Skip to content
Make a new release

Implement "force all traffic" enterprise setting (#212) #70

Sign in to view logs

Implement "force all traffic" enterprise setting (#212)

Implement "force all traffic" enterprise setting (#212) #70

Workflow file for this run

.github/workflows/release.yml at 500b3e5
name: Make a new release
on:
push:
tags:
- v*.*.*
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build-docker-release:
# Ignore tags with -, like v1.0.0-alpha
# This job will build the docker container with the "latest" tag which
# is a tag used in production, thus it should only be run for full releases.
if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-')
name: Build Release Docker image
uses: ./.github/workflows/build-docker.yml
with:
tags: |
type=raw,value=latest
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha
build-docker-prerelease:
# Only build tags with -, like v1.0.0-alpha
if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-')
name: Build Pre-release Docker image
uses: ./.github/workflows/build-docker.yml
with:
tags: |
type=raw,value=pre-release
type=semver,pattern={{version}}
type=sha
# Explicitly disable latest tag. It will be added otherwise.
flavor: |
latest=false
create-release:
name: create-release
runs-on: self-hosted
outputs:
upload_url: ${{ steps.release.outputs.upload_url }}
steps:
- name: Create GitHub release
id: release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
draft: true
generate_release_notes: true
create-sbom:
needs: [create-release, build-docker-release]
uses: ./.github/workflows/sbom.yml
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
build-binaries:
needs: [create-release]
runs-on:
- self-hosted
- ${{ matrix.os }}
- X64
strategy:
fail-fast: false
matrix:
build: [linux, linux-arm64, freebsd]
include:
- build: linux
arch: amd64
os: Linux
target: x86_64-unknown-linux-gnu
- build: linux-arm64
arch: arm64
os: Linux
target: aarch64-unknown-linux-gnu
- build: freebsd
arch: amd64
os: Linux
target: x86_64-unknown-freebsd
steps:
# Store the version, stripping any v-prefix
- name: Write release version
run: |
VERSION=${GITHUB_REF_NAME#v}
echo Version: $VERSION
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Checkout
uses: actions/checkout@v4
with:
submodules: recursive
- name: Install Rust stable
uses: actions-rs/toolchain@v1
with:
toolchain: stable
target: ${{ matrix.target }}
override: true
- name: Setup `packer`
uses: hashicorp/setup-packer@main
id: setup
- name: Set up Docker BuildX
uses: docker/setup-buildx-action@v3
with:
config-inline: |
[registry."docker.io"]
mirrors = ["dockerhub-proxy.teonite.net"]
- name: Install pnpm
uses: pnpm/action-setup@v4
with:
# FIXME: temporarily pinned because of https://github.com/pnpm/pnpm/pull/9959
version: 10.17
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version: 24
cache: "pnpm"
cache-dependency-path: ./web/pnpm-lock.yaml
- name: Install frontend dependencies
run: pnpm install --ignore-scripts --frozen-lockfile
working-directory: web
- name: Build frontend
run: pnpm build
working-directory: web
- name: Build release binary
uses: actions-rs/cargo@v1
with:
use-cross: true
command: build
args: --locked --release --target ${{ matrix.target }}
- name: Rename binary
run: mv target/${{ matrix.target }}/release/defguard-proxy defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}
- name: Tar
uses: a7ul/[email protected]
with:
command: c
files: |
defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}
outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
- name: Upload release archive
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
asset_content_type: application/octet-stream
- name: Build DEB package
if: matrix.build == 'linux'
uses: bpicode/github-action-fpm@master
with:
fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb"
- name: Upload DEB
if: matrix.build == 'linux'
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
asset_content_type: application/octet-stream
- name: Install ruby with deb-s3
if: matrix.build == 'linux'
run: |
sudo apt-get install -y ruby
gem install deb-s3
echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
- name: Upload DEB to apt repository
if: matrix.build == 'linux'
run: |
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
- name: Build RPM package
if: matrix.build == 'linux'
uses: bpicode/github-action-fpm@master
with:
fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm"
- name: Upload RPM
if: matrix.build == 'linux'
uses: actions/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
asset_content_type: application/octet-stream
apt-sign:
needs:
- build-binaries
runs-on:
- self-hosted
- Linux
- X64
strategy:
fail-fast: false
steps:
- name: Sign APT repository on trixie
run: |
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
export AWS_REGION=eu-north-1
sudo apt update -y
sudo apt install -y awscli curl jq
for DIST in trixie; do
aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
-H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
-F "file=@Release" \
-o response.json
cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
done
(aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
aws s3 cp index.html s3://apt.defguard.net/ --acl public-read