stream
- - name: Rename client binary
- run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- - name: Tar client binary
- uses: a7ul/tar-action@v1.2.0
- with:
- command: c
- files: |
- defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- - name: Upload client archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_content_type: application/octet-stream
- - name: Rename daemon binary
- run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- - name: Tar daemon binary
- uses: a7ul/tar-action@v1.2.0
- with:
- command: c
- files: |
- defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- - name: Upload daemon archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_content_type: application/octet-stream
+ - name: Upload DEB to APT repository
+ run: |
+ export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"
+ COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
- - name: Rename dg binary
- run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- - name: Tar dg binary
- uses: a7ul/tar-action@v1.2.0
- with:
- command: c
- files: |
- dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- - name: Upload dg archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_content_type: application/octet-stream
- - name: Build dg deb
- uses: defGuard/fpm-action@main
- with:
- fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
- - name: Upload DEB
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- asset_content_type: application/octet-stream
- - name: Build dg rpm
- uses: defGuard/fpm-action@main
- with:
- fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
- - name: Upload RPM
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- asset_content_type: application/octet-stream
+ deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+ # - name: Rename client binary
+ # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # - name: Tar client binary
+ # uses: a7ul/tar-action@v1.2.0
+ # with:
+ # command: c
+ # files: |
+ # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # - name: Upload client archive
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_content_type: application/octet-stream
+ # - name: Rename daemon binary
+ # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # - name: Tar daemon binary
+ # uses: a7ul/tar-action@v1.2.0
+ # with:
+ # command: c
+ # files: |
+ # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # - name: Upload daemon archive
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_content_type: application/octet-stream
- update-aur:
- needs:
- - create-release
- - build-linux
- if: "!contains(github.ref_name, '-')"
- runs-on:
- - self-hosted
- - Linux
- - ${{ matrix.architecture }}
- container: archlinux:latest
- strategy:
- fail-fast: false
- matrix:
- architecture: [X64]
- include:
- - architecture: X64
- deb_arch: amd64
- binary_arch: x86_64
- steps:
- - name: Install dependencies
- run: |
- pacman -Syu --noconfirm
- pacman -S --noconfirm git openssh base-devel
- - name: Create non-root user
- run: |
- useradd -m -G wheel -s /bin/bash builduser
- echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
- - name: Setup SSH
- uses: webfactory/ssh-agent@v0.9.0
- with:
- ssh-private-key: ${{ secrets.AUR_SSH_KEY }}
- - name: Checkout AUR repository
- run: |
- mkdir -p ~/.ssh
- ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
- export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new"
- rm -rf aur-repo
- git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo
- chown -R builduser:builduser aur-repo
- - name: Update PKGBUILD version
- run: |
- cd aur-repo
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # - name: Rename dg binary
+ # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # - name: Tar dg binary
+ # uses: a7ul/tar-action@v1.2.0
+ # with:
+ # command: c
+ # files: |
+ # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # - name: Upload dg archive
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_content_type: application/octet-stream
+ # - name: Build dg deb
+ # uses: defGuard/fpm-action@main
+ # with:
+ # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
+ # - name: Upload DEB
+ # uses: actions/upload-release-asset@v1.0.2
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ # asset_content_type: application/octet-stream
+ # - name: Build dg rpm
+ # uses: defGuard/fpm-action@main
+ # with:
+ # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
+ # - name: Upload RPM
+ # uses: actions/upload-release-asset@v1.0.2
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ # asset_content_type: application/octet-stream
+
+ # update-aur:
+ # needs:
+ # - create-release
+ # - build-linux
+ # if: "!contains(github.ref_name, '-')"
+ # runs-on:
+ # - self-hosted
+ # - Linux
+ # - ${{ matrix.architecture }}
+ # container: archlinux:latest
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # architecture: [X64]
+ # include:
+ # - architecture: X64
+ # deb_arch: amd64
+ # binary_arch: x86_64
+ # steps:
+ # - name: Install dependencies
+ # run: |
+ # pacman -Syu --noconfirm
+ # pacman -S --noconfirm git openssh base-devel
+ # - name: Create non-root user
+ # run: |
+ # useradd -m -G wheel -s /bin/bash builduser
+ # echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
+ # - name: Setup SSH
+ # uses: webfactory/ssh-agent@v0.9.0
+ # with:
+ # ssh-private-key: ${{ secrets.AUR_SSH_KEY }}
+ # - name: Checkout AUR repository
+ # run: |
+ # mkdir -p ~/.ssh
+ # ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts
+ # chmod 644 ~/.ssh/known_hosts
+ # export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new"
+ # rm -rf aur-repo
+ # git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo
+ # chown -R builduser:builduser aur-repo
+ # - name: Update PKGBUILD version
+ # run: |
+ # cd aur-repo
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo "Updating to version: $VERSION"
- sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD
+ # echo "Updating to version: $VERSION"
+ # sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD
- AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}"
+ # AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}"
- echo "AMD64 DEB SHA256: $AMD64_SHA"
- sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD
- - name: Update .SRCINFO
- run: |
- cd aur-repo
- sudo -u builduser makepkg --printsrcinfo > .SRCINFO
- - name: Commit and push changes
- run: |
- cd aur-repo
- chown -R builduser:builduser .
- sudo -u builduser git config user.name "Defguard Build System"
- sudo -u builduser git config user.email "community@defguard.net"
- sudo -u builduser git add PKGBUILD .SRCINFO
- sudo -u builduser git commit -m "Updated to $VERSION"
- sudo -u builduser git push
- cat PKGBUILD
- cat .SRCINFO
- build-macos:
- needs:
- - create-release
- strategy:
- fail-fast: false
- matrix:
- target: [aarch64-apple-darwin, x86_64-apple-darwin]
- runs-on:
- - self-hosted
- - macOS
- env:
- APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
- APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
- APPLE_ID: "kamil@defguard.net"
- APPLE_TEAM_ID: "82GZ7KN29J"
- steps:
- - uses: actions/checkout@v5
- with:
- submodules: "recursive"
- - name: Write release version
- run: |
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- - uses: actions/setup-node@v4
- with:
- node-version: "22"
- - uses: pnpm/action-setup@v4
- with:
- version: 10
- run_install: false
- - name: Get pnpm store directory
- shell: bash
- run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- - uses: actions/cache@v4
- name: Setup pnpm cache
- with:
- path: ${{ env.STORE_PATH }}
- key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- restore-keys: |
- ${{ runner.os }}-pnpm-build-store-
- - name: Install deps
- run: pnpm install --frozen-lockfile
- - uses: dtolnay/rust-toolchain@stable
- - name: Install protobuf compiler
- run: brew install protobuf
- - name: Install ARM target
- run: rustup target add aarch64-apple-darwin
- - name: Unlock keychain
- run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
- - name: Build app
- uses: tauri-apps/tauri-action@v0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
- APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
- APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
- APPLE_ID: ${{ env.APPLE_ID }}
- APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
- APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
- with:
- args: --target ${{ matrix.target }} -v
- - name: Build installation package
- run: |
- bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
- xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- - name: Upload installation package
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
- asset_content_type: application/octet-stream
+ # echo "AMD64 DEB SHA256: $AMD64_SHA"
+ # sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD
+ # - name: Update .SRCINFO
+ # run: |
+ # cd aur-repo
+ # sudo -u builduser makepkg --printsrcinfo > .SRCINFO
+ # - name: Commit and push changes
+ # run: |
+ # cd aur-repo
+ # chown -R builduser:builduser .
+ # sudo -u builduser git config user.name "Defguard Build System"
+ # sudo -u builduser git config user.email "community@defguard.net"
+ # sudo -u builduser git add PKGBUILD .SRCINFO
+ # sudo -u builduser git commit -m "Updated to $VERSION"
+ # sudo -u builduser git push
+ # cat PKGBUILD
+ # cat .SRCINFO
+ # build-macos:
+ # needs:
+ # - create-release
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # target: [aarch64-apple-darwin, x86_64-apple-darwin]
+ # runs-on:
+ # - self-hosted
+ # - macOS
+ # env:
+ # APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
+ # APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
+ # APPLE_ID: "kamil@defguard.net"
+ # APPLE_TEAM_ID: "82GZ7KN29J"
+ # steps:
+ # - uses: actions/checkout@v5
+ # with:
+ # submodules: "recursive"
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ # - uses: actions/setup-node@v4
+ # with:
+ # node-version: "22"
+ # - uses: pnpm/action-setup@v4
+ # with:
+ # version: 10
+ # run_install: false
+ # - name: Get pnpm store directory
+ # shell: bash
+ # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ # - uses: actions/cache@v4
+ # name: Setup pnpm cache
+ # with:
+ # path: ${{ env.STORE_PATH }}
+ # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ # restore-keys: |
+ # ${{ runner.os }}-pnpm-build-store-
+ # - name: Install deps
+ # run: pnpm install --frozen-lockfile
+ # - uses: dtolnay/rust-toolchain@stable
+ # - name: Install protobuf compiler
+ # run: brew install protobuf
+ # - name: Install ARM target
+ # run: rustup target add aarch64-apple-darwin
+ # - name: Unlock keychain
+ # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
+ # - name: Build app
+ # uses: tauri-apps/tauri-action@v0
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
+ # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+ # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+ # APPLE_ID: ${{ env.APPLE_ID }}
+ # APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
+ # APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
+ # with:
+ # args: --target ${{ matrix.target }} -v
+ # - name: Build installation package
+ # run: |
+ # bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
+ # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ # xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ # - name: Upload installation package
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ # asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
+ # asset_content_type: application/octet-stream
- # Building signed Windows bundle involves a few steps as described here:
- # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
- # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
- # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
- # 3. Sign the burn engine (Linux)
- # 4. Reattach the burn engine back to the bundle (Windows again)
- # 5. Sign the whole bundle (Linux)
- build-windows:
- needs:
- - create-release
- runs-on: windows-latest
- steps:
- - uses: actions/checkout@v5
- with:
- submodules: "recursive"
- - name: Write release version
- run: |
- $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
- echo Version: $env:VERSION
- echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
- - uses: actions/setup-node@v4
- with:
- node-version: "22"
- - uses: pnpm/action-setup@v4
- with:
- version: 10
- run_install: false
- - name: Get pnpm store directory
- shell: bash
- run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- - uses: actions/cache@v4
- name: Setup pnpm cache
- with:
- path: ${{ env.STORE_PATH }}
- key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- restore-keys: |
- ${{ runner.os }}-pnpm-build-store-
- - name: Install deps
- run: pnpm install --frozen-lockfile
- - uses: dtolnay/rust-toolchain@stable
- - name: Install Protoc
- uses: arduino/setup-protoc@v2
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- - name: Remove "default-run" line from Cargo.toml
- run: |
- Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
- - name: Build packages
- uses: tauri-apps/tauri-action@v0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Bundle application
- run: |
- dotnet tool install --global wix --version 4.0.5
- wix extension add WixToolset.Bal.wixext/4
- wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
- wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
- - name: Upload unsigned bundle and burn-engine
- uses: actions/upload-artifact@v4
- with:
- name: unsigned-bundle-and-burnengine
- path: |
- src-tauri/resources-windows/defguard-client.exe
- src-tauri/resources-windows/burnengine.exe
- sign-burn-engine:
- needs:
- - build-windows
- runs-on:
- - self-hosted
- - Linux
- - X64
- steps:
- - name: Write release version
- run: |
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- - name: Download unsigned bundle & burn-engine
- uses: actions/download-artifact@v4
- with:
- name: unsigned-bundle-and-burnengine
- - name: Sign burn-engine
- run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
- - name: Upload bundle and burn-engine artifact
- uses: actions/upload-artifact@v4
- with:
- name: unsigned-bundle-and-signed-burnengine
- path: |
- defguard-client.exe
- burnengine-signed.exe
- reattach-burn-engine:
- needs:
- - sign-burn-engine
- runs-on: windows-latest
- steps:
- - name: Download unsigned bundle and signed burn-engine
- uses: actions/download-artifact@v4
- with:
- name: unsigned-bundle-and-signed-burnengine
- - name: Reattach burn-engine
- run: |
- dotnet tool install --global wix --version 4.0.5
- wix extension add WixToolset.Bal.wixext/4
- wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
- - name: Upload bundle with reattached burn-engine
- uses: actions/upload-artifact@v4
- with:
- name: unsigned-bundle-with-reattached-signed-burn-engine
- path: defguard-client-reattached.exe
- sign-bundle:
- needs:
- - create-release
- - reattach-burn-engine
+ # # Building signed Windows bundle involves a few steps as described here:
+ # # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
+ # # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
+ # # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
+ # # 3. Sign the burn engine (Linux)
+ # # 4. Reattach the burn engine back to the bundle (Windows again)
+ # # 5. Sign the whole bundle (Linux)
+ # build-windows:
+ # needs:
+ # - create-release
+ # runs-on: windows-latest
+ # steps:
+ # - uses: actions/checkout@v5
+ # with:
+ # submodules: "recursive"
+ # - name: Write release version
+ # run: |
+ # $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
+ # echo Version: $env:VERSION
+ # echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
+ # - uses: actions/setup-node@v4
+ # with:
+ # node-version: "22"
+ # - uses: pnpm/action-setup@v4
+ # with:
+ # version: 10
+ # run_install: false
+ # - name: Get pnpm store directory
+ # shell: bash
+ # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ # - uses: actions/cache@v4
+ # name: Setup pnpm cache
+ # with:
+ # path: ${{ env.STORE_PATH }}
+ # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ # restore-keys: |
+ # ${{ runner.os }}-pnpm-build-store-
+ # - name: Install deps
+ # run: pnpm install --frozen-lockfile
+ # - uses: dtolnay/rust-toolchain@stable
+ # - name: Install Protoc
+ # uses: arduino/setup-protoc@v2
+ # with:
+ # repo-token: ${{ secrets.GITHUB_TOKEN }}
+ # - name: Remove "default-run" line from Cargo.toml
+ # run: |
+ # Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
+ # - name: Build packages
+ # uses: tauri-apps/tauri-action@v0
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # - name: Bundle application
+ # run: |
+ # dotnet tool install --global wix --version 4.0.5
+ # wix extension add WixToolset.Bal.wixext/4
+ # wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
+ # wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
+ # - name: Upload unsigned bundle and burn-engine
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-burnengine
+ # path: |
+ # src-tauri/resources-windows/defguard-client.exe
+ # src-tauri/resources-windows/burnengine.exe
+ # sign-burn-engine:
+ # needs:
+ # - build-windows
+ # runs-on:
+ # - self-hosted
+ # - Linux
+ # - X64
+ # steps:
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ # - name: Download unsigned bundle & burn-engine
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-burnengine
+ # - name: Sign burn-engine
+ # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
+ # - name: Upload bundle and burn-engine artifact
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-signed-burnengine
+ # path: |
+ # defguard-client.exe
+ # burnengine-signed.exe
+ # reattach-burn-engine:
+ # needs:
+ # - sign-burn-engine
+ # runs-on: windows-latest
+ # steps:
+ # - name: Download unsigned bundle and signed burn-engine
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-signed-burnengine
+ # - name: Reattach burn-engine
+ # run: |
+ # dotnet tool install --global wix --version 4.0.5
+ # wix extension add WixToolset.Bal.wixext/4
+ # wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
+ # - name: Upload bundle with reattached burn-engine
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: unsigned-bundle-with-reattached-signed-burn-engine
+ # path: defguard-client-reattached.exe
+ # sign-bundle:
+ # needs:
+ # - create-release
+ # - reattach-burn-engine
+ # runs-on:
+ # - self-hosted
+ # - Linux
+ # - X64
+ # steps:
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ # - name: Download unsigned bundle & signed burn-engine
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: unsigned-bundle-with-reattached-signed-burn-engine
+ # - name: Sign bundle
+ # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
+ # - name: Upload installer asset
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-client-signed.exe
+ # asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
+ # asset_content_type: application/octet-stream
+ apt-sign:
+ needs:
+ - build-linux
runs-on:
- self-hosted
- Linux
- X64
+ strategy:
+ fail-fast: false
steps:
- - name: Write release version
+ - name: Sign APT repository on trixie
run: |
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- - name: Download unsigned bundle & signed burn-engine
- uses: actions/download-artifact@v4
- with:
- name: unsigned-bundle-with-reattached-signed-burn-engine
- - name: Sign bundle
- run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
- - name: Upload installer asset
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: defguard-client-signed.exe
- asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
- asset_content_type: application/octet-stream
+ export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY }}
+ export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY }}
+ export AWS_REGION=eu-north-1
+ sudo apt update -y
+ sudo apt install -y awscli curl jq
+
+ #For trixie
+ aws s3 cp s3://apt.defguard.net/dists/trixie/Release .
+ curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+ -F "file=@Release" \
+ -o response.json
+ cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+ cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+ aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read
+ aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read
+
+ #For bookworm
+ aws s3 cp s3://apt.defguard.net/dists/bookworm/Release .
+ curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+ -F "file=@Release" \
+ -o response.json
+ cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+ cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+ aws s3 cp Release.gpg s3://apt.defguard.net/dists/bookworm/ --acl public-read
+ aws s3 cp InRelease s3://apt.defguard.net/dists/bookworm/ --acl public-read
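Review bot: The apt-sign step publishes whatever the signing service returned without validating it: the two `curl -X POST` calls (trixie and bookworm blocks) lack `--fail`, so an HTTP error body still lands in response.json, `jq -r` then prints `null`, `base64 --decode` writes a few garbage bytes into Release.gpg/InRelease, and the following `aws s3 cp … --acl public-read` lines push those over the live repository metadata, breaking `apt update` for every client until repaired. Adding `set -euo pipefail`, `curl --fail` and `jq -e` makes each of those failures stop the job before anything is uploaded. Relatedly, the AWS credentials are passed as `deb-s3 --access-key-id/--secret-access-key` flags in the build-linux upload step and `export`ed inline here; moving them to the step's `env:` keeps them off the process command line on the self-hosted runner (deb-s3 is built on aws-sdk, which should honour AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY — confirm). The trixie and bookworm blocks differ only in the codename and read better as a loop.
```yaml
      - name: Sign APT repository
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}
          AWS_REGION: eu-north-1
          SIGNING_URL: ${{ secrets.DEFGUARD_SIGNING_URL }}
          SIGNING_API_KEY: ${{ secrets.DEFGUARD_SIGNING_API_KEY }}
        run: |
          set -euo pipefail
          # … unchanged: apt install of awscli curl jq …
          for CODENAME in trixie bookworm; do
            aws s3 cp "s3://apt.defguard.net/dists/${CODENAME}/Release" Release
            # --fail turns an HTTP error into a step failure instead of a bogus response.json
            curl --fail -sS -X POST "${SIGNING_URL}?signature_type=both" \
              -H "Authorization: Bearer ${SIGNING_API_KEY}" \
              -F "file=@Release" \
              -o response.json
            # jq -e exits non-zero when a field is missing or null, so nothing empty gets published
            jq -er '.files["Release.gpg"].content' response.json | base64 --decode > Release.gpg
            jq -er '.files.Release.content' response.json | base64 --decode > InRelease
            aws s3 cp Release.gpg "s3://apt.defguard.net/dists/${CODENAME}/" --acl public-read
            aws s3 cp InRelease "s3://apt.defguard.net/dists/${CODENAME}/" --acl public-read
          done
```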
From bc36894d45b911508a52a2522718d15061480ca4 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 10:45:30 +0200
Subject: [PATCH 02/12] typo fix
---
.github/workflows/release.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7a1602dc..b9e333aa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,7 +2,7 @@ name: "Build app and create release"
on:
push:
branches:
- - apt_repository
+ - apt_repostiory
# tags:
# - v*.*.*
@@ -118,7 +118,7 @@ jobs:
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_content_type: application/octet-stream
- - name: Upload DEB to APT repository
+ - name: Upload DEB to APT repository on S3
run: |
export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
From 3de9c6f9248db0a719f399b02be98ace0b58017a Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 11:01:58 +0200
Subject: [PATCH 03/12] ready to release
---
.github/workflows/release.yaml | 765 ++++++++++++++++-----------------
1 file changed, 379 insertions(+), 386 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b9e333aa..7f25d0a8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,10 +1,8 @@
name: "Build app and create release"
on:
push:
- branches:
- - apt_repostiory
- # tags:
- # - v*.*.*
+ tags:
+ - v*.*.*
jobs:
create-release:
@@ -20,11 +18,11 @@ jobs:
draft: true
generate_release_notes: true
- # create-sbom:
- # needs: [create-release]
- # uses: ./.github/workflows/sbom.yml
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ create-sbom:
+ needs: [create-release]
+ uses: ./.github/workflows/sbom.yml
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
build-linux:
needs:
@@ -50,16 +48,11 @@ jobs:
- uses: actions/checkout@v5
with:
submodules: "recursive"
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
- echo "VERSION=1.5.2" >> ${GITHUB_ENV}
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- uses: actions/setup-node@v5
with:
node-version: "24"
@@ -90,7 +83,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
- args: "--bundles deb" #,rpm"
+ args: "--bundles deb,rpm"
- name: Calculate DEB SHA256
id: calculate-sha256
if: matrix.deb_arch == 'amd64'
@@ -100,15 +93,15 @@ jobs:
echo "DEB SHA256: $DEB_SHA256"
echo "DEB_SHA256=$DEB_SHA256" >> ${GITHUB_ENV}
echo "deb_sha256_${{ matrix.deb_arch }}=$DEB_SHA256" >> ${GITHUB_OUTPUT}
- # - name: Upload RPM
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- # asset_content_type: application/octet-stream
+ - name: Upload RPM
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ asset_content_type: application/octet-stream
- name: Upload DEB
uses: actions/upload-release-asset@v1
env:
@@ -118,378 +111,378 @@ jobs:
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_content_type: application/octet-stream
- - name: Upload DEB to APT repository on S3
+ - name: Upload DEB to APT repository
run: |
export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
- # - name: Rename client binary
- # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # - name: Tar client binary
- # uses: a7ul/tar-action@v1.2.0
- # with:
- # command: c
- # files: |
- # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # - name: Upload client archive
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_content_type: application/octet-stream
- # - name: Rename daemon binary
- # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # - name: Tar daemon binary
- # uses: a7ul/tar-action@v1.2.0
- # with:
- # command: c
- # files: |
- # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # - name: Upload daemon archive
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_content_type: application/octet-stream
+ - name: Rename client binary
+ run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ - name: Tar client binary
+ uses: a7ul/tar-action@v1.2.0
+ with:
+ command: c
+ files: |
+ defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ - name: Upload client archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_content_type: application/octet-stream
+ - name: Rename daemon binary
+ run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ - name: Tar daemon binary
+ uses: a7ul/tar-action@v1.2.0
+ with:
+ command: c
+ files: |
+ defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ - name: Upload daemon archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_content_type: application/octet-stream
- # - name: Rename dg binary
- # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # - name: Tar dg binary
- # uses: a7ul/tar-action@v1.2.0
- # with:
- # command: c
- # files: |
- # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # - name: Upload dg archive
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_content_type: application/octet-stream
- # - name: Build dg deb
- # uses: defGuard/fpm-action@main
- # with:
- # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
- # - name: Upload DEB
- # uses: actions/upload-release-asset@v1.0.2
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- # asset_content_type: application/octet-stream
- # - name: Build dg rpm
- # uses: defGuard/fpm-action@main
- # with:
- # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
- # - name: Upload RPM
- # uses: actions/upload-release-asset@v1.0.2
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- # asset_content_type: application/octet-stream
+ - name: Rename dg binary
+ run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ - name: Tar dg binary
+ uses: a7ul/tar-action@v1.2.0
+ with:
+ command: c
+ files: |
+ dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ - name: Upload dg archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_content_type: application/octet-stream
+ - name: Build dg deb
+ uses: defGuard/fpm-action@main
+ with:
+ fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
+ - name: Upload DEB
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ asset_content_type: application/octet-stream
+ - name: Build dg rpm
+ uses: defGuard/fpm-action@main
+ with:
+ fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
+ - name: Upload RPM
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ asset_content_type: application/octet-stream
- # update-aur:
- # needs:
- # - create-release
- # - build-linux
- # if: "!contains(github.ref_name, '-')"
- # runs-on:
- # - self-hosted
- # - Linux
- # - ${{ matrix.architecture }}
- # container: archlinux:latest
- # strategy:
- # fail-fast: false
- # matrix:
- # architecture: [X64]
- # include:
- # - architecture: X64
- # deb_arch: amd64
- # binary_arch: x86_64
- # steps:
- # - name: Install dependencies
- # run: |
- # pacman -Syu --noconfirm
- # pacman -S --noconfirm git openssh base-devel
- # - name: Create non-root user
- # run: |
- # useradd -m -G wheel -s /bin/bash builduser
- # echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
- # - name: Setup SSH
- # uses: webfactory/ssh-agent@v0.9.0
- # with:
- # ssh-private-key: ${{ secrets.AUR_SSH_KEY }}
- # - name: Checkout AUR repository
- # run: |
- # mkdir -p ~/.ssh
- # ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts
- # chmod 644 ~/.ssh/known_hosts
- # export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new"
- # rm -rf aur-repo
- # git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo
- # chown -R builduser:builduser aur-repo
- # - name: Update PKGBUILD version
- # run: |
- # cd aur-repo
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ update-aur:
+ needs:
+ - create-release
+ - build-linux
+ if: "!contains(github.ref_name, '-')"
+ runs-on:
+ - self-hosted
+ - Linux
+ - ${{ matrix.architecture }}
+ container: archlinux:latest
+ strategy:
+ fail-fast: false
+ matrix:
+ architecture: [X64]
+ include:
+ - architecture: X64
+ deb_arch: amd64
+ binary_arch: x86_64
+ steps:
+ - name: Install dependencies
+ run: |
+ pacman -Syu --noconfirm
+ pacman -S --noconfirm git openssh base-devel
+ - name: Create non-root user
+ run: |
+ useradd -m -G wheel -s /bin/bash builduser
+ echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
+ - name: Setup SSH
+ uses: webfactory/ssh-agent@v0.9.0
+ with:
+ ssh-private-key: ${{ secrets.AUR_SSH_KEY }}
+ - name: Checkout AUR repository
+ run: |
+ mkdir -p ~/.ssh
+ ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts
+ chmod 644 ~/.ssh/known_hosts
+ export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new"
+ rm -rf aur-repo
+ git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo
+ chown -R builduser:builduser aur-repo
+ - name: Update PKGBUILD version
+ run: |
+ cd aur-repo
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo "Updating to version: $VERSION"
- # sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD
+ echo "Updating to version: $VERSION"
+ sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD
- # AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}"
+ AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}"
- # echo "AMD64 DEB SHA256: $AMD64_SHA"
- # sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD
- # - name: Update .SRCINFO
- # run: |
- # cd aur-repo
- # sudo -u builduser makepkg --printsrcinfo > .SRCINFO
- # - name: Commit and push changes
- # run: |
- # cd aur-repo
- # chown -R builduser:builduser .
- # sudo -u builduser git config user.name "Defguard Build System"
- # sudo -u builduser git config user.email "community@defguard.net"
- # sudo -u builduser git add PKGBUILD .SRCINFO
- # sudo -u builduser git commit -m "Updated to $VERSION"
- # sudo -u builduser git push
- # cat PKGBUILD
- # cat .SRCINFO
- # build-macos:
- # needs:
- # - create-release
- # strategy:
- # fail-fast: false
- # matrix:
- # target: [aarch64-apple-darwin, x86_64-apple-darwin]
- # runs-on:
- # - self-hosted
- # - macOS
- # env:
- # APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
- # APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
- # APPLE_ID: "kamil@defguard.net"
- # APPLE_TEAM_ID: "82GZ7KN29J"
- # steps:
- # - uses: actions/checkout@v5
- # with:
- # submodules: "recursive"
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- # - uses: actions/setup-node@v4
- # with:
- # node-version: "22"
- # - uses: pnpm/action-setup@v4
- # with:
- # version: 10
- # run_install: false
- # - name: Get pnpm store directory
- # shell: bash
- # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- # - uses: actions/cache@v4
- # name: Setup pnpm cache
- # with:
- # path: ${{ env.STORE_PATH }}
- # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- # restore-keys: |
- # ${{ runner.os }}-pnpm-build-store-
- # - name: Install deps
- # run: pnpm install --frozen-lockfile
- # - uses: dtolnay/rust-toolchain@stable
- # - name: Install protobuf compiler
- # run: brew install protobuf
- # - name: Install ARM target
- # run: rustup target add aarch64-apple-darwin
- # - name: Unlock keychain
- # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
- # - name: Build app
- # uses: tauri-apps/tauri-action@v0
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
- # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
- # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
- # APPLE_ID: ${{ env.APPLE_ID }}
- # APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
- # APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
- # with:
- # args: --target ${{ matrix.target }} -v
- # - name: Build installation package
- # run: |
- # bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
- # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- # xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- # - name: Upload installation package
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- # asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
- # asset_content_type: application/octet-stream
+ echo "AMD64 DEB SHA256: $AMD64_SHA"
+ sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD
+ - name: Update .SRCINFO
+ run: |
+ cd aur-repo
+ sudo -u builduser makepkg --printsrcinfo > .SRCINFO
+ - name: Commit and push changes
+ run: |
+ cd aur-repo
+ chown -R builduser:builduser .
+ sudo -u builduser git config user.name "Defguard Build System"
+ sudo -u builduser git config user.email "community@defguard.net"
+ sudo -u builduser git add PKGBUILD .SRCINFO
+ sudo -u builduser git commit -m "Updated to $VERSION"
+ sudo -u builduser git push
+ cat PKGBUILD
+ cat .SRCINFO
+ build-macos:
+ needs:
+ - create-release
+ strategy:
+ fail-fast: false
+ matrix:
+ target: [aarch64-apple-darwin, x86_64-apple-darwin]
+ runs-on:
+ - self-hosted
+ - macOS
+ env:
+ APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
+ APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
+ APPLE_ID: "kamil@defguard.net"
+ APPLE_TEAM_ID: "82GZ7KN29J"
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ submodules: "recursive"
+ - name: Write release version
+ run: |
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ - uses: actions/setup-node@v4
+ with:
+ node-version: "22"
+ - uses: pnpm/action-setup@v4
+ with:
+ version: 10
+ run_install: false
+ - name: Get pnpm store directory
+ shell: bash
+ run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ - uses: actions/cache@v4
+ name: Setup pnpm cache
+ with:
+ path: ${{ env.STORE_PATH }}
+ key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ restore-keys: |
+ ${{ runner.os }}-pnpm-build-store-
+ - name: Install deps
+ run: pnpm install --frozen-lockfile
+ - uses: dtolnay/rust-toolchain@stable
+ - name: Install protobuf compiler
+ run: brew install protobuf
+ - name: Install ARM target
+ run: rustup target add aarch64-apple-darwin
+ - name: Unlock keychain
+ run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
+ - name: Build app
+ uses: tauri-apps/tauri-action@v0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
+ APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+ APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+ APPLE_ID: ${{ env.APPLE_ID }}
+ APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
+ APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
+ with:
+ args: --target ${{ matrix.target }} -v
+ - name: Build installation package
+ run: |
+ bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
+ xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ - name: Upload installation package
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
+ asset_content_type: application/octet-stream
- # # Building signed Windows bundle involves a few steps as described here:
- # # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
- # # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
- # # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
- # # 3. Sign the burn engine (Linux)
- # # 4. Reattach the burn engine back to the bundle (Windows again)
- # # 5. Sign the whole bundle (Linux)
- # build-windows:
- # needs:
- # - create-release
- # runs-on: windows-latest
- # steps:
- # - uses: actions/checkout@v5
- # with:
- # submodules: "recursive"
- # - name: Write release version
- # run: |
- # $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
- # echo Version: $env:VERSION
- # echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
- # - uses: actions/setup-node@v4
- # with:
- # node-version: "22"
- # - uses: pnpm/action-setup@v4
- # with:
- # version: 10
- # run_install: false
- # - name: Get pnpm store directory
- # shell: bash
- # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- # - uses: actions/cache@v4
- # name: Setup pnpm cache
- # with:
- # path: ${{ env.STORE_PATH }}
- # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- # restore-keys: |
- # ${{ runner.os }}-pnpm-build-store-
- # - name: Install deps
- # run: pnpm install --frozen-lockfile
- # - uses: dtolnay/rust-toolchain@stable
- # - name: Install Protoc
- # uses: arduino/setup-protoc@v2
- # with:
- # repo-token: ${{ secrets.GITHUB_TOKEN }}
- # - name: Remove "default-run" line from Cargo.toml
- # run: |
- # Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
- # - name: Build packages
- # uses: tauri-apps/tauri-action@v0
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # - name: Bundle application
- # run: |
- # dotnet tool install --global wix --version 4.0.5
- # wix extension add WixToolset.Bal.wixext/4
- # wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
- # wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
- # - name: Upload unsigned bundle and burn-engine
- # uses: actions/upload-artifact@v4
- # with:
- # name: unsigned-bundle-and-burnengine
- # path: |
- # src-tauri/resources-windows/defguard-client.exe
- # src-tauri/resources-windows/burnengine.exe
- # sign-burn-engine:
- # needs:
- # - build-windows
- # runs-on:
- # - self-hosted
- # - Linux
- # - X64
- # steps:
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- # - name: Download unsigned bundle & burn-engine
- # uses: actions/download-artifact@v4
- # with:
- # name: unsigned-bundle-and-burnengine
- # - name: Sign burn-engine
- # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
- # - name: Upload bundle and burn-engine artifact
- # uses: actions/upload-artifact@v4
- # with:
- # name: unsigned-bundle-and-signed-burnengine
- # path: |
- # defguard-client.exe
- # burnengine-signed.exe
- # reattach-burn-engine:
- # needs:
- # - sign-burn-engine
- # runs-on: windows-latest
- # steps:
- # - name: Download unsigned bundle and signed burn-engine
- # uses: actions/download-artifact@v4
- # with:
- # name: unsigned-bundle-and-signed-burnengine
- # - name: Reattach burn-engine
- # run: |
- # dotnet tool install --global wix --version 4.0.5
- # wix extension add WixToolset.Bal.wixext/4
- # wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
- # - name: Upload bundle with reattached burn-engine
- # uses: actions/upload-artifact@v4
- # with:
- # name: unsigned-bundle-with-reattached-signed-burn-engine
- # path: defguard-client-reattached.exe
- # sign-bundle:
- # needs:
- # - create-release
- # - reattach-burn-engine
- # runs-on:
- # - self-hosted
- # - Linux
- # - X64
- # steps:
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- # - name: Download unsigned bundle & signed burn-engine
- # uses: actions/download-artifact@v4
- # with:
- # name: unsigned-bundle-with-reattached-signed-burn-engine
- # - name: Sign bundle
- # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
- # - name: Upload installer asset
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: defguard-client-signed.exe
- # asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
- # asset_content_type: application/octet-stream
+ # Building signed Windows bundle involves a few steps as described here:
+ # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
+ # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
+ # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
+ # 3. Sign the burn engine (Linux)
+ # 4. Reattach the burn engine back to the bundle (Windows again)
+ # 5. Sign the whole bundle (Linux)
+ build-windows:
+ needs:
+ - create-release
+ runs-on: windows-latest
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ submodules: "recursive"
+ - name: Write release version
+ run: |
+ $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
+ echo Version: $env:VERSION
+ echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
+ - uses: actions/setup-node@v4
+ with:
+ node-version: "22"
+ - uses: pnpm/action-setup@v4
+ with:
+ version: 10
+ run_install: false
+ - name: Get pnpm store directory
+ shell: bash
+ run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ - uses: actions/cache@v4
+ name: Setup pnpm cache
+ with:
+ path: ${{ env.STORE_PATH }}
+ key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ restore-keys: |
+ ${{ runner.os }}-pnpm-build-store-
+ - name: Install deps
+ run: pnpm install --frozen-lockfile
+ - uses: dtolnay/rust-toolchain@stable
+ - name: Install Protoc
+ uses: arduino/setup-protoc@v2
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Remove "default-run" line from Cargo.toml
+ run: |
+ Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
+ - name: Build packages
+ uses: tauri-apps/tauri-action@v0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Bundle application
+ run: |
+ dotnet tool install --global wix --version 4.0.5
+ wix extension add WixToolset.Bal.wixext/4
+ wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
+ wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
+ - name: Upload unsigned bundle and burn-engine
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-bundle-and-burnengine
+ path: |
+ src-tauri/resources-windows/defguard-client.exe
+ src-tauri/resources-windows/burnengine.exe
+ sign-burn-engine:
+ needs:
+ - build-windows
+ runs-on:
+ - self-hosted
+ - Linux
+ - X64
+ steps:
+ - name: Write release version
+ run: |
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ - name: Download unsigned bundle & burn-engine
+ uses: actions/download-artifact@v4
+ with:
+ name: unsigned-bundle-and-burnengine
+ - name: Sign burn-engine
+ run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
+ - name: Upload bundle and burn-engine artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-bundle-and-signed-burnengine
+ path: |
+ defguard-client.exe
+ burnengine-signed.exe
+ reattach-burn-engine:
+ needs:
+ - sign-burn-engine
+ runs-on: windows-latest
+ steps:
+ - name: Download unsigned bundle and signed burn-engine
+ uses: actions/download-artifact@v4
+ with:
+ name: unsigned-bundle-and-signed-burnengine
+ - name: Reattach burn-engine
+ run: |
+ dotnet tool install --global wix --version 4.0.5
+ wix extension add WixToolset.Bal.wixext/4
+ wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
+ - name: Upload bundle with reattached burn-engine
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-bundle-with-reattached-signed-burn-engine
+ path: defguard-client-reattached.exe
+ sign-bundle:
+ needs:
+ - create-release
+ - reattach-burn-engine
+ runs-on:
+ - self-hosted
+ - Linux
+ - X64
+ steps:
+ - name: Write release version
+ run: |
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ - name: Download unsigned bundle & signed burn-engine
+ uses: actions/download-artifact@v4
+ with:
+ name: unsigned-bundle-with-reattached-signed-burn-engine
+ - name: Sign bundle
+ run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
+ - name: Upload installer asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: defguard-client-signed.exe
+ asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
+ asset_content_type: application/octet-stream
apt-sign:
needs:
- build-linux
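Review bot: The re-enabled jobs interpolate secrets and `github.ref_name` straight into `run:` scripts — `-p "${{ secrets.KEYCHAIN_PASSWORD }}"` in the Unlock keychain step, `--password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}` in Build installation package, `-pass ${{ secrets.CODESIGN_PIN }}` in both osslsigncode steps, and `-${{ github.ref_name }}` in the three Rename steps — so the values are substituted into the script text before the shell parses it, which is the pattern GitHub documents as script injection, and the unquoted ones also sit in process arguments on the self-hosted runners. Pass them through `env:` and reference quoted shell variables, as sketched below for the keychain step; the same change applies to the other steps named and to the unchanged `deb-s3 upload --access-key-id=... --secret-access-key=...` line in the Upload DEB to APT repository step. The AUR job's `ssh-keyscan -H aur.archlinux.org` followed by `StrictHostKeyChecking=accept-new` trusts whatever host key is served at run time; writing the published AUR host key into known_hosts from a checked-in constant (placeholder: `AUR_HOST_KEY_PUBLISHED_FINGERPRINT`) would let the push verify against a pinned key instead. The `jobs:` mapping continues past the hunk (`apt-sign:` begins on its last lines).
```yaml
# … unchanged: build-macos steps up to Install ARM target …
- name: Unlock keychain
  env:
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
  run: security -v unlock-keychain -p "$KEYCHAIN_PASSWORD" /Users/admin/Library/Keychains/login.keychain
# … unchanged: Build app and remaining steps …
```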
From ba76dcbc384114c2b84efc7016972b62723a8ca6 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 11:08:59 +0200
Subject: [PATCH 04/12] add comments
---
.github/workflows/release.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7f25d0a8..6f08cd54 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -111,7 +111,7 @@ jobs:
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_content_type: application/octet-stream
- - name: Upload DEB to APT repository
+ - name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main)
run: |
export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
@@ -484,7 +484,7 @@ jobs:
asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
asset_content_type: application/octet-stream
apt-sign:
- needs:
+ needs: #Add needs: -ubuntu-22-04-build (on merge dev -> main)
- build-linux
runs-on:
- self-hosted
From f81daa80184280a6b38b949b94b00794bf0b0bb0 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 11:25:39 +0200
Subject: [PATCH 05/12] more comments
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6f08cd54..e5bfa359 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -111,7 +111,7 @@ jobs:
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_content_type: application/octet-stream
- - name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main)
+ - name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main) with --codename=bookworm
run: |
export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
From 44324f8e457bbaa4d204e0a6e46f2c816a1aa7c5 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 12:08:51 +0200
Subject: [PATCH 06/12] rename step
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e5bfa359..51b0f844 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -493,7 +493,7 @@ jobs:
strategy:
fail-fast: false
steps:
- - name: Sign APT repository on trixie
+ - name: Sign APT repository
run: |
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY }}
From 6e8c3b383b5cdbada88826aec1947e7b6df7ccfb Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 15:14:35 +0200
Subject: [PATCH 07/12] Added ruby to path
---
.github/workflows/release.yaml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 51b0f844..c36c8578 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -111,9 +111,14 @@ jobs:
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_content_type: application/octet-stream
+ - name: Install ruby with deb-s3
+ if: matrix.build != 'freebsd'
+ run: |
+ sudo apt-get install -y ruby
+ gem install deb-s3
+ echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
- name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main) with --codename=bookworm
run: |
- export PATH="/srv/github/defguard/.local/share/gem/ruby/3.3.0/bin:$PATH"
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
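Review bot: The new "Install ruby with deb-s3" step pulls an unpinned `gem install deb-s3` at release time, so the tool that publishes packages to the APT repository is whatever version RubyGems serves on that day; pinning it (`gem install deb-s3 -v "<PINNED_VERSION>"`, placeholder) keeps the release path reproducible and narrows the supply-chain exposure. The install step is gated by `if: matrix.build != 'freebsd'`, but the "Upload DEB to APT repository" step that depends on it carries no such condition, so if a freebsd matrix entry exists (not visible here) that job would fail on a missing `deb-s3` rather than being skipped. The AWS credentials are also spliced into the script text via `--access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }}`, which exposes them as process arguments on the runner; if deb-s3 honours the standard AWS credential chain, an `env:` block with `AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY }}` and `AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY }}` on the step would avoid that. `sudo apt-get install -y ruby` runs without a preceding `apt-get update`, which may fail on a runner image with stale package lists.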
From b1f4f2053c9a5ddddf6737a678842cea155d0b44 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Wed, 15 Oct 2025 15:41:42 +0200
Subject: [PATCH 08/12] Change secret name
---
.github/workflows/release.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c36c8578..3e6de0f0 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -121,7 +121,7 @@ jobs:
run: |
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
- deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY }} --secret-access-key=${{ secrets.AWS_SECRET_KEY }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+ deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
- name: Rename client binary
run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- name: Tar client binary
@@ -500,8 +500,8 @@ jobs:
steps:
- name: Sign APT repository
run: |
- export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY }}
- export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY }}
+ export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
+ export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
export AWS_REGION=eu-north-1
sudo apt update -y
sudo apt install -y awscli curl jq
From f9fc858a3bd7bdd3c24b8d5db4c8041ceafd7c8e Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Thu, 16 Oct 2025 13:35:46 +0200
Subject: [PATCH 09/12] for loop
---
.github/workflows/release.yaml | 35 ++++++++++++++--------------------
1 file changed, 14 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3e6de0f0..a4170041 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -506,24 +506,17 @@ jobs:
sudo apt update -y
sudo apt install -y awscli curl jq
- #For trixie
- aws s3 cp s3://apt.defguard.net/dists/trixie/Release .
- curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
- -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
- -F "file=@Release" \
- -o response.json
- cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
- cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
- aws s3 cp Release.gpg s3://apt.defguard.net/dists/trixie/ --acl public-read
- aws s3 cp InRelease s3://apt.defguard.net/dists/trixie/ --acl public-read
-
- #For bookworm
- aws s3 cp s3://apt.defguard.net/dists/bookworm/Release .
- curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
- -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
- -F "file=@Release" \
- -o response.json
- cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
- cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
- aws s3 cp Release.gpg s3://apt.defguard.net/dists/bookworm/ --acl public-read
- aws s3 cp InRelease s3://apt.defguard.net/dists/bookworm/ --acl public-read
+ for DIST in trixie bookworm; do
+ aws s3 cp s3://apt.defguard.net/dists/$DIST/Release .
+
+ curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+ -F "file=@Release" \
+ -o response.json
+
+ cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+ cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+
+ aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+ aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+ done
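Review bot: The `curl -X POST` to the signing service has no `--fail` flag, so an HTTP error from the service still exits 0 and writes the error body to response.json; the following `jq -r` then yields `null`, `base64 --decode` happily turns the string "null" into three garbage bytes, and a broken `Release.gpg` and `InRelease` are pushed to `dists/${DIST}/` with `--acl public-read`, which breaks `apt update` for every client of that suite. Changing the call to `curl -sS --fail-with-body -X POST ...` and the extractions to `jq -er ...` makes the step abort before the upload (the default `bash -e` shell of a `run:` step will then stop the loop). Ideally the step would also verify the produced `InRelease` against the repository's public key before uploading; that needs the key on the runner, which this hunk does not show. The signing secrets are interpolated directly into the script as `${{ secrets.DEFGUARD_SIGNING_URL }}` and `Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}`; passing them through an `env:` block on the step keeps them out of the generated script text. The enclosing `run:` block begins outside this hunk.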
From c87d83ed36710d26a80ef0acdfb108c5c8fb31d3 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Thu, 16 Oct 2025 13:37:10 +0200
Subject: [PATCH 10/12] typo
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a4170041..5707df13 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -507,7 +507,7 @@ jobs:
sudo apt install -y awscli curl jq
for DIST in trixie bookworm; do
- aws s3 cp s3://apt.defguard.net/dists/$DIST/Release .
+ aws s3 cp s3://apt.defguard.net/dists/{$DIST}/Release .
curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
-H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
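Review bot: The replacement `s3://apt.defguard.net/dists/{$DIST}/Release` puts the braces on the wrong side of the `$`, so bash expands it to the literal path `dists/{trixie}/Release` and the copy fails (or, with `-e` off, leaves a stale `Release` from a previous iteration to be signed); the correct form is `${DIST}` as used on the upload lines below. PATCH 11/12 in this series restores it, so the two commits could be squashed to keep a working history.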
From 90ac99a9c80d0e7debae091acec0982d0c4e6ce7 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Thu, 16 Oct 2025 13:39:50 +0200
Subject: [PATCH 11/12] typo 2
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5707df13..b4ddca3d 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -507,7 +507,7 @@ jobs:
sudo apt install -y awscli curl jq
for DIST in trixie bookworm; do
- aws s3 cp s3://apt.defguard.net/dists/{$DIST}/Release .
+ aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
-H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
From 8e9bff8c3991b0da6afe6dd86d0e1e25d38cb756 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Fri, 17 Oct 2025 17:30:32 +0200
Subject: [PATCH 12/12] refresh html
---
.github/workflows/release.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index b4ddca3d..c52caa8c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -519,4 +519,7 @@ jobs:
aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+
+ aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print ""$4"
"}' > index.html
+ aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
done
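Review bot: The two `index.html` lines are added inside the `for DIST in trixie bookworm` loop (the `done` is the last line of this hunk), so the full recursive listing and the root upload run once per suite; moving them after `done` produces the same file once, after both suites' signatures are in place. The `awk '{print ""$4"` line appears to have lost its HTML markup in this rendering and is split across two lines, so the exact generated content cannot be reviewed here; if the intent is an HTML list of object keys, note that the output format of `aws s3 ls` is a human-readable listing rather than a stable interface, and `aws s3api list-objects-v2 --bucket apt.defguard.net --prefix dists/ --query 'Contents[].Key' --output text` is the documented way to get the keys. The enclosing `run:` block begins outside this hunk.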