From 6d84cd7666e5d53c7a600e749126ecb1fef9764f Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 28 Oct 2025 09:42:50 +0100
Subject: [PATCH 1/8] release ubuntu client
---
.github/workflows/release.yaml | 887 +++++++++++++++++----------------
1 file changed, 471 insertions(+), 416 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 67e125a6..3cd5a0e2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,42 +1,42 @@
name: "Build app and create release"
on:
push:
- tags:
- - v*.*.*
+ # tags:
+ # - v*.*.*
jobs:
- build-wireguard-go:
- strategy:
- fail-fast: false
- matrix:
- architecture: [arm64, amd64]
- runs-on: [self-hosted, macOS]
- steps:
- - uses: actions/checkout@v5
- with:
- repository: WireGuard/wireguard-go
- ref: master
- fetch-depth: 0
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version: "1.24"
- - name: Build wireguard-go binary
- run: make
- env:
- GOOS: darwin
- GOARCH: ${{ matrix.architecture }}
- - name: Upload binary artifact arm64
- if: matrix.architecture == 'arm64'
- uses: actions/upload-artifact@v4
- with:
- name: wireguard-go-aarch64-apple-darwin
- path: wireguard-go
- - name: Upload binary artifact amd64
- if: matrix.architecture == 'amd64'
- uses: actions/upload-artifact@v4
- with:
- name: wireguard-go-x86_64-apple-darwin
- path: wireguard-go
+ # build-wireguard-go:
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # architecture: [arm64, amd64]
+ # runs-on: [self-hosted, macOS]
+ # steps:
+ # - uses: actions/checkout@v5
+ # with:
+ # repository: WireGuard/wireguard-go
+ # ref: master
+ # fetch-depth: 0
+ # - name: Set up Go
+ # uses: actions/setup-go@v5
+ # with:
+ # go-version: "1.24"
+ # - name: Build wireguard-go binary
+ # run: make
+ # env:
+ # GOOS: darwin
+ # GOARCH: ${{ matrix.architecture }}
+ # - name: Upload binary artifact arm64
+ # if: matrix.architecture == 'arm64'
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: wireguard-go-aarch64-apple-darwin
+ # path: wireguard-go
+ # - name: Upload binary artifact amd64
+ # if: matrix.architecture == 'amd64'
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: wireguard-go-x86_64-apple-darwin
+ # path: wireguard-go
create-release:
name: create-release
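Review bot: Commenting out the `tags` filter under `push:` widens the trigger from version tags to every push on every branch, so a branch push now runs the whole release pipeline, which derives `VERSION` from `${GITHUB_REF_NAME#v}` (a branch name here) and, in the last hunk, pushes the .deb to the APT bucket with the AWS secrets. If the aim is to exercise the Ubuntu path by hand while the other platforms are off, a `workflow_dispatch:` entry under `on:` is the safer way to get that, with the `push` tag filter restored exactly as it was. Disabling `build-wireguard-go` here, `create-sbom` in the next hunk and the Linux, macOS and Windows jobs in the final hunk by commenting out several hundred lines leaves them as unreadable dead text that yamllint will not check; deleting them (git keeps the history) or marking each job `if: false` states the intent explicitly and keeps the file lintable. The `create-release` job whose header closes this hunk continues outside it.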
@@ -51,11 +51,11 @@ jobs:
draft: true
generate_release_notes: true
- create-sbom:
- needs: [create-release]
- uses: ./.github/workflows/sbom.yml
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # create-sbom:
+ # needs: [create-release]
+ # uses: ./.github/workflows/sbom.yml
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
ubuntu-22-04-build:
needs:
- create-release
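Review bot: Commenting out `create-sbom` means releases cut by this workflow no longer publish an SBOM asset, which is a regression for anyone checking the release's components, and nothing in the hunk explains why. The job only depends on `create-release`, not on any of the platform builds that this commit disables, so it could stay enabled for an Ubuntu-only release as well; if it must be off temporarily, `if: false` on the job is more visible than a comment block.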
@@ -100,11 +100,16 @@ jobs:
- name: Get pnpm store directory
run: |
echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ echo "VERSION=$1.5.2" >> ${GITHUB_ENV}
- uses: actions/cache@v4
name: Setup pnpm cache
with:
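Review bot: The new line `echo "VERSION=$1.5.2" >> ${GITHUB_ENV}` does not export `1.5.2`: in a bash `run` step `$1` is an empty positional parameter, so the value written is `.5.2`, while the `echo Version: $VERSION` line above still prints the tag-derived value and the `VERSION=$(...)` assignment becomes dead. The next hunk builds the .deb `asset_path` from `${{ env.VERSION }}`, so the name will most likely not match the bundle tauri produced and the upload step will fail. If a fixed version is really wanted for this run, write `echo "VERSION=1.5.2" >> ${GITHUB_ENV}` and drop the computed assignment; otherwise restore `echo "VERSION=$VERSION" >> ${GITHUB_ENV}`, which is what the commented copy added just above this step still shows. A version hard-coded in the workflow also has to be edited by hand on every release, which the tag-derived form avoided.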
@@ -133,389 +138,439 @@ jobs:
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb
asset_content_type: application/octet-stream
-
- build-linux:
- needs:
- - create-release
- runs-on:
- - self-hosted
- - Linux
- - ${{ matrix.architecture }}
- strategy:
- fail-fast: false
- matrix:
- architecture: [ARM64, X64]
- include:
- - architecture: ARM64
- deb_arch: arm64
- binary_arch: aarch64
- - architecture: X64
- deb_arch: amd64
- binary_arch: x86_64
- steps:
- - uses: actions/checkout@v5
- with:
- submodules: "recursive"
- - name: Write release version
+ - name: Install ruby with deb-s3
+ if: matrix.build != 'freebsd'
run: |
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- - uses: actions/setup-node@v5
- with:
- node-version: "24"
- - uses: pnpm/action-setup@v4
- with:
- version: 10.17
- run_install: false
- - name: Get pnpm store directory
- shell: bash
- run: |
- echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- - uses: actions/cache@v4
- name: Setup pnpm cache
- with:
- path: ${{ env.STORE_PATH }}
- key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- restore-keys: |
- ${{ runner.os }}-pnpm-build-store-
- - name: Install Node dependencies
- run: pnpm install --frozen-lockfile
- - uses: dtolnay/rust-toolchain@stable
- - name: Install Linux dependencies
+ sudo apt-get install -y ruby
+ gem install deb-s3
+ echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
+ - name: Upload DEB to APT repository
run: |
- sudo apt-get update
- sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm
- - name: Build packages
- uses: tauri-apps/tauri-action@v0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- args: "--bundles deb,rpm"
- - name: Upload RPM
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- asset_content_type: application/octet-stream
- - name: Upload DEB
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
- asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
- asset_content_type: application/octet-stream
- - name: Rename client binary
- run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- - name: Tar client binary
- uses: a7ul/tar-action@v1.2.0
- with:
- command: c
- files: |
- defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- - name: Upload client archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_content_type: application/octet-stream
- - name: Rename daemon binary
- run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- - name: Tar daemon binary
- uses: a7ul/tar-action@v1.2.0
- with:
- command: c
- files: |
- defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- - name: Upload daemon archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_content_type: application/octet-stream
+ # COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
+ COMPONENT="release"
- - name: Rename dg binary
- run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- - name: Tar dg binary
- uses: a7ul/tar-action@v1.2.0
- with:
- command: c
- files: |
- dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- - name: Upload dg archive
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- asset_content_type: application/octet-stream
- - name: Build dg deb
- uses: defGuard/fpm-action@main
- with:
- fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
- - name: Upload DEB
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- asset_content_type: application/octet-stream
- - name: Build dg rpm
- uses: defGuard/fpm-action@main
- with:
- fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
- - name: Upload RPM
- uses: actions/upload-release-asset@v1.0.2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- asset_content_type: application/octet-stream
+ deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=bookworm --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+
- build-macos:
- needs:
- - create-release
- - build-wireguard-go
- strategy:
- fail-fast: false
- matrix:
- target: [aarch64-apple-darwin, x86_64-apple-darwin]
- runs-on:
- - self-hosted
- - macOS
- env:
- APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
- APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
- APPLE_ID: "kamil@defguard.net"
- APPLE_TEAM_ID: "82GZ7KN29J"
- steps:
- - uses: actions/checkout@v5
- with:
- submodules: "recursive"
- - name: Write release version
- run: |
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- - uses: actions/setup-node@v4
- with:
- node-version: "22"
- - uses: pnpm/action-setup@v4
- with:
- version: 10
- run_install: false
- - name: Get pnpm store directory
- shell: bash
- run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- - uses: actions/cache@v4
- name: Setup pnpm cache
- with:
- path: ${{ env.STORE_PATH }}
- key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- restore-keys: |
- ${{ runner.os }}-pnpm-build-store-
- - name: Install deps
- run: pnpm install --frozen-lockfile
- - uses: dtolnay/rust-toolchain@stable
- - name: Install protobuf compiler
- run: brew install protobuf
- - name: Install ARM target
- run: rustup target add aarch64-apple-darwin
- - name: Download wireguard-go binary
- uses: actions/download-artifact@v4
- with:
- name: wireguard-go-${{ matrix.target }}
- path: src-tauri/resources-macos/binaries
- - name: Rename wireguard-go binary
- run: |
- ls -l src-tauri/resources-macos/binaries
- mv src-tauri/resources-macos/binaries/wireguard-go src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }}
- - name: Unlock keychain
- run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
- - name: Build app
- uses: tauri-apps/tauri-action@v0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
- APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
- APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
- APPLE_ID: ${{ env.APPLE_ID }}
- APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
- APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
- with:
- args: --target ${{ matrix.target }} -v
- - name: Build installation package
- run: |
- bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
- xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- - name: Upload installation package
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
- asset_content_type: application/octet-stream
+ # build-linux:
+ # needs:
+ # - create-release
+ # runs-on:
+ # - self-hosted
+ # - Linux
+ # - ${{ matrix.architecture }}
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # architecture: [ARM64, X64]
+ # include:
+ # - architecture: ARM64
+ # deb_arch: arm64
+ # binary_arch: aarch64
+ # - architecture: X64
+ # deb_arch: amd64
+ # binary_arch: x86_64
+ # steps:
+ # - uses: actions/checkout@v5
+ # with:
+ # submodules: "recursive"
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ # - uses: actions/setup-node@v5
+ # with:
+ # node-version: "24"
+ # - uses: pnpm/action-setup@v4
+ # with:
+ # version: 10.17
+ # run_install: false
+ # - name: Get pnpm store directory
+ # shell: bash
+ # run: |
+ # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ # - uses: actions/cache@v4
+ # name: Setup pnpm cache
+ # with:
+ # path: ${{ env.STORE_PATH }}
+ # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ # restore-keys: |
+ # ${{ runner.os }}-pnpm-build-store-
+ # - name: Install Node dependencies
+ # run: pnpm install --frozen-lockfile
+ # - uses: dtolnay/rust-toolchain@stable
+ # - name: Install Linux dependencies
+ # run: |
+ # sudo apt-get update
+ # sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm
+ # - name: Build packages
+ # uses: tauri-apps/tauri-action@v0
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # args: "--bundles deb,rpm"
+ # - name: Upload RPM
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ # asset_content_type: application/octet-stream
+ # - name: Upload DEB
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+ # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+ # asset_content_type: application/octet-stream
+ # - name: Rename client binary
+ # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # - name: Tar client binary
+ # uses: a7ul/tar-action@v1.2.0
+ # with:
+ # command: c
+ # files: |
+ # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # - name: Upload client archive
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_content_type: application/octet-stream
+ # - name: Rename daemon binary
+ # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # - name: Tar daemon binary
+ # uses: a7ul/tar-action@v1.2.0
+ # with:
+ # command: c
+ # files: |
+ # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # - name: Upload daemon archive
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_content_type: application/octet-stream
- # Building signed Windows bundle involves a few steps as described here:
- # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
- # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
- # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
- # 3. Sign the burn engine (Linux)
- # 4. Reattach the burn engine back to the bundle (Windows again)
- # 5. Sign the whole bundle (Linux)
- build-windows:
- needs:
- - create-release
- runs-on: windows-latest
- steps:
- - uses: actions/checkout@v5
- with:
- submodules: "recursive"
- - name: Write release version
- run: |
- $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
- echo Version: $env:VERSION
- echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
- - uses: actions/setup-node@v4
- with:
- node-version: "22"
- - uses: pnpm/action-setup@v4
- with:
- version: 10
- run_install: false
- - name: Get pnpm store directory
- shell: bash
- run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- - uses: actions/cache@v4
- name: Setup pnpm cache
- with:
- path: ${{ env.STORE_PATH }}
- key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- restore-keys: |
- ${{ runner.os }}-pnpm-build-store-
- - name: Install deps
- run: pnpm install --frozen-lockfile
- - uses: dtolnay/rust-toolchain@stable
- - name: Install Protoc
- uses: arduino/setup-protoc@v2
- with:
- repo-token: ${{ secrets.GITHUB_TOKEN }}
- - name: Remove "default-run" line from Cargo.toml
- run: |
- Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
- - name: Build packages
- uses: tauri-apps/tauri-action@v0
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Bundle application
- run: |
- dotnet tool install --global wix --version 4.0.5
- wix extension add WixToolset.Bal.wixext/4
- wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
- wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
- - name: Upload unsigned bundle and burn-engine
- uses: actions/upload-artifact@v4
- with:
- name: unsigned-bundle-and-burnengine
- path: |
- src-tauri/resources-windows/defguard-client.exe
- src-tauri/resources-windows/burnengine.exe
- sign-burn-engine:
- needs:
- - build-windows
- runs-on:
- - self-hosted
- - Linux
- - X64
- steps:
- - name: Write release version
- run: |
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- - name: Download unsigned bundle & burn-engine
- uses: actions/download-artifact@v4
- with:
- name: unsigned-bundle-and-burnengine
- - name: Sign burn-engine
- run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
- - name: Upload bundle and burn-engine artifact
- uses: actions/upload-artifact@v4
- with:
- name: unsigned-bundle-and-signed-burnengine
- path: |
- defguard-client.exe
- burnengine-signed.exe
- reattach-burn-engine:
- needs:
- - sign-burn-engine
- runs-on: windows-latest
- steps:
- - name: Download unsigned bundle and signed burn-engine
- uses: actions/download-artifact@v4
- with:
- name: unsigned-bundle-and-signed-burnengine
- - name: Reattach burn-engine
- run: |
- dotnet tool install --global wix --version 4.0.5
- wix extension add WixToolset.Bal.wixext/4
- wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
- - name: Upload bundle with reattached burn-engine
- uses: actions/upload-artifact@v4
- with:
- name: unsigned-bundle-with-reattached-signed-burn-engine
- path: defguard-client-reattached.exe
- sign-bundle:
- needs:
- - create-release
- - reattach-burn-engine
+ # - name: Rename dg binary
+ # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # - name: Tar dg binary
+ # uses: a7ul/tar-action@v1.2.0
+ # with:
+ # command: c
+ # files: |
+ # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # - name: Upload dg archive
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ # asset_content_type: application/octet-stream
+ # - name: Build dg deb
+ # uses: defGuard/fpm-action@main
+ # with:
+ # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
+ # - name: Upload DEB
+ # uses: actions/upload-release-asset@v1.0.2
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ # asset_content_type: application/octet-stream
+ # - name: Build dg rpm
+ # uses: defGuard/fpm-action@main
+ # with:
+ # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
+ # - name: Upload RPM
+ # uses: actions/upload-release-asset@v1.0.2
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ # asset_content_type: application/octet-stream
+
+ # build-macos:
+ # needs:
+ # - create-release
+ # - build-wireguard-go
+ # strategy:
+ # fail-fast: false
+ # matrix:
+ # target: [aarch64-apple-darwin, x86_64-apple-darwin]
+ # runs-on:
+ # - self-hosted
+ # - macOS
+ # env:
+ # APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
+ # APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
+ # APPLE_ID: "kamil@defguard.net"
+ # APPLE_TEAM_ID: "82GZ7KN29J"
+ # steps:
+ # - uses: actions/checkout@v5
+ # with:
+ # submodules: "recursive"
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ # - uses: actions/setup-node@v4
+ # with:
+ # node-version: "22"
+ # - uses: pnpm/action-setup@v4
+ # with:
+ # version: 10
+ # run_install: false
+ # - name: Get pnpm store directory
+ # shell: bash
+ # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ # - uses: actions/cache@v4
+ # name: Setup pnpm cache
+ # with:
+ # path: ${{ env.STORE_PATH }}
+ # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ # restore-keys: |
+ # ${{ runner.os }}-pnpm-build-store-
+ # - name: Install deps
+ # run: pnpm install --frozen-lockfile
+ # - uses: dtolnay/rust-toolchain@stable
+ # - name: Install protobuf compiler
+ # run: brew install protobuf
+ # - name: Install ARM target
+ # run: rustup target add aarch64-apple-darwin
+ # - name: Download wireguard-go binary
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: wireguard-go-${{ matrix.target }}
+ # path: src-tauri/resources-macos/binaries
+ # - name: Rename wireguard-go binary
+ # run: |
+ # ls -l src-tauri/resources-macos/binaries
+ # mv src-tauri/resources-macos/binaries/wireguard-go src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }}
+ # - name: Unlock keychain
+ # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
+ # - name: Build app
+ # uses: tauri-apps/tauri-action@v0
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
+ # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+ # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+ # APPLE_ID: ${{ env.APPLE_ID }}
+ # APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
+ # APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
+ # with:
+ # args: --target ${{ matrix.target }} -v
+ # - name: Build installation package
+ # run: |
+ # bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
+ # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ # xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ # - name: Upload installation package
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ # asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
+ # asset_content_type: application/octet-stream
+
+ # # Building signed Windows bundle involves a few steps as described here:
+ # # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
+ # # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
+ # # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
+ # # 3. Sign the burn engine (Linux)
+ # # 4. Reattach the burn engine back to the bundle (Windows again)
+ # # 5. Sign the whole bundle (Linux)
+ # build-windows:
+ # needs:
+ # - create-release
+ # runs-on: windows-latest
+ # steps:
+ # - uses: actions/checkout@v5
+ # with:
+ # submodules: "recursive"
+ # - name: Write release version
+ # run: |
+ # $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
+ # echo Version: $env:VERSION
+ # echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
+ # - uses: actions/setup-node@v4
+ # with:
+ # node-version: "22"
+ # - uses: pnpm/action-setup@v4
+ # with:
+ # version: 10
+ # run_install: false
+ # - name: Get pnpm store directory
+ # shell: bash
+ # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ # - uses: actions/cache@v4
+ # name: Setup pnpm cache
+ # with:
+ # path: ${{ env.STORE_PATH }}
+ # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ # restore-keys: |
+ # ${{ runner.os }}-pnpm-build-store-
+ # - name: Install deps
+ # run: pnpm install --frozen-lockfile
+ # - uses: dtolnay/rust-toolchain@stable
+ # - name: Install Protoc
+ # uses: arduino/setup-protoc@v2
+ # with:
+ # repo-token: ${{ secrets.GITHUB_TOKEN }}
+ # - name: Remove "default-run" line from Cargo.toml
+ # run: |
+ # Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
+ # - name: Build packages
+ # uses: tauri-apps/tauri-action@v0
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # - name: Bundle application
+ # run: |
+ # dotnet tool install --global wix --version 4.0.5
+ # wix extension add WixToolset.Bal.wixext/4
+ # wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
+ # wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
+ # - name: Upload unsigned bundle and burn-engine
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-burnengine
+ # path: |
+ # src-tauri/resources-windows/defguard-client.exe
+ # src-tauri/resources-windows/burnengine.exe
+ # sign-burn-engine:
+ # needs:
+ # - build-windows
+ # runs-on:
+ # - self-hosted
+ # - Linux
+ # - X64
+ # steps:
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ # - name: Download unsigned bundle & burn-engine
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-burnengine
+ # - name: Sign burn-engine
+ # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
+ # - name: Upload bundle and burn-engine artifact
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-signed-burnengine
+ # path: |
+ # defguard-client.exe
+ # burnengine-signed.exe
+ # reattach-burn-engine:
+ # needs:
+ # - sign-burn-engine
+ # runs-on: windows-latest
+ # steps:
+ # - name: Download unsigned bundle and signed burn-engine
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: unsigned-bundle-and-signed-burnengine
+ # - name: Reattach burn-engine
+ # run: |
+ # dotnet tool install --global wix --version 4.0.5
+ # wix extension add WixToolset.Bal.wixext/4
+ # wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
+ # - name: Upload bundle with reattached burn-engine
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: unsigned-bundle-with-reattached-signed-burn-engine
+ # path: defguard-client-reattached.exe
+ # sign-bundle:
+ # needs:
+ # - create-release
+ # - reattach-burn-engine
+ # runs-on:
+ # - self-hosted
+ # - Linux
+ # - X64
+ # steps:
+ # - name: Write release version
+ # run: |
+ # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ # echo Version: $VERSION
+ # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ # - name: Download unsigned bundle & signed burn-engine
+ # uses: actions/download-artifact@v4
+ # with:
+ # name: unsigned-bundle-with-reattached-signed-burn-engine
+ # - name: Sign bundle
+ # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
+ # - name: Upload installer asset
+ # uses: actions/upload-release-asset@v1
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # with:
+ # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ # asset_path: defguard-client-signed.exe
+ # asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
+ # asset_content_type: application/octet-stream
+
+ apt-sign:
+ needs:
+ # - build-linux
+ - ubuntu-22-04-build
runs-on:
- self-hosted
- Linux
- X64
+ strategy:
+ fail-fast: false
steps:
- - name: Write release version
+ - name: Sign APT repository
run: |
- VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- echo Version: $VERSION
- echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- - name: Download unsigned bundle & signed burn-engine
- uses: actions/download-artifact@v4
- with:
- name: unsigned-bundle-with-reattached-signed-burn-engine
- - name: Sign bundle
- run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
- - name: Upload installer asset
- uses: actions/upload-release-asset@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- upload_url: ${{ needs.create-release.outputs.upload_url }}
- asset_path: defguard-client-signed.exe
- asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
- asset_content_type: application/octet-stream
+ export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
+ export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
+ export AWS_REGION=eu-north-1
+ sudo apt update -y
+ sudo apt install -y awscli curl jq
+
+ for DIST in trixie bookworm; do
+ aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
+
+ curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
+ -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
+ -F "file=@Release" \
+ -o response.json
+
+ cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
+ cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
+
+ aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+ aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
+
+ done
+ (aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print ""$4"
"}' > index.html
+ aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
\ No newline at end of file
From 778be2f7585ca7aeb5992b1cdd326b7d306cb378 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 28 Oct 2025 09:43:42 +0100
Subject: [PATCH 2/8] add run on branch
---
.github/workflows/release.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 3cd5a0e2..a2d5f0e2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,6 +3,8 @@ on:
push:
# tags:
# - v*.*.*
+ branches:
+ - release_ubuntu2204
jobs:
# build-wireguard-go:
# strategy:
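Review bot: The new `branches:` trigger runs the full release pipeline — including the APT-publishing and code-signing jobs that consume repository secrets — on every push to `release_ubuntu2204`, while the tag trigger directly above it is now commented out, so there is no tag-based run left at all. The jobs derive the version with `VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)` (visible as context in a later patch of this series), which on a branch push evaluates to the branch name rather than a version, so artifact names and the deb-s3 upload would presumably be built from `release_ubuntu2204`. If this is a temporary test hook, `workflow_dispatch:` gives a manual trigger without exposing the release secrets to every push, and the `tags:` pattern can stay enabled alongside it.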
From ada9704b1db3ef05f7d3b05a697791bf8e673157 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 28 Oct 2025 09:50:23 +0100
Subject: [PATCH 3/8] tauri action version change
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a2d5f0e2..38a595be 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -126,7 +126,7 @@ jobs:
run: |
apt-get install -y build-essential libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm
- name: Build packages
- uses: tauri-apps/tauri-action@v0
+ uses: tauri-apps/tauri-action@v0.5.23
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
From 4cbed286253986ed92d89e2ebd8672576d1a8c46 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:00:51 +0100
Subject: [PATCH 4/8] fix version variable
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 38a595be..84d69ff9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -111,7 +111,7 @@ jobs:
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
- echo "VERSION=$1.5.2" >> ${GITHUB_ENV}
+ echo "VERSION=1.5.2" >> ${GITHUB_ENV}
- uses: actions/cache@v4
name: Setup pnpm cache
with:
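Review bot: The value written to `GITHUB_ENV` is now a hard-coded `1.5.2`, so the `VERSION` computed two lines earlier from `GITHUB_REF_NAME` is only echoed and then discarded; the `Version:` log line and the exported value disagree, and with the branch trigger added in the previous patch the computed value would have been the branch name anyway. Later steps use `env.VERSION` in package paths (the deb-s3 upload is visible as context in a later patch), so a bundle built with any other version string would presumably not be found. If the literal is meant for branch testing only, mark it as such, e.g. `echo "VERSION=1.5.2" >> ${GITHUB_ENV}  # TEMP: hard-coded for branch test, restore $VERSION before tagging`, so it is not shipped as is; otherwise restore `echo "VERSION=$VERSION" >> ${GITHUB_ENV}`.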
From 992ff0027ae8cea1143b461406027f1a0950a093 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:13:00 +0100
Subject: [PATCH 5/8] remove sudo
---
.github/workflows/release.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 84d69ff9..6ff45a23 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -143,7 +143,7 @@ jobs:
- name: Install ruby with deb-s3
if: matrix.build != 'freebsd'
run: |
- sudo apt-get install -y ruby
+ apt-get install -y ruby
gem install deb-s3
echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
- name: Upload DEB to APT repository
@@ -556,8 +556,8 @@ jobs:
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
export AWS_REGION=eu-north-1
- sudo apt update -y
- sudo apt install -y awscli curl jq
+ apt update -y
+ apt install -y awscli curl jq
for DIST in trixie bookworm; do
aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
From 2d8f67a12d3c6d1ce422dd7174738717056812b5 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:18:38 +0100
Subject: [PATCH 6/8] add sudo to apt-sign
---
.github/workflows/release.yaml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6ff45a23..91c5feb8 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -556,8 +556,8 @@ jobs:
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
export AWS_REGION=eu-north-1
- apt update -y
- apt install -y awscli curl jq
+ sudo apt update -y
+ sudo apt install -y awscli curl jq
for DIST in trixie bookworm; do
aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
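Review bot: Re-adding `sudo` means the repository-signing step installs `awscli curl jq` as root on the self-hosted runner on every run, immediately after the AWS keys are exported into the same shell; a runner that grants the job user passwordless sudo makes every step of every workflow on it root-capable. Preinstalling these three tools in the runner image (or running the job in a pinned container) removes the need for root in this step entirely. Independently, passing the keys through the step's `env:` block (`AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_APT }}`, `AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_KEY_APT }}`) instead of `export ...=${{ secrets.* }}` keeps the secret values out of the generated script text; the same `export` lines appear as context in the second hunk of PATCH 5/8.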
From 4677348afdc6d4ada415e838754e79abbe434400 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Tue, 28 Oct 2025 10:30:42 +0100
Subject: [PATCH 7/8] job for building ubuntu22.04 client with apt
uploading/signing
---
.github/workflows/release.yaml | 858 ++++++++++++++++-----------------
1 file changed, 425 insertions(+), 433 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 91c5feb8..e44c93a4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,44 +1,42 @@
name: "Build app and create release"
on:
push:
- # tags:
- # - v*.*.*
- branches:
- - release_ubuntu2204
+ tags:
+ - v*.*.*
jobs:
- # build-wireguard-go:
- # strategy:
- # fail-fast: false
- # matrix:
- # architecture: [arm64, amd64]
- # runs-on: [self-hosted, macOS]
- # steps:
- # - uses: actions/checkout@v5
- # with:
- # repository: WireGuard/wireguard-go
- # ref: master
- # fetch-depth: 0
- # - name: Set up Go
- # uses: actions/setup-go@v5
- # with:
- # go-version: "1.24"
- # - name: Build wireguard-go binary
- # run: make
- # env:
- # GOOS: darwin
- # GOARCH: ${{ matrix.architecture }}
- # - name: Upload binary artifact arm64
- # if: matrix.architecture == 'arm64'
- # uses: actions/upload-artifact@v4
- # with:
- # name: wireguard-go-aarch64-apple-darwin
- # path: wireguard-go
- # - name: Upload binary artifact amd64
- # if: matrix.architecture == 'amd64'
- # uses: actions/upload-artifact@v4
- # with:
- # name: wireguard-go-x86_64-apple-darwin
- # path: wireguard-go
+ build-wireguard-go:
+ strategy:
+ fail-fast: false
+ matrix:
+ architecture: [arm64, amd64]
+ runs-on: [self-hosted, macOS]
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ repository: WireGuard/wireguard-go
+ ref: master
+ fetch-depth: 0
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.24"
+ - name: Build wireguard-go binary
+ run: make
+ env:
+ GOOS: darwin
+ GOARCH: ${{ matrix.architecture }}
+ - name: Upload binary artifact arm64
+ if: matrix.architecture == 'arm64'
+ uses: actions/upload-artifact@v4
+ with:
+ name: wireguard-go-aarch64-apple-darwin
+ path: wireguard-go
+ - name: Upload binary artifact amd64
+ if: matrix.architecture == 'amd64'
+ uses: actions/upload-artifact@v4
+ with:
+ name: wireguard-go-x86_64-apple-darwin
+ path: wireguard-go
create-release:
name: create-release
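Review bot: The re-enabled `build-wireguard-go` job checks out `WireGuard/wireguard-go` at `ref: master`, so the wireguard-go binary bundled by the macOS job (downloaded into `src-tauri/resources-macos/binaries` later in this patch) is built from whatever upstream `master` is at release time; two runs for the same tag can yield different binaries, and a release cannot be reproduced or audited against a known upstream revision. Pinning the ref to a released wireguard-go tag or commit, e.g. `ref: "<PINNED_WIREGUARD_GO_TAG_OR_COMMIT>"`, makes the build reproducible and keeps an unreviewed upstream change from landing in a release. `fetch-depth: 0` is presumably only needed if the wireguard-go build derives its version from git history — worth confirming, since a shallow checkout of a pinned ref is otherwise enough.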
@@ -53,11 +51,11 @@ jobs:
draft: true
generate_release_notes: true
- # create-sbom:
- # needs: [create-release]
- # uses: ./.github/workflows/sbom.yml
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
+ create-sbom:
+ needs: [create-release]
+ uses: ./.github/workflows/sbom.yml
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
ubuntu-22-04-build:
needs:
- create-release
@@ -102,16 +100,11 @@ jobs:
- name: Get pnpm store directory
run: |
echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
- echo "VERSION=1.5.2" >> ${GITHUB_ENV}
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- uses: actions/cache@v4
name: Setup pnpm cache
with:
@@ -148,401 +141,400 @@ jobs:
echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
- name: Upload DEB to APT repository
run: |
- # COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
- COMPONENT="release"
+ COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=bookworm --component="$COMPONENT" src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
- # build-linux:
- # needs:
- # - create-release
- # runs-on:
- # - self-hosted
- # - Linux
- # - ${{ matrix.architecture }}
- # strategy:
- # fail-fast: false
- # matrix:
- # architecture: [ARM64, X64]
- # include:
- # - architecture: ARM64
- # deb_arch: arm64
- # binary_arch: aarch64
- # - architecture: X64
- # deb_arch: amd64
- # binary_arch: x86_64
- # steps:
- # - uses: actions/checkout@v5
- # with:
- # submodules: "recursive"
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- # - uses: actions/setup-node@v5
- # with:
- # node-version: "24"
- # - uses: pnpm/action-setup@v4
- # with:
- # version: 10.17
- # run_install: false
- # - name: Get pnpm store directory
- # shell: bash
- # run: |
- # echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- # - uses: actions/cache@v4
- # name: Setup pnpm cache
- # with:
- # path: ${{ env.STORE_PATH }}
- # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- # restore-keys: |
- # ${{ runner.os }}-pnpm-build-store-
- # - name: Install Node dependencies
- # run: pnpm install --frozen-lockfile
- # - uses: dtolnay/rust-toolchain@stable
- # - name: Install Linux dependencies
- # run: |
- # sudo apt-get update
- # sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm
- # - name: Build packages
- # uses: tauri-apps/tauri-action@v0
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # args: "--bundles deb,rpm"
- # - name: Upload RPM
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- # asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
- # asset_content_type: application/octet-stream
- # - name: Upload DEB
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
- # asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
- # asset_content_type: application/octet-stream
- # - name: Rename client binary
- # run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # - name: Tar client binary
- # uses: a7ul/tar-action@v1.2.0
- # with:
- # command: c
- # files: |
- # defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # - name: Upload client archive
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_content_type: application/octet-stream
- # - name: Rename daemon binary
- # run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # - name: Tar daemon binary
- # uses: a7ul/tar-action@v1.2.0
- # with:
- # command: c
- # files: |
- # defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # - name: Upload daemon archive
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_content_type: application/octet-stream
+ build-linux:
+ needs:
+ - create-release
+ runs-on:
+ - self-hosted
+ - Linux
+ - ${{ matrix.architecture }}
+ strategy:
+ fail-fast: false
+ matrix:
+ architecture: [ARM64, X64]
+ include:
+ - architecture: ARM64
+ deb_arch: arm64
+ binary_arch: aarch64
+ - architecture: X64
+ deb_arch: amd64
+ binary_arch: x86_64
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ submodules: "recursive"
+ - name: Write release version
+ run: |
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ - uses: actions/setup-node@v5
+ with:
+ node-version: "24"
+ - uses: pnpm/action-setup@v4
+ with:
+ version: 10.17
+ run_install: false
+ - name: Get pnpm store directory
+ shell: bash
+ run: |
+ echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ - uses: actions/cache@v4
+ name: Setup pnpm cache
+ with:
+ path: ${{ env.STORE_PATH }}
+ key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ restore-keys: |
+ ${{ runner.os }}-pnpm-build-store-
+ - name: Install Node dependencies
+ run: pnpm install --frozen-lockfile
+ - uses: dtolnay/rust-toolchain@stable
+ - name: Install Linux dependencies
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.1-dev libayatana-appindicator3-dev librsvg2-dev patchelf libssl-dev libxdo-dev unzip protobuf-compiler libprotobuf-dev rpm
+ - name: Build packages
+ uses: tauri-apps/tauri-action@v0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ args: "--bundles deb,rpm"
+ - name: Upload RPM
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: src-tauri/target/release/bundle/rpm/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
+ asset_content_type: application/octet-stream
+ - name: Upload DEB
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+ asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
+ asset_content_type: application/octet-stream
+ - name: Rename client binary
+ run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ - name: Tar client binary
+ uses: a7ul/tar-action@v1.2.0
+ with:
+ command: c
+ files: |
+ defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ - name: Upload client archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_content_type: application/octet-stream
+ - name: Rename daemon binary
+ run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ - name: Tar daemon binary
+ uses: a7ul/tar-action@v1.2.0
+ with:
+ command: c
+ files: |
+ defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ - name: Upload daemon archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_content_type: application/octet-stream
- # - name: Rename dg binary
- # run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # - name: Tar dg binary
- # uses: a7ul/tar-action@v1.2.0
- # with:
- # command: c
- # files: |
- # dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- # outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # - name: Upload dg archive
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- # asset_content_type: application/octet-stream
- # - name: Build dg deb
- # uses: defGuard/fpm-action@main
- # with:
- # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
- # - name: Upload DEB
- # uses: actions/upload-release-asset@v1.0.2
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
- # asset_content_type: application/octet-stream
- # - name: Build dg rpm
- # uses: defGuard/fpm-action@main
- # with:
- # fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
- # fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
- # - name: Upload RPM
- # uses: actions/upload-release-asset@v1.0.2
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- # asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
- # asset_content_type: application/octet-stream
+ - name: Rename dg binary
+ run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ - name: Tar dg binary
+ uses: a7ul/tar-action@v1.2.0
+ with:
+ command: c
+ files: |
+ dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
+ outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ - name: Upload dg archive
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
+ asset_content_type: application/octet-stream
+ - name: Build dg deb
+ uses: defGuard/fpm-action@main
+ with:
+ fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb"
+ - name: Upload DEB
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb
+ asset_content_type: application/octet-stream
+ - name: Build dg rpm
+ uses: defGuard/fpm-action@main
+ with:
+ fpm_args: "dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf"
+ fpm_opts: "--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm"
+ - name: Upload RPM
+ uses: actions/upload-release-asset@v1.0.2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm
+ asset_content_type: application/octet-stream
- # build-macos:
- # needs:
- # - create-release
- # - build-wireguard-go
- # strategy:
- # fail-fast: false
- # matrix:
- # target: [aarch64-apple-darwin, x86_64-apple-darwin]
- # runs-on:
- # - self-hosted
- # - macOS
- # env:
- # APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
- # APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
- # APPLE_ID: "kamil@defguard.net"
- # APPLE_TEAM_ID: "82GZ7KN29J"
- # steps:
- # - uses: actions/checkout@v5
- # with:
- # submodules: "recursive"
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- # - uses: actions/setup-node@v4
- # with:
- # node-version: "22"
- # - uses: pnpm/action-setup@v4
- # with:
- # version: 10
- # run_install: false
- # - name: Get pnpm store directory
- # shell: bash
- # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- # - uses: actions/cache@v4
- # name: Setup pnpm cache
- # with:
- # path: ${{ env.STORE_PATH }}
- # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- # restore-keys: |
- # ${{ runner.os }}-pnpm-build-store-
- # - name: Install deps
- # run: pnpm install --frozen-lockfile
- # - uses: dtolnay/rust-toolchain@stable
- # - name: Install protobuf compiler
- # run: brew install protobuf
- # - name: Install ARM target
- # run: rustup target add aarch64-apple-darwin
- # - name: Download wireguard-go binary
- # uses: actions/download-artifact@v4
- # with:
- # name: wireguard-go-${{ matrix.target }}
- # path: src-tauri/resources-macos/binaries
- # - name: Rename wireguard-go binary
- # run: |
- # ls -l src-tauri/resources-macos/binaries
- # mv src-tauri/resources-macos/binaries/wireguard-go src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }}
- # - name: Unlock keychain
- # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
- # - name: Build app
- # uses: tauri-apps/tauri-action@v0
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
- # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
- # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
- # APPLE_ID: ${{ env.APPLE_ID }}
- # APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
- # APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
- # with:
- # args: --target ${{ matrix.target }} -v
- # - name: Build installation package
- # run: |
- # bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
- # xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- # xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- # - name: Upload installation package
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- # asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
- # asset_content_type: application/octet-stream
+ build-macos:
+ needs:
+ - create-release
+ - build-wireguard-go
+ strategy:
+ fail-fast: false
+ matrix:
+ target: [aarch64-apple-darwin, x86_64-apple-darwin]
+ runs-on:
+ - self-hosted
+ - macOS
+ env:
+ APPLE_SIGNING_IDENTITY_APPLICATION: "Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)"
+ APPLE_SIGNING_IDENTITY_INSTALLER: "Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)"
+ APPLE_ID: "kamil@defguard.net"
+ APPLE_TEAM_ID: "82GZ7KN29J"
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ submodules: "recursive"
+ - name: Write release version
+ run: |
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ - uses: actions/setup-node@v4
+ with:
+ node-version: "22"
+ - uses: pnpm/action-setup@v4
+ with:
+ version: 10
+ run_install: false
+ - name: Get pnpm store directory
+ shell: bash
+ run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ - uses: actions/cache@v4
+ name: Setup pnpm cache
+ with:
+ path: ${{ env.STORE_PATH }}
+ key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ restore-keys: |
+ ${{ runner.os }}-pnpm-build-store-
+ - name: Install deps
+ run: pnpm install --frozen-lockfile
+ - uses: dtolnay/rust-toolchain@stable
+ - name: Install protobuf compiler
+ run: brew install protobuf
+ - name: Install ARM target
+ run: rustup target add aarch64-apple-darwin
+ - name: Download wireguard-go binary
+ uses: actions/download-artifact@v4
+ with:
+ name: wireguard-go-${{ matrix.target }}
+ path: src-tauri/resources-macos/binaries
+ - name: Rename wireguard-go binary
+ run: |
+ ls -l src-tauri/resources-macos/binaries
+ mv src-tauri/resources-macos/binaries/wireguard-go src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }}
+ - name: Unlock keychain
+ run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
+ - name: Build app
+ uses: tauri-apps/tauri-action@v0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }}
+ APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+ APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+ APPLE_ID: ${{ env.APPLE_ID }}
+ APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
+ APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }}
+ with:
+ args: --target ${{ matrix.target }} -v
+ - name: Build installation package
+ run: |
+ bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain
+ xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ - name: Upload installation package
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
+ asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
+ asset_content_type: application/octet-stream
- # # Building signed Windows bundle involves a few steps as described here:
- # # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
- # # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
- # # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
- # # 3. Sign the burn engine (Linux)
- # # 4. Reattach the burn engine back to the bundle (Windows again)
- # # 5. Sign the whole bundle (Linux)
- # build-windows:
- # needs:
- # - create-release
- # runs-on: windows-latest
- # steps:
- # - uses: actions/checkout@v5
- # with:
- # submodules: "recursive"
- # - name: Write release version
- # run: |
- # $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
- # echo Version: $env:VERSION
- # echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
- # - uses: actions/setup-node@v4
- # with:
- # node-version: "22"
- # - uses: pnpm/action-setup@v4
- # with:
- # version: 10
- # run_install: false
- # - name: Get pnpm store directory
- # shell: bash
- # run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
- # - uses: actions/cache@v4
- # name: Setup pnpm cache
- # with:
- # path: ${{ env.STORE_PATH }}
- # key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
- # restore-keys: |
- # ${{ runner.os }}-pnpm-build-store-
- # - name: Install deps
- # run: pnpm install --frozen-lockfile
- # - uses: dtolnay/rust-toolchain@stable
- # - name: Install Protoc
- # uses: arduino/setup-protoc@v2
- # with:
- # repo-token: ${{ secrets.GITHUB_TOKEN }}
- # - name: Remove "default-run" line from Cargo.toml
- # run: |
- # Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
- # - name: Build packages
- # uses: tauri-apps/tauri-action@v0
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # - name: Bundle application
- # run: |
- # dotnet tool install --global wix --version 4.0.5
- # wix extension add WixToolset.Bal.wixext/4
- # wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
- # wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
- # - name: Upload unsigned bundle and burn-engine
- # uses: actions/upload-artifact@v4
- # with:
- # name: unsigned-bundle-and-burnengine
- # path: |
- # src-tauri/resources-windows/defguard-client.exe
- # src-tauri/resources-windows/burnengine.exe
- # sign-burn-engine:
- # needs:
- # - build-windows
- # runs-on:
- # - self-hosted
- # - Linux
- # - X64
- # steps:
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- # - name: Download unsigned bundle & burn-engine
- # uses: actions/download-artifact@v4
- # with:
- # name: unsigned-bundle-and-burnengine
- # - name: Sign burn-engine
- # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
- # - name: Upload bundle and burn-engine artifact
- # uses: actions/upload-artifact@v4
- # with:
- # name: unsigned-bundle-and-signed-burnengine
- # path: |
- # defguard-client.exe
- # burnengine-signed.exe
- # reattach-burn-engine:
- # needs:
- # - sign-burn-engine
- # runs-on: windows-latest
- # steps:
- # - name: Download unsigned bundle and signed burn-engine
- # uses: actions/download-artifact@v4
- # with:
- # name: unsigned-bundle-and-signed-burnengine
- # - name: Reattach burn-engine
- # run: |
- # dotnet tool install --global wix --version 4.0.5
- # wix extension add WixToolset.Bal.wixext/4
- # wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
- # - name: Upload bundle with reattached burn-engine
- # uses: actions/upload-artifact@v4
- # with:
- # name: unsigned-bundle-with-reattached-signed-burn-engine
- # path: defguard-client-reattached.exe
- # sign-bundle:
- # needs:
- # - create-release
- # - reattach-burn-engine
- # runs-on:
- # - self-hosted
- # - Linux
- # - X64
- # steps:
- # - name: Write release version
- # run: |
- # VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
- # echo Version: $VERSION
- # echo "VERSION=$VERSION" >> ${GITHUB_ENV}
- # - name: Download unsigned bundle & signed burn-engine
- # uses: actions/download-artifact@v4
- # with:
- # name: unsigned-bundle-with-reattached-signed-burn-engine
- # - name: Sign bundle
- # run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
- # - name: Upload installer asset
- # uses: actions/upload-release-asset@v1
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # with:
- # upload_url: ${{ needs.create-release.outputs.upload_url }}
- # asset_path: defguard-client-signed.exe
- # asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
- # asset_content_type: application/octet-stream
+ # Building signed Windows bundle involves a few steps as described here:
+ # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
+ # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
+ # 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
+ # 3. Sign the burn engine (Linux)
+ # 4. Reattach the burn engine back to the bundle (Windows again)
+ # 5. Sign the whole bundle (Linux)
+ build-windows:
+ needs:
+ - create-release
+ runs-on: windows-latest
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ submodules: "recursive"
+ - name: Write release version
+ run: |
+ $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
+ echo Version: $env:VERSION
+ echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
+ - uses: actions/setup-node@v4
+ with:
+ node-version: "22"
+ - uses: pnpm/action-setup@v4
+ with:
+ version: 10
+ run_install: false
+ - name: Get pnpm store directory
+ shell: bash
+ run: echo "STORE_PATH=$(pnpm store path --silent)" >> ${GITHUB_ENV}
+ - uses: actions/cache@v4
+ name: Setup pnpm cache
+ with:
+ path: ${{ env.STORE_PATH }}
+ key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+ restore-keys: |
+ ${{ runner.os }}-pnpm-build-store-
+ - name: Install deps
+ run: pnpm install --frozen-lockfile
+ - uses: dtolnay/rust-toolchain@stable
+ - name: Install Protoc
+ uses: arduino/setup-protoc@v2
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Remove "default-run" line from Cargo.toml
+ run: |
+ Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
+ - name: Build packages
+ uses: tauri-apps/tauri-action@v0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Bundle application
+ run: |
+ dotnet tool install --global wix --version 4.0.5
+ wix extension add WixToolset.Bal.wixext/4
+ wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
+ wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
+ - name: Upload unsigned bundle and burn-engine
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-bundle-and-burnengine
+ path: |
+ src-tauri/resources-windows/defguard-client.exe
+ src-tauri/resources-windows/burnengine.exe
+ sign-burn-engine:
+ needs:
+ - build-windows
+ runs-on:
+ - self-hosted
+ - Linux
+ - X64
+ steps:
+ - name: Write release version
+ run: |
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ - name: Download unsigned bundle & burn-engine
+ uses: actions/download-artifact@v4
+ with:
+ name: unsigned-bundle-and-burnengine
+ - name: Sign burn-engine
+ run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
+ - name: Upload bundle and burn-engine artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-bundle-and-signed-burnengine
+ path: |
+ defguard-client.exe
+ burnengine-signed.exe
+ reattach-burn-engine:
+ needs:
+ - sign-burn-engine
+ runs-on: windows-latest
+ steps:
+ - name: Download unsigned bundle and signed burn-engine
+ uses: actions/download-artifact@v4
+ with:
+ name: unsigned-bundle-and-signed-burnengine
+ - name: Reattach burn-engine
+ run: |
+ dotnet tool install --global wix --version 4.0.5
+ wix extension add WixToolset.Bal.wixext/4
+ wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
+ - name: Upload bundle with reattached burn-engine
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-bundle-with-reattached-signed-burn-engine
+ path: defguard-client-reattached.exe
+ sign-bundle:
+ needs:
+ - create-release
+ - reattach-burn-engine
+ runs-on:
+ - self-hosted
+ - Linux
+ - X64
+ steps:
+ - name: Write release version
+ run: |
+ VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
+ echo Version: $VERSION
+ echo "VERSION=$VERSION" >> ${GITHUB_ENV}
+ - name: Download unsigned bundle & signed burn-engine
+ uses: actions/download-artifact@v4
+ with:
+ name: unsigned-bundle-with-reattached-signed-burn-engine
+ - name: Sign bundle
+ run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.71-MS.so -pkcs11cert ${{ secrets.CODESIGN_KEYID }} -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
+ - name: Upload installer asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-release.outputs.upload_url }}
+ asset_path: defguard-client-signed.exe
+ asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
+ asset_content_type: application/octet-stream
apt-sign:
needs:
- # - build-linux
+ - build-linux
- ubuntu-22-04-build
runs-on:
- self-hosted
From 2e990798d4f2244e076fa27568cd8828c17065c0 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 29 Oct 2025 16:04:19 +0100
Subject: [PATCH 8/8] Update release.yaml
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e44c93a4..036564bc 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -567,4 +567,4 @@ jobs:
done
(aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print ""$4"
"}' > index.html
- aws s3 cp index.html s3://apt.defguard.net/ --acl public-read
\ No newline at end of file
+ aws s3 cp index.html s3://apt.defguard.net/ --acl public-read