Merge pull request #1577 from DefGuard/release_1.5_merger

Release 1.5 merger

Author: wojcik91

.github/workflows/build-docker.yml

@@ -18,40 +18,43 @@ env:
 jobs:
   build-docker:
     runs-on:
-      - self-hosted
-      - Linux
-      - ${{ matrix.runner }}
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+        image:${{ matrix.os }}
+        instance-size:${{ matrix.size }}
+
     strategy:
       matrix:
-        # cpu: [arm64, amd64, arm/v7]
         cpu: [arm64, amd64]
         include:
-          - cpu: arm64
-            runner: ARM64
+          - os: arm-3.0
+            size: xlarge
+            cpu: arm64
             tag: arm64
-          - cpu: amd64
-            runner: X64
+          - os: ubuntu-7.0
+            size: xlarge
+            cpu: amd64
             tag: amd64
-          # - cpu: arm/v7
-          #   runner: ARM
-          #   tag: armv7
+
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        with:
-          buildkitd-config-inline: |
-            [registry."docker.io"]
-              mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Build container
         uses: docker/build-push-action@v6
         with:
@@ -60,13 +63,35 @@ jobs:
           provenance: false
           push: true
           tags: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: |
+            type=registry,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}
+            type=registry,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ github.ref_name }}
+          cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ github.ref_name }}
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH,MEDIUM"
 
   docker-manifest:
     runs-on: [self-hosted, Linux]
+
+    permissions:
+      contents: read
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+
     needs: [build-docker]
+
     steps:
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -75,12 +100,14 @@ jobs:
             ${{ env.GHCR_REPO }}
           flavor: ${{ inputs.flavor }}
           tags: ${{ inputs.tags }}
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Create and push manifests
         run: |
           tags='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
@@ -90,4 +117,13 @@ jobs:
             docker manifest create ${tag} ${{ env.GHCR_REPO }}:${{ github.sha }}-amd64 ${{ env.GHCR_REPO }}:${{ github.sha }}-arm64
             docker manifest push ${tag}
           done
-        #  ${{ env.GHCR_REPO }}:${{ github.sha }}-armv7
+
+      - name: Sign the images with GitHub OIDC Token
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign sign --yes ${images}
+
+      - name: Verify image signatures
+        run: |
+          images='${{ env.GHCR_REPO }}:${{ github.sha }} ${{ steps.meta.outputs.tags }}'
+          cosign verify ${images} --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp="https://github.com/DefGuard/defguard" -o text

.github/workflows/ci.yml

@@ -20,12 +20,14 @@ on:
 
 jobs:
   test:
-    runs-on: [self-hosted, Linux, X64]
-    container: rust:1
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
+    container: public.ecr.aws/docker/library/rust:1
 
     services:
       postgres:
-        image: postgres:17-alpine
+        image: public.ecr.aws/docker/library/postgres:17-alpine
         env:
           POSTGRES_DB: defguard
           POSTGRES_USER: defguard
@@ -52,21 +54,30 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+
       - name: Cache
         uses: Swatinem/rust-cache@v2
+
       - name: Install protoc
         run: apt-get update && apt-get -y install protobuf-compiler
+
       - name: Check format
         run: |
           rustup component add rustfmt
           cargo fmt -- --check
+
       - name: Run clippy linter
         run: |
           rustup component add clippy
           cargo clippy --all-targets --all-features -- -D warnings
+
       - name: Run cargo deny
-        uses: EmbarkStudios/cargo-deny-action@v2
+        run: |
+          cargo install cargo-deny
+          cargo deny check
+
       - name: Install nextest
         uses: taiki-e/install-action@nextest
+
       - name: Run tests
         run: cargo nextest run --locked --no-fail-fast

.github/workflows/current.yml

@@ -1,6 +1,8 @@
 name: Build current image
 permissions:
   contents: read
+  id-token: write
+  packages: write
 on:
   push:
     branches:

