From 854a2cc91fc1f35316e483a73b4ef6f603586d00 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Thu, 25 Sep 2025 08:58:11 +0200 Subject: [PATCH 1/4] CI sbom implementation --- .github/workflows/release.yml | 321 +++++++++++++++++----------------- .github/workflows/sbom.yml | 68 +++++++ 2 files changed, 232 insertions(+), 157 deletions(-) create mode 100644 .github/workflows/sbom.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f7071a71..6d978cc5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -52,160 +52,167 @@ jobs: draft: true generate_release_notes: true - build-binaries: - needs: [create-release] - runs-on: - - self-hosted - - ${{ matrix.os }} - - X64 - strategy: - fail-fast: false - matrix: - build: [linux, linux-arm64, freebsd] - include: - - build: linux - arch: amd64 - os: Linux - target: x86_64-unknown-linux-gnu - - build: linux-arm64 - arch: arm64 - os: Linux - target: aarch64-unknown-linux-gnu - - build: freebsd - arch: amd64 - os: Linux - target: x86_64-unknown-freebsd - steps: - # Store the version, stripping any v-prefix - - name: Write release version - run: | - VERSION=${GITHUB_REF_NAME#v} - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@v4 - with: - submodules: recursive - - - name: Install Rust stable - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - target: ${{ matrix.target }} - override: true - - - name: Setup `packer` - uses: hashicorp/setup-packer@main - id: setup - - - name: Set up Docker BuildX - uses: docker/setup-buildx-action@v3 - with: - config-inline: | - [registry."docker.io"] - mirrors = ["dockerhub-proxy.teonite.net"] - - - name: Install pnpm - uses: pnpm/action-setup@v4 - with: - version: 10 - - - name: Use Node.js - uses: actions/setup-node@v4 - with: - node-version: 24 - cache: "pnpm" - cache-dependency-path: ./webnext/pnpm-lock.yaml - - - name: Install frontend dependencies - run: pnpm install --ignore-scripts --frozen-lockfile - working-directory: webnext - - - name: Build frontend - run: pnpm build - working-directory: webnext - - - name: Build release binary - uses: actions-rs/cargo@v1 - with: - use-cross: true - command: build - args: --locked --release --target ${{ matrix.target }} - - - name: Rename binary - run: mv target/${{ matrix.target }}/release/defguard-proxy defguard-proxy-${{ github.ref_name }}-${{ matrix.target }} - - - name: Tar - uses: a7ul/tar-action@v1.1.0 - with: - command: c - files: | - defguard-proxy-${{ 
github.ref_name }}-${{ matrix.target }} - outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - - name: Upload release archive - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - asset_content_type: application/octet-stream - - - name: Build DEB package - if: matrix.build == 'linux' - uses: bpicode/github-action-fpm@master - with: - fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb" - - - name: Upload DEB - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb - asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb - asset_content_type: application/octet-stream - - - name: Run `packer init` - if: matrix.build == 'linux' && matrix.arch == 'amd64' - id: init - run: "packer init ./images/ami/proxy.pkr.hcl" - - - name: Build AMI images for multiple regions - if: matrix.build == 'linux' && matrix.arch == 'amd64' - run: | - regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - for region in "${regions[@]}"; do - echo "Building AMI for region: $region" - echo "Running packer validate for $region..." 
- packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - echo "Building AMI image for $region..." - packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - done - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - - name: Build RPM package - if: matrix.build == 'linux' - uses: bpicode/github-action-fpm@master - with: - fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" - fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" - - - name: Upload RPM - if: matrix.build == 'linux' - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - asset_content_type: application/octet-stream + create-sbom: + # TODO change to build-docker-release + needs: [create-release, build-docker-prerelease] + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + + # build-binaries: + # needs: [create-release] + # runs-on: + # - self-hosted + # - ${{ matrix.os }} + # - X64 + # strategy: + # fail-fast: false + # matrix: + # build: [linux, linux-arm64, freebsd] + # include: + # - build: linux + # arch: amd64 + # os: Linux + # target: x86_64-unknown-linux-gnu + # - build: linux-arm64 + # arch: arm64 + # os: Linux + # target: aarch64-unknown-linux-gnu + # - build: freebsd + # arch: amd64 + # os: Linux + # target: 
x86_64-unknown-freebsd + # steps: + # # Store the version, stripping any v-prefix + # - name: Write release version + # run: | + # VERSION=${GITHUB_REF_NAME#v} + # echo Version: $VERSION + # echo "VERSION=$VERSION" >> $GITHUB_ENV + + # - name: Checkout + # uses: actions/checkout@v4 + # with: + # submodules: recursive + + # - name: Install Rust stable + # uses: actions-rs/toolchain@v1 + # with: + # toolchain: stable + # target: ${{ matrix.target }} + # override: true + + # - name: Setup `packer` + # uses: hashicorp/setup-packer@main + # id: setup + + # - name: Set up Docker BuildX + # uses: docker/setup-buildx-action@v3 + # with: + # config-inline: | + # [registry."docker.io"] + # mirrors = ["dockerhub-proxy.teonite.net"] + + # - name: Install pnpm + # uses: pnpm/action-setup@v4 + # with: + # version: 10 + + # - name: Use Node.js + # uses: actions/setup-node@v4 + # with: + # node-version: 24 + # cache: "pnpm" + # cache-dependency-path: ./webnext/pnpm-lock.yaml + + # - name: Install frontend dependencies + # run: pnpm install --ignore-scripts --frozen-lockfile + # working-directory: webnext + + # - name: Build frontend + # run: pnpm build + # working-directory: webnext + + # - name: Build release binary + # uses: actions-rs/cargo@v1 + # with: + # use-cross: true + # command: build + # args: --locked --release --target ${{ matrix.target }} + + # - name: Rename binary + # run: mv target/${{ matrix.target }}/release/defguard-proxy defguard-proxy-${{ github.ref_name }}-${{ matrix.target }} + + # - name: Tar + # uses: a7ul/tar-action@v1.1.0 + # with: + # command: c + # files: | + # defguard-proxy-${{ github.ref_name }}-${{ matrix.target }} + # outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + # - name: Upload release archive + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-proxy-${{ 
github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + # asset_content_type: application/octet-stream + + # - name: Build DEB package + # if: matrix.build == 'linux' + # uses: bpicode/github-action-fpm@master + # with: + # fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb" + + # - name: Upload DEB + # if: matrix.build == 'linux' + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb + # asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb + # asset_content_type: application/octet-stream + + # - name: Run `packer init` + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # id: init + # run: "packer init ./images/ami/proxy.pkr.hcl" + + # - name: Build AMI images for multiple regions + # if: matrix.build == 'linux' && matrix.arch == 'amd64' + # run: | + # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + # for region in "${regions[@]}"; do + # echo "Building AMI for region: $region" + # echo "Running packer validate for $region..." + # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + # echo "Building AMI image for $region..." 
+ # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + # done + # env: + # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # - name: Build RPM package + # if: matrix.build == 'linux' + # uses: bpicode/github-action-fpm@master + # with: + # fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" + # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" + + # - name: Upload RPM + # if: matrix.build == 'linux' + # uses: actions/upload-release-asset@v1.0.2 + # env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} + # asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + # asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + # asset_content_type: application/octet-stream diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml new file mode 100644 index 00000000..7a9ada9c --- /dev/null +++ b/.github/workflows/sbom.yml 
@@ -0,0 +1,68 @@ +name: Create SBOM files + +on: + workflow_call: + inputs: + upload_url: + description: "Release assets upload url" + required: true + type: string + +jobs: + create-sbom: + runs-on: + - codebuild-defguard-proxy-runner-${{ github.run_id }}-${{ github.run_attempt }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: recursive + + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Create SBOM with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + format: 'spdx-json' + output: "defguard-proxy-${{ env.VERSION }}.sbom.json" + scan-ref: '.' + severity: "CRITICAL,HIGH,MEDIUM" + + - name: Create docker image SBOM with Trivy + uses: aquasecurity/trivy-action@0.33.1 + with: + image-ref: "ghcr.io/defguard/defguard-proxy:${{ env.VERSION }}" + scan-type: 'image' + format: 'spdx-json' + output: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json" + severity: "CRITICAL,HIGH,MEDIUM" + scanners: "vuln" + + - name: Upload SBOM + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ inputs.upload_url }} + asset_path: "defguard-proxy-${{ env.VERSION }}.sbom.json" + asset_name: "defguard-proxy-${{ env.VERSION }}.sbom.json" + asset_content_type: application/octet-stream + scanners: "vuln" + + - name: Upload docker SBOM + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ inputs.upload_url }} + asset_path: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json" + asset_name: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json" + asset_content_type: application/octet-stream + From 3a1c6ba4f47c8f58f8f73e83d7475e4336d72c1f Mon Sep 17 00:00:00 2001 
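Review bot: The docker SBOM step scans `ghcr.io/defguard/defguard-proxy:${{ env.VERSION }}` by mutable tag, so the SBOM attached to the release cannot be tied to the exact image this run built if the tag is ever re-pushed; scanning by digest is more reliable, e.g. pass the pushed digest into this reusable workflow as a second `workflow_call` input next to `upload_url` and use `image-ref: "ghcr.io/defguard/defguard-proxy@${{ inputs.image_digest }}"` (input name is a placeholder; the docker build job is outside this patch). The `severity` and `scanners` inputs on both Trivy steps read like leftovers from a vulnerability scan and, as far as I can tell, do not change what goes into an `spdx-json` SBOM — worth dropping or confirming against the action's docs. The `scanners: "vuln"` key under the upload-release-asset step's `with:` is not an input of that action and will at best produce an unexpected-input warning (it is removed later in this series). `asset_content_type: application/octet-stream` is loose for an SPDX JSON asset; `application/spdx+json` is the registered media type and lets downstream consumers recognise it.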
From: Jacek Chmielewski Date: Thu, 25 Sep 2025 09:55:30 +0200 Subject: [PATCH 2/4] uncomment build-binaries job --- .github/workflows/release.yml | 317 +++++++++++++++++----------------- 1 file changed, 158 insertions(+), 159 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6d978cc5..daff50bf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -53,166 +53,165 @@ jobs: generate_release_notes: true create-sbom: - # TODO change to build-docker-release - needs: [create-release, build-docker-prerelease] + needs: [create-release, build-docker-release] uses: ./.github/workflows/sbom.yml with: upload_url: ${{ needs.create-release.outputs.upload_url }} - # build-binaries: - # needs: [create-release] - # runs-on: - # - self-hosted - # - ${{ matrix.os }} - # - X64 - # strategy: - # fail-fast: false - # matrix: - # build: [linux, linux-arm64, freebsd] - # include: - # - build: linux - # arch: amd64 - # os: Linux - # target: x86_64-unknown-linux-gnu - # - build: linux-arm64 - # arch: arm64 - # os: Linux - # target: aarch64-unknown-linux-gnu - # - build: freebsd - # arch: amd64 - # os: Linux - # target: x86_64-unknown-freebsd - # steps: - # # Store the version, stripping any v-prefix - # - name: Write release version - # run: | - # VERSION=${GITHUB_REF_NAME#v} - # echo Version: $VERSION - # echo "VERSION=$VERSION" >> $GITHUB_ENV - - # - name: Checkout - # uses: actions/checkout@v4 - # with: - # submodules: recursive - - # - name: Install Rust stable - # uses: actions-rs/toolchain@v1 - # with: - # toolchain: stable - # target: ${{ matrix.target }} - # override: true - - # - name: Setup `packer` - # uses: hashicorp/setup-packer@main - # id: setup - - # - name: Set up Docker BuildX - # uses: docker/setup-buildx-action@v3 - # with: - # config-inline: | - # [registry."docker.io"] - # mirrors = ["dockerhub-proxy.teonite.net"] - - # - name: Install pnpm - # uses: pnpm/action-setup@v4 - # with: - # version: 10 - - # - name: Use Node.js - # uses: actions/setup-node@v4 - # with: - # node-version: 24 - # cache: "pnpm" - # cache-dependency-path: ./webnext/pnpm-lock.yaml - - # - name: Install frontend dependencies - # run: pnpm install --ignore-scripts --frozen-lockfile - # working-directory: webnext - - # - name: Build frontend - # run: pnpm build - # working-directory: webnext - - # - name: Build release binary - # uses: 
actions-rs/cargo@v1 - # with: - # use-cross: true - # command: build - # args: --locked --release --target ${{ matrix.target }} - - # - name: Rename binary - # run: mv target/${{ matrix.target }}/release/defguard-proxy defguard-proxy-${{ github.ref_name }}-${{ matrix.target }} - - # - name: Tar - # uses: a7ul/tar-action@v1.1.0 - # with: - # command: c - # files: | - # defguard-proxy-${{ github.ref_name }}-${{ matrix.target }} - # outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - - # - name: Upload release archive - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz - # asset_content_type: application/octet-stream - - # - name: Build DEB package - # if: matrix.build == 'linux' - # uses: bpicode/github-action-fpm@master - # with: - # fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb" - - # - name: Upload DEB - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb - # asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb - # asset_content_type: application/octet-stream - - # - name: Run `packer init` - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # id: init - # run: "packer init 
./images/ami/proxy.pkr.hcl" - - # - name: Build AMI images for multiple regions - # if: matrix.build == 'linux' && matrix.arch == 'amd64' - # run: | - # regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) - # for region in "${regions[@]}"; do - # echo "Building AMI for region: $region" - # echo "Running packer validate for $region..." - # packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - # echo "Building AMI image for $region..." - # packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl - # done - # env: - # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - - # - name: Build RPM package - # if: matrix.build == 'linux' - # uses: bpicode/github-action-fpm@master - # with: - # fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" - # fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" - - # - name: Upload RPM - # if: matrix.build == 'linux' - # uses: actions/upload-release-asset@v1.0.2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} - # asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - # asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm - # asset_content_type: application/octet-stream + build-binaries: + needs: [create-release] + runs-on: + - self-hosted + - ${{ matrix.os }} + - X64 + strategy: + fail-fast: false + matrix: + build: [linux, linux-arm64, freebsd] + include: + - build: linux + arch: amd64 + os: Linux + target: x86_64-unknown-linux-gnu + - build: 
linux-arm64 + arch: arm64 + os: Linux + target: aarch64-unknown-linux-gnu + - build: freebsd + arch: amd64 + os: Linux + target: x86_64-unknown-freebsd + steps: + # Store the version, stripping any v-prefix + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Checkout + uses: actions/checkout@v4 + with: + submodules: recursive + + - name: Install Rust stable + uses: actions-rs/toolchain@v1 + with: + toolchain: stable + target: ${{ matrix.target }} + override: true + + - name: Setup `packer` + uses: hashicorp/setup-packer@main + id: setup + + - name: Set up Docker BuildX + uses: docker/setup-buildx-action@v3 + with: + config-inline: | + [registry."docker.io"] + mirrors = ["dockerhub-proxy.teonite.net"] + + - name: Install pnpm + uses: pnpm/action-setup@v4 + with: + version: 10 + + - name: Use Node.js + uses: actions/setup-node@v4 + with: + node-version: 24 + cache: "pnpm" + cache-dependency-path: ./webnext/pnpm-lock.yaml + + - name: Install frontend dependencies + run: pnpm install --ignore-scripts --frozen-lockfile + working-directory: webnext + + - name: Build frontend + run: pnpm build + working-directory: webnext + + - name: Build release binary + uses: actions-rs/cargo@v1 + with: + use-cross: true + command: build + args: --locked --release --target ${{ matrix.target }} + + - name: Rename binary + run: mv target/${{ matrix.target }}/release/defguard-proxy defguard-proxy-${{ github.ref_name }}-${{ matrix.target }} + + - name: Tar + uses: a7ul/tar-action@v1.1.0 + with: + command: c + files: | + defguard-proxy-${{ github.ref_name }}-${{ matrix.target }} + outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + + - name: Upload release archive + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-proxy-${{ 
github.ref_name }}-${{ matrix.target }}.tar.gz + asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz + asset_content_type: application/octet-stream + + - name: Build DEB package + if: matrix.build == 'linux' + uses: bpicode/github-action-fpm@master + with: + fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb" + + - name: Upload DEB + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb + asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb + asset_content_type: application/octet-stream + + - name: Run `packer init` + if: matrix.build == 'linux' && matrix.arch == 'amd64' + id: init + run: "packer init ./images/ami/proxy.pkr.hcl" + + - name: Build AMI images for multiple regions + if: matrix.build == 'linux' && matrix.arch == 'amd64' + run: | + regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1) + for region in "${regions[@]}"; do + echo "Building AMI for region: $region" + echo "Running packer validate for $region..." + packer validate --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + echo "Building AMI image for $region..." 
+ packer build -color=false -on-error=abort --var "package_version=${{ env.VERSION }}" --var "region=$region" ./images/ami/proxy.pkr.hcl + done + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + - name: Build RPM package + if: matrix.build == 'linux' + uses: bpicode/github-action-fpm@master + with: + fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml" + fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm" + + - name: Upload RPM + if: matrix.build == 'linux' + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm + asset_content_type: application/octet-stream From 931ee7d7fbdd15f6b714fbc5e7aad57d167c8131 Mon Sep 17 00:00:00 2001 From: Jacek Chmielewski Date: Fri, 26 Sep 2025 09:02:40 +0200 Subject: [PATCH 3/4] run sbom on self-hosted workers --- .github/workflows/sbom.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 7a9ada9c..00c50999 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -10,8 +10,7 @@ on: jobs: create-sbom: - runs-on: - - codebuild-defguard-proxy-runner-${{ github.run_id }}-${{ github.run_attempt }} + runs-on: self-hosted steps: - name: Checkout From 48c2eff2c5d616f397a0e5aaeddf22a3510ae234 Mon Sep 17 00:00:00 2001 
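Review bot: The restored build-binaries job pins `bpicode/github-action-fpm@master` and `hashicorp/setup-packer@main` to moving branch refs while the same job carries `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and a release-write `GITHUB_TOKEN`; any change pushed to those branches runs with those credentials. Since the job is being re-enabled anyway, pinning each third-party action to a full commit SHA with the version in a trailing comment would close that, e.g. `uses: hashicorp/setup-packer@<commit-sha>  # <release version>` with the SHA taken from the action's release page. `actions-rs/toolchain@v1` and `actions-rs/cargo@v1` appear to be unmaintained upstream and could be replaced in a follow-up, but that is outside this series. The job body is byte-for-byte what the previous patch commented out, so this is pre-existing rather than introduced here.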
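Review bot: `runs-on: self-hosted` on its own matches every self-hosted runner registered to the repo or org regardless of OS or architecture, whereas the build-binaries job in release.yml narrows its runner with `[self-hosted, <matrix.os>, X64]`; the Trivy image step needs a host that can pull and unpack the container image, so a runner of the wrong kind would fail or produce a different SBOM. Using the same label set, `runs-on: [self-hosted, Linux, X64]`, keeps the SBOM job on the same class of machine as the builds. The surrounding `create-sbom` job continues outside the hunk.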
From: Jacek Chmielewski Date: Fri, 26 Sep 2025 10:22:01 +0200 Subject: [PATCH 4/4] use shogo82148/actions-upload-release-asset upload action --- .github/workflows/sbom.yml | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 00c50999..0a8b8c81 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -4,7 +4,7 @@ on: workflow_call: inputs: upload_url: - description: "Release assets upload url" + description: "Release assets upload URL" required: true type: string @@ -45,23 +45,10 @@ jobs: scanners: "vuln" - name: Upload SBOM - uses: actions/upload-release-asset@v1.0.2 + uses: shogo82148/actions-upload-release-asset@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ inputs.upload_url }} - asset_path: "defguard-proxy-${{ env.VERSION }}.sbom.json" - asset_name: "defguard-proxy-${{ env.VERSION }}.sbom.json" + asset_path: "defguard-*.sbom.json" asset_content_type: application/octet-stream - scanners: "vuln" - - - name: Upload docker SBOM - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ inputs.upload_url }} - asset_path: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json" - asset_name: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json" - asset_content_type: application/octet-stream -
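Review bot: `shogo82148/actions-upload-release-asset@v1` is a mutable major-version tag on a third-party action that runs with the release-write `GITHUB_TOKEN`; for a release workflow the usual hardening is a full commit SHA with the version in a comment, e.g. `uses: shogo82148/actions-upload-release-asset@<commit-sha>  # <release version>`. The glob `defguard-*.sbom.json` now uploads both SBOMs in one step, which is fine as long as nothing else matching that pattern is present in the workspace at that point; a comment naming what it is expected to match would help, `# uploads the fs and docker SBOMs written by the two Trivy steps above`. `asset_content_type: application/octet-stream` is carried over from the old step; `application/spdx+json` is the registered media type for SPDX JSON.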