This moves our current GCP infra to a new firezone/environments repo.
The existing Git history is preserved, and CI config is updated to clone
this submodule before running any terraform jobs.
To my knowledge we don't rely on this particular functionality from
hackney. Unfortunately, we don't control the `hackney` version used by
deps, and there is no non-vulnerable version ready yet, so we ignore the
advisory for now.
A fuse has been set to fire one week from now.
This publishes the windows headless client using the same convention set
forth by the linux headless client.
Docs and website changes will come in a subsequent PR.
Related: #3782Resolves: #8046
Bumps
[taiki-e/install-action](https://github.com/taiki-e/install-action) from
2.47.30 to 2.47.32.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/releases">taiki-e/install-action's
releases</a>.</em></p>
<blockquote>
<h2>2.47.32</h2>
<ul>
<li>Update <code>typos@latest</code> to 1.29.5.</li>
</ul>
<h2>2.47.31</h2>
<ul>
<li>Fix checksum error with <code>wash@0.38.0</code> on macOS. (They
rebuilt binaries for some reason.)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md">taiki-e/install-action's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this
file.</p>
<p>This project adheres to <a href="https://semver.org">Semantic
Versioning</a>.</p>
<!-- raw HTML omitted -->
<h2>[Unreleased]</h2>
<h2>[2.47.32] - 2025-01-31</h2>
<ul>
<li>Update <code>typos@latest</code> to 1.29.5.</li>
</ul>
<h2>[2.47.31] - 2025-01-30</h2>
<ul>
<li>Fix checksum error with <code>wash@0.38.0</code> on macOS. (They
rebuilt binaries for some reason.)</li>
</ul>
<h2>[2.47.30] - 2025-01-28</h2>
<ul>
<li>
<p>Support <code>cargo-cyclonedx</code> on x86_64 Linux (musl).</p>
</li>
<li>
<p>Support installing native binary for <code>cargo-cyclonedx</code> on
AArch64 macOS. (Previously x86_64 macOS binary is used as fallback.)</p>
</li>
<li>
<p>Update <code>cargo-cyclonedx@latest</code> to 0.5.7.</p>
</li>
</ul>
<h2>[2.47.29] - 2025-01-28</h2>
<ul>
<li>
<p>Support <code>cargo-semver-checks</code> on AArch64 Linux.</p>
</li>
<li>
<p>Support <code>cargo-zigbuild</code> on x86_64 macOS.</p>
</li>
<li>
<p>Support installing native binary for <code>mdbook</code> and
<code>shellcheck</code> on AArch64 macOS. (Previously x86_64 macOS
binary is used as fallback.)</p>
</li>
<li>
<p>Support installing native binary for <code>just</code> and
<code>sccache</code> on AArch64 Windows. (Previously x86_64 Windows
binary is used as fallback.)</p>
</li>
<li>
<p>Update <code>mdbook@latest</code> to 0.4.44.</p>
</li>
<li>
<p>Update <code>cargo-semver-checks@latest</code> to 0.39.0.</p>
</li>
</ul>
<h2>[2.47.28] - 2025-01-28</h2>
<p>No change on the <code>install-action</code> itself.</p>
<ul>
<li>
<p>Provide <code>install-action-manifest-schema</code> crate to access
to the <code>install-action</code> manifests from Rust code. (<a
href="https://redirect.github.com/taiki-e/install-action/pull/657">#657</a>,
thanks <a
href="https://github.com/NobodyXu"><code>@NobodyXu</code></a>)</p>
<p>This is being considered for use to speed up
<code>cargo-binstall</code> in the future.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="65835784ac"><code>6583578</code></a>
Release 2.47.32</li>
<li><a
href="01f3d2d227"><code>01f3d2d</code></a>
Update <code>typos@latest</code> to 1.29.5</li>
<li><a
href="76a1fec160"><code>76a1fec</code></a>
Release 2.47.31</li>
<li><a
href="78b9ec82a6"><code>78b9ec8</code></a>
Update changelog</li>
<li><a
href="be22d29d34"><code>be22d29</code></a>
Fix clippy::unnecessary_semicolon warning</li>
<li><a
href="e466aa8e34"><code>e466aa8</code></a>
Update wash manifest</li>
<li>See full diff in <a
href="afbe5c1715...65835784ac">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
We have recently merged the two Sentry projects for the GUI client into
just one, i.e. both the GUI client and its IPC service use the same DSN
to report errors.
What we forgot to change is that these are also referenced in the CI
workflow when we upload debug symbols.
