author | Mathijs van Veluw <[email protected]> | 2023-12-04 20:26:11 +0100 |
committer | GitHub <[email protected]> | 2023-12-04 20:26:11 +0100 |
commit | 34e00e1478c919f725b1f94534245a55d0f5a005 (patch) | |
tree | 2567f46a4acc0c5aea4702687f39a1b73e4bfb71 /.github | |
parent | 0fdda3bc2f22b1881ac265d08e24ab9ef9402f9e (diff) | |
Update Rust, Crates, Profile and Actions (#4126)
- Updated Rust to v1.74.0
- Updated all crates (where possible)
- Changed release profile to use
* fat lto
* 1 codegen-unit
This should optimize a bit for speed and a lot for size ~15MB smaller
- Updated Github actions to use caching for the bake process
- Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images
- During the release action, the Alpine/static binaries are added as artifacts.
Later we could perhaps also add them to the releases automatically.
- Added CODEOWNERS to prevent unchecked changes to GitHub Actions workflows
Diffstat (limited to '.github')
-rw-r--r-- | .github/CODEOWNERS | 3 | ||||
-rw-r--r-- | .github/workflows/build.yml | 2 | ||||
-rw-r--r-- | .github/workflows/hadolint.yml | 2 | ||||
-rw-r--r-- | .github/workflows/release.yml | 118 | ||||
-rw-r--r-- | .github/workflows/releasecache-cleanup.yml | 25 | ||||
-rw-r--r-- | .github/workflows/trivy.yml | 3 |
6 files changed, 139 insertions, 14 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 00000000..3d036b84 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1,3 @@ +/.github @dani-garcia @BlackDex +/.github/CODEOWNERS @dani-garcia @BlackDex +/.github/workflows/** @dani-garcia @BlackDex diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 908a769f..74282eb1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -46,7 +46,7 @@ jobs: steps: # Checkout the repo - name: "Checkout" - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 # End Checkout the repo diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml index 5c475665..82acc926 100644 --- a/.github/workflows/hadolint.yml +++ b/.github/workflows/hadolint.yml @@ -13,7 +13,7 @@ jobs: steps: # Checkout the repo - name: Checkout - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # End Checkout the repo # Download hadolint - https://github.com/hadolint/hadolint/releases diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae68bc1d..4beab82c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,7 +14,6 @@ on: branches: # Only on paths above - main - - release-build-revision tags: # Always, regardless of paths above - '*' @@ -31,7 +30,7 @@ jobs: steps: - name: Skip Duplicates Actions id: skip_check - uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0 + uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1 with: cancel_others: 'true' # Only run this when not creating a tag 
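Review bot: A CODEOWNERS file only blocks unreviewed workflow changes when the branch protection rule for `main` has "Require review from Code Owners" enabled; without that setting it merely auto-requests reviewers, so the protection the commit message describes ("prevent unchecked changes to github actions workflows") depends on repository configuration that is not part of this commit. The three patterns also appear to overlap: `/.github` already covers `/.github/CODEOWNERS` and `/.github/workflows/**`, so the more specific entries add nothing unless their owner lists are meant to diverge later. A leading comment such as `# Workflow and CODEOWNERS changes require a code-owner review (enforced by branch protection on main)` would make both the intent and the dependency explicit.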
@@ -42,12 +41,12 @@ jobs: timeout-minutes: 120 needs: skip_check if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} - # TODO: Start a local docker registry to be used to extract the final Alpine static build images - # services: - # registry: - # image: registry:2 - # ports: - # - 5000:5000 + # Start a local docker registry to extract the final Alpine static build binaries + services: + registry: + image: registry:2 + ports: + - 5000:5000 env: SOURCE_COMMIT: ${{ github.sha }} SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}" @@ -69,7 +68,7 @@ jobs: steps: # Checkout the repo - name: Checkout - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 @@ -140,6 +139,12 @@ jobs: run: | echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" + - name: Add registry for ghcr.io + if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} + shell: bash + run: | + echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" + # Login to Quay.io - name: Login to Quay.io uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 
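Review bot: The added `Add registry for ghcr.io` step in hunk `@@ -140,6 +139,12 @@` appears to duplicate the step immediately above it: the context line just before the insertion already appends `${{ vars.GHCR_REPO }}` to `CONTAINER_REGISTRIES`, and the new step runs the identical `echo ... | tee -a "${GITHUB_ENV}"`, so the GHCR repository would be listed twice and bake would be handed duplicate tags. The head of the preceding step is outside the hunk, so this is inferred from its last line only; if that step is indeed the existing ghcr.io registration, the six added lines should be dropped rather than kept alongside it. If the two are meant to differ (for example one for Docker Hub and one for GHCR), the context line's use of `GHCR_REPO` suggests the wrong variable is referenced in one of them and that is what should be corrected.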
@@ -155,8 +160,28 @@ jobs: run: | echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}" + - name: Configure build cache from/to + shell: bash + run: | + # + # Check if there is a GitHub Container Registry Login and use it for caching + if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then + echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}" + echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},mode=max" | tee -a "${GITHUB_ENV}" + else + echo "BAKE_CACHE_FROM=" + echo "BAKE_CACHE_TO=" + fi + # + + - name: Add localhost registry + if: ${{ matrix.base_image == 'alpine' }} + shell: bash + run: | + echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}" + - name: Bake ${{ matrix.base_image }} containers - uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0 + uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d # v4.1.0 env: BASE_TAGS: "${{ env.BASE_TAGS }}" SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" 
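Review bot: The `Configure build cache from/to` step tests `if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then`, while the other steps in this workflow gate on `env.HAVE_GHCR_LOGIN == 'true'`; if that variable is ever set to the string `false`, `-n` still succeeds and the job would attempt registry caching without a login, so `if [[ "${HAVE_GHCR_LOGIN}" == "true" ]]; then` keeps the two checks consistent (how the variable is assigned is outside this hunk). In the `else` branch, `echo "BAKE_CACHE_FROM="` and `echo "BAKE_CACHE_TO="` only print to the job log and never reach `${GITHUB_ENV}`, so the later `*.cache-from=${{ env.BAKE_CACHE_FROM }}` relies on the variable being absent rather than explicitly empty; piping both through `tee -a "${GITHUB_ENV}"` like the `if` branch makes the intent explicit. Note also that `BAKE_CACHE_FROM` points at a mutable registry tag, so write access to the `vaultwarden-buildcache` package is effectively write access to the release build's layer cache; a comment above the step stating that trust assumption would help future maintainers. The enclosing job begins before this hunk.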
@@ -168,3 +193,76 @@ jobs: push: true files: docker/docker-bake.hcl targets: "${{ matrix.base_image }}-multi" + set: | + *.cache-from=${{ env.BAKE_CACHE_FROM }} + *.cache-to=${{ env.BAKE_CACHE_TO }} + + + # Extract the Alpine binaries from the containers + - name: Extract binaries + if: ${{ matrix.base_image == 'alpine' }} + shell: bash + run: | + # Check which main tag we are going to build determined by github.ref_type + if [[ "${{ github.ref_type }}" == "tag" ]]; then + EXTRACT_TAG="latest" + elif [[ "${{ github.ref_type }}" == "branch" ]]; then + EXTRACT_TAG="testing" + fi + + # After each extraction the image is removed. + # This is needed because using different platforms doesn't trigger a new pull/download + + # Extract amd64 binary + docker create --name amd64 --platform=linux/amd64 "vaultwarden/server:${EXTRACT_TAG}-alpine" + docker cp amd64:/vaultwarden vaultwarden-amd64 + docker rm --force amd64 + docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine" + + # Extract arm64 binary + docker create --name arm64 --platform=linux/arm64 "vaultwarden/server:${EXTRACT_TAG}-alpine" + docker cp arm64:/vaultwarden vaultwarden-arm64 + docker rm --force arm64 + docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine" + + # Extract armv7 binary + docker create --name armv7 --platform=linux/arm/v7 "vaultwarden/server:${EXTRACT_TAG}-alpine" + docker cp armv7:/vaultwarden vaultwarden-armv7 + docker rm --force armv7 + docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine" + + # Extract armv6 binary + docker create --name armv6 --platform=linux/arm/v6 "vaultwarden/server:${EXTRACT_TAG}-alpine" + docker cp armv6:/vaultwarden vaultwarden-armv6 + docker rm --force armv6 + docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine" + + # Upload artifacts to Github Actions + - name: "Upload amd64 artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if: ${{ matrix.base_image == 'alpine' }} + with: + name: 
vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64 + path: vaultwarden-amd64 + + - name: "Upload arm64 artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if: ${{ matrix.base_image == 'alpine' }} + with: + name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64 + path: vaultwarden-arm64 + + - name: "Upload armv7 artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if: ${{ matrix.base_image == 'alpine' }} + with: + name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7 + path: vaultwarden-armv7 + + - name: "Upload armv6 artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if: ${{ matrix.base_image == 'alpine' }} + with: + name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6 + path: vaultwarden-armv6 + # End Upload artifacts to Github Actions diff --git a/.github/workflows/releasecache-cleanup.yml b/.github/workflows/releasecache-cleanup.yml new file mode 100644 index 00000000..6e66a3c1 --- /dev/null +++ b/.github/workflows/releasecache-cleanup.yml @@ -0,0 +1,25 @@ +on: + workflow_dispatch: + inputs: + manual_trigger: + description: "Manual trigger buildcache cleanup" + required: false + default: "" + + schedule: + - cron: '0 1 * * FRI' + +name: Cleanup +jobs: + releasecache-cleanup: + name: Releasecache Cleanup + runs-on: ubuntu-22.04 + timeout-minutes: 30 + steps: + - name: Delete vaultwarden-buildcache containers + uses: actions/delete-package-versions@0d39a63126868f5eefaa47169615edd3c0f61e20 # v4.1.1 + with: + package-name: 'vaultwarden-buildcache' + package-type: 'container' + min-versions-to-keep: 0 + delete-only-untagged-versions: 'false' diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 777fefe5..b59e2ad6 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -4,7 +4,6 @@ on: push: branches: - main - - release-build-revision tags: - '*' pull_request: 
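Review bot: The `Extract binaries` step pulls `vaultwarden/server:${EXTRACT_TAG}-alpine` from Docker Hub rather than from the `localhost:5000/vaultwarden/server` registry this commit adds for exactly that purpose, so the uploaded artifacts are whatever the public, mutable `latest-alpine`/`testing-alpine` tag resolves to at that moment rather than necessarily the image produced by this job, and the step fails outright when no Docker Hub push happened. Referencing the local registry, e.g. `docker create --name amd64 --platform=linux/amd64 "localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"`, with the same change to the other three `docker create` lines and the four `docker rmi` lines, ties the artifacts to the build that ran. `EXTRACT_TAG` is also left unset when `github.ref_type` is neither `tag` nor `branch`, and since the script has no `set -u` that silently yields the reference `vaultwarden/server:-alpine`; an `else` branch that prints the unexpected ref type and exits non-zero would surface that instead. The enclosing job begins before this hunk.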
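Review bot: The new `releasecache-cleanup.yml` workflow declares no `permissions:` block, so `actions/delete-package-versions` runs with whatever the repository's default `GITHUB_TOKEN` permissions happen to be; deleting package versions needs `packages: write`, and a top-level `permissions:` block containing only `packages: write` both documents that need and keeps the token from carrying unrelated scopes. With `min-versions-to-keep: 0` and `delete-only-untagged-versions: 'false'` every version of `vaultwarden-buildcache` is removed, which matches the commit message's weekly cache clear, but a comment above the step such as `# Intentionally deletes every version: the next release run rebuilds the cache from scratch` would stop a future reader from "fixing" it. The `manual_trigger` input is declared but never read by the job, so it can be dropped or its purpose noted in its `description`.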
@@ -29,7 +28,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1 + uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0 with: scan-type: repo ignore-unfixed: true |