From ec1f72516f9e48ad0f0851947b1e2e90d77da3d8 Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 11:42:59 +0200 Subject: [PATCH 01/11] build in container/test --- .github/workflows/release.yml | 238 ++++++++++++++++++---------------- 1 file changed, 126 insertions(+), 112 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 450117cb9..e3236e1d4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,8 @@ on: push: tags: - v*.*.* + branches: + - debian-12-deb permissions: contents: write 
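Review bot: The added `branches: - debian-12-deb` trigger makes every push to that branch run the release workflow, which holds `contents: write` and, per the later hunks, runs on self-hosted runners. Only the Docker jobs carry a `startsWith(github.ref, 'refs/tags/')` guard in the lines shown, so `create-release` and `build-binaries` would presumably run on a branch push and `VERSION=${GITHUB_REF_NAME#v}` would take the branch name. If this is only for testing the Debian 12 build, a `workflow_dispatch:` trigger or a separate test workflow without the release-upload steps keeps the release path tag-only. Otherwise add a comment on the trigger, for example `# temporary: remove before merge`.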
@@ -20,36 +22,36 @@ env: RUSTC_WRAPPER: "sccache" jobs: - build-docker-release: - # Ignore tags with -, like v1.0.0-alpha - # This job will build the docker container with the "latest" tag which - # is a tag used in production, thus it should only be run for full releases. - if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') - name: Build Release Docker image - uses: ./.github/workflows/build-docker.yml - with: - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha - # Explicitly disable latest tag. It will be added otherwise. - flavor: | - latest=false + # build-docker-release: + # # Ignore tags with -, like v1.0.0-alpha + # # This job will build the docker container with the "latest" tag which + # # is a tag used in production, thus it should only be run for full releases. + # if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') + # name: Build Release Docker image + # uses: ./.github/workflows/build-docker.yml + # with: + # tags: | + # type=semver,pattern={{version}} + # type=semver,pattern={{major}}.{{minor}} + # type=semver,pattern={{major}} + # type=sha + # # Explicitly disable latest tag. It will be added otherwise. + # flavor: | + # latest=false - build-docker-prerelease: - # Only build tags with -, like v1.0.0-alpha - if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') - name: Build Pre-release Docker image - uses: ./.github/workflows/build-docker.yml - with: - tags: | - type=raw,value=pre-release - type=semver,pattern={{version}} - type=sha - # Explicitly disable latest tag. It will be added otherwise. 
- flavor: | - latest=false + # build-docker-prerelease: + # # Only build tags with -, like v1.0.0-alpha + # if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') + # name: Build Pre-release Docker image + # uses: ./.github/workflows/build-docker.yml + # with: + # tags: | + # type=raw,value=pre-release + # type=semver,pattern={{version}} + # type=sha + # # Explicitly disable latest tag. It will be added otherwise. + # flavor: | + # latest=false create-release: name: create-release @@ -64,13 +66,13 @@ jobs: draft: true generate_release_notes: true - create-sbom: - needs: - - create-release - - build-docker-release - uses: ./.github/workflows/sbom.yml - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} + # create-sbom: + # needs: + # - create-release + # - build-docker-release + # uses: ./.github/workflows/sbom.yml + # with: + # upload_url: ${{ needs.create-release.outputs.upload_url }} build-binaries: needs: @@ -79,8 +81,33 @@ jobs: - self-hosted - Linux - X64 + container: + image: debian:12 + env: + DEBIAN_FRONTEND: noninteractive + HOME: /root + RUSTUP_HOME: /root/.rustup + CARGO_HOME: /root/.cargo + env: + SCCACHE_GHA_ENABLED: "false" + RUSTC_WRAPPER: "" steps: + - name: Install dependencies + run: | + dpkg --add-architecture arm64 + apt-get update + apt-get install -y \ + git curl ca-certificates \ + build-essential pkg-config \ + libssl-dev libssl-dev:arm64 \ + gcc-aarch64-linux-gnu \ + protobuf-compiler libprotobuf-dev \ + rsync openssh-client \ + ruby ruby-dev rubygems rpm + gem install fpm --no-document + git config --global --add safe.directory '*' + # Store the version, stripping any v-prefix - name: Write release version run: | @@ -116,9 +143,6 @@ jobs: with: targets: "aarch64-unknown-linux-gnu" - - name: Run sccache-cache - uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - - name: Build Linux x86_64 binary run: | cargo build --locked --release --target x86_64-unknown-linux-gnu 
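Review bot: Commenting out `build-docker-release`, `build-docker-prerelease` and, in the `@@ -64,13` hunk, `create-sbom` removes the SBOM upload from tag releases and leaves dead YAML in the workflow. Both Docker jobs already had `if: startsWith(github.ref, 'refs/tags/') ...`, so they would not have run on the new branch trigger, and `create-sbom` depends on one of them. If the jobs are meant to come back, leave them active behind their `if:` conditions; if they are gone for good, delete them and say in the commit message where the SBOM is produced instead.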
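Review bot: The new `container: image: debian:12` and `gem install fpm --no-document` are both unpinned, while the actions visible in this patch are pinned to a commit SHA. A release build should fix the image by digest (`image: debian:12@sha256:<digest>`) and the gem by version (`gem install fpm --version <pinned-version> --no-document`); the same applies to the `debian:12` jobs added in later patches of this series. `git config --global --add safe.directory '*'` in the same step turns off Git's repository-ownership check for every path, and `git config --global --add safe.directory "$GITHUB_WORKSPACE"` is enough for the checkout. The job-level `RUSTC_WRAPPER: ""` deserves a one-line comment saying why sccache is disabled inside the container.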
@@ -145,87 +169,77 @@ jobs: defguard-${{ env.VERSION }}-x86_64-unknown-freebsd - name: Build x86_64 DEB package - uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main - with: - fpm_args: - "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard - linux/defguard.service=/usr/lib/systemd/system/defguard.service - .env.example=/etc/defguard/core.conf" - fpm_opts: - "--architecture amd64 - --output-type deb - --version ${{ env.VERSION }} - --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb - --before-install linux/preinst - --after-install linux/postinst - --before-remove linux/prerm - --after-remove linux/postrm" + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture amd64 \ + --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" - name: Build aarch64 DEB package - uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main - with: - fpm_args: - "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard - linux/defguard.service=/usr/lib/systemd/system/defguard.service - .env.example=/etc/defguard/core.conf" - fpm_opts: - "--architecture arm64 - --output-type deb - --version ${{ env.VERSION }} - --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb - --before-install linux/preinst - --after-install linux/postinst - --before-remove linux/prerm - --after-remove linux/postrm" + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture arm64 \ + --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ 
+ --before-remove linux/prerm \ + --after-remove linux/postrm \ + "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" - name: Build x86_64 RPM package - uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main - with: - fpm_args: - "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard - linux/defguard.service=/usr/lib/systemd/system/defguard.service - .env.example=/etc/defguard/core.conf" - fpm_opts: - "--architecture amd64 - --output-type rpm - --version ${{ env.VERSION }} - --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm - --before-install linux/preinst - --after-install linux/postinst - --before-remove linux/prerm - --after-remove linux/postrm" + run: | + fpm \ + --output-type rpm \ + --version "${{ env.VERSION }}" \ + --architecture amd64 \ + --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" - name: Build aarch64 RPM package - uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main - with: - fpm_args: - "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard - linux/defguard.service=/usr/lib/systemd/system/defguard.service - .env.example=/etc/defguard/core.conf" - fpm_opts: - "--architecture arm64 - --output-type rpm - --version ${{ env.VERSION }} - --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm - --before-install linux/preinst - --after-install linux/postinst - --before-remove linux/prerm - --after-remove linux/postrm" + run: | + fpm \ + --output-type rpm \ + --version "${{ env.VERSION 
}}" \ + --architecture arm64 \ + --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" - name: Build FreeBSD package - uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main - with: - fpm_args: - "defguard-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard - freebsd/defguard=/usr/local/etc/rc.d/defguard - .env.example=/etc/defguard/core.conf" - fpm_opts: - "--architecture amd64 - --output-type freebsd - --version ${{ env.VERSION }} - --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg - --freebsd-osversion '*' - --depends openssl" + run: | + fpm \ + --output-type freebsd \ + --version "${{ env.VERSION }}" \ + --architecture amd64 \ + --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg \ + --freebsd-osversion '*' \ + --depends openssl \ + "defguard-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard" \ + "freebsd/defguard=/usr/local/etc/rc.d/defguard" \ + ".env.example=/etc/defguard/core.conf" - name: Upload Linux x86_64 archive uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 From 4f18b71fe32852a55168557f8135fdc30dc2950b Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 11:59:05 +0200 Subject: [PATCH 02/11] test --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e3236e1d4..27cac0aa9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
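Review bot: The new `run:` blocks paste `${{ env.VERSION }}` into the script text before the shell parses it, and most uses (`--package defguard-${{ env.VERSION }}-...`) are unquoted. `VERSION` comes from the pushed ref name (`VERSION=${GITHUB_REF_NAME#v}` in the "Write release version" step), so its characters become part of the script. The value is already exported through `$GITHUB_ENV`, so the steps can read it as a shell variable instead: `--version "$VERSION"` and `--package "defguard-${VERSION}-x86_64-unknown-linux-gnu.deb"`. This applies to all five fpm steps in the hunk. The fpm binary now comes from an unpinned `gem install` rather than the SHA-pinned `defGuard/fpm-action`, so the packaging tool is no longer fixed to a reviewed revision.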
@@ -63,6 +63,7 @@ jobs: id: release uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1 with: + tag_name: v2.0.1-test draft: true generate_release_notes: true @@ -111,7 +112,8 @@ jobs: # Store the version, stripping any v-prefix - name: Write release version run: | - VERSION=${GITHUB_REF_NAME#v} + # VERSION=${GITHUB_REF_NAME#v} + VERSION="v2.0.1-test" echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV From 97ee90b32778596cccc83e3e6a2d85f864cd8889 Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 12:44:49 +0200 Subject: [PATCH 03/11] split job --- .github/workflows/release.yml | 160 ++++++++++++++++++++++------------ 1 file changed, 105 insertions(+), 55 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 27cac0aa9..b33fc8a98 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -82,13 +82,6 @@ jobs: - self-hosted - Linux - X64 - container: - image: debian:12 - env: - DEBIAN_FRONTEND: noninteractive - HOME: /root - RUSTUP_HOME: /root/.rustup - CARGO_HOME: /root/.cargo env: SCCACHE_GHA_ENABLED: "false" RUSTC_WRAPPER: "" @@ -96,9 +89,9 @@ jobs: steps: - name: Install dependencies run: | - dpkg --add-architecture arm64 - apt-get update - apt-get install -y \ + sudo dpkg --add-architecture arm64 + sudo apt-get update + sudo apt-get install -y \ git curl ca-certificates \ build-essential pkg-config \ libssl-dev libssl-dev:arm64 \ @@ -106,14 +99,14 @@ jobs: protobuf-compiler libprotobuf-dev \ rsync openssh-client \ ruby ruby-dev rubygems rpm - gem install fpm --no-document + sudo gem install fpm --no-document git config --global --add safe.directory '*' # Store the version, stripping any v-prefix - name: Write release version run: | # VERSION=${GITHUB_REF_NAME#v} - VERSION="v2.0.1-test" + VERSION="2.0.1-test" echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV 
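Review bot: `tag_name: v2.0.1-test` here and `VERSION="v2.0.1-test"` in the `@@ -111,7` hunk hard-code a test version into the release workflow, so every run targets the same release and, with `overwrite: true` on the upload steps, replaces its assets. The later patches in this series keep the literal (`VERSION="2.0.1-test"`) and copy it into each new job. Before merge the step should return to `VERSION=${GITHUB_REF_NAME#v}` and `tag_name` should be dropped. For test runs, a `workflow_dispatch` input that carries the version avoids editing the workflow.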
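Review bot: With the `container:` block removed in the `@@ -82,13` hunk, the `sudo dpkg --add-architecture arm64`, `sudo apt-get install -y` and `sudo gem install fpm --no-document` lines in the `@@ -96,9` hunk now modify the self-hosted runner host itself. Unless the runner is ephemeral, which the patch does not show, those packages and the foreign architecture persist after the job and are shared with whatever runs next on that machine. The runner account also needs passwordless sudo, and `safe.directory '*'` lands in its global Git config. Keeping the build in a container, or baking the toolchain into the runner image, keeps release builds reproducible and the runner account unprivileged.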
@@ -155,7 +148,8 @@ jobs: - name: Build Linux aarch64 binary env: CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc - PKG_CONFIG_SYSROOT_DIR: /usr/lib/aarch64-linux-gnu + PKG_CONFIG_ALLOW_CROSS: "1" + PKG_CONFIG_LIBDIR: /usr/lib/aarch64-linux-gnu/pkgconfig run: | cargo build --locked --release --target aarch64-unknown-linux-gnu mv target/aarch64-unknown-linux-gnu/release/defguard defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu @@ -170,36 +164,6 @@ jobs: tar -zcf defguard-${{ env.VERSION }}-x86_64-unknown-freebsd.tar.gz \ defguard-${{ env.VERSION }}-x86_64-unknown-freebsd - - name: Build x86_64 DEB package - run: | - fpm \ - --output-type deb \ - --version "${{ env.VERSION }}" \ - --architecture amd64 \ - --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" - - - name: Build aarch64 DEB package - run: | - fpm \ - --output-type deb \ - --version "${{ env.VERSION }}" \ - --architecture arm64 \ - --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" - - name: Build x86_64 RPM package run: | fpm \ 
@@ -243,6 +207,22 @@ jobs: "freebsd/defguard=/usr/local/etc/rc.d/defguard" \ ".env.example=/etc/defguard/core.conf" + - name: Upload binaries for deb job + uses: actions/upload-artifact@v4 + with: + name: binaries-for-deb + path: | + defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu + defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu + linux/preinst + linux/postinst + linux/prerm + linux/postrm + linux/defguard.service + .env.example + include-hidden-files: true + retention-days: 1 + - name: Upload Linux x86_64 archive uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: 
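Review bot: `uses: actions/upload-artifact@v4` is referenced by a movable tag, while the other actions in this workflow are pinned to a full commit SHA with the version as a trailing comment. Pin it the same way, `uses: actions/upload-artifact@<full-commit-sha> # v4`. The same goes for `actions/download-artifact@v4` in the `build-deb-packages` hunk and in the later patches of this series. The artifact carries the binaries that end up in the published packages, so the upload/download pair is part of the release path.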
@@ -273,52 +253,122 @@ jobs: asset_content_type: application/gzip overwrite: true - - name: Upload Linux x86_64 DEB + - name: Upload Linux x86_64 RPM uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb + asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm asset_content_type: application/gzip overwrite: true - - name: Upload Linux aarch64 DEB + - name: Upload Linux aarch64 RPM uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb + asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm asset_content_type: application/gzip overwrite: true - - name: Upload Linux x86_64 RPM + - name: Upload FreeBSD package uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm - asset_content_type: application/gzip + asset_path: defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg + asset_content_type: application/x-pkg overwrite: true - - name: Upload Linux aarch64 RPM + build-deb-packages: + needs: + - create-release + - build-binaries + runs-on: + - self-hosted + - Linux + - X64 + container: + image: debian:12 + env: + DEBIAN_FRONTEND: noninteractive + + steps: + - name: Install dependencies + run: | + apt-get update + apt-get install -y \ + ca-certificates \ + ruby ruby-dev rubygems \ + build-essential + gem install fpm --no-document + + - name: Write release version + run: | + # 
VERSION=${GITHUB_REF_NAME#v} + VERSION="2.0.1-test" + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Download binaries from build job + uses: actions/download-artifact@v4 + with: + name: binaries-for-deb + + - name: Restore executable permissions + run: | + chmod +x defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu + chmod +x defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu + + - name: Build x86_64 DEB package + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture amd64 \ + --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" + + - name: Build aarch64 DEB package + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture arm64 \ + --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" + + - name: Upload Linux x86_64 DEB uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm + asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb asset_content_type: application/gzip overwrite: true - - name: Upload FreeBSD package + - name: Upload Linux aarch64 DEB uses: 
shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg - asset_content_type: application/x-pkg + asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb + asset_content_type: application/gzip overwrite: true From 7aff673412df2b159faaa6494dbc03098c3863ba Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 13:47:23 +0200 Subject: [PATCH 04/11] build binary in container --- .github/workflows/release.yml | 241 ++++++++++++++++++++-------------- 1 file changed, 140 insertions(+), 101 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b33fc8a98..982dae44f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
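Review bot: The new `build-deb-packages` job carries its own copy of the "Write release version" step, so the version used for `chmod +x defguard-${{ env.VERSION }}-...` and the fpm calls is set independently of the job that built the binaries. If the two copies drift, the job fails or packages a file under the wrong name. Publishing the value once as a job output of `build-binaries` and reading `${{ needs.build-binaries.outputs.version }}` here removes the duplicate. The `.deb` upload steps also declare `asset_content_type: application/gzip`, whereas `application/vnd.debian.binary-package` is the registered type for Debian packages.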
@@ -75,9 +75,96 @@ jobs: # with: # upload_url: ${{ needs.create-release.outputs.upload_url }} + build-deb-binaries: + needs: + - create-release + runs-on: + - self-hosted + - Linux + - X64 + container: + image: debian:12 + env: + DEBIAN_FRONTEND: noninteractive + env: + SCCACHE_GHA_ENABLED: "false" + RUSTC_WRAPPER: "" + + steps: + - name: Install dependencies + run: | + dpkg --add-architecture arm64 + apt-get update + apt-get install -y \ + git curl ca-certificates \ + build-essential pkg-config \ + libssl-dev libssl-dev:arm64 \ + gcc-aarch64-linux-gnu \ + protobuf-compiler libprotobuf-dev + git config --global --add safe.directory '*' + + - name: Write release version + run: | + # VERSION=${GITHUB_REF_NAME#v} + VERSION="2.0.1-test" + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + submodules: recursive + + - name: Install NodeJS + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version: 25 + + - name: Install pnpm + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + with: + version: 10 + + - name: Build frontend + working-directory: web + run: | + pnpm install --ignore-scripts --no-frozen-lockfile + pnpm build + + - name: Install Rust stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable + with: + targets: "aarch64-unknown-linux-gnu" + + - name: Build Linux x86_64 binary (for DEB) + run: | + cargo build --locked --release --target x86_64-unknown-linux-gnu + mv target/x86_64-unknown-linux-gnu/release/defguard \ + defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu + + - name: Build Linux aarch64 binary (for DEB) + env: + CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc + PKG_CONFIG_ALLOW_CROSS: "1" + PKG_CONFIG_LIBDIR: /usr/lib/aarch64-linux-gnu/pkgconfig + run: | + cargo build --locked --release --target aarch64-unknown-linux-gnu + mv 
target/aarch64-unknown-linux-gnu/release/defguard \ + defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu + + - name: Upload DEB binaries + uses: actions/upload-artifact@v4 + with: + name: deb-binaries + path: | + defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu + defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu + retention-days: 1 + build-binaries: needs: - create-release + - build-deb-binaries runs-on: - self-hosted - Linux @@ -102,7 +189,6 @@ jobs: sudo gem install fpm --no-document git config --global --add safe.directory '*' - # Store the version, stripping any v-prefix - name: Write release version run: | # VERSION=${GITHUB_REF_NAME#v} @@ -125,8 +211,6 @@ jobs: with: version: 10 - # Change to '--frozen-lockfile' once this gets fixed: - # https://github.com/pnpm/action-setup/issues/40 - name: Build frontend working-directory: web run: | 
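Review bot: In the new `build-deb-binaries` job, `pnpm install --ignore-scripts --no-frozen-lockfile` lets the release build resolve frontend dependencies that differ from the committed lockfile. The frontend shipped with the release may therefore contain package versions that were never reviewed. The `@@ -125,8` hunk of this patch also deletes the comment that explained the flag (`Change to '--frozen-lockfile' once this gets fixed: https://github.com/pnpm/action-setup/issues/40`). Use `pnpm install --ignore-scripts --frozen-lockfile` if that issue no longer applies, or keep the comment next to both copies of the step. `--ignore-scripts` is worth keeping either way.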
@@ -164,6 +248,47 @@ jobs: tar -zcf defguard-${{ env.VERSION }}-x86_64-unknown-freebsd.tar.gz \ defguard-${{ env.VERSION }}-x86_64-unknown-freebsd + - name: Download DEB binaries (built on debian:12) + uses: actions/download-artifact@v4 + with: + name: deb-binaries + path: deb-binaries + + - name: Restore executable permissions on DEB binaries + run: | + chmod +x deb-binaries/defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu + chmod +x deb-binaries/defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu + + - name: Build x86_64 DEB package + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture amd64 \ + --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "deb-binaries/defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" + + - name: Build aarch64 DEB package + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture arm64 \ + --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "deb-binaries/defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" + - name: Build x86_64 RPM package run: | fpm \ 
@@ -207,22 +332,6 @@ jobs: "freebsd/defguard=/usr/local/etc/rc.d/defguard" \ ".env.example=/etc/defguard/core.conf" - - name: Upload binaries for deb job - uses: actions/upload-artifact@v4 - with: - name: binaries-for-deb - path: | - defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu - defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu - linux/preinst - linux/postinst - linux/prerm - linux/postrm - linux/defguard.service - .env.example - include-hidden-files: true - retention-days: 1 - - name: Upload Linux x86_64 archive uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: 
@@ -253,122 +362,52 @@ jobs: asset_content_type: application/gzip overwrite: true - - name: Upload Linux x86_64 RPM + - name: Upload Linux x86_64 DEB uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm + asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb asset_content_type: application/gzip overwrite: true - - name: Upload Linux aarch64 RPM + - name: Upload Linux aarch64 DEB uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm + asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb asset_content_type: application/gzip overwrite: true - - name: Upload FreeBSD package + - name: Upload Linux x86_64 RPM uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg - asset_content_type: application/x-pkg + asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm + asset_content_type: application/gzip overwrite: true - build-deb-packages: - needs: - - create-release - - build-binaries - runs-on: - - self-hosted - - Linux - - X64 - container: - image: debian:12 - env: - DEBIAN_FRONTEND: noninteractive - - steps: - - name: Install dependencies - run: | - apt-get update - apt-get install -y \ - ca-certificates \ - ruby ruby-dev rubygems \ - build-essential - gem install fpm --no-document - - - name: Write release version - run: | - # VERSION=${GITHUB_REF_NAME#v} - VERSION="2.0.1-test" 
- echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - - name: Download binaries from build job - uses: actions/download-artifact@v4 - with: - name: binaries-for-deb - - - name: Restore executable permissions - run: | - chmod +x defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu - chmod +x defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu - - - name: Build x86_64 DEB package - run: | - fpm \ - --output-type deb \ - --version "${{ env.VERSION }}" \ - --architecture amd64 \ - --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" - - - name: Build aarch64 DEB package - run: | - fpm \ - --output-type deb \ - --version "${{ env.VERSION }}" \ - --architecture arm64 \ - --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" - - - name: Upload Linux x86_64 DEB + - name: Upload Linux aarch64 RPM uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb + asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm asset_content_type: application/gzip overwrite: true - - name: Upload Linux aarch64 DEB + - name: Upload FreeBSD package uses: 
shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb - asset_content_type: application/gzip + asset_path: defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg + asset_content_type: application/x-pkg overwrite: true From 096c420c501b966d67d596d03eee3e55b38ed25f Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 14:03:07 +0200 Subject: [PATCH 05/11] change config --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 982dae44f..fb52d14ce 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -146,7 +146,7 @@ jobs: env: CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc PKG_CONFIG_ALLOW_CROSS: "1" - PKG_CONFIG_LIBDIR: /usr/lib/aarch64-linux-gnu/pkgconfig + PKG_CONFIG_LIBDIR_aarch64_unknown_linux_gnu: /usr/lib/aarch64-linux-gnu/pkgconfig run: | cargo build --locked --release --target aarch64-unknown-linux-gnu mv target/aarch64-unknown-linux-gnu/release/defguard \ From cae04156a99ae57ccb0e3fdc661a43f4106f9c40 Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 14:19:20 +0200 Subject: [PATCH 06/11] use specific runners --- .github/workflows/release.yml | 48 ++++++++++++++++------------------- 1 file changed, 22 insertions(+), 26 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fb52d14ce..4873ad1f8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -81,7 +81,18 @@ jobs: runs-on: - self-hosted - Linux - - X64 + - ${{ matrix.architecture }} + strategy: + fail-fast: false + matrix: + architecture: [ARM64, X64] + include: + - architecture: ARM64 + deb_arch: arm64 + rust_target: aarch64-unknown-linux-gnu + - architecture: X64 + deb_arch: amd64 + rust_target: x86_64-unknown-linux-gnu container: image: debian:12 env: @@ -93,13 +104,11 @@ jobs: steps: - name: Install dependencies run: | - dpkg --add-architecture arm64 apt-get update apt-get install -y \ git curl ca-certificates \ build-essential pkg-config \ - libssl-dev libssl-dev:arm64 \ - gcc-aarch64-linux-gnu \ + libssl-dev \ protobuf-compiler libprotobuf-dev git config --global --add safe.directory '*' 
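Review bot: The matrix lists `architecture: [ARM64, X64]` and then repeats both values under `include`, and `deb_arch` is not read anywhere in the hunks shown. An `include`-only matrix expresses the same thing with less, and `deb_arch` should either feed fpm's `--architecture` or be dropped. `runs-on` now takes its third label from `${{ matrix.architecture }}`, so the ARM64 leg will stay queued unless a self-hosted runner with that label is registered. A comment such as `# requires self-hosted runners labelled ARM64 and X64` above `strategy:` would make that dependency visible.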
@@ -133,32 +142,18 @@ jobs: - name: Install Rust stable uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable - with: - targets: "aarch64-unknown-linux-gnu" - - - name: Build Linux x86_64 binary (for DEB) - run: | - cargo build --locked --release --target x86_64-unknown-linux-gnu - mv target/x86_64-unknown-linux-gnu/release/defguard \ - defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu - - name: Build Linux aarch64 binary (for DEB) - env: - CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc - PKG_CONFIG_ALLOW_CROSS: "1" - PKG_CONFIG_LIBDIR_aarch64_unknown_linux_gnu: /usr/lib/aarch64-linux-gnu/pkgconfig + - name: Build binary (for DEB) run: | - cargo build --locked --release --target aarch64-unknown-linux-gnu - mv target/aarch64-unknown-linux-gnu/release/defguard \ - defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu + cargo build --locked --release --target ${{ matrix.rust_target }} + mv target/${{ matrix.rust_target }}/release/defguard \ + defguard-${{ env.VERSION }}-${{ matrix.rust_target }} - - name: Upload DEB binaries + - name: Upload DEB binary uses: actions/upload-artifact@v4 with: - name: deb-binaries - path: | - defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu - defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu + name: deb-binaries-${{ matrix.rust_target }} + path: defguard-${{ env.VERSION }}-${{ matrix.rust_target }} retention-days: 1 build-binaries: @@ -251,8 +246,9 @@ jobs: - name: Download DEB binaries (built on debian:12) uses: actions/download-artifact@v4 with: - name: deb-binaries + pattern: deb-binaries-* path: deb-binaries + merge-multiple: true - name: Restore executable permissions on DEB binaries run: | From 1eae483c109339d0de274e1d22dc15a2887447b2 Mon Sep 17 00:00:00 2001 
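Review bot: `actions/upload-artifact@v4` in the "Upload DEB binary" step, and `actions/download-artifact@v4` in the later hunk of this patch, are referenced by a movable tag, while the other actions visible in this workflow are pinned to a full commit SHA with the version in a trailing comment. These two steps carry the binaries that end up inside the released `.deb`, so they deserve the same pinning: `uses: actions/upload-artifact@<full-commit-sha> # v4` and `uses: actions/download-artifact@<full-commit-sha> # v4`, with the SHAs taken from the upstream releases. The download side now selects by `pattern: deb-binaries-*` with `merge-multiple: true`, so every artifact in the run that carries that prefix is merged into `deb-binaries/`; the prefix should stay reserved for this job's outputs. Both job bodies continue outside these hunks.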
From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 15:58:24 +0200 Subject: [PATCH 07/11] add new job / build new deb --- .github/workflows/release.yml | 365 +++++++++++++++++----------------- 1 file changed, 186 insertions(+), 179 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4873ad1f8..314eeeac6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -75,119 +75,19 @@ jobs: # with: # upload_url: ${{ needs.create-release.outputs.upload_url }} - build-deb-binaries: - needs: - - create-release - runs-on: - - self-hosted - - Linux - - ${{ matrix.architecture }} - strategy: - fail-fast: false - matrix: - architecture: [ARM64, X64] - include: - - architecture: ARM64 - deb_arch: arm64 - rust_target: aarch64-unknown-linux-gnu - - architecture: X64 - deb_arch: amd64 - rust_target: x86_64-unknown-linux-gnu - container: - image: debian:12 - env: - DEBIAN_FRONTEND: noninteractive - env: - SCCACHE_GHA_ENABLED: "false" - RUSTC_WRAPPER: "" - - steps: - - name: Install dependencies - run: | - apt-get update - apt-get install -y \ - git curl ca-certificates \ - build-essential pkg-config \ - libssl-dev \ - protobuf-compiler libprotobuf-dev - git config --global --add safe.directory '*' - - - name: Write release version - run: | - # VERSION=${GITHUB_REF_NAME#v} - VERSION="2.0.1-test" - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - with: - submodules: recursive - - - name: Install NodeJS - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 - with: - node-version: 25 - - - name: Install pnpm - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 - with: - version: 10 - - - name: Build frontend - working-directory: web - run: | - pnpm install --ignore-scripts --no-frozen-lockfile - pnpm build - - - name: Install Rust stable - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable - - - name: Build binary (for DEB) - run: | - cargo build --locked --release --target ${{ matrix.rust_target }} - mv target/${{ matrix.rust_target }}/release/defguard \ - defguard-${{ env.VERSION }}-${{ matrix.rust_target }} - - - name: Upload DEB binary - uses: actions/upload-artifact@v4 - with: - name: deb-binaries-${{ matrix.rust_target }} - path: defguard-${{ env.VERSION }}-${{ 
matrix.rust_target }} - retention-days: 1 - build-binaries: needs: - create-release - - build-deb-binaries runs-on: - self-hosted - Linux - X64 - env: - SCCACHE_GHA_ENABLED: "false" - RUSTC_WRAPPER: "" steps: - - name: Install dependencies - run: | - sudo dpkg --add-architecture arm64 - sudo apt-get update - sudo apt-get install -y \ - git curl ca-certificates \ - build-essential pkg-config \ - libssl-dev libssl-dev:arm64 \ - gcc-aarch64-linux-gnu \ - protobuf-compiler libprotobuf-dev \ - rsync openssh-client \ - ruby ruby-dev rubygems rpm - sudo gem install fpm --no-document - git config --global --add safe.directory '*' - + # Store the version, stripping any v-prefix - name: Write release version run: | - # VERSION=${GITHUB_REF_NAME#v} - VERSION="2.0.1-test" + VERSION=${GITHUB_REF_NAME#v} echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV @@ -206,6 +106,8 @@ jobs: with: version: 10 + # Change to '--frozen-lockfile' once this gets fixed: + # https://github.com/pnpm/action-setup/issues/40 - name: Build frontend working-directory: web run: | @@ -217,6 +119,9 @@ jobs: with: targets: "aarch64-unknown-linux-gnu" + - name: Run sccache-cache + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 + - name: Build Linux x86_64 binary run: | cargo build --locked --release --target x86_64-unknown-linux-gnu @@ -227,8 +132,7 @@ jobs: - name: Build Linux aarch64 binary env: CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc - PKG_CONFIG_ALLOW_CROSS: "1" - PKG_CONFIG_LIBDIR: /usr/lib/aarch64-linux-gnu/pkgconfig + PKG_CONFIG_SYSROOT_DIR: /usr/lib/aarch64-linux-gnu run: | cargo build --locked --release --target aarch64-unknown-linux-gnu mv target/aarch64-unknown-linux-gnu/release/defguard defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu 
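Review bot: The restored `VERSION=${GITHUB_REF_NAME#v}` in "Write release version" is written to `$GITHUB_ENV` with no check on its shape, and later steps paste it into `run:` scripts through `${{ env.VERSION }}`, which is substituted into the script text before the shell parses it. The workflow's tag filter (`v*.*.*`, visible elsewhere in this series) is a glob rather than a version check, so a guard directly after the assignment would keep unexpected characters out of file names and package versions: `printf '%s' "$VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$' || { echo "unexpected version" >&2; exit 1; }`. Shell steps can then read the value as `"$VERSION"` instead of the expression form. The same assignment is added in the `ubuntu-22-04-build` job in the last hunk of this patch and restored again in patch 10; the `steps:` list of `build-binaries` continues outside this hunk.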
@@ -243,90 +147,88 @@ jobs: tar -zcf defguard-${{ env.VERSION }}-x86_64-unknown-freebsd.tar.gz \ defguard-${{ env.VERSION }}-x86_64-unknown-freebsd - - name: Download DEB binaries (built on debian:12) - uses: actions/download-artifact@v4 - with: - pattern: deb-binaries-* - path: deb-binaries - merge-multiple: true - - - name: Restore executable permissions on DEB binaries - run: | - chmod +x deb-binaries/defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu - chmod +x deb-binaries/defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu - - name: Build x86_64 DEB package - run: | - fpm \ - --output-type deb \ - --version "${{ env.VERSION }}" \ - --architecture amd64 \ - --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - "deb-binaries/defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main + with: + fpm_args: + "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard + linux/defguard.service=/usr/lib/systemd/system/defguard.service + .env.example=/etc/defguard/core.conf" + fpm_opts: + "--architecture amd64 + --output-type deb + --version ${{ env.VERSION }} + --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build aarch64 DEB package - run: | - fpm \ - --output-type deb \ - --version "${{ env.VERSION }}" \ - --architecture arm64 \ - --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - 
"deb-binaries/defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main + with: + fpm_args: + "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard + linux/defguard.service=/usr/lib/systemd/system/defguard.service + .env.example=/etc/defguard/core.conf" + fpm_opts: + "--architecture arm64 + --output-type deb + --version ${{ env.VERSION }} + --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build x86_64 RPM package - run: | - fpm \ - --output-type rpm \ - --version "${{ env.VERSION }}" \ - --architecture amd64 \ - --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main + with: + fpm_args: + "defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard + linux/defguard.service=/usr/lib/systemd/system/defguard.service + .env.example=/etc/defguard/core.conf" + fpm_opts: + "--architecture amd64 + --output-type rpm + --version ${{ env.VERSION }} + --package defguard-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build aarch64 RPM package - run: | - fpm \ - --output-type rpm \ - --version "${{ env.VERSION }}" \ - --architecture arm64 \ - --package 
defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm \ - --before-install linux/preinst \ - --after-install linux/postinst \ - --before-remove linux/prerm \ - --after-remove linux/postrm \ - "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard" \ - "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ - ".env.example=/etc/defguard/core.conf" + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main + with: + fpm_args: + "defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard + linux/defguard.service=/usr/lib/systemd/system/defguard.service + .env.example=/etc/defguard/core.conf" + fpm_opts: + "--architecture arm64 + --output-type rpm + --version ${{ env.VERSION }} + --package defguard-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm + --before-install linux/preinst + --after-install linux/postinst + --before-remove linux/prerm + --after-remove linux/postrm" - name: Build FreeBSD package - run: | - fpm \ - --output-type freebsd \ - --version "${{ env.VERSION }}" \ - --architecture amd64 \ - --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg \ - --freebsd-osversion '*' \ - --depends openssl \ - "defguard-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard" \ - "freebsd/defguard=/usr/local/etc/rc.d/defguard" \ - ".env.example=/etc/defguard/core.conf" + uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main + with: + fpm_args: + "defguard-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard + freebsd/defguard=/usr/local/etc/rc.d/defguard + .env.example=/etc/defguard/core.conf" + fpm_opts: + "--architecture amd64 + --output-type freebsd + --version ${{ env.VERSION }} + --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg + --freebsd-osversion '*' + --depends openssl" - name: Upload Linux x86_64 archive uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 
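Review bot: The `fpm_args` and `fpm_opts` values in all five packaging steps are multi-line double-quoted scalars, so YAML folds every line break into a single space and the action receives one long string that it has to tokenise itself. A folded block scalar says the same thing explicitly and avoids nesting quotes, e.g. `fpm_opts: >-` followed by the option lines at a deeper indent. How `defGuard/fpm-action` splits that string is not visible in this hunk, so it is worth confirming that the single quotes in `--freebsd-osversion '*'` reach fpm as a literal `*` rather than being expanded or passed through with the quotes. The pin comment `# main` names a branch rather than a release, so noting the date or upstream version beside the SHA would tell the next reviewer what was audited.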
@@ -407,3 +309,108 @@ jobs: asset_path: defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg asset_content_type: application/x-pkg overwrite: true + + ubuntu-22-04-build: + needs: + - create-release + runs-on: + - self-hosted + - Linux + - ${{ matrix.architecture }} + strategy: + fail-fast: false + matrix: + architecture: [ARM64, X64] + include: + - architecture: ARM64 + deb_arch: arm64 + rust_target: aarch64-unknown-linux-gnu + - architecture: X64 + deb_arch: amd64 + rust_target: x86_64-unknown-linux-gnu + container: + image: ubuntu:22.04 + env: + DEBIAN_FRONTEND: noninteractive + HOME: /root + RUSTUP_HOME: /root/.rustup + CARGO_HOME: /root/.cargo + env: + RUSTC_WRAPPER: "" + + steps: + - name: Install git + run: | + apt-get update + apt-get install -y git curl ca-certificates + git config --global --add safe.directory '*' + + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + submodules: recursive + + - name: Write release version + run: | + VERSION=${GITHUB_REF_NAME#v} + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Install NodeJS + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version: 25 + + - name: Install pnpm + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + with: + version: 10 + + # Change to '--frozen-lockfile' once this gets fixed: + # https://github.com/pnpm/action-setup/issues/40 + - name: Build frontend + working-directory: web + run: | + pnpm install --ignore-scripts --no-frozen-lockfile + pnpm build + + - name: Install Rust stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable + + - name: Install build dependencies + run: | + apt-get install -y \ + build-essential pkg-config \ + libssl-dev \ + protobuf-compiler libprotobuf-dev \ + ruby ruby-dev rubygems rpm + gem install fpm --no-document + + - name: Build binary + run: | + cargo build --locked --release --target ${{ 
matrix.rust_target }} + + - name: Build DEB package (ubuntu-22-04-lts) + run: | + fpm \ + --output-type deb \ + --version "${{ env.VERSION }}" \ + --architecture ${{ matrix.deb_arch }} \ + --package defguard-${{ env.VERSION }}-${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb \ + --before-install linux/preinst \ + --after-install linux/postinst \ + --before-remove linux/prerm \ + --after-remove linux/postrm \ + "target/${{ matrix.rust_target }}/release/defguard=/usr/bin/defguard" \ + "linux/defguard.service=/usr/lib/systemd/system/defguard.service" \ + ".env.example=/etc/defguard/core.conf" + + - name: Upload ubuntu-22-04-lts DEB + uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-${{ env.VERSION }}-${{ matrix.deb_arch }}_ubuntu-22-04-lts.deb + asset_content_type: application/gzip + overwrite: true From 028f9a84b50180e9fbf2c5a2c3804991b707ea8a Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 16:02:42 +0200 Subject: [PATCH 08/11] add dep --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 314eeeac6..b226f0ddd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -342,7 +342,7 @@ jobs: - name: Install git run: | apt-get update - apt-get install -y git curl ca-certificates + apt-get install -y git curl ca-certificates libatomic1 git config --global --add safe.directory '*' - name: Checkout From f800aac6b5e2df76a7c24ff2ceeed3a499842493 Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 16:29:34 +0200 Subject: [PATCH 09/11] mock version, test workflow --- .github/workflows/release.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
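Review bot: The new `ubuntu-22-04-build` job pins every action to a commit SHA but takes its two other build inputs unpinned: `image: ubuntu:22.04` is a mutable tag, and `gem install fpm --no-document` installs whatever fpm version is current when the release runs. Both feed directly into the published `.deb`, so a changed base image or gem release alters the artifact without any change in this repository. Pinning them closes that gap: `image: ubuntu:22.04@sha256:<digest>` and `gem install fpm --no-document --version <pinned-version>`, with the values recorded from a known-good run. The frontend step has the same property through `--no-frozen-lockfile`, which the added comment already tracks.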
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b226f0ddd..90bd121b0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -87,7 +87,8 @@ jobs: # Store the version, stripping any v-prefix - name: Write release version run: | - VERSION=${GITHUB_REF_NAME#v} + # VERSION=${GITHUB_REF_NAME#v} + VERSION="2.0.1-test" echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV @@ -352,7 +353,8 @@ jobs: - name: Write release version run: | - VERSION=${GITHUB_REF_NAME#v} + # VERSION=${GITHUB_REF_NAME#v} + VERSION="2.0.1-test" echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV From 62b4c6c5557e59f3cd05daef087b30acdddd92b9 Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 17:10:54 +0200 Subject: [PATCH 10/11] ready to release --- .github/workflows/release.yml | 82 +++++++++++++++++------------------ 1 file changed, 39 insertions(+), 43 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 90bd121b0..cc2e47c8d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,8 +3,6 @@ on: push: tags: - v*.*.* - branches: - - debian-12-deb permissions: contents: write 
@@ -22,36 +20,36 @@ env: RUSTC_WRAPPER: "sccache" jobs: - # build-docker-release: - # # Ignore tags with -, like v1.0.0-alpha - # # This job will build the docker container with the "latest" tag which - # # is a tag used in production, thus it should only be run for full releases. - # if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') - # name: Build Release Docker image - # uses: ./.github/workflows/build-docker.yml - # with: - # tags: | - # type=semver,pattern={{version}} - # type=semver,pattern={{major}}.{{minor}} - # type=semver,pattern={{major}} - # type=sha - # # Explicitly disable latest tag. It will be added otherwise. - # flavor: | - # latest=false - - # build-docker-prerelease: - # # Only build tags with -, like v1.0.0-alpha - # if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') - # name: Build Pre-release Docker image - # uses: ./.github/workflows/build-docker.yml - # with: - # tags: | - # type=raw,value=pre-release - # type=semver,pattern={{version}} - # type=sha - # # Explicitly disable latest tag. It will be added otherwise. - # flavor: | - # latest=false + build-docker-release: + # Ignore tags with -, like v1.0.0-alpha + # This job will build the docker container with the "latest" tag which + # is a tag used in production, thus it should only be run for full releases. + if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref, '-') + name: Build Release Docker image + uses: ./.github/workflows/build-docker.yml + with: + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha + # Explicitly disable latest tag. It will be added otherwise. 
+ flavor: | + latest=false + + build-docker-prerelease: + # Only build tags with -, like v1.0.0-alpha + if: startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') + name: Build Pre-release Docker image + uses: ./.github/workflows/build-docker.yml + with: + tags: | + type=raw,value=pre-release + type=semver,pattern={{version}} + type=sha + # Explicitly disable latest tag. It will be added otherwise. + flavor: | + latest=false create-release: name: create-release @@ -67,13 +65,13 @@ jobs: draft: true generate_release_notes: true - # create-sbom: - # needs: - # - create-release - # - build-docker-release - # uses: ./.github/workflows/sbom.yml - # with: - # upload_url: ${{ needs.create-release.outputs.upload_url }} + create-sbom: + needs: + - create-release + - build-docker-release + uses: ./.github/workflows/sbom.yml + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} build-binaries: needs: @@ -87,8 +85,7 @@ jobs: # Store the version, stripping any v-prefix - name: Write release version run: | - # VERSION=${GITHUB_REF_NAME#v} - VERSION="2.0.1-test" + VERSION=${GITHUB_REF_NAME#v} echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV @@ -353,8 +350,7 @@ jobs: - name: Write release version run: | - # VERSION=${GITHUB_REF_NAME#v} - VERSION="2.0.1-test" + VERSION=${GITHUB_REF_NAME#v} echo Version: $VERSION echo "VERSION=$VERSION" >> $GITHUB_ENV From 563262f16a14a81e3ef5c9b8638a10a823d54573 Mon Sep 17 00:00:00 2001 From: Kuba <78603704+jakub-tldr@users.noreply.github.com> Date: Wed, 20 May 2026 17:11:21 +0200 Subject: [PATCH 11/11] remove debug tag --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cc2e47c8d..78b55862d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -61,7 +61,6 @@ jobs: id: release uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1 with: - tag_name: v2.0.1-test draft: true generate_release_notes: true