Merge release/1.5-alpha into main

.editorconfig

@@ -0,0 +1,12 @@
+root = true
+
+[*.{rs,sql,toml}]
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+end_of_line = lf
+
+[*.{rs}]
+indent_style = tab
+indent_size = 4
+rulers = 100

.gitattributes

@@ -0,0 +1,8 @@
+*.eot   -text
+*.ttf   -text
+*.woff  -text
+*.woff2 -text
+*.png -text
+*.pdf -text
+*.jpeg -text
+*.webm -text

.github/workflows/build-docker.yml

@@ -21,6 +21,7 @@ jobs:
       - self-hosted
       - Linux
       - ${{ matrix.runner }}
+
     strategy:
       matrix:
         cpu: [arm64, amd64]
@@ -31,23 +32,31 @@ jobs:
           - cpu: amd64
             runner: X64
             tag: amd64
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
           buildkitd-config-inline: |
             [registry."docker.io"]
               mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Build container
         uses: docker/build-push-action@v5
         with:
@@ -59,10 +68,30 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH,MEDIUM"
+
   docker-manifest:
     runs-on: [self-hosted, Linux]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
     needs: [build-docker]
+
     steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.9.2
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -71,12 +100,14 @@ jobs:
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create and push manifests
         run: |
           tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -86,3 +117,13 @@ jobs:
             docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
             docker manifest push ${tag}
           done
+
+      - name: Sign the images with GitHub OIDC Token
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign sign --yes ${images}
+
+      - name: Verify image signatures
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/proxy" -o text

.github/workflows/lint-web.yml

@@ -5,23 +5,32 @@ on:
     branches:
       - main
       - dev
-    paths:
-      - "web/**"
+      - 'release/**'
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
   pull_request:
     branches:
       - main
       - dev
-    paths:
-      - "web/**"
+      - 'release/**'
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
 
 jobs:
   lint-web:
-    runs-on: self-hosted
+    runs-on:
+      - codebuild-defguard-proxy-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 24
       - name: install deps
         working-directory: ./web
         run: |

.github/workflows/release.yml

@@ -95,6 +95,10 @@ jobs:
           target: ${{ matrix.target }}
           override: true
 
+      - name: Setup `packer`
+        uses: hashicorp/setup-packer@main
+        id: setup
+
       - name: Set up Docker BuildX
         uses: docker/setup-buildx-action@v3
         with:
@@ -168,6 +172,26 @@ jobs:
           asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
           asset_content_type: application/octet-stream
 
+      - name: Run `packer init`
+        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        id: init
+        run: "packer init ./images/ami/proxy.pkr.hcl"
+
+      - name: Build AMI images for multiple regions
+        if: matrix.build == 'linux' && matrix.arch == 'amd64'
+        run: |
+          regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1)
+          for region in "${regions[@]}"; do
+            echo "Building AMI for region: $region"
+            echo "Running packer validate for $region..."
+            packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl
+            echo "Building AMI image for $region..."
+            packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl
+          done
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
       - name: Build RPM package
         if: matrix.build == 'linux'
         uses: bpicode/github-action-fpm@master

.github/workflows/test.yml

@@ -5,13 +5,15 @@ on:
     branches:
       - main
       - dev
+      - 'release/**'
     paths-ignore:
       - "*.md"
       - "LICENSE"
   pull_request:
     branches:
       - main
       - dev
+      - 'release/**'
     paths-ignore:
       - "*.md"
       - "LICENSE"
@@ -21,8 +23,9 @@ env:
 
 jobs:
   test:
-    runs-on: [self-hosted, Linux, X64]
-    container: rust:1
+    runs-on:
+      - codebuild-defguard-proxy-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    container: public.ecr.aws/docker/library/rust:1
 
     steps:
       - name: Debug
@@ -44,6 +47,8 @@ jobs:
           rustup component add clippy
           cargo clippy --all-targets --all-features -- -D warnings
       - name: Run cargo deny
-        uses: EmbarkStudios/cargo-deny-action@v2
+        run: |
+          cargo install cargo-deny
+          cargo deny check
       - name: Run tests
         run: cargo test --locked --no-fail-fast

.gitignore

@@ -1,3 +1,7 @@
 /target
 /.idea
 /*.local
+.direnv/
+.envrc
+/node_modules
+.env

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "proto"]
 	path = proto
 	url = ../proto.git
+[submodule "web/src/shared/defguard-ui"]
+	path = web/src/shared/defguard-ui
+	url = git@github.com:DefGuard/ui.git