chore(mise): add mise config

ggguardian · ggguardian · commit 40822c8ce918 · 2025-06-26T15:27:23.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,8 @@
 .DS_Store
 .local/
 
+build/
+
 melange.rsa*
 cosign.key
 cosign.pub
diff --git a/dagger/src/ggbridge/main.py b/dagger/src/ggbridge/main.py
@@ -254,7 +254,7 @@ async def client(
         server: Annotated[str, Doc("Server address")],
         ca: Annotated[dagger.File | None, Doc("Certificate authority")] = None,
         cert: Annotated[dagger.File | None, Doc("Client certificate")] = None,
-        key: Annotated[dagger.File | None, Doc("Client certificate key")] = None,
+        key: Annotated[dagger.Secret | None, Doc("Client certificate key")] = None,
         tunnel_health_port: Annotated[int, Doc("Health tunnel port")] = 9081,
     ) -> dagger.Container:
         """Return the ggbridge client container"""
@@ -273,9 +273,15 @@ async def client(
         )
         if tls_enabled:
             container = (
-                container.with_mounted_file("/etc/ggbridge/tls/ca.crt", source=ca)
-                .with_mounted_file("/etc/ggbridge/tls/client.crt", source=cert)
-                .with_mounted_file("/etc/ggbridge/tls/client.key", source=key)
+                container.with_mounted_file(
+                    "/etc/ggbridge/tls/ca.crt", source=ca, owner="nonroot"
+                )
+                .with_mounted_file(
+                    "/etc/ggbridge/tls/client.crt", source=cert, owner="nonroot"
+                )
+                .with_mounted_secret(
+                    "/etc/ggbridge/tls/client.key", source=key, owner="nonroot"
+                )
             )
         return container
 
@@ -284,7 +290,7 @@ async def server(
         self,
         ca: Annotated[dagger.File | None, Doc("Certificate authority")] = None,
         cert: Annotated[dagger.File | None, Doc("Client certificate")] = None,
-        key: Annotated[dagger.File | None, Doc("Client certificate key")] = None,
+        key: Annotated[dagger.Secret | None, Doc("Client certificate key")] = None,
         port: Annotated[int, Doc("Server port")] = 9000,
         tunnel_health_port: Annotated[int, Doc("Health port")] = 9081,
         tunnel_socks_port: Annotated[int, Doc("Socks port")] = 9180,
@@ -318,9 +324,15 @@ async def server(
         )
         if tls_enabled:
             container = (
-                container.with_mounted_file("/etc/ggbridge/tls/ca.crt", source=ca)
-                .with_mounted_file("/etc/ggbridge/tls/server.crt", source=cert)
-                .with_mounted_file("/etc/ggbridge/tls/server.key", source=key)
+                container.with_mounted_file(
+                    "/etc/ggbridge/tls/ca.crt", source=ca, owner="nonroot"
+                )
+                .with_mounted_file(
+                    "/etc/ggbridge/tls/server.crt", source=cert, owner="nonroot"
+                )
+                .with_mounted_secret(
+                    "/etc/ggbridge/tls/server.key", source=key, owner="nonroot"
+                )
             )
         return container
 
@@ -360,7 +372,7 @@ async def scan(
         output_format: Annotated[str, Doc("Report output formatter")] = "table",
     ) -> dagger.File:
         """Scan the ggbridge image using grype"""
-        return self.image().scan(
+        return await self.image().scan(
             variant=variant, severity=severity, output_format=output_format
         )
 
diff --git a/mise.toml b/mise.toml
@@ -0,0 +1,68 @@
+[tools]
+"aqua:dagger/dagger" = { version = "0.18.11" }
+"aqua:helm" = { version = "3.18.3"}
+"aqua:norwoodj/helm-docs" = { version = "1.14.2"}
+"pipx:ggshield" = { version = "1.41.0", uvx_args = "--python-preference=system" }
+"pipx:pre-commit" = { version = "4.2.0", uvx_args = "--python-preference=system" }
+
+[tasks.build]
+description = "Build ggbridge (images + chart)"
+run = "dagger call build $@ export --path={{ config_root }}/build"
+
+[tasks.scan]
+description = "Scan ggbridge Docker image"
+usage = '''
+flag "--variant <variant>" help="the variant to build" default="prod"
+'''
+run = 'dagger call scan --variant={{flag(name="variant")}} $@ contents'
+
+[tasks.publish]
+description = "Publish ggbridge (images + chart) on ttl.sh"
+usage = '''
+flag "-v --version <version>" help="ggbridge version" default="0.1.0"
+'''
+run = 'dagger call publish --version={{flag(name="version")}} $@'
+
+[tasks.build-chart]
+description = "Build ggbridge Helm chart"
+usage = '''
+flag "-v --version <version>" help="ggbridge version" default="0.1.0"
+'''
+run = 'dagger call chart build --version={{flag(name="version")}} $@ export --path={{ config_root }}/build/chart/ggbridge-{{arg(name="version")}}.tgz'
+
+[tasks.build-image]
+description = "Build ggbridge Docker image"
+usage = '''
+flag "--variant <variant>" help="the variant to build" default="prod"
+'''
+run = 'dagger call image build --variant={{flag(name="variant")}} export --path={{ config_root }}/build/image/{{flag(name="variant")}}'
+
+[tasks.terminal]
+description = "Build ggbridge shell variant Docker image and open a terminal"
+run = "dagger call container $@ terminal"
+
+[tasks.client]
+description = "Run ggbridge client"
+usage = '''
+flag "--server <server>" help="the server address"
+flag "--ca <ca>" help="the CA cert"
+flag "--cert <cert>" help="the client cert"
+flag "--key <key>" help="the client private key"
+'''
+run = 'dagger call client --server={{flag(name="server")}} --ca={{flag(name="ca")}} --cert={{flag(name="cert")}} --key={{flag(name="key")}} up'
+
+[tasks.lint]
+description = "Lint ggbridge Helm chart"
+run = "helm lint --strict helm/ggbridge"
+
+[tasks.test]
+description = "Test ggbridge and print the report"
+run = "dagger call test $@ contents"
+
+[tasks.cleanup]
+description = "Cleanup ggbridge"
+run = "rm -rf {{ config_root }}/build"
+
+[tasks.prune]
+description = "Prune dagger engine cache"
+run = "dagger core engine local-cache prune"
