diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
index e8259524..8b1246a2 100644
--- a/.github/workflows/build-docker.yml
+++ b/.github/workflows/build-docker.yml
@@ -43,25 +43,25 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
- name: Login to GitHub container registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
- name: Sanitize branch name
run: echo "SAFE_REF=${GITHUB_REF_NAME//\//-}" >> $GITHUB_ENV
- name: Build container
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
with:
context: .
platforms: linux/${{ matrix.cpu }}
@@ -74,7 +74,7 @@ jobs:
cache-to: type=registry,mode=max,ref=${{ env.GHCR_REPO }}:cache-${{ matrix.tag }}-${{ env.SAFE_REF }}
- name: Scan image with Trivy
- uses: aquasecurity/trivy-action@v0.36.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
@@ -98,11 +98,11 @@ jobs:
steps:
- name: Install Cosign
- uses: sigstore/cosign-installer@v4.1.0
+ uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Docker meta
id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
with:
images: |
${{ env.GHCR_REPO }}
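Review bot: Nothing checks that each pinned hash is the commit its trailing `# v6`-style comment names, and GitHub ignores the comment entirely, so a wrong or stale annotation on `actions/checkout`, `docker/login-action`, `docker/setup-buildx-action` or `docker/build-push-action` in this hunk would mislead every later reviewer. Verify each hash against its tag once before merging (for example by comparing with `git ls-remote --tags` on the action repository), then let Dependabot or Renovate keep hash and comment in step. The same applies to every pinned `uses:` in ci.yml, publish-docker-latest.yml, release.yml, sbom.yml and update-repositories.yml.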
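Review bot: The cosign-installer line changes the version as well as the pin: the old ref was `v4.1.0`, the new hash is annotated `# v4.1.1`, and it is the same hash publish-docker-latest.yml uses for `v4.1.1`, so this hunk quietly bumps the tool in build-docker.yml. Aligning the two workflows is reasonable, but a pinning commit should not hide a version change; either say so in the commit message or split the 4.1.0 → 4.1.1 bump out so it is reviewed on its own.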
@@ -110,7 +110,7 @@ jobs:
tags: ${{ inputs.tags }}
- name: Login to GitHub container registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
registry: ghcr.io
username: ${{ github.actor }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 72d3c6b5..72191ad8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,17 +3,17 @@ name: Continuous integration
on:
push:
branches:
- - main
- dev
- "release/**"
+ - "stable/**"
paths-ignore:
- "*.md"
- "LICENSE"
pull_request:
branches:
- - main
- dev
- "release/**"
+ - "stable/**"
paths-ignore:
- "*.md"
- "LICENSE"
@@ -32,12 +32,12 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
- name: Scan code with Trivy
- uses: aquasecurity/trivy-action@v0.36.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
@@ -50,7 +50,7 @@ jobs:
scanners: "vuln"
- name: Run sccache-cache
- uses: mozilla-actions/sccache-action@v0.0.9
+ uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
- name: Install dependencies
run: apt-get update && apt-get -y install protobuf-compiler libnftnl-dev libmnl-dev
@@ -66,7 +66,7 @@ jobs:
cargo clippy --all-targets --all-features -- -D warnings
- name: Install cargo extensions
- uses: taiki-e/install-action@v2
+ uses: taiki-e/install-action@3235f8901fd37ffed0052b276cec25a362fb82e9 # v2
with:
tool: cargo-deny
diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index 1587da18..1bf35ccb 100644
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -2,9 +2,9 @@ name: Build current image
on:
push:
branches:
- - main
- dev
- 'release/**'
+ - 'stable/**'
paths-ignore:
- "*.md"
- "LICENSE"
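Review bot: Both the `push` and `pull_request` triggers in ci.yml drop `main` and add `stable/**`, so if `main` is still the repository's default branch, commits and pull requests targeting it will no longer run the build, clippy or Trivy code scan; confirm the default branch has moved to `dev` or a `stable/*` branch, or keep `main` in both lists. current.yml makes the same change to its `push` trigger. The new entry is written `"stable/**"` here but `'stable/**'` in current.yml; pick one quoting style across the workflows.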
diff --git a/.github/workflows/publish-docker-latest.yml b/.github/workflows/publish-docker-latest.yml
index a7cb236e..87889f87 100644
--- a/.github/workflows/publish-docker-latest.yml
+++ b/.github/workflows/publish-docker-latest.yml
@@ -19,17 +19,17 @@ jobs:
steps:
- name: Install Cosign
- uses: sigstore/cosign-installer@v4.1.1
+ uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
- name: Login to GitHub container registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
- name: Derive semver tag
run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5bcd983c..d3fec17f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,6 +24,7 @@ jobs:
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
+ type=semver,pattern={{major}}
type=sha
# Explicitly disable latest tag. It will be added by publish-docker-latest.yml.
flavor: |
@@ -51,7 +52,7 @@ jobs:
steps:
- name: Create GitHub release
id: release
- uses: shogo82148/actions-create-release@v1
+ uses: shogo82148/actions-create-release@6a396031bc74c57403da1018fec74d24c6aa03cd # v1
with:
draft: true
generate_release_notes: true
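Review bot: The added `type=semver,pattern={{major}}` produces a floating tag (for example `1`) that is rewritten on every release, so any consumer or verification step that resolves the image by tag rather than by digest will follow it silently; make sure the signing done later in the release flow covers the pushed digest so the moving tag stays verifiable. As I recall the docker/metadata-action documentation, the bare major tag is not emitted for 0.y.z versions unless explicitly enabled, so if the project is still on 0.x confirm the tag actually appears. A comment next to the existing note about `latest`, such as `# Floating major tag, e.g. "1" always points at the newest 1.y.z.`, would record the intent.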
@@ -80,17 +81,17 @@ jobs:
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
submodules: recursive
- name: Install Rust stable
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
with:
targets: "aarch64-unknown-linux-gnu"
- name: Run sccache-cache
- uses: mozilla-actions/sccache-action@v0.0.9
+ uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
- name: Build Linux x86_64 binary
run: |
@@ -118,7 +119,7 @@ jobs:
defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd
- name: Build x86_64 DEB package
- uses: defGuard/fpm-action@main
+ uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main
with:
fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway
@@ -135,7 +136,7 @@ jobs:
--after-remove linux/postrm"
- name: Build aarch64 DEB package
- uses: defGuard/fpm-action@main
+ uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main
with:
fpm_args: "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway
@@ -152,7 +153,7 @@ jobs:
--after-remove linux/postrm"
- name: Build x86_64 RPM package
- uses: defGuard/fpm-action@main
+ uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main
with:
fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-gateway
@@ -169,7 +170,7 @@ jobs:
--after-remove linux/postrm"
- name: Build aarch64 RPM package
- uses: defGuard/fpm-action@main
+ uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main
with:
fpm_args: "defguard-gateway-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-gateway
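Review bot: Pinning `dtolnay/rust-toolchain` to a commit hash changes how the toolchain is chosen, not only which action code runs: before this change the channel came from the `@stable` ref, and with a hash there is no channel to derive from, so as I read that action's README the `toolchain:` input becomes required. Add `toolchain: stable` beside `targets:` under `with:`, otherwise the step may fail or install something other than what the step name `Install Rust stable` promises. The `with:` block is fully visible here, so the one-line addition is self-contained.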
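Review bot: The `# main` annotation on `defGuard/fpm-action` records a moving branch rather than a release, so a reader cannot tell which state of fpm-action this hash captures or when it was taken, and an automated updater has no tag to follow; the same annotation is repeated in the -135, -152, -169, -186 and -201 hunks. Since defGuard owns fpm-action, tag a release there and annotate the pin with it (for example `# v1.0.0`, placeholder), or at least add the pinned commit's date to the comment.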
@@ -186,7 +187,7 @@ jobs:
--after-remove linux/postrm"
- name: Build FreeBSD package
- uses: defGuard/fpm-action@main
+ uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main
with:
fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway
@@ -201,7 +202,7 @@ jobs:
--depends openssl"
- name: Build OPNsense package
- uses: defGuard/fpm-action@main
+ uses: defGuard/fpm-action@ebb2575fbb892876fbdd326bb6d12524fbd7398c # main
with:
fpm_args: "defguard-gateway-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-gateway
@@ -219,7 +220,7 @@ jobs:
--depends openssl"
- name: Upload Linux x86_64 archive
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -229,7 +230,7 @@ jobs:
overwrite: true
- name: Upload Linux aarch64 archive
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -239,7 +240,7 @@ jobs:
overwrite: true
- name: Upload FreeBSD x86_64 archive
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -249,7 +250,7 @@ jobs:
overwrite: true
- name: Upload Linux x86_64 DEB
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -259,7 +260,7 @@ jobs:
overwrite: true
- name: Upload Linux aarch64 DEB
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -269,7 +270,7 @@ jobs:
overwrite: true
- name: Upload Linux x86_64 RPM
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -279,7 +280,7 @@ jobs:
overwrite: true
- name: Upload Linux aarch64 RPM
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -289,7 +290,7 @@ jobs:
overwrite: true
- name: Upload FreeBSD package
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
@@ -299,7 +300,7 @@ jobs:
overwrite: true
- name: Upload OPNsense package
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 52080a4b..975d436b 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -27,13 +27,13 @@ jobs:
echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
- name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ steps.vars.outputs.TAG_NAME }}
submodules: recursive
- name: Create SBOM with Trivy
- uses: aquasecurity/trivy-action@v0.36.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
@@ -46,7 +46,7 @@ jobs:
scanners: "vuln"
- name: Create docker image SBOM with Trivy
- uses: aquasecurity/trivy-action@v0.36.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
@@ -59,7 +59,7 @@ jobs:
scanners: "vuln"
- name: Create security advisory file with Trivy
- uses: aquasecurity/trivy-action@v0.36.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
@@ -72,7 +72,7 @@ jobs:
scanners: "vuln"
- name: Create Docker image security advisory file with Trivy
- uses: aquasecurity/trivy-action@v0.36.0
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
env:
TRIVY_SHOW_SUPPRESSED: 1
TRIVY_IGNOREFILE: "./.trivyignore.yaml"
@@ -85,7 +85,7 @@ jobs:
scanners: "vuln"
- name: Upload SBOMs and advisories
- uses: shogo82148/actions-upload-release-asset@v1
+ uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
diff --git a/.github/workflows/update-repositories.yml b/.github/workflows/update-repositories.yml
index 4d3cdf95..3028b9f2 100644
--- a/.github/workflows/update-repositories.yml
+++ b/.github/workflows/update-repositories.yml
@@ -12,7 +12,7 @@ jobs:
- X64
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Install gh cli
run: |
sudo apt-get install -y gh
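Review bot: The checkout step in update-repositories.yml goes from `actions/checkout@v4` to the hash annotated `# v6`, which is a two-major-version upgrade hidden inside a pinning commit rather than a pin of the version that was in use. If I remember correctly, checkout v5 and later require the Node 24 runtime on the runner, and this job runs on a labelled (`X64`, apparently self-hosted) runner whose runner version is not visible here; confirm that runner supports it, or make the upgrade its own change so a failure is easy to attribute. The `Install gh cli` step's `run:` block continues past the end of the hunk.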