Make CodeQL a part of CI workflow (#2492)

.github/workflows/_codeql.yml

@@ -1,9 +1,6 @@
 name: "CodeQL"
 on:
-  push:
-    branches:
-      - main
-  pull_request:
+  workflow_call:
 
 jobs:
   analyze:
@@ -18,10 +15,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - language: 'javascript-typescript'
-            working-directory: 'website/'
-          - language: 'javascript-typescript'
-            working-directory: 'elixir/apps/web/assets/'
+          - language: "javascript-typescript"
+            working-directory: "website/"
+          - language: "javascript-typescript"
+            working-directory: "elixir/apps/web/assets/"
           # TODO
           # - language: 'java-kotlin'
           #   working-directory: 'kotlin/android'

.github/workflows/ci.yml

@@ -12,19 +12,22 @@ concurrency:
 
 jobs:
   elixir:
-    uses: ./.github/workflows/elixir.yml
+    uses: ./.github/workflows/_elixir.yml
   rust:
-    uses: ./.github/workflows/rust.yml
+    uses: ./.github/workflows/_rust.yml
   kotlin:
-    uses: ./.github/workflows/kotlin.yml
+    uses: ./.github/workflows/_kotlin.yml
     secrets: inherit
   swift:
-    uses: ./.github/workflows/swift.yml
+    uses: ./.github/workflows/_swift.yml
     secrets: inherit
   static-analysis:
-    uses: ./.github/workflows/static-analysis.yml
+    uses: ./.github/workflows/_static-analysis.yml
   terraform:
-    uses: ./.github/workflows/terraform.yml
+    uses: ./.github/workflows/_terraform.yml
+    secrets: inherit
+  codeql:
+    uses: ./.github/workflows/_codeql.yml
     secrets: inherit
 
   # We could build these in GCP with Cloud Build, but for now it's

rust/Dockerfile

@@ -1,52 +1,86 @@
 # Global args to use in build commands
 ARG ALPINE_VERSION="3.18"
-ARG PACKAGE
+ARG CARGO_CHEF_VERSION="0.1.62"
 
-FROM lukemathwalker/cargo-chef:latest-rust-alpine${ALPINE_VERSION} as chef
+# This image is used to prepare Cargo Chef which is used to cache dependencies
+FROM rust:1-alpine${ALPINE_VERSION} as chef
 
-# See https://github.com/LukeMathWalker/cargo-chef/issues/231.
+ARG CARGO_CHEF_VERSION
+RUN set -xe \
+  && apk add --no-cache musl-dev  \
+  && cargo install cargo-chef --locked --version=${CARGO_CHEF_VERSION} \
+  && rm -rf $CARGO_HOME/registry/
+
+## See https://github.com/LukeMathWalker/cargo-chef/issues/231.
 COPY rust-toolchain.toml rust-toolchain.toml
-RUN rustup show
+
+RUN set -xe \
+  && rustup show
 
 WORKDIR /build
 
+# Create a cache recipe for dependencies, which allows
+# to levearge Docker layer caching in a later build stage
 FROM chef as planner
+
 COPY . .
+
 RUN cargo chef prepare --recipe-path recipe.json
 
+# Build dependencies and application application
 FROM chef as builder
+
 COPY --from=planner /build/recipe.json .
-RUN cargo chef cook --recipe-path recipe.json
+
+RUN set -xe \
+  && cargo chef cook --recipe-path recipe.json
+
 COPY . .
+
 ARG TARGET
 ARG PACKAGE
 RUN cargo build -p ${PACKAGE} $([ -v "${TARGET}" ] && "--target ${TARGET}")
 
-# Minimal test image for GH actions
-FROM alpine:${ALPINE_VERSION} AS debug
+# Image which is used to run the application binary
+FROM alpine:${ALPINE_VERSION} AS runtime
+
+# Important!  Update this no-op ENV variable when this Dockerfile
+# is updated with the current date. It will force refresh of all
+# of the base images and things like `apk add` won't be using
+# old cached versions when the Dockerfile is built.
+ENV REFRESHED_AT=2023-10-23 \
+  LANG=C.UTF-8 \
+  TERM=xterm \
+  RUST_BACKTRACE=1
+
 WORKDIR /bin
-ENV RUST_BACKTRACE=1
+
+## curl is needed by the entrypoint script
+RUN set -xe \
+  && apk add --no-cache curl
+
 COPY ./docker-init.sh .
+
+## iptables are needed only by gateway for masquerading
 ARG PACKAGE
-# Needed only by gateway for masquerading
-RUN \[ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables curl || true
-ARG TARGET
-COPY --from=builder /build/target/${TARGET}/debug/${PACKAGE} .
+RUN set -xe \
+  && \[ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables || true
+
 ENTRYPOINT ["docker-init.sh"]
+
 ENV PACKAGE=${PACKAGE}
+
 CMD $PACKAGE
 
-# Minimal platform-agnostic release image
-FROM alpine:${ALPINE_VERSION} AS release
-WORKDIR /bin
-ENV RUST_BACKTRACE=1
-COPY ./docker-init.sh .
-ARG PACKAGE
-# Needed only by gateway for masquerading
-RUN \[ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables curl || true
+# Build an image for GitHub Actions which includes debug asserts
+FROM runtime AS debug
+
 ARG TARGET
-# Build first with `cross build --target ${TARGET} -p ${PACKAGE} --release && mv /target/${TARGET}/release/${PACKAGE} .`
+COPY --from=builder /build/target/${TARGET}/debug/${PACKAGE} .
+
+# Build a production image from including a binary compiled on the host
+FROM runtime AS release
+
+ARG TARGET
+## Build first with `cross build --target ${TARGET} -p ${PACKAGE} --release && mv /target/${TARGET}/release/${PACKAGE} .`
 COPY ${PACKAGE} .
-ENTRYPOINT ["docker-init.sh"]
-ENV PACKAGE=${PACKAGE}
-CMD $PACKAGE

terraform/modules/elixir-app/main.tf

@@ -317,6 +317,7 @@ resource "google_compute_region_instance_group_manager" "application" {
   wait_for_instances_status = "STABLE"
 
   version {
+    name              = local.application_version
     instance_template = google_compute_instance_template.application.self_link
   }
 

terraform/modules/gateway-google-cloud-compute/main.tf

@@ -206,6 +206,7 @@ resource "google_compute_region_instance_group_manager" "application" {
   wait_for_instances_status = "STABLE"
 
   version {
+    name              = local.application_version
     instance_template = google_compute_instance_template.application.self_link
   }
 

terraform/modules/relay-app/main.tf

@@ -311,6 +311,7 @@ resource "google_compute_region_instance_group_manager" "application" {
   wait_for_instances_status = "STABLE"
 
   version {
+    name              = local.application_version
     instance_template = google_compute_instance_template.application[each.key].self_link
   }