From b1b95dcf4eb669963e8293b269e5cd34cfe1a41d Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski
Date: Tue, 21 Oct 2025 10:30:25 +0200
Subject: [PATCH 1/8] simplify windows CI build & signing
---
.github/workflows/release.yaml | 842 +++++++++---------
.../resources-windows/defguard-client.wxs | 42 -
2 files changed, 425 insertions(+), 459 deletions(-)
delete mode 100644 src-tauri/resources-windows/defguard-client.wxs
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c52caa8c..a6f6656a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,337 +18,337 @@ jobs: draft: true generate_release_notes: true - create-sbom: - needs: [create-release] - uses: ./.github/workflows/sbom.yml - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} + # create-sbom: + # needs: [create-release] + # uses: ./.github/workflows/sbom.yml + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} - build-linux: - needs: - - create-release - outputs: - deb_sha256_amd64: ${{ steps.calculate-sha256.outputs.deb_sha256_amd64 }} - runs-on: - - self-hosted - - Linux - - ${{ matrix.architecture }} - strategy: - fail-fast: false - matrix: - architecture: [ARM64, X64] - include: - - architecture: ARM64 - deb_arch: arm64 - binary_arch: aarch64 - - architecture: X64 - deb_arch: amd64 - binary_arch: x86_64 - steps: - - uses: actions/checkout@v5 - with: - submodules: "recursive" - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - uses: actions/setup-node@v5 - with: - node-version: "24" - - uses: pnpm/action-setup@v4 - with: - version: 10.17 - run_install: false - - name: Get pnpm store directory - shell: bash - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install Node dependencies - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install Linux dependencies - run: | - sudo apt-get update - sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm - - name: Build packages - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - args: "--bundles 
deb,rpm" - - name: Calculate DEB SHA256 - id: calculate-sha256 - if: matrix.deb_arch == 'amd64' - run: | - DEB_FILE="src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb" - DEB_SHA256=$(sha256sum "$DEB_FILE" | cut -d ' ' -f1) - echo "DEB SHA256: $DEB_SHA256" - echo "DEB_SHA256=$DEB_SHA256" >> ${GITHUB_ENV} - echo "deb_sha256_${{ matrix.deb_arch }}=$DEB_SHA256" >> ${GITHUB_OUTPUT} - - name: Upload RPM - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - asset_content_type: application/octet-stream - - name: Upload DEB - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_content_type: application/octet-stream - - name: Install ruby with deb-s3 - if: matrix.build != 'freebsd' - run: | - sudo apt-get install -y ruby - gem install deb-s3 - echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH - - name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main) with --codename=bookworm - run: | - COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. 
+ # build-linux: + # needs: + # - create-release + # outputs: + # deb_sha256_amd64: ${{ steps.calculate-sha256.outputs.deb_sha256_amd64 }} + # runs-on: + # - self-hosted + # - Linux + # - ${{ matrix.architecture }} + # strategy: + # fail-fast: false + # matrix: + # architecture: [ARM64, X64] + # include: + # - architecture: ARM64 + # deb_arch: arm64 + # binary_arch: aarch64 + # - architecture: X64 + # deb_arch: amd64 + # binary_arch: x86_64 + # steps: + # - uses: actions/checkout@v5 + # with: + # submodules: "recursive" + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - uses: actions/setup-node@v5 + # with: + # node-version: "24" + # - uses: pnpm/action-setup@v4 + # with: + # version: 10.17 + # run_install: false + # - name: Get pnpm store directory + # shell: bash + # run: | + # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # - uses: actions/cache@v4 + # name: Setup pnpm cache + # with: + # path: ${{ env.STORE_PATH }} + # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + # restore-keys: | + # ${{ runner.os }}-pnpm-build-store- + # - name: Install Node dependencies + # run: pnpm install --frozen-lockfile + # - uses: dtolnay/rust-toolchain@stable + # - name: Install Linux dependencies + # run: | + # sudo apt-get update + # sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm + # - name: Build packages + # uses: tauri-apps/tauri-action@v0 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # args: "--bundles deb,rpm" + # - name: Calculate DEB SHA256 + # id: calculate-sha256 + # if: matrix.deb_arch == 'amd64' + # run: | + # DEB_FILE="src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb" + # DEB_SHA256=$(sha256sum 
"$DEB_FILE" | cut -d ' ' -f1) + # echo "DEB SHA256: $DEB_SHA256" + # echo "DEB_SHA256=$DEB_SHA256" >> ${GITHUB_ENV} + # echo "deb_sha256_${{ matrix.deb_arch }}=$DEB_SHA256" >> ${GITHUB_OUTPUT} + # - name: Upload RPM + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + # asset_content_type: application/octet-stream + # - name: Upload DEB + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # asset_content_type: application/octet-stream + # - name: Install ruby with deb-s3 + # if: matrix.build != 'freebsd' + # run: | + # sudo apt-get install -y ruby + # gem install deb-s3 + # echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH + # - name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main) with --codename=bookworm + # run: | + # COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. 
- deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - - name: Rename client binary - run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar client binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload client archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream - - name: Rename daemon binary - run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar daemon binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload daemon archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream + 
# deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + # - name: Rename client binary + # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # - name: Tar client binary + # uses: a7ul/tar-action@v1.2.0 + # with: + # command: c + # files: | + # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # - name: Upload client archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_content_type: application/octet-stream + # - name: Rename daemon binary + # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # - name: Tar daemon binary + # uses: a7ul/tar-action@v1.2.0 + # with: + # command: c + # files: | + # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # - name: Upload daemon archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ 
github.ref_name }}.tar.gz + # asset_content_type: application/octet-stream - - name: Rename dg binary - run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar dg binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload dg archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream - - name: Build dg deb - uses: defGuard/fpm-action@main - with: - fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" - - name: Upload DEB - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - asset_content_type: application/octet-stream - - name: Build dg rpm - uses: defGuard/fpm-action@main - with: - fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ 
matrix.binary_arch }}-${{ github.ref_name }}.rpm" - - name: Upload RPM - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - asset_content_type: application/octet-stream + # - name: Rename dg binary + # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # - name: Tar dg binary + # uses: a7ul/tar-action@v1.2.0 + # with: + # command: c + # files: | + # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # - name: Upload dg archive + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + # asset_content_type: application/octet-stream + # - name: Build dg deb + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" + # - name: Upload DEB + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + # 
asset_content_type: application/octet-stream + # - name: Build dg rpm + # uses: defGuard/fpm-action@main + # with: + # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm" + # - name: Upload RPM + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + # asset_content_type: application/octet-stream - update-aur: - needs: - - create-release - - build-linux - if: "!contains(github.ref_name, '-')" - runs-on: - - self-hosted - - Linux - - ${{ matrix.architecture }} - container: archlinux:latest - strategy: - fail-fast: false - matrix: - architecture: [X64] - include: - - architecture: X64 - deb_arch: amd64 - binary_arch: x86_64 - steps: - - name: Install dependencies - run: | - pacman -Syu --noconfirm - pacman -S --noconfirm git openssh base-devel - - name: Create non-root user - run: | - useradd -m -G wheel -s /bin/bash builduser - echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers - - name: Setup SSH - uses: webfactory/ssh-agent@v0.9.0 - with: - ssh-private-key: ${{ secrets.AUR_SSH_KEY }} - - name: Checkout AUR repository - run: | - mkdir -p ~/.ssh - ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts - chmod 644 ~/.ssh/known_hosts - export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new" - rm -rf aur-repo - git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo - chown -R builduser:builduser aur-repo - - name: Update PKGBUILD version - run: | - cd aur-repo - VERSION=$(echo 
${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # update-aur: + # needs: + # - create-release + # - build-linux + # if: "!contains(github.ref_name, '-')" + # runs-on: + # - self-hosted + # - Linux + # - ${{ matrix.architecture }} + # container: archlinux:latest + # strategy: + # fail-fast: false + # matrix: + # architecture: [X64] + # include: + # - architecture: X64 + # deb_arch: amd64 + # binary_arch: x86_64 + # steps: + # - name: Install dependencies + # run: | + # pacman -Syu --noconfirm + # pacman -S --noconfirm git openssh base-devel + # - name: Create non-root user + # run: | + # useradd -m -G wheel -s /bin/bash builduser + # echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers + # - name: Setup SSH + # uses: webfactory/ssh-agent@v0.9.0 + # with: + # ssh-private-key: ${{ secrets.AUR_SSH_KEY }} + # - name: Checkout AUR repository + # run: | + # mkdir -p ~/.ssh + # ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts + # chmod 644 ~/.ssh/known_hosts + # export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new" + # rm -rf aur-repo + # git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo + # chown -R builduser:builduser aur-repo + # - name: Update PKGBUILD version + # run: | + # cd aur-repo + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo "Updating to version: $VERSION" - sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD + # echo "Updating to version: $VERSION" + # sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD - AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}" + # AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}" - echo "AMD64 DEB SHA256: $AMD64_SHA" - sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD - - name: Update .SRCINFO - run: | - cd aur-repo - sudo -u builduser makepkg --printsrcinfo > .SRCINFO - - name: Commit and push changes - run: | - cd aur-repo - chown -R builduser:builduser . 
- sudo -u builduser git config user.name "Defguard Build System" - sudo -u builduser git config user.email "community@defguard.net" - sudo -u builduser git add PKGBUILD .SRCINFO - sudo -u builduser git commit -m "Updated to $VERSION" - sudo -u builduser git push - cat PKGBUILD - cat .SRCINFO - build-macos: - needs: - - create-release - strategy: - fail-fast: false - matrix: - target: [aarch64-apple-darwin, x86_64-apple-darwin] - runs-on: - - self-hosted - - macOS - env: - APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)" - APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)" - APPLE_ID: "kamil@defguard.net" - APPLE_TEAM_ID: "82GZ7KN29J" - steps: - - uses: actions/checkout@v5 - with: - submodules: "recursive" - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - uses: actions/setup-node@v4 - with: - node-version: "22" - - uses: pnpm/action-setup@v4 - with: - version: 10 - run_install: false - - name: Get pnpm store directory - shell: bash - run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - - uses: actions/cache@v4 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install deps - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install protobuf compiler - run: brew install protobuf - - name: Install ARM target - run: rustup target add aarch64-apple-darwin - - name: Unlock keychain - run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - - name: Build app - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - APPLE_SIGNING_IDENTITY: ${{ 
env.APPLE_SIGNING_IDENTITY_APPLICATION }} - APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} - APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - APPLE_ID: ${{ env.APPLE_ID }} - APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} - APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} - with: - args: --target ${{ matrix.target }} -v - - name: Build installation package - run: | - bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain - xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - - name: Upload installation package - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg - asset_content_type: application/octet-stream + # echo "AMD64 DEB SHA256: $AMD64_SHA" + # sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD + # - name: Update .SRCINFO + # run: | + # cd aur-repo + # sudo -u builduser makepkg --printsrcinfo > .SRCINFO + # - name: Commit and push changes + # run: | + # cd aur-repo + # chown -R builduser:builduser . 
+ # sudo -u builduser git config user.name "Defguard Build System" + # sudo -u builduser git config user.email "community@defguard.net" + # sudo -u builduser git add PKGBUILD .SRCINFO + # sudo -u builduser git commit -m "Updated to $VERSION" + # sudo -u builduser git push + # cat PKGBUILD + # cat .SRCINFO + # build-macos: + # needs: + # - create-release + # strategy: + # fail-fast: false + # matrix: + # target: [aarch64-apple-darwin, x86_64-apple-darwin] + # runs-on: + # - self-hosted + # - macOS + # env: + # APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)" + # APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)" + # APPLE_ID: "kamil@defguard.net" + # APPLE_TEAM_ID: "82GZ7KN29J" + # steps: + # - uses: actions/checkout@v5 + # with: + # submodules: "recursive" + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - uses: actions/setup-node@v4 + # with: + # node-version: "22" + # - uses: pnpm/action-setup@v4 + # with: + # version: 10 + # run_install: false + # - name: Get pnpm store directory + # shell: bash + # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + # - uses: actions/cache@v4 + # name: Setup pnpm cache + # with: + # path: ${{ env.STORE_PATH }} + # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + # restore-keys: | + # ${{ runner.os }}-pnpm-build-store- + # - name: Install deps + # run: pnpm install --frozen-lockfile + # - uses: dtolnay/rust-toolchain@stable + # - name: Install protobuf compiler + # run: brew install protobuf + # - name: Install ARM target + # run: rustup target add aarch64-apple-darwin + # - name: Unlock keychain + # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain + # - name: Build app + # uses: 
tauri-apps/tauri-action@v0 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }} + # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} + # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + # APPLE_ID: ${{ env.APPLE_ID }} + # APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} + # APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} + # with: + # args: --target ${{ matrix.target }} -v + # - name: Build installation package + # run: | + # bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain + # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + # xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + # - name: Upload installation package + # uses: actions/upload-release-asset@v1 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + # asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg + # asset_content_type: application/octet-stream # Building signed Windows bundle involves a few steps as described here: # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line @@ -370,7 +370,7 @@ jobs: $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0] echo Version: $env:VERSION echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV - - uses: actions/setup-node@v4 + - uses: actions/setup-node@v6 with: node-version: "22" - uses: pnpm/action-setup@v4 
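Review bot: Nothing in the file marks the commented-out `create-sbom`, `build-linux`, `update-aur` and `build-macos` jobs as temporarily disabled, so a tag pushed with this commit on the release branch would produce a draft release holding only the Windows installer and no SBOM. If the goal is to iterate on the Windows signing flow (inferred from the subject line), leave the job bodies untouched and gate each one with `if: false  # TODO: re-enable before tagging a release`. That keeps the change to one line per job, keeps the YAML under lint, and makes re-enabling a reviewable one-line revert. The `apt-sign` job in the `@@ -476,50 +475,59 @@` hunk is disabled the same way and would benefit from the same treatment.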
@@ -391,7 +391,7 @@ jobs: run: pnpm install --frozen-lockfile - uses: dtolnay/rust-toolchain@stable - name: Install Protoc - uses: arduino/setup-protoc@v2 + uses: arduino/setup-protoc@v3 with: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Remove "default-run" line from Cargo.toml 
@@ -401,68 +401,67 @@ jobs: uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Bundle application - run: | - dotnet tool install --global wix --version 4.0.5 - wix extension add WixToolset.Bal.wixext/4 - wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll - wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe - - name: Upload unsigned bundle and burn-engine + # - name: Bundle application + # run: | + # dotnet tool install --global wix --version 4.0.5 + # wix extension add WixToolset.Bal.wixext/4 + # wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll + # wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe + - name: Upload unsigned bundle uses: actions/upload-artifact@v4 with: - name: unsigned-bundle-and-burnengine - path: | - src-tauri/resources-windows/defguard-client.exe - src-tauri/resources-windows/burnengine.exe - sign-burn-engine: - needs: - - build-windows - runs-on: - - self-hosted - - Linux - - X64 - steps: - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - name: Download unsigned bundle & burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-and-burnengine - - name: Sign burn-engine - run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe - - name: Upload bundle and burn-engine artifact - uses: actions/upload-artifact@v4 - with: - name: 
unsigned-bundle-and-signed-burnengine - path: | - defguard-client.exe - burnengine-signed.exe - reattach-burn-engine: - needs: - - sign-burn-engine - runs-on: windows-latest - steps: - - name: Download unsigned bundle and signed burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-and-signed-burnengine - - name: Reattach burn-engine - run: | - dotnet tool install --global wix --version 4.0.5 - wix extension add WixToolset.Bal.wixext/4 - wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe - - name: Upload bundle with reattached burn-engine - uses: actions/upload-artifact@v4 - with: - name: unsigned-bundle-with-reattached-signed-burn-engine - path: defguard-client-reattached.exe + name: unsigned-bundle + path: src-tauri/target/release/bundle/defguard-client_${{ env.VERSION }}_x64_en-US.msi + # sign-burn-engine: + # needs: + # - build-windows + # runs-on: + # - self-hosted + # - Linux + # - X64 + # steps: + # - name: Write release version + # run: | + # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> ${GITHUB_ENV} + # - name: Download unsigned bundle & burn-engine + # uses: actions/download-artifact@v4 + # with: + # name: unsigned-bundle-and-burnengine + # - name: Sign burn-engine + # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe + # - name: Upload bundle and burn-engine artifact + # uses: actions/upload-artifact@v4 + # with: + # name: unsigned-bundle-and-signed-burnengine + # path: | + # defguard-client.exe + # burnengine-signed.exe + # reattach-burn-engine: + # needs: + # - sign-burn-engine + # runs-on: windows-latest + # steps: + # - name: Download unsigned bundle and signed burn-engine + # uses: 
actions/download-artifact@v4 + # with: + # name: unsigned-bundle-and-signed-burnengine + # - name: Reattach burn-engine + # run: | + # dotnet tool install --global wix --version 4.0.5 + # wix extension add WixToolset.Bal.wixext/4 + # wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe + # - name: Upload bundle with reattached burn-engine + # uses: actions/upload-artifact@v4 + # with: + # name: unsigned-bundle-with-reattached-signed-burn-engine + # path: defguard-client-reattached.exe sign-bundle: needs: - create-release - - reattach-burn-engine + # - reattach-burn-engine + - build-windows runs-on: - self-hosted - Linux 
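Review bot: The new `path:` under "Upload unsigned bundle" likely matches nothing, because it points directly into `bundle/` while Tauri normally writes the MSI to a `msi/` subdirectory; the Linux job in this same file reads from `bundle/deb/` and `bundle/rpm/`. `actions/upload-artifact` only warns on an empty match by default, so the failure would surface later, when `sign-bundle` tries to download `unsigned-bundle`. Suggest `path: src-tauri/target/release/bundle/msi/defguard-client_${{ env.VERSION }}_x64_en-US.msi` together with `if-no-files-found: error`, so a missing installer stops the build job itself. Separately, the commented-out `sign-burn-engine` and `reattach-burn-engine` jobs and the `# - reattach-burn-engine` entry could be deleted outright, since this patch removes the `defguard-client.wxs` file they depend on.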
@@ -476,50 +475,59 @@ jobs: - name: Download unsigned bundle & signed burn-engine uses: actions/download-artifact@v4 with: - name: unsigned-bundle-with-reattached-signed-burn-engine + name: unsigned-bundle - name: Sign bundle - run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe + run: osslsigncode sign \ + -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so \ + -pkcs11cert ${{ secrets.CODESIGN_KEYID }} \ + -key ${{ secrets.CODESIGN_KEYID }} \ + -pass ${{ secrets.CODESIGN_PIN }} \ + -h sha256 \ + -t http://time.certum.pl/ \ + -in defguard-client_${{ env.VERSION }}_x64_en-US.msi \ + -out defguard-client-signed.msi - name: Upload installer asset uses: actions/upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-client-signed.exe - asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe + asset_path: defguard-client-signed.msi + asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.msi asset_content_type: application/octet-stream - apt-sign: - needs: #Add needs: -ubuntu-22-04-build (on merge dev -> main) - - build-linux - runs-on: - - self-hosted - - Linux - - X64 - strategy: - fail-fast: false - steps: - - name: Sign APT repository - run: | - export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }} - export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }} - export AWS_REGION=eu-north-1 - sudo apt update -y - sudo apt install -y awscli curl jq - for DIST in trixie bookworm; do - aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release . 
+ # apt-sign: + # needs: #Add needs: -ubuntu-22-04-build (on merge dev -> main) + # - build-linux + # runs-on: + # - self-hosted + # - Linux + # - X64 + # strategy: + # fail-fast: false + # steps: + # - name: Sign APT repository + # run: | + # export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }} + # export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }} + # export AWS_REGION=eu-north-1 + # sudo apt update -y + # sudo apt install -y awscli curl jq + + # for DIST in trixie bookworm; do + # aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release . - curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ - -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ - -F "file=@Release" \ - -o response.json + # curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ + # -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ + # -F "file=@Release" \ + # -o response.json - cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg - cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease + # cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg + # cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease - aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read - aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read + # aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read + # aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read - aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print ""$4"
"}' > index.html - aws s3 cp index.html s3://apt.defguard.net/ --acl public-read - done + # aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print ""$4"
"}' > index.html + # aws s3 cp index.html s3://apt.defguard.net/ --acl public-read + # done diff --git a/src-tauri/resources-windows/defguard-client.wxs b/src-tauri/resources-windows/defguard-client.wxs deleted file mode 100644 index a045af0a..00000000 --- a/src-tauri/resources-windows/defguard-client.wxs +++ /dev/null @@ -1,42 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - From 51aaa6d20e44317ac11d7f2327364ef2a22d7695 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 21 Oct 2025 11:08:16 +0200 Subject: [PATCH 2/8] fix bundle path --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a6f6656a..f5c87670 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -411,7 +411,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: unsigned-bundle - path: src-tauri/target/release/bundle/defguard-client_${{ env.VERSION }}_x64_en-US.msi + path: src-tauri/target/release/bundle/msi/defguard-client_${{ env.VERSION }}_x64_en-US.msi # sign-burn-engine: # needs: # - build-windows From 6cd2a99ee147c1bc4e5178dff49c2b922c4648e1 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 21 Oct 2025 11:40:54 +0200 Subject: [PATCH 3/8] fix sign command --- .github/workflows/release.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index f5c87670..c4cbc6ee 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
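Review bot: The `Sign bundle` step expands `${{ secrets.CODESIGN_KEYID }}` and `${{ secrets.CODESIGN_PIN }}` directly into the script text and onto the osslsigncode argument list. On the self-hosted signing runner the token PIN is therefore readable from the process list while the step runs, and any shell metacharacter in a secret is interpreted by the shell. I would map the secrets in the step's `env:` block (`CODESIGN_PIN: ${{ secrets.CODESIGN_PIN }}`) and reference them quoted, `-pass "$CODESIGN_PIN"`; if the installed osslsigncode accepts `-readpass` for the PKCS#11 path (to be confirmed), reading the PIN from a file would also keep it off argv. The same pattern is in the one-line `Sign bundle` command of PATCH 3/8 and in the `deb-s3 upload` step that PATCH 4/8 re-enables. The `sign-bundle` job starts above this hunk, so whether the step already has an `env:` block beyond what is shown is not visible here.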
@@ -477,15 +477,7 @@ jobs: with: name: unsigned-bundle - name: Sign bundle - run: osslsigncode sign \ - -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so \ - -pkcs11cert ${{ secrets.CODESIGN_KEYID }} \ - -key ${{ secrets.CODESIGN_KEYID }} \ - -pass ${{ secrets.CODESIGN_PIN }} \ - -h sha256 \ - -t http://time.certum.pl/ \ - -in defguard-client_${{ env.VERSION }}_x64_en-US.msi \ - -out defguard-client-signed.msi + run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client_${{ env.VERSION }}_x64_en-US.msi -out defguard-client-signed.msi - name: Upload installer asset uses: actions/upload-release-asset@v1 env: From 7cf11139fd2dfadd29f494d16743027fc10b38ce Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 21 Oct 2025 12:22:30 +0200 Subject: [PATCH 4/8] uncomment other build jobs, cleanup --- .github/workflows/release.yaml | 782 +++++++++++++++------------------ 1 file changed, 364 insertions(+), 418 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c4cbc6ee..e9632ddd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
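Review bot: Nothing checks the signature between `Sign bundle` and `Upload installer asset`, so the job relies on the exit status of `osslsigncode sign` alone before publishing `defguard-client-signed.msi` to the release. A short step in between, for example `run: osslsigncode verify -in defguard-client-signed.msi` (plus whatever CA-bundle options the runner's osslsigncode version requires), would fail the job if the signature on the MSI does not validate. The step list of `sign-bundle` continues on both sides of this hunk.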
@@ -18,345 +18,376 @@ jobs: draft: true generate_release_notes: true - # create-sbom: - # needs: [create-release] - # uses: ./.github/workflows/sbom.yml - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} + create-sbom: + needs: [create-release] + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} - # build-linux: - # needs: - # - create-release - # outputs: - # deb_sha256_amd64: ${{ steps.calculate-sha256.outputs.deb_sha256_amd64 }} - # runs-on: - # - self-hosted - # - Linux - # - ${{ matrix.architecture }} - # strategy: - # fail-fast: false - # matrix: - # architecture: [ARM64, X64] - # include: - # - architecture: ARM64 - # deb_arch: arm64 - # binary_arch: aarch64 - # - architecture: X64 - # deb_arch: amd64 - # binary_arch: x86_64 - # steps: - # - uses: actions/checkout@v5 - # with: - # submodules: "recursive" - # - name: Write release version - # run: | - # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> ${GITHUB_ENV} - # - uses: actions/setup-node@v5 - # with: - # node-version: "24" - # - uses: pnpm/action-setup@v4 - # with: - # version: 10.17 - # run_install: false - # - name: Get pnpm store directory - # shell: bash - # run: | - # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - # - uses: actions/cache@v4 - # name: Setup pnpm cache - # with: - # path: ${{ env.STORE_PATH }} - # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - # restore-keys: | - # ${{ runner.os }}-pnpm-build-store- - # - name: Install Node dependencies - # run: pnpm install --frozen-lockfile - # - uses: dtolnay/rust-toolchain@stable - # - name: Install Linux dependencies - # run: | - # sudo apt-get update - # sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm - # - name: Build packages - # 
uses: tauri-apps/tauri-action@v0 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # args: "--bundles deb,rpm" - # - name: Calculate DEB SHA256 - # id: calculate-sha256 - # if: matrix.deb_arch == 'amd64' - # run: | - # DEB_FILE="src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb" - # DEB_SHA256=$(sha256sum "$DEB_FILE" | cut -d ' ' -f1) - # echo "DEB SHA256: $DEB_SHA256" - # echo "DEB_SHA256=$DEB_SHA256" >> ${GITHUB_ENV} - # echo "deb_sha256_${{ matrix.deb_arch }}=$DEB_SHA256" >> ${GITHUB_OUTPUT} - # - name: Upload RPM - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - # asset_content_type: application/octet-stream - # - name: Upload DEB - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - # asset_content_type: application/octet-stream - # - name: Install ruby with deb-s3 - # if: matrix.build != 'freebsd' - # run: | - # sudo apt-get install -y ruby - # gem install deb-s3 - # echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH - # - name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main) with --codename=bookworm - # run: | - # COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. 
+ build-linux: + needs: + - create-release + outputs: + deb_sha256_amd64: ${{ steps.calculate-sha256.outputs.deb_sha256_amd64 }} + runs-on: + - self-hosted + - Linux + - ${{ matrix.architecture }} + strategy: + fail-fast: false + matrix: + architecture: [ARM64, X64] + include: + - architecture: ARM64 + deb_arch: arm64 + binary_arch: aarch64 + - architecture: X64 + deb_arch: amd64 + binary_arch: x86_64 + steps: + - uses: actions/checkout@v5 + with: + submodules: "recursive" + - name: Write release version + run: | + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + echo Version: $VERSION + echo "VERSION=$VERSION" >> ${GITHUB_ENV} + - uses: actions/setup-node@v5 + with: + node-version: "24" + - uses: pnpm/action-setup@v4 + with: + version: 10.17 + run_install: false + - name: Get pnpm store directory + shell: bash + run: | + echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + - uses: actions/cache@v4 + name: Setup pnpm cache + with: + path: ${{ env.STORE_PATH }} + key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-build-store- + - name: Install Node dependencies + run: pnpm install --frozen-lockfile + - uses: dtolnay/rust-toolchain@stable + - name: Install Linux dependencies + run: | + sudo apt-get update + sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm + - name: Build packages + uses: tauri-apps/tauri-action@v0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + args: "--bundles deb,rpm" + - name: Calculate DEB SHA256 + id: calculate-sha256 + if: matrix.deb_arch == 'amd64' + run: | + DEB_FILE="src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb" + DEB_SHA256=$(sha256sum "$DEB_FILE" | cut -d ' ' -f1) + echo "DEB SHA256: $DEB_SHA256" + echo "DEB_SHA256=$DEB_SHA256" >> ${GITHUB_ENV} + echo 
"deb_sha256_${{ matrix.deb_arch }}=$DEB_SHA256" >> ${GITHUB_OUTPUT} + - name: Upload RPM + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + asset_content_type: application/octet-stream + - name: Upload DEB + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + asset_content_type: application/octet-stream + - name: Install ruby with deb-s3 + if: matrix.build != 'freebsd' + run: | + sudo apt-get install -y ruby + gem install deb-s3 + echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH + - name: Upload DEB to APT repository #Add this to ubuntu 22.04 job (on merge dev -> main) with --codename=bookworm + run: | + COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release. 
- # deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - # - name: Rename client binary - # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # - name: Tar client binary - # uses: a7ul/tar-action@v1.2.0 - # with: - # command: c - # files: | - # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # - name: Upload client archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_content_type: application/octet-stream - # - name: Rename daemon binary - # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # - name: Tar daemon binary - # uses: a7ul/tar-action@v1.2.0 - # with: - # command: c - # files: | - # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # - name: Upload daemon archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ 
github.ref_name }}.tar.gz - # asset_content_type: application/octet-stream + deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + - name: Rename client binary + run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + - name: Tar client binary + uses: a7ul/tar-action@v1.2.0 + with: + command: c + files: | + defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + - name: Upload client archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_content_type: application/octet-stream + - name: Rename daemon binary + run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + - name: Tar daemon binary + uses: a7ul/tar-action@v1.2.0 + with: + command: c + files: | + defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + - name: Upload daemon archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ 
github.ref_name }}.tar.gz + asset_content_type: application/octet-stream - # - name: Rename dg binary - # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # - name: Tar dg binary - # uses: a7ul/tar-action@v1.2.0 - # with: - # command: c - # files: | - # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # - name: Upload dg archive - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - # asset_content_type: application/octet-stream - # - name: Build dg deb - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" - # - name: Upload DEB - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - # asset_content_type: application/octet-stream - # - name: Build dg rpm - # uses: defGuard/fpm-action@main - # with: - # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" - # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type 
rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm" - # - name: Upload RPM - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - # asset_content_type: application/octet-stream + - name: Rename dg binary + run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + - name: Tar dg binary + uses: a7ul/tar-action@v1.2.0 + with: + command: c + files: | + dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + - name: Upload dg archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_content_type: application/octet-stream + - name: Build dg deb + uses: defGuard/fpm-action@main + with: + fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb" + - name: Upload DEB + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name 
}}.deb + asset_content_type: application/octet-stream + - name: Build dg rpm + uses: defGuard/fpm-action@main + with: + fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf" + fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm" + - name: Upload RPM + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + asset_content_type: application/octet-stream + + apt-sign: + needs: #Add needs: -ubuntu-22-04-build (on merge dev -> main) + - build-linux + runs-on: + - self-hosted + - Linux + - X64 + strategy: + fail-fast: false + steps: + - name: Sign APT repository + run: | + export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }} + export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }} + export AWS_REGION=eu-north-1 + sudo apt update -y + sudo apt install -y awscli curl jq + + for DIST in trixie bookworm; do + aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release . 
+ + curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ + -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ + -F "file=@Release" \ + -o response.json + + cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg + cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease + + aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read + aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read - # update-aur: - # needs: - # - create-release - # - build-linux - # if: "!contains(github.ref_name, '-')" - # runs-on: - # - self-hosted - # - Linux - # - ${{ matrix.architecture }} - # container: archlinux:latest - # strategy: - # fail-fast: false - # matrix: - # architecture: [X64] - # include: - # - architecture: X64 - # deb_arch: amd64 - # binary_arch: x86_64 - # steps: - # - name: Install dependencies - # run: | - # pacman -Syu --noconfirm - # pacman -S --noconfirm git openssh base-devel - # - name: Create non-root user - # run: | - # useradd -m -G wheel -s /bin/bash builduser - # echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers - # - name: Setup SSH - # uses: webfactory/ssh-agent@v0.9.0 - # with: - # ssh-private-key: ${{ secrets.AUR_SSH_KEY }} - # - name: Checkout AUR repository - # run: | - # mkdir -p ~/.ssh - # ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts - # chmod 644 ~/.ssh/known_hosts - # export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new" - # rm -rf aur-repo - # git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo - # chown -R builduser:builduser aur-repo - # - name: Update PKGBUILD version - # run: | - # cd aur-repo - # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print ""$4"
"}' > index.html + aws s3 cp index.html s3://apt.defguard.net/ --acl public-read + done + + update-aur: + needs: + - create-release + - build-linux + if: "!contains(github.ref_name, '-')" + runs-on: + - self-hosted + - Linux + - ${{ matrix.architecture }} + container: archlinux:latest + strategy: + fail-fast: false + matrix: + architecture: [X64] + include: + - architecture: X64 + deb_arch: amd64 + binary_arch: x86_64 + steps: + - name: Install dependencies + run: | + pacman -Syu --noconfirm + pacman -S --noconfirm git openssh base-devel + - name: Create non-root user + run: | + useradd -m -G wheel -s /bin/bash builduser + echo 'builduser ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers + - name: Setup SSH + uses: webfactory/ssh-agent@v0.9.0 + with: + ssh-private-key: ${{ secrets.AUR_SSH_KEY }} + - name: Checkout AUR repository + run: | + mkdir -p ~/.ssh + ssh-keyscan -H aur.archlinux.org >> ~/.ssh/known_hosts + chmod 644 ~/.ssh/known_hosts + export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=accept-new" + rm -rf aur-repo + git clone ssh://aur@aur.archlinux.org/defguard-client.git aur-repo + chown -R builduser:builduser aur-repo + - name: Update PKGBUILD version + run: | + cd aur-repo + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # echo "Updating to version: $VERSION" - # sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD + echo "Updating to version: $VERSION" + sed -i "s/^pkgver=.*/pkgver=$VERSION/" PKGBUILD - # AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}" + AMD64_SHA="${{ needs.build-linux.outputs.deb_sha256_amd64 }}" - # echo "AMD64 DEB SHA256: $AMD64_SHA" - # sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD - # - name: Update .SRCINFO - # run: | - # cd aur-repo - # sudo -u builduser makepkg --printsrcinfo > .SRCINFO - # - name: Commit and push changes - # run: | - # cd aur-repo - # chown -R builduser:builduser . 
- # sudo -u builduser git config user.name "Defguard Build System" - # sudo -u builduser git config user.email "community@defguard.net" - # sudo -u builduser git add PKGBUILD .SRCINFO - # sudo -u builduser git commit -m "Updated to $VERSION" - # sudo -u builduser git push - # cat PKGBUILD - # cat .SRCINFO - # build-macos: - # needs: - # - create-release - # strategy: - # fail-fast: false - # matrix: - # target: [aarch64-apple-darwin, x86_64-apple-darwin] - # runs-on: - # - self-hosted - # - macOS - # env: - # APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)" - # APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)" - # APPLE_ID: "kamil@defguard.net" - # APPLE_TEAM_ID: "82GZ7KN29J" - # steps: - # - uses: actions/checkout@v5 - # with: - # submodules: "recursive" - # - name: Write release version - # run: | - # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> ${GITHUB_ENV} - # - uses: actions/setup-node@v4 - # with: - # node-version: "22" - # - uses: pnpm/action-setup@v4 - # with: - # version: 10 - # run_install: false - # - name: Get pnpm store directory - # shell: bash - # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} - # - uses: actions/cache@v4 - # name: Setup pnpm cache - # with: - # path: ${{ env.STORE_PATH }} - # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - # restore-keys: | - # ${{ runner.os }}-pnpm-build-store- - # - name: Install deps - # run: pnpm install --frozen-lockfile - # - uses: dtolnay/rust-toolchain@stable - # - name: Install protobuf compiler - # run: brew install protobuf - # - name: Install ARM target - # run: rustup target add aarch64-apple-darwin - # - name: Unlock keychain - # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - # - name: Build app - # uses: 
tauri-apps/tauri-action@v0 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }} - # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} - # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - # APPLE_ID: ${{ env.APPLE_ID }} - # APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} - # APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} - # with: - # args: --target ${{ matrix.target }} -v - # - name: Build installation package - # run: | - # bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain - # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - # xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - # - name: Upload installation package - # uses: actions/upload-release-asset@v1 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - # asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg - # asset_content_type: application/octet-stream + echo "AMD64 DEB SHA256: $AMD64_SHA" + sed -i "s/^sha256sums_x86_64=.*/sha256sums_x86_64=('$AMD64_SHA')/" PKGBUILD + - name: Update .SRCINFO + run: | + cd aur-repo + sudo -u builduser makepkg --printsrcinfo > .SRCINFO + - name: Commit and push changes + run: | + cd aur-repo + chown -R builduser:builduser . 
+ sudo -u builduser git config user.name "Defguard Build System" + sudo -u builduser git config user.email "community@defguard.net" + sudo -u builduser git add PKGBUILD .SRCINFO + sudo -u builduser git commit -m "Updated to $VERSION" + sudo -u builduser git push + cat PKGBUILD + cat .SRCINFO + + build-macos: + needs: + - create-release + strategy: + fail-fast: false + matrix: + target: [aarch64-apple-darwin, x86_64-apple-darwin] + runs-on: + - self-hosted + - macOS + env: + APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)" + APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)" + APPLE_ID: "kamil@defguard.net" + APPLE_TEAM_ID: "82GZ7KN29J" + steps: + - uses: actions/checkout@v5 + with: + submodules: "recursive" + - name: Write release version + run: | + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + echo Version: $VERSION + echo "VERSION=$VERSION" >> ${GITHUB_ENV} + - uses: actions/setup-node@v4 + with: + node-version: "22" + - uses: pnpm/action-setup@v4 + with: + version: 10 + run_install: false + - name: Get pnpm store directory + shell: bash + run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV} + - uses: actions/cache@v4 + name: Setup pnpm cache + with: + path: ${{ env.STORE_PATH }} + key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-build-store- + - name: Install deps + run: pnpm install --frozen-lockfile + - uses: dtolnay/rust-toolchain@stable + - name: Install protobuf compiler + run: brew install protobuf + - name: Install ARM target + run: rustup target add aarch64-apple-darwin + - name: Unlock keychain + run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain + - name: Build app + uses: tauri-apps/tauri-action@v0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + APPLE_SIGNING_IDENTITY: ${{ 
env.APPLE_SIGNING_IDENTITY_APPLICATION }} + APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + APPLE_ID: ${{ env.APPLE_ID }} + APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} + APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} + with: + args: --target ${{ matrix.target }} -v + - name: Build installation package + run: | + bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain + xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + - name: Upload installation package + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg + asset_content_type: application/octet-stream - # Building signed Windows bundle involves a few steps as described here: - # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line - # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows) - # 2. Detach the burn engine from the bundle so that it can be signed (also Windows) - # 3. Sign the burn engine (Linux) - # 4. Reattach the burn engine back to the bundle (Windows again) - # 5. Sign the whole bundle (Linux) + # Builds Windows MSI and uploads it as artifact build-windows: needs: - create-release 
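Review bot: In the re-enabled `apt-sign` job, a failed signing request is not detected before `Release.gpg` and `InRelease` are copied to the bucket with `--acl public-read`: `curl` is called without `--fail`, and each `cat response.json | jq -r … | base64 --decode` pipeline reports only the exit status of `base64`. If the signing service returns an error body, jq typically prints `null` (or nothing), which base64-decodes without error, and the loop would publish those bytes as the repository signature files. I would start the script with `set -euo pipefail`, add `--fail` to the `curl` call and use `jq -er` in place of `jq -r`, so the step stops before either `aws s3 cp` upload. This assumes no `shell:` default that already enables pipefail is set elsewhere in the workflow, which this hunk does not show.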
@@ -401,66 +432,16 @@ jobs: uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # - name: Bundle application - # run: | - # dotnet tool install --global wix --version 4.0.5 - # wix extension add WixToolset.Bal.wixext/4 - # wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll - # wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe - name: Upload unsigned bundle uses: actions/upload-artifact@v4 with: name: unsigned-bundle path: src-tauri/target/release/bundle/msi/defguard-client_${{ env.VERSION }}_x64_en-US.msi - # sign-burn-engine: - # needs: - # - build-windows - # runs-on: - # - self-hosted - # - Linux - # - X64 - # steps: - # - name: Write release version - # run: | - # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> ${GITHUB_ENV} - # - name: Download unsigned bundle & burn-engine - # uses: actions/download-artifact@v4 - # with: - # name: unsigned-bundle-and-burnengine - # - name: Sign burn-engine - # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe - # - name: Upload bundle and burn-engine artifact - # uses: actions/upload-artifact@v4 - # with: - # name: unsigned-bundle-and-signed-burnengine - # path: | - # defguard-client.exe - # burnengine-signed.exe - # reattach-burn-engine: - # needs: - # - sign-burn-engine - # runs-on: windows-latest - # steps: - # - name: Download unsigned bundle and signed burn-engine - # uses: actions/download-artifact@v4 - # with: - # name: unsigned-bundle-and-signed-burnengine - # - name: Reattach burn-engine - # run: | - # dotnet tool install --global wix --version 
4.0.5 - # wix extension add WixToolset.Bal.wixext/4 - # wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe - # - name: Upload bundle with reattached burn-engine - # uses: actions/upload-artifact@v4 - # with: - # name: unsigned-bundle-with-reattached-signed-burn-engine - # path: defguard-client-reattached.exe + + # Signs the MSI and uploads it as release asset sign-bundle: needs: - create-release - # - reattach-burn-engine - build-windows runs-on: - self-hosted @@ -488,38 +469,3 @@ jobs: asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.msi asset_content_type: application/octet-stream - # apt-sign: - # needs: #Add needs: -ubuntu-22-04-build (on merge dev -> main) - # - build-linux - # runs-on: - # - self-hosted - # - Linux - # - X64 - # strategy: - # fail-fast: false - # steps: - # - name: Sign APT repository - # run: | - # export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }} - # export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }} - # export AWS_REGION=eu-north-1 - # sudo apt update -y - # sudo apt install -y awscli curl jq - - # for DIST in trixie bookworm; do - # aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release . - - # curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \ - # -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \ - # -F "file=@Release" \ - # -o response.json - - # cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg - # cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease - - # aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read - # aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read - - # aws s3 ls s3://apt.defguard.net/dists/ --recursive | awk '{print ""$4"
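Review bot: The build step at the top of this hunk runs `tauri-apps/tauri-action@v0`, a third-party action referenced by a movable tag, in the job that produces the MSI which `sign-bundle` later signs. Whoever can move that tag changes the code that builds the signed release, so pin it to a reviewed commit, e.g. `uses: tauri-apps/tauri-action@<full-commit-sha> # v0`, and do the same for `actions/upload-artifact@v4`. That step and the rest of `build-windows` start above the hunk, and `sign-bundle` continues below it, so other `uses:` lines in those jobs are not visible here and would need the same check.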
"}' > index.html - # aws s3 cp index.html s3://apt.defguard.net/ --acl public-read - # done From b023c38d3b3ee8f783a0887d121bf3351d8394af Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 21 Oct 2025 10:04:05 +0200 Subject: [PATCH 5/8] bump version to 1.6.0 --- nix/package.nix | 2 +- package.json | 2 +- src-tauri/Cargo.lock | 6 +++--- src-tauri/Cargo.toml | 2 +- src-tauri/tauri.conf.json | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/nix/package.nix b/nix/package.nix index 814cb749..e974817e 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -8,7 +8,7 @@ makeDesktopItem, }: let pname = "defguard-client"; - version = "1.5.2"; # TODO: Get this from Cargo.toml or git + version = "1.6.0"; # TODO: Get this from Cargo.toml or git desktopItem = makeDesktopItem { name = pname; diff --git a/package.json b/package.json index 8d048ab7..ecc6c437 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "defguard-client", "private": false, - "version": "1.5.2", + "version": "1.6.0", "type": "module", "scripts": { "dev": "npm-run-all --parallel vite typesafe-i18n", diff --git a/src-tauri/Cargo.lock b/src-tauri/Cargo.lock index 42417ff6..1d4cbbd2 100644 --- a/src-tauri/Cargo.lock +++ b/src-tauri/Cargo.lock @@ -1013,7 +1013,7 @@ dependencies = [ [[package]] name = "common" -version = "1.5.2" +version = "1.6.0" dependencies = [ "nix", ] @@ -1368,7 +1368,7 @@ checksum = "be1e0bca6c3637f992fc1cc7cbc52a78c1ef6db076dbf1059c4323d6a2048376" [[package]] name = "defguard-client" -version = "1.5.2" +version = "1.6.0" dependencies = [ "anyhow", "base64 0.22.1", @@ -1426,7 +1426,7 @@ dependencies = [ [[package]] name = "defguard-dg" -version = "1.5.2" +version = "1.6.0" dependencies = [ "clap", "common", diff --git a/src-tauri/Cargo.toml b/src-tauri/Cargo.toml index 78b66bc4..e2d361c6 100644 --- a/src-tauri/Cargo.toml +++ b/src-tauri/Cargo.toml 
@@ -31,7 +31,7 @@ edition = "2021" homepage = "https://github.com/DefGuard/client" license-file = "../LICENSE.md" rust-version = "1.80" -version = "1.5.2" +version = "1.6.0" [package] name = "defguard-client" diff --git a/src-tauri/tauri.conf.json b/src-tauri/tauri.conf.json index 9d071f3a..fc4470f0 100644 --- a/src-tauri/tauri.conf.json +++ b/src-tauri/tauri.conf.json @@ -72,7 +72,7 @@ "productName": "defguard-client", "mainBinaryName": "defguard-client", "identifier": "net.defguard", - "version": "1.5.2", + "version": "1.6.0", "app": { "security": { "capabilities": [ From ec4d7e4d652d18180ff6d52a06b19037f9050e74 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 21 Oct 2025 13:24:05 +0200 Subject: [PATCH 6/8] fix job name --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e9632ddd..333398e7 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -453,7 +453,7 @@ jobs: VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) echo Version: $VERSION echo "VERSION=$VERSION" >> ${GITHUB_ENV} - - name: Download unsigned bundle & signed burn-engine + - name: Download unsigned bundle uses: actions/download-artifact@v4 with: name: unsigned-bundle From a6bfa5b9a73bbe3c2b3ee68dd7b6a1a2976bc0f7 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 21 Oct 2025 13:44:27 +0200 Subject: [PATCH 7/8] cargo update --- src-tauri/Cargo.lock | 58 ++++++++++++++++++++++---------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/src-tauri/Cargo.lock b/src-tauri/Cargo.lock index 1d4cbbd2..95bd80ca 100644 --- a/src-tauri/Cargo.lock +++ b/src-tauri/Cargo.lock 
@@ -948,9 +948,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.49" +version = "4.5.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4512b90fa68d3a9932cea5184017c5d200f5921df706d45e853537dea51508f" +checksum = "0c2cfd7bf8a6017ddaa4e32ffe7403d547790db06bd171c1c53926faab501623" dependencies = [ "clap_builder", "clap_derive", @@ -958,9 +958,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.49" +version = "4.5.50" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0025e98baa12e766c67ba13ff4695a887a1eba19569aad00a472546795bd6730" +checksum = "0a4c05b9e80c5ccd3a7ef080ad7b6ba7d6fc00a985b8b157197075677c82c7a0" dependencies = [ "anstream", "anstyle", @@ -4069,9 +4069,9 @@ checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e" [[package]] name = "openssl-src" -version = "300.5.3+3.5.4" +version = "300.5.4+3.5.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dc6bad8cd0233b63971e232cc9c5e83039375b8586d2312f31fda85db8f888c2" +checksum = "a507b3792995dae9b0df8a1c1e3771e8418b7c2d9f0baeba32e6fe8b06c7cb72" dependencies = [ "cc", ] @@ -6229,9 +6229,9 @@ dependencies = [ [[package]] name = "tao" -version = "0.34.4" +version = "0.34.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6121216ff67fe4bcfe64508ea1700bc15f74937d835a07b4a209cc00a8926a84" +checksum = "f3a753bdc39c07b192151523a3f77cd0394aa75413802c883a0f6f6a0e5ee2e7" dependencies = [ "bitflags 2.10.0", "block2 0.6.2", @@ -6292,9 +6292,9 @@ checksum = "61c41af27dd6d1e27b1b16b489db798443478cef1f06a660c96db617ba5de3b1" [[package]] name = "tauri" -version = "2.8.5" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4d1d3b3dc4c101ac989fd7db77e045cc6d91a25349cd410455cb5c57d510c1c" +checksum = "7f07c6590706b2fc0ab287b041cf5ce9c435b3850bdae5571e19d9d27584e89d" dependencies = [ "anyhow", "bytes", 
@@ -6345,9 +6345,9 @@ dependencies = [ [[package]] name = "tauri-build" -version = "2.4.1" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c432ccc9ff661803dab74c6cd78de11026a578a9307610bbc39d3c55be7943f" +checksum = "f71be1f494b683ac439e6d61c16ab5c472c6f9c6ee78995b29556d9067c021a1" dependencies = [ "anyhow", "cargo_toml", @@ -6367,9 +6367,9 @@ dependencies = [ [[package]] name = "tauri-codegen" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ab3a62cf2e6253936a8b267c2e95839674e7439f104fa96ad0025e149d54d8a" +checksum = "6c1fe64c74cc40f90848281a90058a6db931eb400b60205840e09801ee30f190" dependencies = [ "base64 0.22.1", "brotli", @@ -6394,9 +6394,9 @@ dependencies = [ [[package]] name = "tauri-macros" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4368ea8094e7045217edb690f493b55b30caf9f3e61f79b4c24b6db91f07995e" +checksum = "260c5d2eb036b76206b9fca20b7be3614cfd21046c5396f7959e0e64a4b07f2f" dependencies = [ "heck 0.5.0", "proc-macro2", @@ -6408,9 +6408,9 @@ dependencies = [ [[package]] name = "tauri-plugin" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9946a3cede302eac0c6eb6c6070ac47b1768e326092d32efbb91f21ed58d978f" +checksum = "3d7ce9aab979296b2f91e6fbf154207c2e3512b12ddca0b24bfa0e0cde6b2976" dependencies = [ "anyhow", "glob", @@ -6637,9 +6637,9 @@ dependencies = [ [[package]] name = "tauri-runtime" -version = "2.8.0" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4cfc9ad45b487d3fded5a4731a567872a4812e9552e3964161b08edabf93846" +checksum = "3367f0b47df90e9195cd9f04a56b0055a2cba45aa11923c6c253d748778176fc" dependencies = [ "cookie", "dpi", 
@@ -6662,9 +6662,9 @@ dependencies = [ [[package]] name = "tauri-runtime-wry" -version = "2.8.1" +version = "2.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c1fe9d48bd122ff002064e88cfcd7027090d789c4302714e68fcccba0f4b7807" +checksum = "80d91d29ca680c545364cf75ba2f2e3c7ea2ab6376bfa3be26b56fa2463a5b5e" dependencies = [ "gtk", "http", @@ -6689,9 +6689,9 @@ dependencies = [ [[package]] name = "tauri-utils" -version = "2.7.0" +version = "2.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "41a3852fdf9a4f8fbeaa63dc3e9a85284dd6ef7200751f0bd66ceee30c93f212" +checksum = "f6b8bbe426abdbf52d050e52ed693130dbd68375b9ad82a3fb17efb4c8d85673" dependencies = [ "anyhow", "brotli", @@ -7297,9 +7297,9 @@ dependencies = [ [[package]] name = "tray-icon" -version = "0.21.1" +version = "0.21.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a0d92153331e7d02ec09137538996a7786fe679c629c279e82a6be762b7e6fe2" +checksum = "e3d5572781bee8e3f994d7467084e1b1fd7a93ce66bd480f8156ba89dee55a2b" dependencies = [ "crossbeam-channel", "dirs", @@ -7314,7 +7314,7 @@ dependencies = [ "png 0.17.16", "serde", "thiserror 2.0.17", - "windows-sys 0.59.0", + "windows-sys 0.60.2", ] [[package]] @@ -7419,9 +7419,9 @@ checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5" [[package]] name = "unicode-ident" -version = "1.0.19" +version = "1.0.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f63a545481291138910575129486daeaf8ac54aee4387fe7906919f7830c7d9d" +checksum = "462eeb75aeb73aea900253ce739c8e18a67423fadf006037cd3ff27e82748a06" [[package]] name = "unicode-normalization" From be4feb05f4aa77cc464ea3dbb3c50a35d202133f Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Tue, 21 Oct 2025 13:52:28 +0200 Subject: [PATCH 8/8] new advisories for tauri dependencies --- src-tauri/deny.toml | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/src-tauri/deny.toml b/src-tauri/deny.toml
index 9e62bad1..b6298cda 100644
--- a/src-tauri/deny.toml
+++ b/src-tauri/deny.toml
@@ -87,6 +87,11 @@ ignore = [
 { id = "RUSTSEC-2024-0420", reason = "Tauri v2 GTK3 dependency (unmaintained)" },
 { id = "RUSTSEC-2025-0052", reason = "Discontinued, but dark-light v2.0.0 needs it" },
 { id = "RUSTSEC-2025-0057", reason = "Tauri needs it" },
+ { id = "RUSTSEC-2025-0075", reason = "Tauri v2 GTK3 dependency (unmaintained)" },
+ { id = "RUSTSEC-2025-0080", reason = "Tauri v2 GTK3 dependency (unmaintained)" },
+ { id = "RUSTSEC-2025-0081", reason = "Tauri v2 GTK3 dependency (unmaintained)" },
+ { id = "RUSTSEC-2025-0098", reason = "Tauri v2 GTK3 dependency (unmaintained)" },
+ { id = "RUSTSEC-2025-0100", reason = "Tauri v2 GTK3 dependency (unmaintained)" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
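Review bot: The five new `ignore` entries (RUSTSEC-2025-0075, -0080, -0081, -0098 and -0100) all carry the same reason, `Tauri v2 GTK3 dependency (unmaintained)`, which says neither which crate each advisory covers nor when the exception can be dropped. An ignore with no exit condition tends to outlive the dependency that justified it, and the hunk alone cannot confirm that every one of these IDs is an unmaintained-crate notice rather than a vulnerability report. Name the crate and the removal condition in each reason, for example `{ id = "RUSTSEC-2025-0075", reason = "<crate>: unmaintained GTK3 binding required by Tauri v2; remove once Tauri drops GTK3 (<tracking issue>)" },`. The `ignore` array opens above the hunk, so its earlier entries are only partly visible here.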