diff --git a/.github/workflows/codeql.yml b/.github/workflows/_codeql.yml
similarity index 81%
rename from .github/workflows/codeql.yml
rename to .github/workflows/_codeql.yml
index 0497836c3..4e2a0b7c1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/_codeql.yml
@@ -1,9 +1,6 @@
 name: "CodeQL"
 on:
-  push:
-    branches:
-      - main
-  pull_request:
+  workflow_call:
 
 jobs:
   analyze:
@@ -18,10 +15,10 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - language: 'javascript-typescript'
-            working-directory: 'website/'
-          - language: 'javascript-typescript'
-            working-directory: 'elixir/apps/web/assets/'
+          - language: "javascript-typescript"
+            working-directory: "website/"
+          - language: "javascript-typescript"
+            working-directory: "elixir/apps/web/assets/"
           # TODO
           # - language: 'java-kotlin'
           #   working-directory: 'kotlin/android'
diff --git a/.github/workflows/elixir.yml b/.github/workflows/_elixir.yml
similarity index 100%
rename from .github/workflows/elixir.yml
rename to .github/workflows/_elixir.yml
diff --git a/.github/workflows/kotlin.yml b/.github/workflows/_kotlin.yml
similarity index 100%
rename from .github/workflows/kotlin.yml
rename to .github/workflows/_kotlin.yml
diff --git a/.github/workflows/rust.yml b/.github/workflows/_rust.yml
similarity index 100%
rename from .github/workflows/rust.yml
rename to .github/workflows/_rust.yml
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/_static-analysis.yml
similarity index 100%
rename from .github/workflows/static-analysis.yml
rename to .github/workflows/_static-analysis.yml
diff --git a/.github/workflows/swift.yml b/.github/workflows/_swift.yml
similarity index 100%
rename from .github/workflows/swift.yml
rename to .github/workflows/_swift.yml
diff --git a/.github/workflows/terraform.yml b/.github/workflows/_terraform.yml
similarity index 100%
rename from .github/workflows/terraform.yml
rename to .github/workflows/_terraform.yml
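Review bot: Replacing `push: branches: [main]` / `pull_request:` with `workflow_call:` means CodeQL now runs only when the calling workflow runs, so the default-branch baseline upload that the old `push` trigger guaranteed is gone unless ci.yml itself runs on pushes to main; without a default-branch analysis, code scanning has nothing to compare pull-request results against and alerts on main go stale. Confirm the caller's triggers cover pushes to the default branch, or keep a `schedule:` entry next to `workflow_call:` so the baseline is refreshed independently. A reusable workflow's `GITHUB_TOKEN` can never exceed what the caller grants, so the `permissions:` this job needs for SARIF upload (`security-events: write`, plus `contents: read` and `actions: read`) must be declared here and not be narrowed by the caller; that block, if present, is past the end of the hunk, as is the rest of the `analyze` job.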
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6c3b66ff6..4d55fee6a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,19 +12,22 @@ concurrency:
 
 jobs:
   elixir:
-    uses: ./.github/workflows/elixir.yml
+    uses: ./.github/workflows/_elixir.yml
   rust:
-    uses: ./.github/workflows/rust.yml
+    uses: ./.github/workflows/_rust.yml
   kotlin:
-    uses: ./.github/workflows/kotlin.yml
+    uses: ./.github/workflows/_kotlin.yml
     secrets: inherit
   swift:
-    uses: ./.github/workflows/swift.yml
+    uses: ./.github/workflows/_swift.yml
     secrets: inherit
   static-analysis:
-    uses: ./.github/workflows/static-analysis.yml
+    uses: ./.github/workflows/_static-analysis.yml
   terraform:
-    uses: ./.github/workflows/terraform.yml
+    uses: ./.github/workflows/_terraform.yml
+    secrets: inherit
+  codeql:
+    uses: ./.github/workflows/_codeql.yml
     secrets: inherit
 
   # We could build these in GCP with Cloud Build, but for now it's
diff --git a/rust/Dockerfile b/rust/Dockerfile
index bcef65a0e..e607aaec4 100644
--- a/rust/Dockerfile
+++ b/rust/Dockerfile
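Review bot: The new `codeql` job ends up with `secrets: inherit`, which hands every repository and organization secret to the reusable workflow, yet CodeQL needs only the job's `GITHUB_TOKEN` to upload results; drop the inherited secrets so a compromised action inside `_codeql.yml` cannot read deployment credentials, leaving just `codeql:` / `uses: ./.github/workflows/_codeql.yml`. The same question applies to the `secrets: inherit` newly added under `terraform`: if a specific secret is required, pass that one explicitly via `secrets:` rather than inheriting all of them. Separately, a called workflow's token is capped by the caller's permissions, so if ci.yml has a restrictive top-level `permissions:` block (not visible in this hunk), this job needs `permissions: security-events: write` or the SARIF upload will be rejected. The `jobs` map continues past the end of the hunk.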
@@ -1,52 +1,86 @@
 # Global args to use in build commands
 ARG ALPINE_VERSION="3.18"
-ARG PACKAGE
+ARG CARGO_CHEF_VERSION="0.1.62"
 
-FROM lukemathwalker/cargo-chef:latest-rust-alpine${ALPINE_VERSION} as chef
+# This image is used to prepare Cargo Chef which is used to cache dependencies
+FROM rust:1-alpine${ALPINE_VERSION} as chef
 
-# See https://github.com/LukeMathWalker/cargo-chef/issues/231.
+ARG CARGO_CHEF_VERSION
+RUN set -xe \
+  && apk add --no-cache musl-dev \
+  && cargo install cargo-chef --locked --version=${CARGO_CHEF_VERSION} \
+  && rm -rf $CARGO_HOME/registry/
+
+## See https://github.com/LukeMathWalker/cargo-chef/issues/231.
 COPY rust-toolchain.toml rust-toolchain.toml
-RUN rustup show
+
+RUN set -xe \
+  && rustup show
 
 WORKDIR /build
 
+# Create a cache recipe for dependencies, which allows
+# to levearge Docker layer caching in a later build stage
 FROM chef as planner
+
 COPY . .
+
 RUN cargo chef prepare --recipe-path recipe.json
 
+# Build dependencies and application application
 FROM chef as builder
+
 COPY --from=planner /build/recipe.json .
-RUN cargo chef cook --recipe-path recipe.json
+
+RUN set -xe \
+  && cargo chef cook --recipe-path recipe.json
+
 COPY . .
+
 ARG TARGET
 ARG PACKAGE
 RUN cargo build -p ${PACKAGE} $([ -v "${TARGET}" ] && "--target ${TARGET}")
 
-# Minimal test image for GH actions
-FROM alpine:${ALPINE_VERSION} AS debug
+# Image which is used to run the application binary
+FROM alpine:${ALPINE_VERSION} AS runtime
+
+# Important! Update this no-op ENV variable when this Dockerfile
+# is updated with the current date. It will force refresh of all
+# of the base images and things like `apk add` won't be using
+# old cached versions when the Dockerfile is built.
+ENV REFRESHED_AT=2023-10-23 \
+  LANG=C.UTF-8 \
+  TERM=xterm \
+  RUST_BACKTRACE=1
+
 WORKDIR /bin
-ENV RUST_BACKTRACE=1
+
+## curl is needed by the entrypoint script
+RUN set -xe \
+  && apk add --no-cache curl
+
 COPY ./docker-init.sh .
+
+## iptables are needed only by gateway for masquerading
 ARG PACKAGE
-# Needed only by gateway for masquerading
-RUN \[ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables curl || true
-ARG TARGET
-COPY --from=builder /build/target/${TARGET}/debug/${PACKAGE} .
+RUN set -xe \
+  && \[ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables || true
+
 ENTRYPOINT ["docker-init.sh"]
+
 ENV PACKAGE=${PACKAGE}
+
 CMD $PACKAGE
 
-# Minimal platform-agnostic release image
-FROM alpine:${ALPINE_VERSION} AS release
-WORKDIR /bin
-ENV RUST_BACKTRACE=1
-COPY ./docker-init.sh .
-ARG PACKAGE
-# Needed only by gateway for masquerading
-RUN \[ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables curl || true
+# Build an image for GitHub Actions which includes debug asserts
+FROM runtime AS debug
+
 ARG TARGET
-# Build first with `cross build --target ${TARGET} -p ${PACKAGE} --release && mv /target/${TARGET}/release/${PACKAGE} .`
+COPY --from=builder /build/target/${TARGET}/debug/${PACKAGE} .
+
+# Build a production image from including a binary compiled on the host
+FROM runtime AS release
+
+ARG TARGET
+## Build first with `cross build --target ${TARGET} -p ${PACKAGE} --release && mv /target/${TARGET}/release/${PACKAGE} .`
 COPY ${PACKAGE} .
-ENTRYPOINT ["docker-init.sh"]
-ENV PACKAGE=${PACKAGE}
-CMD $PACKAGE
diff --git a/terraform/modules/elixir-app/main.tf b/terraform/modules/elixir-app/main.tf
index e3994db5e..fae0c7383 100644
--- a/terraform/modules/elixir-app/main.tf
+++ b/terraform/modules/elixir-app/main.tf
@@ -317,6 +317,7 @@ resource "google_compute_region_instance_group_manager" "application" {
   wait_for_instances_status = "STABLE"
 
   version {
+    name              = local.application_version
     instance_template = google_compute_instance_template.application.self_link
   }
 
diff --git a/terraform/modules/gateway-google-cloud-compute/main.tf b/terraform/modules/gateway-google-cloud-compute/main.tf
index 2c3a63ef2..bdd5ed2ce 100644
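Review bot: In the runtime stage, `RUN set -xe && [ "${PACKAGE}" = "firezone-gateway" ] && apk add --no-cache iptables ip6tables || true` lets the trailing `|| true` swallow a failed `apk add` as well as the intended non-gateway case, so a transient mirror or signature error yields a gateway image without iptables and masquerading only breaks at runtime. Make only the package test optional: `RUN if [ "${PACKAGE}" = "firezone-gateway" ]; then apk add --no-cache iptables ip6tables; fi`. The new `FROM rust:1-alpine${ALPINE_VERSION} as chef` and `FROM alpine:${ALPINE_VERSION} AS runtime` use floating tags; the `REFRESHED_AT` comment shows the intent is to pick up fresh images, which is done reproducibly and auditably by pinning each `FROM` to an `@sha256:` digest and bumping it deliberately. The unchanged builder line `$([ -v "${TARGET}" ] && "--target ${TARGET}")` also looks wrong under Alpine's busybox `sh` (`-v` checks a variable named by TARGET's value, and the quoted string would be executed as a command), but that is pre-existing and outside this change.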
--- a/terraform/modules/gateway-google-cloud-compute/main.tf
+++ b/terraform/modules/gateway-google-cloud-compute/main.tf
@@ -206,6 +206,7 @@ resource "google_compute_region_instance_group_manager" "application" {
   wait_for_instances_status = "STABLE"
 
   version {
+    name              = local.application_version
     instance_template = google_compute_instance_template.application.self_link
   }
 
diff --git a/terraform/modules/relay-app/main.tf b/terraform/modules/relay-app/main.tf
index 8b3f46e8e..4af3fdbca 100644
--- a/terraform/modules/relay-app/main.tf
+++ b/terraform/modules/relay-app/main.tf
@@ -311,6 +311,7 @@ resource "google_compute_region_instance_group_manager" "application" {
   wait_for_instances_status = "STABLE"
 
   version {
+    name              = local.application_version
     instance_template = google_compute_instance_template.application[each.key].self_link
   }
 