diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 52ced44..8359de2 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -4,16 +4,26 @@ on: pull_request: workflow_dispatch: jobs: - shellcheck: + lint: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 - name: Shellcheck run: make shellcheck - build: + - name: Update README + run: make update-readme + + - name: Check if README is up-to date + run: git diff --exit-code README.md + + snapshot: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 with: 
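Review bot: The `lint` job's `actions/checkout@v4` has no `with: persist-credentials: false`, although the deleted `docs.yml` job it absorbs had it and the `build` job further down sets it, so the GITHUB_TOKEN stays in `.git/config` while `make shellcheck` and `make update-readme` run repository-controlled Makefile targets, including on `pull_request` events. The token is scoped `contents: read`, so the exposure is limited, but the inconsistency is cheap to remove: `- uses: actions/checkout@v4` / `with:` / `persist-credentials: false`. The `snapshot` job's checkout `with:` block continues past this hunk, so I cannot tell whether it already sets the option.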
@@ -32,13 +42,121 @@ jobs: version: latest args: release --snapshot --clean - test: + build: + if: github.event_name != 'pull_request' runs-on: ubuntu-latest + permissions: + actions: read + contents: write + packages: write + id-token: write + outputs: + manifest-digest: ${{ steps.get-manifest-digest.outputs.digest }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 persist-credentials: false - - name: Build docker image - run: make docker + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Install Cosign + uses: sigstore/cosign-installer@v3.4.0 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: GoReleaser + uses: goreleaser/goreleaser-action@v5 + id: goreleaser + with: + version: latest + args: release --clean --skip validate + env: + # Overrde to avoid tagging. 
+ GORELEASER_CURRENT_TAG: 7.5.1-debug1 + + - name: Get Manifest Digest + id: get-manifest-digest + run: | + set -euo pipefail + digest=$(jq -r --arg img ghcr.io/tprasadtp/protonwire:${{github.sha}} '.[] | select (.name==$img) | .extra.Digest' ${{steps.goreleaser.outputs.artifacts}} + if [[ -z $digest ]]; then + echo "failed to get digest" + exit 1 + fi + echo "hash=${digest}" >> "$GITHUB_OUTPUT" + + provenance: + if: github.event_name != 'pull_request' + needs: + - build + permissions: + contents: read + actions: read + id-token: write + packages: write + strategy: + fail-fast: false + matrix: + image: + - ghcr.io/tprasadtp/protonwire + - ghcr.io/tprasadtp/protonvpn + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0 + with: + registry-username: ${{ github.actor }} + digest: ${{ needs.build.outputs.manifest-digest }} + image: ${{ matrix.image }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + verification: + if: github.event_name != 'pull_request' + needs: + - build + - provenance + runs-on: ubuntu-latest + permissions: + contents: read + packages: read + strategy: + fail-fast: false + matrix: + image: + - ghcr.io/tprasadtp/protonwire + - ghcr.io/tprasadtp/protonvpn + steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3 + + - name: Install SLSA verifier + uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Verify SLSA Provenance + run: | + slsa-verifier \ + --source-uri github.com/${{ github.repository }} \ + verify-image ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} + + - name: Verify Cosign Signature + run: | + cosign verify ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} \ + --certificate-identity-regexp "^https://github.com/${{ github.repository }}" \ + 
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ + --certificate-github-workflow-repository "${{ github.repository }}" \ + --certificate-github-workflow-sha ${{ github.sha }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml deleted file mode 100644 index a2458b5..0000000 --- a/.github/workflows/docs.yml +++ /dev/null @@ -1,18 +0,0 @@ -name: docs -on: - push: - pull_request: - workflow_dispatch: -jobs: - update-readme: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Update README - run: make update-readme - - - name: Check if README is up-to date - run: git diff --exit-code README.md diff --git a/.github/workflows/metadata-gh-pages.yml b/.github/workflows/metadata-gh-pages.yml deleted file mode 100644 index 9e6ce2b..0000000 --- a/.github/workflows/metadata-gh-pages.yml +++ /dev/null 
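Review bot: The `Get Manifest Digest` step writes `hash=${digest}` to `$GITHUB_OUTPUT`, but the job output reads `steps.get-manifest-digest.outputs.digest`, so `manifest-digest` will be empty and both the SLSA generator and the `slsa-verifier verify-image` / `cosign verify` calls receive `image@` with no digest; change the echo to `echo "digest=${digest}" >> "$GITHUB_OUTPUT"`. In `Verify Cosign Signature`, `--certificate-identity-regexp "^https://github.com/${{ github.repository }}"` has no terminating `/`, so it also matches any repository whose name merely starts with this one; `--certificate-github-workflow-repository` narrows it again, but anchoring as `^https://github.com/${{ github.repository }}/` costs nothing. Both matrix images (`protonwire` and `protonvpn`) are attested and verified against the digest extracted for `ghcr.io/tprasadtp/protonwire:<sha>` only, which is correct only if the two manifest lists are byte-identical; presumably they are, since they come from the same templates, but that assumption deserves a comment next to the `jq` filter. Since `.goreleaser.yml` in this same diff sets `release: disable: true`, check whether the `build` job still needs `contents: write` or can drop to `contents: read`.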
@@ -1,63 +0,0 @@ -name: metadata-gh-pages -on: - workflow_dispatch: - inputs: - DEBUG: - description: Enable debug logs for metadata - required: false - default: "no" - type: choice - options: - - "yes" - - "no" - push: - branches: - - "**" - tags-ignore: - - "**" - schedule: - - cron: "30 * * * *" -jobs: - deploy: - # exclude dependabot from running this workflow. - if: ${{ github.actor != 'dependabot[bot]' }} - runs-on: ubuntu-latest - permissions: - contents: write - pages: write - id-token: write - - environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: Install python dependencies - run: | - sudo apt-get install -y \ - python3-gnupg \ - python3-requests \ - python3-bcrypt \ - python3-coloredlogs - - - name: Generate metadata - run: ./scripts/generate-server-metadata --output ./metadata - env: - PROTON_USERNAME: ${{ secrets.PROTON_USERNAME }} - PROTON_PASSWORD: ${{ secrets.PROTON_PASSWORD }} - DEBUG: ${{ inputs.DEBUG }} - - - name: Upload GitHub Pages artifact - uses: actions/upload-pages-artifact@v3 - with: - path: metadata - - - name: Deploy to GitHub Pages (if on master) - if: github.ref == 'refs/heads/master' - id: deployment - uses: actions/deploy-pages@v4 diff --git a/.github/workflows/metadata.yml b/.github/workflows/metadata.yml index dcfdc2d..499b183 100644 --- a/.github/workflows/metadata.yml +++ b/.github/workflows/metadata.yml @@ -22,6 +22,12 @@ jobs: runs-on: ubuntu-latest # exclude dependabot from running this workflow. if: ${{ github.actor != 'dependabot[bot]' }} + permissions: + pages: write + id-token: write + environment: + name: github-pages + url: ${{ steps.github-pages-deploy.outputs.page_url }} steps: - name: Checkout project repo uses: actions/checkout@v4 
@@ -47,17 +53,17 @@ jobs: uses: actions/create-github-app-token@v1 id: bot-token with: - app-id: ${{ vars.METADATA_BOT_APP_ID }} - repositories: ${{ vars.METADATA_REPO_NAME }} owner: ${{ vars.METADATA_REPO_OWNER }} + app-id: ${{ vars.METADATA_BOT_APP_ID }} private-key: ${{ secrets.METADATA_BOT_APP_PRIVATE_KEY }} + repositories: ${{ vars.METADATA_REPO_NAME }} - name: Checkout metadata repo to protonwire-api-deploy uses: actions/checkout@v4 with: - repository: ${{ vars.METADATA_REPO }} path: protonwire-api-deploy token: ${{ steps.bot-token.outputs.token }} + repository: ${{ vars.METADATA_REPO }} persist-credentials: true - name: Configure git and remove stale data @@ -75,6 +81,11 @@ jobs: ./metadata/ \ ${GITHUB_WORKSPACE}/protonwire-api-deploy/ + - name: Upload GitHub Pages artifact + uses: actions/upload-pages-artifact@v3 + with: + path: metadata + - name: Push Metadata (if on master) working-directory: protonwire-api-deploy if: github.ref == 'refs/heads/master' @@ -82,3 +93,8 @@ jobs: git add --all git commit -m "Updated at - $(date)" git push -u origin master + + - name: Deploy to GitHub Pages (if on master) + if: github.ref == 'refs/heads/master' + id: github-pages-deploy + uses: actions/deploy-pages@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aa11b2a..a52a780 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,18 +5,8 @@ on: tags: - "**" jobs: - shellcheck: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@v4 - - name: Shellcheck - run: make shellcheck build: runs-on: ubuntu-latest - needs: - - shellcheck permissions: contents: write packages: write diff --git a/.goreleaser.yml b/.goreleaser.yml index 288052c..b249322 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
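Review bot: Adding a job-level `permissions:` block with only `pages: write` and `id-token: write` resets every other GITHUB_TOKEN scope to `none`, including `contents`, which the `Checkout project repo` step immediately below relies on; for a public repository `actions/checkout` may still succeed, but the deleted `metadata-gh-pages.yml` granted `contents` explicitly, so add `contents: read` rather than depend on that. No `contents: write` is needed on GITHUB_TOKEN, because the metadata-repo push uses the GitHub App token from `create-github-app-token`. `environment.url` references `steps.github-pages-deploy.outputs.page_url`, and that step runs only on master, so on other branches the URL is empty; harmless, but worth noting with `# page_url is empty on non-master runs (deploy step is skipped)`.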
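Review bot: Removing the `shellcheck` job and the `needs: - shellcheck` edge means tagged releases are now built and published without any lint gate, and the `build` job in `build.yml` has no `needs: lint` either, so neither workflow blocks publishing on a shellcheck or stale-README failure. If the intent is to rely on the `lint` job of `build.yml` having passed on the commit before it is tagged, say so here, e.g. `# shellcheck and README checks run in build.yml on every push; tags must point at a green commit`; otherwise keep a lint job in this workflow and the `needs:` on it. The rest of the `build` job lies outside this hunk.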
@@ -3,14 +3,13 @@ project_name: protonwire snapshot: # This should be semver otherwise triggers https://github.com/goreleaser/goreleaser/issues/2081 - name_template: "{{ .Version }}-SNAPSHOT-{{.ShortCommit}}" + name_template: "{{ .Version }}-{{.ShortCommit}}-dev" builds: - - id: build-binary - goos: - - linux + - goos: + - linux # ignored goarch: - - amd64 # ignored for builds + - amd64 # ignored binary: protonwire gobinary: ./scripts/goreleaser-wrapper mod_timestamp: '{{ .CommitTimestamp }}' @@ -22,6 +21,7 @@ archives: - format: binary changelog: + disable: true sort: asc groups: - title: "🍒 Features & Enhancements" @@ -36,21 +36,19 @@ changelog: - title: "🖥️ Metadata API" regexp: "^.*metadata[(\\w)]*:+.*$" order: 4 - filters: exclude: - '^.*doc(s)?[(\\w)]*:+.*$' - '^.*release(s)?[(\\w)]*:+.*$' - '^.*bot(s)?[(\\w)]*:+.*$' -# Build docker images dockers: - - image_templates: + - use: buildx + image_templates: - 'ghcr.io/tprasadtp/{{ .ProjectName }}:{{ .Version }}-amd64' - 'ghcr.io/tprasadtp/{{ .ProjectName }}:{{ .FullCommit }}-amd64' - 'ghcr.io/tprasadtp/protonvpn:{{ .Version }}-amd64' - 'ghcr.io/tprasadtp/protonvpn:{{ .FullCommit }}-amd64' - build_flag_templates: - --label=org.opencontainers.image.created={{.Date}} - --label=org.opencontainers.image.revision={{.FullCommit}} 
@@ -58,11 +56,10 @@ dockers: - --label=org.opencontainers.image.vendor=Prasad Tengse - --label=org.opencontainers.image.source=https://github.com/tprasadtp/protonwire - --label=org.opencontainers.image.title=protonwire - - --label=org.opencontainers.image.description=ProtonVPN Wireguard Client for Linux + - --label=org.opencontainers.image.description=ProtonVPN Wireguard Client - --label=org.opencontainers.image.documentation=https://github.com/tprasadtp/protonvpn-docker - --label=org.opencontainers.image.licenses=GPLv3 - --label=org.opencontainers.image.url=https://ghcr.io/tprasadtp/protonwire - # Git Info - --label=io.github.tprasadtp.metadata.git.commit={{.FullCommit}} - --label=io.github.tprasadtp.metadata.git.shortCommit={{.ShortCommit}} - --label=io.github.tprasadtp.metadata.git.branch={{.Branch}} @@ -72,22 +69,14 @@ dockers: - --label=io.github.tprasadtp.metadata.version.patch={{.Patch}} - --label=io.github.tprasadtp.metadata.version.prerelease={{.Prerelease}} - --label=io.github.tprasadtp.metadata.version.snapshot={{.IsSnapshot}} - # Platform - --platform=linux/amd64 - <<: &docker_defaults - dockerfile: Dockerfile - use: buildx - extra_files: - - protonwire - - # ARM64 image - - image_templates: + - use: buildx + image_templates: - 'ghcr.io/tprasadtp/{{ .ProjectName }}:{{ .Version }}-arm64' - 'ghcr.io/tprasadtp/{{ .ProjectName }}:{{ .FullCommit }}-arm64' - 'ghcr.io/tprasadtp/protonvpn:{{ .Version }}-arm64' - 'ghcr.io/tprasadtp/protonvpn:{{ .FullCommit }}-arm64' - build_flag_templates: - --label=org.opencontainers.image.created={{.Date}} - --label=org.opencontainers.image.revision={{.FullCommit}} 
@@ -95,11 +84,10 @@ dockers: - --label=org.opencontainers.image.vendor=Prasad Tengse - --label=org.opencontainers.image.source=https://github.com/tprasadtp/protonwire - --label=org.opencontainers.image.title=protonwire - - --label=org.opencontainers.image.description=ProtonVPN Wireguard Client for Linux + - --label=org.opencontainers.image.description=ProtonVPN Wireguard Client - --label=org.opencontainers.image.documentation=https://github.com/tprasadtp/protonvpn-docker - --label=org.opencontainers.image.licenses=GPLv3 - --label=org.opencontainers.image.url=https://ghcr.io/tprasadtp/protonwire - # Git Info - --label=io.github.tprasadtp.metadata.git.commit={{.FullCommit}} - --label=io.github.tprasadtp.metadata.git.shortCommit={{.ShortCommit}} - --label=io.github.tprasadtp.metadata.git.branch={{.Branch}} @@ -109,13 +97,9 @@ dockers: - --label=io.github.tprasadtp.metadata.version.patch={{.Patch}} - --label=io.github.tprasadtp.metadata.version.prerelease={{.Prerelease}} - --label=io.github.tprasadtp.metadata.version.snapshot={{.IsSnapshot}} - # Platform - --platform=linux/arm64 - # Import defaults - <<: *docker_defaults - -# # Build manifests +# Build manifests docker_manifests: # Full Version - name_template: 'ghcr.io/tprasadtp/{{.ProjectName}}:{{ .Version }}' @@ -181,6 +165,7 @@ checksum: disable: true release: + disable: true mode: replace prerelease: auto
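Review bot: This hunk drops `--platform=linux/amd64` together with the `&docker_defaults` anchor (`dockerfile`, `extra_files: - protonwire`), and the arm64 entry loses `--platform=linux/arm64` in the hunk below, but nothing visible re-adds a platform; with `use: buildx` and no `--platform`, buildx builds for the runner's native platform, so the `-arm64` tags may end up holding amd64 images unless goreleaser injects the platform from a `goarch` field (not shown for these entries). Please confirm with `docker buildx imagetools inspect ghcr.io/tprasadtp/protonwire:<version>-arm64` after the next build, or restore `- --platform=linux/arm64` in the arm64 `build_flag_templates`. Dropping `extra_files: - protonwire` is safe only if `protonwire` in the Docker context is the build output goreleaser copies in automatically rather than a repository file; `dockerfile` defaults to `Dockerfile`, so that part of the removal is fine.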
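Review bot: `release: disable: true` (like the `changelog: disable: true` earlier in this file) applies to every GoReleaser run that reads this config, including the one in `release.yml` that this diff also edits, so tag pushes will stop producing GitHub releases unless that workflow uses a different config file. If the goal is only to silence the non-tag `build.yml` run, which already fakes `GORELEASER_CURRENT_TAG` and passes `--skip validate`, drive it from a variable set only in that workflow, e.g. `disable: '{{ if index .Env "GORELEASER_DISABLE_RELEASE" }}true{{ end }}'`, and add a comment stating which workflow is meant to publish releases (templated `disable` needs a GoReleaser version that supports it; both workflows pin `version: latest`).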