authorMathijs van Veluw <[email protected]>2023-12-04 20:26:11 +0100
committerGitHub <[email protected]>2023-12-04 20:26:11 +0100
commit34e00e1478c919f725b1f94534245a55d0f5a005 (patch)
tree2567f46a4acc0c5aea4702687f39a1b73e4bfb71 /.github
parent0fdda3bc2f22b1881ac265d08e24ab9ef9402f9e (diff)
Update Rust, Crates, Profile and Actions (#4126)
- Updated Rust to v1.74.0 - Updated all crates (where possible) - Changed release profile to use * fat lto * 1 codegen-unit This should optimize a bit for speed and a lot for size ~15MB smaller - Updated Github actions to use caching for the bake process - Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images - During the release action, the Alpine/static binaries are added as artifacts. Later we could also automatically add them to the releases maybe. - Added CODEOWNERS to prevent unchecked changes to github actions workflows
Diffstat (limited to '.github')
-rw-r--r--.github/CODEOWNERS3
-rw-r--r--.github/workflows/build.yml2
-rw-r--r--.github/workflows/hadolint.yml2
-rw-r--r--.github/workflows/release.yml118
-rw-r--r--.github/workflows/releasecache-cleanup.yml25
-rw-r--r--.github/workflows/trivy.yml3
6 files changed, 139 insertions, 14 deletions
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..3d036b84
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+/.github @dani-garcia @BlackDex
+/.github/CODEOWNERS @dani-garcia @BlackDex
+/.github/workflows/** @dani-garcia @BlackDex
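Review bot: All three patterns name the same owners, and `/.github` on the first line already matches `/.github/CODEOWNERS` and everything under `/.github/workflows/`, so the second and third lines add nothing (a later matching pattern takes precedence, but it resolves to the same owners). Keeping only `/.github @dani-garcia @BlackDex` states the same policy with less to maintain; if the extra lines are meant to survive a future narrowing of the first pattern, a comment saying so would make that intent visible. Note also that a CODEOWNERS file on its own only requests reviews; the "unchecked changes" goal from the commit description holds only if branch protection on `main` requires review from code owners, which is worth confirming in the repository settings.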
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 908a769f..74282eb1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
steps:
# Checkout the repo
- name: "Checkout"
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
# End Checkout the repo
diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
index 5c475665..82acc926 100644
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -13,7 +13,7 @@ jobs:
steps:
# Checkout the repo
- name: Checkout
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# End Checkout the repo
# Download hadolint - https://github.com/hadolint/hadolint/releases
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae68bc1d..4beab82c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,6 @@ on:
branches: # Only on paths above
- main
- - release-build-revision
tags: # Always, regardless of paths above
- '*'
@@ -31,7 +30,7 @@ jobs:
steps:
- name: Skip Duplicates Actions
id: skip_check
- uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
+ uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
with:
cancel_others: 'true'
# Only run this when not creating a tag
@@ -42,12 +41,12 @@ jobs:
timeout-minutes: 120
needs: skip_check
if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
- # TODO: Start a local docker registry to be used to extract the final Alpine static build images
- # services:
- # registry:
- # image: registry:2
- # ports:
- # - 5000:5000
+ # Start a local docker registry to extract the final Alpine static build binaries
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
env:
SOURCE_COMMIT: ${{ github.sha }}
SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
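Review bot: The port mapping on the last added line of the `services:` block is a bare `5000:5000`, a digits-and-colons scalar that only escapes YAML 1.1 sexagesimal parsing because 5000 is outside the 0–59 component range. Quoting it as `- '5000:5000'` makes the string intent explicit and matches the quoting already used in this file (`cancel_others: 'true'`).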
@@ -69,7 +68,7 @@ jobs:
steps:
# Checkout the repo
- name: Checkout
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
@@ -140,6 +139,12 @@ jobs:
run: |
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
+ - name: Add registry for ghcr.io
+ if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+ shell: bash
+ run: |
+ echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
+
# Login to Quay.io
- name: Login to Quay.io
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
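Review bot: The added `Add registry for ghcr.io` step repeats the step that ends on the two context lines directly above it — the same `run` line appending `${{ vars.GHCR_REPO }}` to `CONTAINER_REGISTRIES` — so whenever the GHCR login is available the repository is appended twice and the bake step pushes to a duplicated registry entry. The name and `if` of the preceding step are outside the hunk, so this is inferred from the identical `run` line; if they match, the six added lines should be dropped rather than kept.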
@@ -155,8 +160,28 @@ jobs:
run: |
echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
+ - name: Configure build cache from/to
+ shell: bash
+ run: |
+ #
+ # Check if there is a GitHub Container Registry Login and use it for caching
+ if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
+ echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
+ echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},mode=max" | tee -a "${GITHUB_ENV}"
+ else
+ echo "BAKE_CACHE_FROM="
+ echo "BAKE_CACHE_TO="
+ fi
+ #
+
+ - name: Add localhost registry
+ if: ${{ matrix.base_image == 'alpine' }}
+ shell: bash
+ run: |
+ echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
+
- name: Bake ${{ matrix.base_image }} containers
- uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0
+ uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d # v4.1.0
env:
BASE_TAGS: "${{ env.BASE_TAGS }}"
SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
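Review bot: The `Configure build cache from/to` step tests `[[ -n "${HAVE_GHCR_LOGIN}" ]]`, while the other steps in this file test the same variable with `env.HAVE_GHCR_LOGIN == 'true'`; if the variable is ever set to the string `false` rather than left unset (the variable's definition is outside this hunk), the `-n` test is still true and the registry cache is configured without a login, so the bake push to `${{ vars.GHCR_REPO }}-buildcache` fails. Use the same comparison as the other steps, `if [[ "${HAVE_GHCR_LOGIN}" == "true" ]]; then`. In the `else` branch the two `echo` lines write to stdout only, not to `${GITHUB_ENV}`; that works by accident because an unset `env.BAKE_CACHE_*` expands to empty in the `set:` lines later on, but piping them through `tee -a "${GITHUB_ENV}"` like the first branch would make the intent explicit.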
@@ -168,3 +193,76 @@ jobs:
push: true
files: docker/docker-bake.hcl
targets: "${{ matrix.base_image }}-multi"
+ set: |
+ *.cache-from=${{ env.BAKE_CACHE_FROM }}
+ *.cache-to=${{ env.BAKE_CACHE_TO }}
+
+
+ # Extract the Alpine binaries from the containers
+ - name: Extract binaries
+ if: ${{ matrix.base_image == 'alpine' }}
+ shell: bash
+ run: |
+ # Check which main tag we are going to build determined by github.ref_type
+ if [[ "${{ github.ref_type }}" == "tag" ]]; then
+ EXTRACT_TAG="latest"
+ elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+ EXTRACT_TAG="testing"
+ fi
+
+ # After each extraction the image is removed.
+ # This is needed because using different platforms doesn't trigger a new pull/download
+
+ # Extract amd64 binary
+ docker create --name amd64 --platform=linux/amd64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+ docker cp amd64:/vaultwarden vaultwarden-amd64
+ docker rm --force amd64
+ docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+ # Extract arm64 binary
+ docker create --name arm64 --platform=linux/arm64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+ docker cp arm64:/vaultwarden vaultwarden-arm64
+ docker rm --force arm64
+ docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+ # Extract armv7 binary
+ docker create --name armv7 --platform=linux/arm/v7 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+ docker cp armv7:/vaultwarden vaultwarden-armv7
+ docker rm --force armv7
+ docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+ # Extract armv6 binary
+ docker create --name armv6 --platform=linux/arm/v6 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+ docker cp armv6:/vaultwarden vaultwarden-armv6
+ docker rm --force armv6
+ docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+ # Upload artifacts to Github Actions
+ - name: "Upload amd64 artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ if: ${{ matrix.base_image == 'alpine' }}
+ with:
+ name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
+ path: vaultwarden-amd64
+
+ - name: "Upload arm64 artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ if: ${{ matrix.base_image == 'alpine' }}
+ with:
+ name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
+ path: vaultwarden-arm64
+
+ - name: "Upload armv7 artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ if: ${{ matrix.base_image == 'alpine' }}
+ with:
+ name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
+ path: vaultwarden-armv7
+
+ - name: "Upload armv6 artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ if: ${{ matrix.base_image == 'alpine' }}
+ with:
+ name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
+ path: vaultwarden-armv6
+ # End Upload artifacts to Github Actions
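Review bot: The `Extract binaries` step creates containers from `vaultwarden/server:${EXTRACT_TAG}-alpine`, which the Docker CLI resolves against the default registry (Docker Hub), not the `localhost:5000` registry this job starts and pushes to via the `Add localhost registry` step; the comment on the `services:` block says the local registry exists precisely for this extraction. As written, the uploaded artifacts are whatever Docker Hub serves under the moving `latest`/`testing` tag at that moment, which is this run's build only if the Docker Hub push in the Bake step happened and nothing retagged the image in between. Referencing `localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine` in all four `docker create` and `docker rmi` lines ties the artifacts to this run's build; the rewrite below does that and folds the four near-identical blocks into one loop. `EXTRACT_TAG` is also left unset for any `github.ref_type` other than `tag` or `branch`, which would yield the tag `-alpine`; an `else` branch that exits with a message would make that failure explicit.

```yaml
      - name: Extract binaries
        if: ${{ matrix.base_image == 'alpine' }}
        shell: bash
        run: |
          # … unchanged: EXTRACT_TAG selection from github.ref_type …

          # Pull from the registry this job pushed to, not from the default (Docker Hub) registry
          IMAGE="localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
          # The image is removed after each extraction: a different --platform alone
          # does not trigger a new pull, so the previous platform's image would be reused
          for target in amd64:linux/amd64 arm64:linux/arm64 armv7:linux/arm/v7 armv6:linux/arm/v6; do
            name="${target%%:*}"
            platform="${target#*:}"
            docker create --name "${name}" --platform="${platform}" "${IMAGE}"
            docker cp "${name}:/vaultwarden" "vaultwarden-${name}"
            docker rm --force "${name}"
            docker rmi --force "${IMAGE}"
          done
      # … unchanged: Upload artifact steps …
```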
diff --git a/.github/workflows/releasecache-cleanup.yml b/.github/workflows/releasecache-cleanup.yml
new file mode 100644
index 00000000..6e66a3c1
--- /dev/null
+++ b/.github/workflows/releasecache-cleanup.yml
@@ -0,0 +1,25 @@
+on:
+ workflow_dispatch:
+ inputs:
+ manual_trigger:
+ description: "Manual trigger buildcache cleanup"
+ required: false
+ default: ""
+
+ schedule:
+ - cron: '0 1 * * FRI'
+
+name: Cleanup
+jobs:
+ releasecache-cleanup:
+ name: Releasecache Cleanup
+ runs-on: ubuntu-22.04
+ timeout-minutes: 30
+ steps:
+ - name: Delete vaultwarden-buildcache containers
+ uses: actions/delete-package-versions@0d39a63126868f5eefaa47169615edd3c0f61e20 # v4.1.1
+ with:
+ package-name: 'vaultwarden-buildcache'
+ package-type: 'container'
+ min-versions-to-keep: 0
+ delete-only-untagged-versions: 'false'
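Review bot: The new workflow declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` scope the repository grants; deleting container package versions needs `packages: write`, which may or may not be in that default, and every other scope the default grants is unnecessary here. Adding `permissions:` with `packages: write` under `releasecache-cleanup` (or at the top level) makes the requirement explicit and drops the rest; the action appears to rely on the default token, since no `token:` input is passed. The `manual_trigger` input is read nowhere in the workflow, so it can be dropped or commented as a placeholder. With `min-versions-to-keep: 0` and `delete-only-untagged-versions: 'false'` the step removes every version of the package, which matches the description's intent but deserves a one-line comment, since it would also discard a cache an in-flight release run is about to read.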
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 777fefe5..b59e2ad6 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -4,7 +4,6 @@ on:
push:
branches:
- main
- - release-build-revision
tags:
- '*'
pull_request:
@@ -29,7 +28,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1
+ uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
with:
scan-type: repo
ignore-unfixed: true