.github/workflows/e2e.yml

@@ -10,21 +10,22 @@ permissions:
 
 jobs:
   test:
-    runs-on: [self-hosted, Linux, X64]
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+        instance-size:2xlarge
+
     steps:
       - uses: actions/checkout@v4
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        with:
-          buildkitd-config-inline: |
-            [registry."docker.io"]
-              mirrors = ["dockerhub-proxy.teonite.net"]
+
       - name: Login to GitHub container registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Export image tag
         run: |
           # strip "refs/heads.” to get just the branch name
@@ -38,16 +39,19 @@ jobs:
           fi
           echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
           echo "E2E tests will run on IMAGE_TAG=$IMAGE_TAG"
+
       - name: Set up Node
         uses: actions/setup-node@v4
         with:
           node-version-file: "./e2e/.nvmrc"
+
       - name: Install pnpm
         id: pnpm-install
         uses: pnpm/action-setup@v4
         with:
           version: 10
           run_install: false
+
       - name: Get pnpm store directory
         id: pnpm-cache
         shell: bash
@@ -61,34 +65,40 @@ jobs:
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
           restore-keys: |
             ${{ runner.os }}-pnpm-store-
+
       - name: Pull images
         run: docker compose --file './docker-compose.e2e.yaml' pull
-      - name: Start compose
-        run: docker compose --file './docker-compose.e2e.yaml' up -d
+
       - name: Install E2E dependencies
         working-directory: ./e2e
         run: pnpm install --frozen-lockfile
+
       - name: Install playwright chromium
         working-directory: ./e2e
         run: npx playwright install chromium
+
       - name: run tests
         working-directory: ./e2e
         run: pnpm test
+
       - name: Stop compose
         if: always()
         run: docker compose --file './docker-compose.e2e.yaml' down
+
       - uses: actions/upload-artifact@v4
         if: failure()
         with:
           name: playwright-report
           path: |
             ./e2e/playwright-report
           retention-days: 7
+
   trigger-dev-deploy:
     needs: test
     if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' }}
     uses: ./.github/workflows/dev-deployment.yml
     secrets: inherit
+
   trigger-staging-deploy:
     needs: test
     if: ${{ github.event_name != 'pull_request' && startsWith(github.ref_name, 'release/') }}

.github/workflows/lint-web.yml

@@ -3,20 +3,24 @@ on:
     branches:
       - main
       - dev
-      - 'release/**'
-    paths:
-      - "web/**"
+      - "release/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
   pull_request:
     branches:
       - main
       - dev
-      - 'release/**'
-    paths:
-      - "web/**"
+      - "release/**"
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
 
 jobs:
   lint-web:
-    runs-on: [self-hosted, Linux, X64]
+    runs-on:
+      - codebuild-defguard-core-runner-${{ github.run_id }}-${{ github.run_attempt }}
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -27,11 +31,11 @@ jobs:
       - name: install deps
         working-directory: ./web
         run: |
-          npm i -g pnpm
+          npm i -g npm pnpm
           pnpm i --frozen-lockfile
       - name: Lint
         working-directory: ./web
-        run: pnpm run lint-ci
+        run: pnpm run lint
       - name: Audit
         working-directory: ./web
         run: pnpm audit --prod

.github/workflows/release.yml

@@ -53,10 +53,12 @@ jobs:
 
   build-binaries:
     needs: [create-release]
+
     runs-on:
       - self-hosted
       - Linux
       - X64
+
     strategy:
       fail-fast: false
       matrix:
@@ -71,6 +73,10 @@ jobs:
           - build: freebsd
             arch: amd64
             target: x86_64-unknown-freebsd
+
+    permissions:
+      contents: write # needed to upload release assets
+
     steps:
       # Store the version, stripping any v-prefix
       - name: Write release version
@@ -105,14 +111,12 @@ jobs:
       - name: Install pnpm
         uses: pnpm/action-setup@v4
         with:
-          version: 9
+          version: 10
 
-      - name: Use Node.js 20
+      - name: Use Node.js 24
         uses: actions/setup-node@v4
         with:
-          node-version: 20
-          cache: "pnpm"
-          cache-dependency-path: ./web/pnpm-lock.yaml
+          node-version: 24
 
       - name: Install frontend dependencies
         run: pnpm install --ignore-scripts --frozen-lockfile
@@ -165,7 +169,7 @@ jobs:
       - name: Build AMI images for multiple regions
         if: matrix.build == 'linux' && matrix.arch == 'amd64'
         run: |
-          regions=(us-east-1 eu-west-1 ap-northeast-1)
+          regions=(us-east-1 eu-west-1 ap-northeast-1 eu-central-1)
           for region in "${regions[@]}"; do
             echo "Building AMI for region: $region"
             echo "Running packer validate for $region..."