chore(deps): Bump clap_complete from 4.5.66 to 4.6.0 #1600
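# Release workflow. Runs on every push to main and on every "v*" tag; the jobs
# that build release binaries, sign, or publish are gated on tags by their own
# `if:` conditions.
name: Release

on:
  push:
    tags:
      - "v*"
    branches:
      - main

# Workflow-level default for GITHUB_TOKEN. Jobs without their own
# `permissions:` block inherit it, so it stays read-only. `id-token: write` and
# `attestations: write` are requested only by the jobs that declare them
# (release, py_release, docker, crates_io_publish); the build jobs just compile
# and upload artifacts and should not be able to mint OIDC tokens.
permissions:
  contents: read

jobs: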
# Job py_linux (child of `jobs:`): manylinux wheels for the Python client, one matrix entry per target.
  py_linux:
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      # Let the remaining targets finish when one of them fails.
      fail-fast: false
      matrix:
        platform:
          - runner: ubuntu-22.04
            target: x86_64
            manylinux: 2_28
          - runner: ubuntu-22.04
            target: x86
            manylinux: 2_28
          - runner: ubuntu-22.04-arm
            target: aarch64
            manylinux: 2_28
          - runner: ubuntu-22.04-arm
            target: armv7
            manylinux: 2_28
          - runner: ubuntu-22.04
            target: ppc64le
            manylinux: 2_28
          - runner: ubuntu-22.04
            target: riscv64
            manylinux: 2_31
          - runner: ubuntu-22.04
            target: loongarch64
            manylinux: 2_36
    steps:
      # Egress is enforced here (`block`): only the hosts listed below are
      # reachable while the wheels are being built.
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            archive.ubuntu.com:443
            astral.sh:443
            cdn01.quay.io:443
            files.pythonhosted.org:443
            index.crates.io:443
            ghcr.io:443
            github.com:443
            objects.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            pypi.org:443
            quay.io:443
            release-assets.githubusercontent.com:443
            security.ubuntu.com:443
            sh.rustup.rs:443
            static.crates.io:443
            static.rust-lang.org:443
            vault.almalinux.org:443
            vault.centos.org:443
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag that SHA corresponds to.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 #v1
      - name: Build Linux ${{ matrix.platform.target }} wheels
        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
        with:
          target: ${{ matrix.platform.target }}
          manylinux: ${{ matrix.platform.manylinux }}
          args: --release --strip --out dist --manifest-path client-py/Cargo.toml --interpreter '3.12 3.13'
          # The compiler cache is switched off for tag builds, so release
          # wheels are compiled without cached objects.
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      - name: Upload Linux ${{ matrix.platform.target }} wheels
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: wheels-linux-${{ matrix.platform.target }}
          path: dist
          retention-days: 5
# Job py_musllinux (child of `jobs:`): musllinux_1_2 wheels for the Python client.
  py_musllinux:
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
        platform:
          - runner: ubuntu-22.04
            target: x86_64
          - runner: ubuntu-22.04
            target: x86
          - runner: ubuntu-22.04-arm
            target: aarch64
          - runner: ubuntu-22.04-arm
            target: armv7
          - runner: ubuntu-22.04
            target: ppc64le
    steps:
      # Egress is enforced (`block`); only the listed hosts are reachable.
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            archive.ubuntu.com:443
            astral.sh:443
            cdn01.quay.io:443
            files.pythonhosted.org:443
            index.crates.io:443
            ghcr.io:443
            github.com:443
            objects.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            pypi.org:443
            quay.io:443
            release-assets.githubusercontent.com:443
            security.ubuntu.com:443
            sh.rustup.rs:443
            static.crates.io:443
            static.rust-lang.org:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 #v1
      # Interpreters installed here match the `--interpreter` list passed to
      # maturin below, including the free-threaded 3.13t build.
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: |
            3.12
            3.13
            3.13t
      - name: Build musl Linux ${{ matrix.platform.target }} wheels
        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
        with:
          target: ${{ matrix.platform.target }}
          args: --release --strip --out dist --manifest-path client-py/Cargo.toml --interpreter '3.12 3.13 3.13t'
          # Compiler cache is used only for non-tag builds.
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
          manylinux: musllinux_1_2
      - name: Upload musl Linux ${{ matrix.platform.target }} wheels
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: wheels-musllinux-${{ matrix.platform.target }}
          path: dist
          retention-days: 5
# Job py_windows (child of `jobs:`): Windows wheels for x64, x86 and arm64.
  py_windows:
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
        platform:
          - runner: windows-latest
            target: x64
          - runner: windows-latest
            target: x86
          - runner: windows-11-arm
            target: arm64
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '>=3.7'
          architecture: ${{ matrix.platform.target }}
      # NOTE(review): rustup-init.exe is fetched over HTTPS and executed
      # without a checksum or signature check; it then installs the toolchain
      # that compiles the published arm64 wheel.
      - name: Install rustup (Windows 11 ARM64) # rust is currently missing from the windows-11-arm runner
        if: matrix.platform.runner == 'windows-11-arm'
        shell: pwsh
        run: |
          Invoke-WebRequest -Uri "https://static.rust-lang.org/rustup/dist/aarch64-pc-windows-msvc/rustup-init.exe" -OutFile rustup-init.exe
          .\rustup-init.exe --default-toolchain none -y
          "$env:USERPROFILE\.cargo\bin" | Out-File -Append -Encoding ascii $env:GITHUB_PATH
          "CARGO_HOME=$env:USERPROFILE\.cargo" | Out-File -Append -Encoding ascii $env:GITHUB_ENV
      - name: Install Rust (Windows 11 ARM64)
        if: matrix.platform.runner == 'windows-11-arm'
        shell: pwsh
        run: |
          rustup install stable
          rustup target add aarch64-pc-windows-msvc
      # Two build steps share one name; exactly one runs per matrix entry,
      # selected by the runner label. The arm64 runner passes the full Rust
      # target triple instead of the matrix `target` value.
      - name: Build Windows ${{ matrix.platform.target }} wheels
        if: matrix.platform.runner != 'windows-11-arm'
        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
        with:
          target: ${{ matrix.platform.target }}
          args: --release --strip --out dist --manifest-path client-py/Cargo.toml
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      - name: Build Windows ${{ matrix.platform.target }} wheels
        if: matrix.platform.runner == 'windows-11-arm'
        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
        with:
          target: aarch64-pc-windows-msvc
          args: --release --strip --out dist --manifest-path client-py/Cargo.toml
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      # Disabled step, kept for reference:
      #- name: Build free-threaded Windows ${{ matrix.platform.target }} wheels
      #  uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
      #  with:
      #    target: ${{ matrix.platform.target }}
      #    args: --release --strip --out dist --manifest-path client-py/Cargo.toml -i python3.13t
      #    sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      - name: Upload Windows ${{ matrix.platform.target }} wheels
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: wheels-windows-${{ matrix.platform.target }}
          path: dist
          retention-days: 5
# Job py_macos (child of `jobs:`): arm64 and x86_64 macOS wheels, built on one runner.
  py_macos:
    runs-on: macos-14
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: '>=3.7'
      - name: Build arm64 macOS wheels
        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
        with:
          target: aarch64
          args: --release --strip --out dist --manifest-path client-py/Cargo.toml
          # Compiler cache is used only for non-tag builds.
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      # The x86_64 target is added to the toolchain before the second build.
      - name: Install x86_64 Toolchain
        run: rustup target add x86_64-apple-darwin
      - name: Build x86_64 macOS wheels
        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
        with:
          target: x86_64
          args: --release --strip --out dist --manifest-path client-py/Cargo.toml
          sccache: ${{ !startsWith(github.ref, 'refs/tags/') }}
      # Both builds write to `dist`, so one artifact carries both wheels.
      - name: Upload macOS wheels
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: wheels-macos
          path: dist
          retention-days: 5
# Job py_sdist (child of `jobs:`): source distribution of the Python client.
  py_sdist:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build sdist
        uses: PyO3/maturin-action@04ac600d27cdf7a9a280dadf7147097c42b757ad # v1.50.1
        with:
          command: sdist
          args: --out dist --manifest-path client-py/Cargo.toml
      # Named `wheels-sdist` so the `wheels-*` download pattern in py_release
      # picks it up together with the binary wheels.
      - name: Upload sdist
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: wheels-sdist
          path: dist
          retention-days: 5
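# Job linux_x86 (child of `jobs:`): x86_64 Linux binaries, .deb packages and the SBOM; tags only.
  linux_x86:
    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `audit` only records outbound connections; the
      # allowed-endpoints list is enforced only with `egress-policy: block`.
      # Confirm the list covers every download made below before switching.
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: audit
          allowed-endpoints: >
            azure.archive.ubuntu.com:80
            cdn.fwupd.org:443
            crates.io:443
            esm.ubuntu.com:443
            github.com:443
            index.crates.io:443
            motd.ubuntu.com:443
            ppa.launchpadcontent.net:443
            static.crates.io:443
            static.rust-lang.org:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 #v1
      - name: Setup Rust toolchain
        run: |
          rustup target install x86_64-unknown-linux-musl
          sudo apt-get update
          sudo apt-get install -y musl musl-dev musl-tools dpkg-dev
      # `--locked` builds the packaging tool against the dependency versions in
      # its published lockfile instead of whatever resolves on release day.
      # NOTE(review): the cargo-deb version itself is still unpinned.
      - name: Install cargo-deb
        run: cargo install --locked cargo-deb
      - name: Install cargo audit, auditable, cyclonedx
        uses: taiki-e/install-action@5ab5d1729c22acd8f798b267eadcfe5e5be6f5c2 # v2.68.27
        with:
          tool: cargo-audit,cargo-auditable,cargo-cyclonedx
      # Exposes the `malwaredb` crate version as steps.version.outputs.version;
      # the .deb file names below are derived from it.
      - id: version
        run: echo "version=$(cargo metadata --format-version=1 --no-deps | jq '.packages[] | select(.name == "malwaredb") | .version' --raw-output)" >> "$GITHUB_OUTPUT"
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libmagic-dev
      - name: Install GUI dependencies
        run: sudo apt-get install -y libxcb-shape0-dev libxcb-xfixes0-dev libx11-dev libxkbcommon-dev libfontconfig-dev libxext-dev libxft-dev libxinerama-dev libxcursor-dev libxrender-dev libxfixes-dev
      # The client is built for the musl target; the binary is renamed so that
      # release assets carry the platform in their file name.
      - name: Build and package client
        run: |
          cd client
          cargo auditable deb --target x86_64-unknown-linux-musl
          cd ..
          mv target/x86_64-unknown-linux-musl/release/mdb_client target/x86_64-unknown-linux-musl/release/mdb_client_linux_musl_x86_64
      - name: Build and package server
        run: |
          cargo deb --locked --cargo-build 'auditable build'
          mv target/release/mdb_server target/release/mdb_server_linux_gnu_x86_64
      - name: Upload mdb_server
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_server_linux_gnu_x86_64
          path: target/release/mdb_server_linux_gnu_x86_64
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_server deb
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: "malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb"
          path: "target/debian/malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb"
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_client
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_client_linux_musl_x86_64
          path: target/x86_64-unknown-linux-musl/release/mdb_client_linux_musl_x86_64
          # Fail here, like the other uploads, rather than let the release job
          # find out that the client binary is missing.
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_client deb
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: "malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb"
          path: "target/x86_64-unknown-linux-musl/debian/malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb"
          if-no-files-found: error
          retention-days: 5
      # The SBOM is produced once, in this job, in both CycloneDX encodings.
      - name: Run cycloneDX and get JSON output
        run: cargo cyclonedx --all --all-features --format=json --override-filename sbom
      - name: Run cycloneDX and get XML output
        run: cargo cyclonedx --all --all-features --format=xml --override-filename sbom
      - name: Upload the JSON BOM file
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: sbom.json
          path: sbom.json
          if-no-files-found: error
          retention-days: 5
      - name: Upload the XML BOM file
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: sbom.xml
          path: sbom.xml
          if-no-files-found: error
          retention-days: 5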
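# Job linux_arm (child of `jobs:`): arm64 Linux binaries and .deb packages; tags only.
  linux_arm:
    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
    runs-on: ubuntu-24.04-arm
    steps:
      # NOTE(review): `audit` only records outbound connections; the
      # allowed-endpoints list is enforced only with `egress-policy: block`.
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: audit
          allowed-endpoints: >
            azure.archive.ubuntu.com:80
            cdn.fwupd.org:443
            crates.io:443
            esm.ubuntu.com:443
            github.com:443
            index.crates.io:443
            motd.ubuntu.com:443
            ppa.launchpadcontent.net:443
            release-assets.githubusercontent.com:443
            static.crates.io:443
            static.rust-lang.org:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 #v1
      # `--locked` builds cargo-deb against the dependency versions in its
      # published lockfile. NOTE(review): its own version is still unpinned.
      - name: Setup Rust toolchain
        run: |
          rustup target install aarch64-unknown-linux-musl
          sudo apt-get update
          sudo apt-get install -y musl musl-dev musl-tools dpkg-dev
          cargo install --locked cargo-deb
      - name: Install cargo audit & auditable
        uses: taiki-e/install-action@5ab5d1729c22acd8f798b267eadcfe5e5be6f5c2 # v2.68.27
        with:
          tool: cargo-audit,cargo-auditable
      # Exposes the `malwaredb` crate version as steps.version.outputs.version;
      # the .deb file names below are derived from it.
      - id: version
        run: echo "version=$(cargo metadata --format-version=1 --no-deps | jq '.packages[] | select(.name == "malwaredb") | .version' --raw-output)" >> "$GITHUB_OUTPUT"
      - name: Install dependencies
        run: sudo apt-get install -y libmagic-dev
      - name: Install GUI dependencies
        run: sudo apt-get install -y libxcb-shape0-dev libxcb-xfixes0-dev libx11-dev libxkbcommon-dev libfontconfig-dev libxext-dev libxft-dev libxinerama-dev libxcursor-dev libxrender-dev libxfixes-dev
      - name: Build and package client
        run: |
          cd client
          cargo auditable deb --target aarch64-unknown-linux-musl
          cd ..
          mv target/aarch64-unknown-linux-musl/release/mdb_client target/aarch64-unknown-linux-musl/release/mdb_client_linux_musl_arm64
      - name: Build and package server
        run: |
          cargo deb --locked --cargo-build 'auditable build'
          mv target/release/mdb_server target/release/mdb_server_linux_gnu_arm64
      - name: Upload mdb_server
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_server_linux_gnu_arm64
          path: target/release/mdb_server_linux_gnu_arm64
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_server deb
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: "malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb"
          path: "target/debian/malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb"
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_client
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_client_linux_musl_arm64
          path: target/aarch64-unknown-linux-musl/release/mdb_client_linux_musl_arm64
          # Fail here, like the other uploads, rather than let the release job
          # find out that the client binary is missing.
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_client deb
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: "malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb"
          path: "target/aarch64-unknown-linux-musl/debian/malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb"
          if-no-files-found: error
          retention-days: 5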
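# Job macos (child of `jobs:`): arm64 macOS binaries, code-signed for notarization; tags only.
  macos:
    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
    runs-on: macos-14
    steps:
      - name: Update Rust
        run: rustup update
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install libmagic
        run: brew install libmagic
      - name: Install cargo audit & auditable
        uses: taiki-e/install-action@5ab5d1729c22acd8f798b267eadcfe5e5be6f5c2 # v2.68.27
        with:
          tool: cargo-audit,cargo-auditable
      - name: Build client
        run: cargo auditable build --workspace --bin mdb_client --release
      - name: Build server
        run: cargo auditable build --features=admin,admin-gui,sqlite,vt,yara --bin mdb_server --release
        env:
          LIBRARY_PATH: "/opt/homebrew/lib:/opt/homebrew/opt/libmagic/lib"
      # The certificate reaches the script through an environment variable, not
      # through `${{ }}` expansion inside the script text, so the secret is
      # never spliced into the shell source. The subshell keeps the restrictive
      # umask local to the key material.
      - name: Rename and prepare for signing
        env:
          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
        run: |
          mv ./target/release/mdb_server ./target/release/mdb_server_darwin_arm64
          mv ./target/release/mdb_client ./target/release/mdb_client_darwin_arm64
          (
            umask 077
            mkdir -p private_keys/
            echo -n "$CERTIFICATE_P12" | base64 --decode -o private_keys/cert.p12
          )
      - name: Sign server
        uses: indygreg/apple-code-sign-action@44d0985b7f4363198e80b6fea63ac3e9dd3e9957 # v1.1
        with:
          input_path: ./target/release/mdb_server_darwin_arm64
          p12_file: private_keys/cert.p12
          p12_password: ${{ secrets.CERTIFICATE_PASSWORD }}
          sign_args: |
            --for-notarization
          rcodesign_version: '0.29.0'
      - name: Sign client
        uses: indygreg/apple-code-sign-action@44d0985b7f4363198e80b6fea63ac3e9dd3e9957 # v1.1
        with:
          input_path: ./target/release/mdb_client_darwin_arm64
          p12_file: private_keys/cert.p12
          p12_password: ${{ secrets.CERTIFICATE_PASSWORD }}
          sign_args: |
            --for-notarization
          rcodesign_version: '0.29.0'
      # Uploads name single files, so private_keys/ is never part of an artifact.
      - name: Upload mdb_server
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_server_darwin_arm64
          path: target/release/mdb_server_darwin_arm64
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_client
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_client_darwin_arm64
          path: target/release/mdb_client_darwin_arm64
          if-no-files-found: error
          retention-days: 5
      # `always()` removes the certificate even when signing or an upload
      # failed; the guard keeps the step from failing when the file was never
      # written.
      - name: Cleanup
        if: always()
        run: |
          if [ -f private_keys/cert.p12 ]; then echo 000000000000 > private_keys/cert.p12; fi
          rm -rf private_keys/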
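# Job windows (child of `jobs:`): amd64 and arm64 Windows binaries; tags only.
  windows:
    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
    runs-on: windows-latest
    env:
      VCPKG_BUILD_TYPE: release
      VCPKG_LIBRARY_LINKAGE: static
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: dtolnay/rust-toolchain@d0e72ca3bfdc51937a4f81431ccbed269ef9f2a2 # stable
      - uses: ChristopheLav/windows-sdk-install@90bb4be1625923275c2b6fa34bb8841584313ded # v1.0.4
        with:
          version-sdk: 22621
          features: 'OptionId.DesktopCPPx64,OptionId.DesktopCPParm64'
      - run: |
          rustup update
          rustup target install aarch64-pc-windows-msvc
      # We have to update vcpkg because the version installed on the GitHub Actions runners is too old, and
      # we need to deal with https://github.com/microsoft/vcpkg/issues/43565, which was fixed in
      # https://github.com/microsoft/vcpkg/pull/43635, https://github.com/microsoft/vcpkg/commit/a0f974c
      # However, this is very slow (git pull), and should be removed when GitHub advances the vcpkg data in the runner
      #
      # NOTE(review): `git pull origin master` takes whatever vcpkg's master is
      # at release time, so the libmagic port linked into the release binaries
      # is not pinned to a reviewed commit.
      # `--locked` builds cargo-vcpkg against the dependency versions in its
      # published lockfile.
      - name: Install vcpkg
        run: |
          cd C:\vcpkg
          git pull origin master
          vcpkg upgrade --no-dry-run
          vcpkg install libmagic:x64-windows-static
          vcpkg install libmagic:arm64-windows-static
          vcpkg integrate install
          vcpkg list --triplet x64-windows-static
          vcpkg list --triplet arm64-windows-static
          cargo install --locked cargo-vcpkg
      - name: Install cargo audit & auditable
        uses: taiki-e/install-action@5ab5d1729c22acd8f798b267eadcfe5e5be6f5c2 # v2.68.27
        with:
          tool: cargo-audit,cargo-auditable
      - name: Build client x86_64
        run: cargo auditable build --workspace --bin mdb_client --release
      - name: Build client arm64
        run: cargo auditable build --workspace --bin mdb_client --release --target=aarch64-pc-windows-msvc
      - name: Build server x86_64
        run: cargo auditable build --features=admin,admin-gui,sqlite,vt,yara --release
      - name: Build server arm64
        run: cargo auditable build --features=admin,admin-gui,sqlite,vt,yara --release --target=aarch64-pc-windows-msvc
      # Copies give each binary a file name that carries its architecture.
      - run: |
          copy target/release/mdb_server.exe target/release/mdb_server_amd64.exe
          copy target/release/mdb_client.exe target/release/mdb_client_amd64.exe
          copy target/aarch64-pc-windows-msvc/release/mdb_server.exe target/aarch64-pc-windows-msvc/release/mdb_server_arm64.exe
          copy target/aarch64-pc-windows-msvc/release/mdb_client.exe target/aarch64-pc-windows-msvc/release/mdb_client_arm64.exe
      - name: Upload mdb_server.exe
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_server_amd64.exe
          path: target/release/mdb_server_amd64.exe
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_server_arm64.exe
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_server_arm64.exe
          path: target/aarch64-pc-windows-msvc/release/mdb_server_arm64.exe
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_client.exe
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_client_amd64.exe
          path: target/release/mdb_client_amd64.exe
          if-no-files-found: error
          retention-days: 5
      - name: Upload mdb_client_arm64.exe
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: mdb_client_arm64.exe
          path: target/aarch64-pc-windows-msvc/release/mdb_client_arm64.exe
          if-no-files-found: error
          retention-days: 5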
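# Job release (child of `jobs:`): gathers the binaries, signs them with minisign, drafts the release.
  release:
    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
    name: GitHub Release
    needs: [windows, macos, linux_x86, linux_arm]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      attestations: write
    steps:
      # NOTE(review): this job holds the minisign secret key, yet egress is
      # only audited; the allowed-endpoints list is enforced only with
      # `egress-policy: block`.
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: audit
          allowed-endpoints: >
            api.github.com:443
            api.snapcraft.io:443
            azure.archive.ubuntu.com:80
            cdn.fwupd.org:443
            esm.ubuntu.com:443
            github.com:443
            motd.ubuntu.com:443
            objects.githubusercontent.com:443
            release-assets.githubusercontent.com:443
            uploads.github.com:443
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # Exposes the `malwaredb` crate version as steps.version.outputs.version;
      # the .deb artifact names below are derived from it.
      - id: version
        run: echo "version=$(cargo metadata --format-version=1 --no-deps | jq '.packages[] | select(.name == "malwaredb") | .version' --raw-output)" >> "$GITHUB_OUTPUT"
      # One download per artifact uploaded by the four build jobs.
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_server_darwin_arm64
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_client_darwin_arm64
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_server_amd64.exe
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_server_arm64.exe
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_client_amd64.exe
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_client_arm64.exe
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_server_linux_gnu_x86_64
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_server_linux_gnu_arm64
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: "malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb"
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: "malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb"
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_client_linux_musl_x86_64
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: mdb_client_linux_musl_arm64
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: "malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb"
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: "malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb"
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: sbom.xml
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: sbom.json
      # NOTE(review): the minisign tarball is fetched and unpacked without any
      # integrity check, and the binary from it is then given the release
      # signing key. Record the tarball's SHA-256 in this file and verify it
      # (`sha256sum -c`) before extraction.
      - name: Download minisign
        run: |
          sudo apt-get install -y wget
          wget https://github.com/jedisct1/minisign/releases/download/0.11/minisign-0.11-linux.tar.gz
          tar xzf minisign-0.11-linux.tar.gz
          mv minisign-linux/x86_64/minisign .
      # The key and the version reach the script through environment variables,
      # not through `${{ }}` expansion inside the script text. The subshell
      # keeps the restrictive umask local to the key file.
      # The empty line piped to minisign presumably answers its key-password
      # prompt - confirm that the key is stored without a password.
      - name: Sign artifacts
        env:
          MINISIGN_KEY: ${{ secrets.MINISIGN_KEY }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          (
            umask 077
            mkdir -p ~/.minisign/
            printf '%s\n' "$MINISIGN_KEY" > ~/.minisign/minisign.key
          )
          echo | ./minisign -t "MalwareDB $VERSION" -Sm mdb_* malwaredb* sbom.*
          echo | ./minisign -R
      # Created as a draft, so publishing remains a manual step.
      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          draft: true
          generate_release_notes: true
          files: |
            mdb_server_darwin_arm64
            mdb_server_darwin_arm64.minisig
            mdb_client_darwin_arm64
            mdb_client_darwin_arm64.minisig
            mdb_server_amd64.exe
            mdb_server_amd64.exe.minisig
            mdb_server_arm64.exe
            mdb_server_arm64.exe.minisig
            mdb_client_amd64.exe
            mdb_client_amd64.exe.minisig
            mdb_client_arm64.exe
            mdb_client_arm64.exe.minisig
            mdb_server_linux_gnu_x86_64
            mdb_server_linux_gnu_x86_64.minisig
            mdb_client_linux_musl_x86_64
            mdb_client_linux_musl_x86_64.minisig
            mdb_server_linux_gnu_arm64
            mdb_server_linux_gnu_arm64.minisig
            mdb_client_linux_musl_arm64
            mdb_client_linux_musl_arm64.minisig
            malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb
            malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb.minisig
            malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb
            malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb.minisig
            malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb
            malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb.minisig
            malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb
            malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb.minisig
            sbom.xml
            sbom.xml.minisig
            sbom.json
            sbom.json.minisig
            minisign.pub
      # `always()` removes the key even when signing or the release upload
      # failed; the guard keeps the step from failing when the key was never
      # written.
      - name: Remove signing key
        if: always()
        run: |
          if [ -f ~/.minisign/minisign.key ]; then echo 00000 > ~/.minisign/minisign.key; fi
          rm -f ~/.minisign/minisign.key
      # Provenance covers every published payload, including the four .deb
      # packages that are attached to the release above.
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: |
            mdb_server_darwin_arm64
            mdb_client_darwin_arm64
            mdb_server_amd64.exe
            mdb_server_arm64.exe
            mdb_client_amd64.exe
            mdb_client_arm64.exe
            mdb_server_linux_gnu_x86_64
            mdb_client_linux_musl_x86_64
            mdb_server_linux_gnu_arm64
            mdb_client_linux_musl_arm64
            malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb
            malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb
            malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb
            malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb
            sbom.xml
            sbom.json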
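# Job py_release (child of `jobs:`): attests the wheels and sdist, then publishes them to PyPI.
  py_release:
    name: PyPi Release
    runs-on: ubuntu-latest
    needs: [py_linux, py_musllinux, py_windows, py_macos, py_sdist]
    environment:
      name: pypi
      url: https://pypi.org/p/malwaredb
    permissions:
      # OIDC token: used for the attestation and by the PyPI publish action.
      id-token: write
      # Nothing in this job writes to the repository or to a release, so
      # read access is enough.
      contents: read
      # Used to generate artifact attestation
      attestations: write
    steps:
      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          pattern: "wheels-*"
      # NOTE(review): the job has no tag condition, so this attestation is
      # also produced for builds of ordinary pushes to main; only the publish
      # step below is gated.
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: 'wheels-*/*'
      # Flatten the per-artifact directories into `dist/`.
      - run: |
          mkdir dist
          mv wheels-*/* dist/
          ls -lah dist/
      # The workflow's only trigger is `push`, so the `workflow_dispatch`
      # alternative cannot be true as the file stands.
      - name: Publish package distributions to PyPI
        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
        if: ${{ startsWith(github.ref, 'refs/tags/') || github.event_name == 'workflow_dispatch' }}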
# Job docker (child of `jobs:`): builds the image, pushes it to GHCR, signs the digest; tags only.
  docker:
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
    permissions:
      contents: read
      packages: write
      # Lets the job obtain the OIDC identity token that cosign presents to
      # sigstore/fulcio for keyless signing.
      id-token: write
    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: malwaredb/malwaredb
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # cosign installer: https://github.com/sigstore/cosign-installer
      - name: Install cosign
        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 #v4.1.0
      # Workaround: https://github.com/docker/build-push-action/issues/461
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      # Registry login with the job's GITHUB_TOKEN.
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #v4.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Tags and labels for the image.
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      # Build and push with Buildx. The job condition already restricts runs to
      # `push` events, so the pull_request test below is always true here.
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 #v7.0.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      # Sign the pushed image by digest, once per tag.
      # https://github.com/sigstore/cosign
      - name: Sign the published Docker image
        env:
          # Step outputs are handed over as environment variables instead of
          # being expanded inside the script:
          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # The identity token is exchanged for an ephemeral certificate from the
        # sigstore community Fulcio instance.
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
# Job crates_io_publish (child of `jobs:`): publishes the workspace to crates.io after the release job.
  crates_io_publish:
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
    name: Publish to crates.io
    needs: [release]
    permissions:
      contents: read
      # The auth action below needs the OIDC token.
      id-token: write
    steps:
      # NOTE(review): `audit` only records outbound connections; the
      # allowed-endpoints list is enforced only with `egress-policy: block`.
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: audit
          allowed-endpoints: >
            azure.archive.ubuntu.com:80
            cdn.fwupd.org:443
            crates.io:443
            esm.ubuntu.com:443
            github.com:443
            index.crates.io:443
            motd.ubuntu.com:443
            ppa.launchpadcontent.net:443
            static.crates.io:443
            static.rust-lang.org:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libmagic-dev build-essential
      # The registry token comes from this step's output; no crates.io token
      # is read from repository secrets in this job.
      - uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
        id: auth
      - run: cargo publish --workspace
        env:
          CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}