diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0202e681..86e5213f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,4 +1,5 @@ name: Build +permissions: {} on: push: @@ -13,6 +14,7 @@ on: - "diesel.toml" - "docker/Dockerfile.j2" - "docker/DockerSettings.yaml" + pull_request: paths: - ".github/workflows/build.yml" @@ -28,13 +30,17 @@ on: jobs: build: + name: Build and Test ${{ matrix.channel }} + permissions: + actions: write + contents: read # We use Ubuntu 22.04 here because this matches the library versions used within the Debian docker containers runs-on: ubuntu-22.04 timeout-minutes: 120 # Make warnings errors, this is to prevent warnings slipping through. # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes. env: - RUSTFLAGS: "-D warnings" + RUSTFLAGS: "-Dwarnings" strategy: fail-fast: false matrix: @@ -42,20 +48,19 @@ jobs: - "rust-toolchain" # The version defined in rust-toolchain - "msrv" # The supported MSRV - name: Build and Test ${{ matrix.channel }} - steps: - # Checkout the repo - - name: "Checkout" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - # End Checkout the repo - - # Install dependencies - name: "Install dependencies Ubuntu" run: sudo apt-get update && sudo apt-get install -y --no-install-recommends openssl build-essential libmariadb-dev-compat libpq-dev libssl-dev pkg-config # End Install dependencies + # Checkout the repo + - name: "Checkout" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false + fetch-depth: 0 + # End Checkout the repo # Determine rust-toolchain version - name: Init Variables 
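Review bot: The `permissions:` block added to the `build` job in the `@@ -28,13 +30,17 @@` hunk grants `actions: write`, yet none of the steps visible in this file's hunks call the Actions API, so the grant looks broader than a build-and-test job needs. If a step outside the diff (for example one that cancels superseded runs) depends on it, a comment naming that step next to the grant would justify it, e.g. `actions: write  # needed by <step name> to cancel superseded runs`; otherwise the job block should shrink to `contents: read`. By default the token on `pull_request` runs from forks is read-only regardless, so the extra scope only takes effect on push and same-repository runs, which is exactly where it would matter.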
@@ -75,7 +80,7 @@ jobs: # Only install the clippy and rustfmt components on the default rust-toolchain - name: "Install rust-toolchain version" - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1 + uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c # master @ Jan 30, 2025, 8:16 PM GMT+1 if: ${{ matrix.channel == 'rust-toolchain' }} with: toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" @@ -85,7 +90,7 @@ jobs: # Install the any other channel to be used for which we do not execute clippy and rustfmt - name: "Install MSRV version" - uses: dtolnay/rust-toolchain@a54c7afa936fefeb4456b2dd8068152669aa8203 # master @ Dec 14, 2024, 5:49 AM GMT+1 + uses: dtolnay/rust-toolchain@c5a29ddb4d9d194e7c84ec8c3fba61b1c31fee8c # master @ Jan 30, 2025, 8:16 PM GMT+1 if: ${{ matrix.channel != 'rust-toolchain' }} with: toolchain: "${{steps.toolchain.outputs.RUST_TOOLCHAIN}}" @@ -93,11 +98,13 @@ jobs: # Set the current matrix toolchain version as default - name: "Set toolchain ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} as default" + env: + RUST_TOOLCHAIN: ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} run: | # Remove the rust-toolchain.toml rm rust-toolchain.toml # Set the default - rustup default ${{steps.toolchain.outputs.RUST_TOOLCHAIN}} + rustup default "${RUST_TOOLCHAIN}" # Show environment - name: "Show environment" @@ -161,7 +168,7 @@ jobs: id: clippy if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }} run: | - cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings + cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc # End Run cargo clippy 
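Review bot: After the `@@ -161,7 +168,7 @@` hunk drops `-- -D warnings`, the clippy step's fail-on-warning behaviour rests solely on the job-level `RUSTFLAGS: "-Dwarnings"` defined far earlier in the file, which a reader of the step alone cannot see; a one-line comment above the invocation, `# Warnings are denied via the job-level RUSTFLAGS=-Dwarnings`, keeps that visible. The `RUST_TOOLCHAIN` env indirection in the `@@ -93,11 +98,13 @@` hunk is the right fix for the inline expression in the `rustup default` call; the two `dtolnay/rust-toolchain` bumps are plain pin updates.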
@@ -178,22 +185,31 @@ jobs: # This is useful so all test/clippy/fmt actions are done, and they can all be addressed - name: "Some checks failed" if: ${{ failure() }} + env: + TEST_DB_M_L: ${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }} + TEST_DB_M: ${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }} + TEST_DB: ${{ steps.test_sqlite_mysql_postgresql.outcome }} + TEST_SQLITE: ${{ steps.test_sqlite.outcome }} + TEST_MYSQL: ${{ steps.test_mysql.outcome }} + TEST_POSTGRESQL: ${{ steps.test_postgresql.outcome }} + CLIPPY: ${{ steps.clippy.outcome }} + FMT: ${{ steps.formatting.outcome }} run: | - echo "### :x: Checks Failed!" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "|Job|Status|" >> $GITHUB_STEP_SUMMARY - echo "|---|------|" >> $GITHUB_STEP_SUMMARY - echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${{ steps.test_sqlite_mysql_postgresql_mimalloc_logger.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.test_sqlite_mysql_postgresql_mimalloc.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "|test (sqlite,mysql,postgresql)|${{ steps.test_sqlite_mysql_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "|test (sqlite)|${{ steps.test_sqlite.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "|test (mysql)|${{ steps.test_mysql.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "|test (postgresql)|${{ steps.test_postgresql.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${{ steps.clippy.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "|fmt|${{ steps.formatting.outcome }}|" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "Please check the failed jobs and fix where needed." >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY + echo "### :x: Checks Failed!" 
>> "${GITHUB_STEP_SUMMARY}" + echo "" >> "${GITHUB_STEP_SUMMARY}" + echo "|Job|Status|" >> "${GITHUB_STEP_SUMMARY}" + echo "|---|------|" >> "${GITHUB_STEP_SUMMARY}" + echo "|test (sqlite,mysql,postgresql,enable_mimalloc,query_logger)|${TEST_DB_M_L}|" >> "${GITHUB_STEP_SUMMARY}" + echo "|test (sqlite,mysql,postgresql,enable_mimalloc)|${TEST_DB_M}|" >> "${GITHUB_STEP_SUMMARY}" + echo "|test (sqlite,mysql,postgresql)|${TEST_DB}|" >> "${GITHUB_STEP_SUMMARY}" + echo "|test (sqlite)|${TEST_SQLITE}|" >> "${GITHUB_STEP_SUMMARY}" + echo "|test (mysql)|${TEST_MYSQL}|" >> "${GITHUB_STEP_SUMMARY}" + echo "|test (postgresql)|${TEST_POSTGRESQL}|" >> "${GITHUB_STEP_SUMMARY}" + echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc)|${CLIPPY}|" >> "${GITHUB_STEP_SUMMARY}" + echo "|fmt|${FMT}|" >> "${GITHUB_STEP_SUMMARY}" + echo "" >> "${GITHUB_STEP_SUMMARY}" + echo "Please check the failed jobs and fix where needed." >> "${GITHUB_STEP_SUMMARY}" + echo "" >> "${GITHUB_STEP_SUMMARY}" exit 1 @@ -202,5 +218,5 @@ jobs: - name: "All checks passed" if: ${{ success() }} run: | - echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY + echo "### :tada: Checks Passed!" >> "${GITHUB_STEP_SUMMARY}" + echo "" >> "${GITHUB_STEP_SUMMARY}" diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml index 787feeec..240d6dbf 100644 --- a/.github/workflows/hadolint.yml +++ b/.github/workflows/hadolint.yml @@ -1,21 +1,17 @@ name: Hadolint +permissions: {} -on: [ - push, - pull_request - ] +on: [ push, pull_request ] jobs: hadolint: name: Validate Dockerfile syntax + permissions: + contents: read runs-on: ubuntu-24.04 timeout-minutes: 30 - steps: - # Checkout the repo - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - # End Checkout the repo + steps: # Start Docker Buildx - name: Setup Docker Buildx uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 
@@ -37,6 +33,12 @@ jobs: env: HADOLINT_VERSION: 2.12.0 # End Download hadolint + # Checkout the repo + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false + # End Checkout the repo # Test Dockerfiles with hadolint - name: Run hadolint diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b760f207..d155c159 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,5 @@ name: Release +permissions: {} on: push: @@ -6,17 +7,23 @@ on: - main tags: - - '*' + # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet + - '[1-2].[0-9]+.[0-9]+' jobs: # https://github.com/marketplace/actions/skip-duplicate-actions # Some checks to determine if we need to continue with building a new docker. # We will skip this check if we are creating a tag, because that has the same hash as a previous run already. skip_check: - runs-on: ubuntu-24.04 + # Only run this in the upstream repo and not on forks if: ${{ github.repository == 'dani-garcia/vaultwarden' }} + name: Cancel older jobs when running + permissions: + actions: write + runs-on: ubuntu-24.04 outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} + steps: - name: Skip Duplicates Actions id: skip_check @@ -27,6 +34,9 @@ jobs: if: ${{ github.ref_type == 'branch' }} docker-build: + needs: skip_check + if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} + name: Build Vaultwarden containers permissions: packages: write contents: read @@ -34,8 +44,6 @@ jobs: id-token: write runs-on: ubuntu-24.04 timeout-minutes: 120 - needs: skip_check - if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }} # Start a local docker registry to extract the compiled binaries to upload as artifacts and attest them services: registry: 
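Review bot: The new tag filter `'[1-2].[0-9]+.[0-9]+'` in the `@@ -6,17 +7,23 @@` hunk of release.yml narrows releases to plain three-part tags whose major is 1 or 2, so a suffixed tag such as `1.33.0-rc1` or a future `3.0.0` will no longer start a build, and the only explanation given is a link to the cheat sheet. As far as I know GitHub matches the pattern against the whole tag name, so that is presumably intended, but a one-line comment stating the intent would stop the next maintainer from treating it as a bug: `# Only stable 1.x.y / 2.x.y tags publish a release; suffixed or pre-release tags are deliberately excluded`. The `actions: write` grant on `skip_check` matches the job's new name and reads fine.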
@@ -61,12 +69,6 @@ jobs: base_image: ["debian","alpine"] steps: - # Checkout the repo - - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - with: - fetch-depth: 0 - - name: Initialize QEMU binfmt support uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 with: @@ -78,20 +80,31 @@ jobs: # https://github.com/moby/buildkit/issues/3969 # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills with: + cache-binary: false buildkitd-config-inline: | [worker.oci] max-parallelism = 2 driver-opts: | network=host + # Checkout the repo + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + # We need fetch-depth of 0 so we also get all the tag metadata + with: + persist-credentials: false + fetch-depth: 0 + # Determine Base Tags and Source Version - name: Determine Base Tags and Source Version shell: bash + env: + REF_TYPE: ${{ github.ref_type }} run: | - # Check which main tag we are going to build determined by github.ref_type - if [[ "${{ github.ref_type }}" == "tag" ]]; then + # Check which main tag we are going to build determined by ref_type + if [[ "${REF_TYPE}" == "tag" ]]; then echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}" - elif [[ "${{ github.ref_type }}" == "branch" ]]; then + elif [[ "${REF_TYPE}" == "branch" ]]; then echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}" fi @@ -116,8 +129,10 @@ jobs: - name: Add registry for DockerHub if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }} shell: bash + env: + DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO }} run: | - echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}" + echo "CONTAINER_REGISTRIES=${DOCKERHUB_REPO}" | tee -a "${GITHUB_ENV}" # Login to GitHub Container Registry - name: Login to GitHub Container Registry 
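Review bot: In the `@@ -78,20 +80,31 @@` hunk the comment `# We need fetch-depth of 0 so we also get all the tag metadata` sits between `uses:` and `with:` of the relocated checkout step, where it separates the action from its inputs and reads as if it described `uses:`; it belongs directly above `fetch-depth: 0`. The new `cache-binary: false` input on the buildx setup step has no explanation at all; if the reason is to stop the buildx binary being restored from the Actions cache, a comment saying so, `# Do not restore the buildx binary from the Actions cache`, would document why the default was turned off. Moving `github.ref_type` into a `REF_TYPE` env variable in the same hunk is the right pattern.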
@@ -131,8 +146,10 @@ jobs: - name: Add registry for ghcr.io if: ${{ env.HAVE_GHCR_LOGIN == 'true' }} shell: bash + env: + GHCR_REPO: ${{ vars.GHCR_REPO }} run: | - echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}" + echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${GHCR_REPO}" | tee -a "${GITHUB_ENV}" # Login to Quay.io - name: Login to Quay.io @@ -146,17 +163,22 @@ jobs: - name: Add registry for Quay.io if: ${{ env.HAVE_QUAY_LOGIN == 'true' }} shell: bash + env: + QUAY_REPO: ${{ vars.QUAY_REPO }} run: | - echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}" + echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${QUAY_REPO}" | tee -a "${GITHUB_ENV}" - name: Configure build cache from/to shell: bash + env: + GHCR_REPO: ${{ vars.GHCR_REPO }} + BASE_IMAGE: ${{ matrix.base_image }} run: | # # Check if there is a GitHub Container Registry Login and use it for caching if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then - echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}" - echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" + echo "BAKE_CACHE_FROM=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE}" | tee -a "${GITHUB_ENV}" + echo "BAKE_CACHE_TO=type=registry,ref=${GHCR_REPO}-buildcache:${BASE_IMAGE},compression=zstd,mode=max" | tee -a "${GITHUB_ENV}" else echo "BAKE_CACHE_FROM=" echo "BAKE_CACHE_TO=" @@ -170,7 +192,7 @@ jobs: - name: Bake ${{ matrix.base_image }} containers id: bake_vw - uses: docker/bake-action@5ca506d06f70338a4968df87fd8bfee5cbfb84c7 # v6.0.0 + uses: docker/bake-action@7bff531c65a5cda33e52e43950a795b91d450f63 # v6.3.0 env: BASE_TAGS: "${{ env.BASE_TAGS }}" SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}" 
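Review bot: In the `@@ -146,17 +163,22 @@` hunk the cache configuration enables the registry cache whenever `HAVE_GHCR_LOGIN` is non-empty (`if [[ -n "${HAVE_GHCR_LOGIN}" ]]`), while the registry steps above it test the same variable with `== 'true'`; if the login step ever writes `false` instead of leaving the variable unset, a `BAKE_CACHE_TO` push to ghcr.io would be configured without a login. Aligning the test, `if [[ "${HAVE_GHCR_LOGIN}" == "true" ]]; then`, removes the ambiguity. That line is untouched by the commit, but the hunk now wraps it in the `GHCR_REPO`/`BASE_IMAGE` env indirection, which is the right pattern for the rest of the step.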
@@ -189,14 +211,16 @@ jobs: - name: Extract digest SHA shell: bash + env: + BAKE_METADATA: ${{ steps.bake_vw.outputs.metadata }} run: | - GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< '${{ steps.bake_vw.outputs.metadata }}')" + GET_DIGEST_SHA="$(jq -r '.["${{ matrix.base_image }}-multi"]."containerimage.digest"' <<< "${BAKE_METADATA}")" echo "DIGEST_SHA=${GET_DIGEST_SHA}" | tee -a "${GITHUB_ENV}" # Attest container images - name: Attest - docker.io - ${{ matrix.base_image }} if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0 with: subject-name: ${{ vars.DOCKERHUB_REPO }} subject-digest: ${{ env.DIGEST_SHA }} @@ -204,7 +228,7 @@ jobs: - name: Attest - ghcr.io - ${{ matrix.base_image }} if: ${{ env.HAVE_GHCR_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0 with: subject-name: ${{ vars.GHCR_REPO }} subject-digest: ${{ env.DIGEST_SHA }} @@ -212,7 +236,7 @@ jobs: - name: Attest - quay.io - ${{ matrix.base_image }} if: ${{ env.HAVE_QUAY_LOGIN == 'true' && steps.bake_vw.outputs.metadata != ''}} - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0 with: subject-name: ${{ vars.QUAY_REPO }} subject-digest: ${{ env.DIGEST_SHA }} 
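Review bot: The `Extract digest SHA` step in the `@@ -189,14 +211,16 @@` hunk still interpolates `${{ matrix.base_image }}` directly into the jq program even though the same commit moves every other expression in release.yml into `env:` (`BASE_IMAGE` is already used that way in the cache step). The matrix values are workflow literals, so this is not an injection today, but it breaks the pattern the commit establishes and leaves a `${{ }}` inside a shell script for the next linter pass to flag. Adding `BASE_IMAGE: ${{ matrix.base_image }}` to the step's `env:` and passing it through jq, `GET_DIGEST_SHA="$(jq -r --arg key "${BASE_IMAGE}-multi" '.[$key]."containerimage.digest"' <<< "${BAKE_METADATA}")"`, finishes the job. The attest-build-provenance bumps in the following hunks are plain pin updates.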
@@ -222,11 +246,13 @@ jobs: # Extract the Alpine binaries from the containers - name: Extract binaries shell: bash + env: + REF_TYPE: ${{ github.ref_type }} run: | - # Check which main tag we are going to build determined by github.ref_type - if [[ "${{ github.ref_type }}" == "tag" ]]; then + # Check which main tag we are going to build determined by ref_type + if [[ "${REF_TYPE}" == "tag" ]]; then EXTRACT_TAG="latest" - elif [[ "${{ github.ref_type }}" == "branch" ]]; then + elif [[ "${REF_TYPE}" == "branch" ]]; then EXTRACT_TAG="testing" fi 
@@ -264,31 +290,31 @@ jobs: # Upload artifacts to Github Actions and Attest the binaries - name: "Upload amd64 artifact ${{ matrix.base_image }}" - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 #v4.6.0 with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64-${{ matrix.base_image }} path: vaultwarden-amd64-${{ matrix.base_image }} - name: "Upload arm64 artifact ${{ matrix.base_image }}" - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 #v4.6.0 with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64-${{ matrix.base_image }} path: vaultwarden-arm64-${{ matrix.base_image }} - name: "Upload armv7 artifact ${{ matrix.base_image }}" - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 #v4.6.0 with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7-${{ matrix.base_image }} path: vaultwarden-armv7-${{ matrix.base_image }} - name: "Upload armv6 artifact ${{ matrix.base_image }}" - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 #v4.6.0 with: name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6-${{ matrix.base_image }} path: vaultwarden-armv6-${{ matrix.base_image }} - name: "Attest artifacts ${{ matrix.base_image }}" - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0 with: subject-path: vaultwarden-* # End Upload artifacts to Github Actions diff --git a/.github/workflows/releasecache-cleanup.yml b/.github/workflows/releasecache-cleanup.yml index 6fd880bb..f62fccd3 100644 --- a/.github/workflows/releasecache-cleanup.yml 
+++ b/.github/workflows/releasecache-cleanup.yml @@ -1,3 +1,6 @@ +name: Cleanup +permissions: {} + on: workflow_dispatch: inputs: @@ -9,10 +12,11 @@ on: schedule: - cron: '0 1 * * FRI' -name: Cleanup jobs: releasecache-cleanup: name: Releasecache Cleanup + permissions: + packages: write runs-on: ubuntu-24.04 continue-on-error: true timeout-minutes: 30 diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 4481ec6a..6cba5df4 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,34 +1,39 @@ -name: trivy +name: Trivy +permissions: {} on: push: branches: - main + tags: - '*' + pull_request: - branches: [ "main" ] + branches: + - main + schedule: - cron: '08 11 * * *' -permissions: - contents: read - jobs: trivy-scan: - # Only run this in the master repo and not on forks + # Only run this in the upstream repo and not on forks # When all forks run this at the same time, it is causing `Too Many Requests` issues if: ${{ github.repository == 'dani-garcia/vaultwarden' }} - name: Check - runs-on: ubuntu-24.04 - timeout-minutes: 30 + name: Trivy Scan permissions: contents: read - security-events: write actions: read + security-events: write + runs-on: ubuntu-24.04 + timeout-minutes: 30 + steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + persist-credentials: false - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
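Review bot: The `releasecache-cleanup` job in the `@@ -9,10 +12,11 @@` hunk now runs with only `packages: write`, while the job keeps `continue-on-error: true`; if that narrowed scope turns out to be insufficient for the deletion step (which is outside this hunk), the failure would be swallowed and the cache would silently stop being cleaned. Either confirm the scope against the action the job calls, or document the reason for tolerating failure next to it, e.g. `continue-on-error: true  # cleanup is best-effort; a failure here must not fail the workflow`. Separately, trivy.yml now scans every pushed tag (`tags: - '*'`) whereas release.yml restricts builds to `[1-2].[0-9]+.[0-9]+`; if that difference is intentional a comment on the trivy trigger would help.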