	Update Rust, Crates, Profile and Actions (#4126)
- Updated Rust to v1.74.0 - Updated all crates (where possible) - Changed release profile to use * fat lto * 1 codegen-unit This should optimize a bit for speed and a lot for size ~15MB smaller - Updated Github actions to use caching for the bake process - Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images - During the release action, the Alpine/static binaries are added as artifacts. Later we could also automatically add them to the releases maybe. - Added CODEOWNERS to prevent unchecked changes to github actions workflows
					committed by
					
						 GitHub
						GitHub
					
				
			
			
				
	
			
			
			
						parent
						
							0fdda3bc2f
						
					
				
				
					commit
					34e00e1478
				
			
							
								
								
									
										3
									
								
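--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+/.github @dani-garcia @BlackDex
+/.github/CODEOWNERS @dani-garcia @BlackDex
+/.github/workflows/** @dani-garcia @BlackDex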
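Review bot: A CODEOWNERS file only blocks a merge when the protected branch has "Require review from Code Owners" enabled; without that rule on `main` these three lines are advisory, which is worth confirming since the commit's stated goal is to prevent unchecked workflow changes. The first pattern `/.github` already covers `/.github/CODEOWNERS` and `/.github/workflows/**`, so the two extra lines are redundant but do make the intent explicit. A leading comment such as `# Only enforced together with the "Require review from Code Owners" branch-protection rule` would save the next maintainer from assuming the file is self-enforcing.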
							
								
								
									
										2
									
								
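--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: "Checkout"
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
       # End Checkout the repo
 
 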
							
								
								
									
										2
									
								
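--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       # End Checkout the repo
 
       # Download hadolint - https://github.com/hadolint/hadolint/releases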
							
								
								
									
										118
									
								
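--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,6 @@ on:
 
     branches: # Only on paths above
       - main
-      - release-build-revision
 
     tags: # Always, regardless of paths above
       - '*'
@@ -31,7 +30,7 @@ jobs:
     steps:
       - name: Skip Duplicates Actions
         id: skip_check
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
         with:
           cancel_others: 'true'
         # Only run this when not creating a tag
@@ -42,12 +41,12 @@ jobs:
     timeout-minutes: 120
     needs: skip_check
     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
-    # TODO: Start a local docker registry to be used to extract the final Alpine static build images
-    # services:
-    #   registry:
-    #     image: registry:2
-    #     ports:
-    #       - 5000:5000
+    # Start a local docker registry to extract the final Alpine static build binaries
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     env:
       SOURCE_COMMIT: ${{ github.sha }}
       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
@@ -69,7 +68,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
@@ -140,6 +139,12 @@ jobs:
         run: |
           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
 
+      - name: Add registry for ghcr.io
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
+
       # Login to Quay.io
       - name: Login to Quay.io
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -155,8 +160,28 @@ jobs:
         run: |
           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
 
+      - name: Configure build cache from/to
+        shell: bash
+        run: |
+          #
+          # Check if there is a GitHub Container Registry Login and use it for caching
+          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
+            echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},mode=max" | tee -a "${GITHUB_ENV}"
+          else
+            echo "BAKE_CACHE_FROM="
+            echo "BAKE_CACHE_TO="
+          fi
+          #
+
+      - name: Add localhost registry
+        if: ${{ matrix.base_image == 'alpine' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
+
       - name: Bake ${{ matrix.base_image }} containers
-        uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0
+        uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d # v4.1.0
         env:
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
@@ -168,3 +193,76 @@ jobs:
           push: true
           files: docker/docker-bake.hcl
           targets: "${{ matrix.base_image }}-multi"
+          set: |
+            *.cache-from=${{ env.BAKE_CACHE_FROM }}
+            *.cache-to=${{ env.BAKE_CACHE_TO }}
+
+
+      # Extract the Alpine binaries from the containers
+      - name: Extract binaries
+        if: ${{ matrix.base_image == 'alpine' }}
+        shell: bash
+        run: |
+          # Check which main tag we are going to build determined by github.ref_type
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            EXTRACT_TAG="latest"
+          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+            EXTRACT_TAG="testing"
+          fi
+
+          # After each extraction the image is removed.
+          # This is needed because using different platforms doesn't trigger a new pull/download
+
+          # Extract amd64 binary
+          docker create --name amd64 --platform=linux/amd64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp amd64:/vaultwarden vaultwarden-amd64
+          docker rm --force amd64
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+          # Extract arm64 binary
+          docker create --name arm64 --platform=linux/arm64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp arm64:/vaultwarden vaultwarden-arm64
+          docker rm --force arm64
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+          # Extract armv7 binary
+          docker create --name armv7 --platform=linux/arm/v7 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp armv7:/vaultwarden vaultwarden-armv7
+          docker rm --force armv7
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+          # Extract armv6 binary
+          docker create --name armv6 --platform=linux/arm/v6 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp armv6:/vaultwarden vaultwarden-armv6
+          docker rm --force armv6
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+      # Upload artifacts to Github Actions
+      - name: "Upload amd64 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
+          path: vaultwarden-amd64
+
+      - name: "Upload arm64 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
+          path: vaultwarden-arm64
+
+      - name: "Upload armv7 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
+          path: vaultwarden-armv7
+
+      - name: "Upload armv6 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
+          path: vaultwarden-armv6
+      # End Upload artifacts to Github Actions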
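Review bot: The "Extract binaries" step in the last hunk creates containers from `vaultwarden/server:${EXTRACT_TAG}-alpine`, which resolves to Docker Hub rather than the `localhost:5000/vaultwarden/server` registry this commit starts and appends to CONTAINER_REGISTRIES for exactly this purpose, so the uploaded artifacts depend on the Docker Hub push having completed and could even come from a previously published image if that push was skipped or failed. Pulling from the job-local registry ties the artifacts to the image built in this run, assuming docker-bake.hcl applies the same tag set to every entry in CONTAINER_REGISTRIES (the bake file is not in this diff). The four near-identical create/cp/rm/rmi blocks can then collapse into one loop keyed on platform, shown below. Separately, the "Add registry for ghcr.io" step added in the hunk at old line 140 follows context lines that already echo `${{ vars.GHCR_REPO }}` into CONTAINER_REGISTRIES; if those belong to an existing ghcr.io registration step, the registry is now appended twice.
```yaml
      - name: Extract binaries
        if: ${{ matrix.base_image == 'alpine' }}
        shell: bash
        run: |
          # … unchanged: EXTRACT_TAG selection by github.ref_type …
          # Pull from the job-local registry the bake step pushed to, so the
          # uploaded binaries are the ones built in this run.
          IMAGE="localhost:5000/vaultwarden/server:${EXTRACT_TAG}-alpine"
          for ENTRY in amd64=linux/amd64 arm64=linux/arm64 armv7=linux/arm/v7 armv6=linux/arm/v6; do
            ARCH="${ENTRY%%=*}"
            PLATFORM="${ENTRY#*=}"
            docker create --name "${ARCH}" --platform="${PLATFORM}" "${IMAGE}"
            docker cp "${ARCH}:/vaultwarden" "vaultwarden-${ARCH}"
            docker rm --force "${ARCH}"
            # Remove the image; a different --platform alone does not trigger a new pull
            docker rmi --force "${IMAGE}"
          done
```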
							
								
								
									
										25
									
								
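--- a/.github/workflows/releasecache-cleanup.yml
+++ b/.github/workflows/releasecache-cleanup.yml
@@ -0,0 +1,25 @@
+on:
+  workflow_dispatch:
+    inputs:
+      manual_trigger:
+        description: "Manual trigger buildcache cleanup"
+        required: false
+        default: ""
+
+  schedule:
+    - cron: '0 1 * * FRI'
+
+name: Cleanup
+jobs:
+  releasecache-cleanup:
+    name: Releasecache Cleanup
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - name: Delete vaultwarden-buildcache containers
+        uses: actions/delete-package-versions@0d39a63126868f5eefaa47169615edd3c0f61e20 # v4.1.1
+        with:
+          package-name: 'vaultwarden-buildcache'
+          package-type: 'container'
+          min-versions-to-keep: 0
+          delete-only-untagged-versions: 'false'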
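Review bot: The `releasecache-cleanup` job declares no `permissions:` block, so it runs with whatever default GITHUB_TOKEN scope the repository grants; deleting container package versions needs `packages: write` and nothing more, and a scheduled job should not inherit anything broader. Adding `permissions:` with `packages: write` under `releasecache-cleanup:` makes the requirement explicit and fails early if the repository default is read-only. `package-name: 'vaultwarden-buildcache'` must match the `${{ vars.GHCR_REPO }}-buildcache` reference used by the release workflow's cache configuration; that variable is not in the diff, so the name is worth confirming. With `min-versions-to-keep: 0` and `delete-only-untagged-versions: 'false'` every cache version is removed on each run, which matches the stated intent but also means a release build that overlaps the Friday 01:00 schedule would lose the cache it just pushed. The `manual_trigger` input is declared but never read.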
							
								
								
									
										3
									
								
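--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - release-build-revision
     tags:
       - '*'
   pull_request:
@@ -29,7 +28,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
         with:
           scan-type: repo
           ignore-unfixed: true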