Bumps
[docker/build-push-action](https://github.com/docker/build-push-action)
from 6.11.0 to 6.13.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/docker/build-push-action/releases">docker/build-push-action's
releases</a>.</em></p>
<blockquote>
<h2>v6.13.0</h2>
<ul>
<li>Bump <code>@docker/actions-toolkit</code> from 0.51.0 to 0.53.0 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1308">docker/build-push-action#1308</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.12.0...v6.13.0">https://github.com/docker/build-push-action/compare/v6.12.0...v6.13.0</a></p>
<h2>v6.12.0</h2>
<ul>
<li>Bump <code>@docker/actions-toolkit</code> from 0.49.0 to 0.51.0 in
<a
href="https://redirect.github.com/docker/build-push-action/pull/1300">docker/build-push-action#1300</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/docker/build-push-action/compare/v6.11.0...v6.12.0">https://github.com/docker/build-push-action/compare/v6.11.0...v6.12.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ca877d9245"><code>ca877d9</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1308">#1308</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="d2fe919bb5"><code>d2fe919</code></a>
chore: update generated content</li>
<li><a
href="f0fc9ece82"><code>f0fc9ec</code></a>
chore(deps): Bump <code>@docker/actions-toolkit</code> from 0.51.0 to
0.53.0</li>
<li><a
href="67a2d409c0"><code>67a2d40</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1300">#1300</a>
from docker/dependabot/npm_and_yarn/docker/actions-t...</li>
<li><a
href="0b1b1c9c43"><code>0b1b1c9</code></a>
chore: update generated content</li>
<li><a
href="b6a7c2c4ee"><code>b6a7c2c</code></a>
chore(deps): Bump <code>@docker/actions-toolkit</code> from 0.49.0 to
0.51.0</li>
<li><a
href="31ca4e5d51"><code>31ca4e5</code></a>
Merge pull request <a
href="https://redirect.github.com/docker/build-push-action/issues/1296">#1296</a>
from crazy-max/bake-v6</li>
<li><a
href="e613db9d5a"><code>e613db9</code></a>
update bake-action to v6</li>
<li>See full diff in <a
href="b32b51a8ed...ca877d9245">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[taiki-e/install-action](https://github.com/taiki-e/install-action) from
2.47.11 to 2.47.30.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/releases">taiki-e/install-action's
releases</a>.</em></p>
<blockquote>
<h2>2.47.30</h2>
<ul>
<li>
<p>Support <code>cargo-cyclonedx</code> on x86_64 Linux (musl).</p>
</li>
<li>
<p>Support installing native binary for <code>cargo-cyclonedx</code> on
AArch64 macOS. (Previously x86_64 macOS binary is used as fallback.)</p>
</li>
<li>
<p>Update <code>cargo-cyclonedx@latest</code> to 0.5.7.</p>
</li>
</ul>
<h2>2.47.29</h2>
<ul>
<li>
<p>Support <code>cargo-semver-checks</code> on AArch64 Linux.</p>
</li>
<li>
<p>Support <code>cargo-zigbuild</code> on x86_64 macOS.</p>
</li>
<li>
<p>Support installing native binary for <code>mdbook</code> and
<code>shellcheck</code> on AArch64 macOS. (Previously x86_64 macOS
binary is used as fallback.)</p>
</li>
<li>
<p>Support installing native binary for <code>just</code> and
<code>sccache</code> on AArch64 Windows. (Previously x86_64 Windows
binary is used as fallback.)</p>
</li>
<li>
<p>Update <code>mdbook@latest</code> to 0.4.44.</p>
</li>
<li>
<p>Update <code>cargo-semver-checks@latest</code> to 0.39.0.</p>
</li>
</ul>
<h2>2.47.28</h2>
<p>No change on the <code>install-action</code> itself.</p>
<ul>
<li>
<p>Provide <code>install-action-manifest-schema</code> crate to access
to the <code>install-action</code> manifests from Rust code. (<a
href="https://redirect.github.com/taiki-e/install-action/pull/657">#657</a>,
thanks <a
href="https://github.com/NobodyXu"><code>@NobodyXu</code></a>)</p>
<p>This is being considered for use to speed up
<code>cargo-binstall</code> in the future.</p>
</li>
</ul>
<h2>2.47.27</h2>
<ul>
<li>
<p>Update <code>editorconfig-checker@latest</code> to 3.2.0.</p>
</li>
<li>
<p>Update <code>cargo-lambda@latest</code> to 1.6.3.</p>
</li>
</ul>
<h2>2.47.26</h2>
<ul>
<li>Update <code>wash@latest</code> to 0.38.0.</li>
</ul>
<h2>2.47.25</h2>
<ul>
<li>
<p>Update <code>release-plz@latest</code> to 0.3.114.</p>
</li>
<li>
<p>Update <code>git-cliff@latest</code> to 2.8.0.</p>
</li>
</ul>
<h2>2.47.24</h2>
<ul>
<li>
<p>Update <code>syft@latest</code> to 1.19.0.</p>
</li>
<li>
<p>Update <code>just@latest</code> to 1.39.0.</p>
</li>
</ul>
<h2>2.47.23</h2>
<ul>
<li>Update <code>wasmtime@latest</code> to 29.0.1.</li>
</ul>
<h2>2.47.22</h2>
<ul>
<li>Update <code>trunk@latest</code> to 0.21.7.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md">taiki-e/install-action's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this
file.</p>
<p>This project adheres to <a href="https://semver.org">Semantic
Versioning</a>.</p>
<!-- raw HTML omitted -->
<h2>[Unreleased]</h2>
<h2>[2.47.30] - 2025-01-28</h2>
<ul>
<li>
<p>Support <code>cargo-cyclonedx</code> on x86_64 Linux (musl).</p>
</li>
<li>
<p>Support installing native binary for <code>cargo-cyclonedx</code> on
AArch64 macOS. (Previously x86_64 macOS binary is used as fallback.)</p>
</li>
<li>
<p>Update <code>cargo-cyclonedx@latest</code> to 0.5.7.</p>
</li>
</ul>
<h2>[2.47.29] - 2025-01-28</h2>
<ul>
<li>
<p>Support <code>cargo-semver-checks</code> on AArch64 Linux.</p>
</li>
<li>
<p>Support <code>cargo-zigbuild</code> on x86_64 macOS.</p>
</li>
<li>
<p>Support installing native binary for <code>mdbook</code> and
<code>shellcheck</code> on AArch64 macOS. (Previously x86_64 macOS
binary is used as fallback.)</p>
</li>
<li>
<p>Support installing native binary for <code>just</code> and
<code>sccache</code> on AArch64 Windows. (Previously x86_64 Windows
binary is used as fallback.)</p>
</li>
<li>
<p>Update <code>mdbook@latest</code> to 0.4.44.</p>
</li>
<li>
<p>Update <code>cargo-semver-checks@latest</code> to 0.39.0.</p>
</li>
</ul>
<h2>[2.47.28] - 2025-01-28</h2>
<p>No change on the <code>install-action</code> itself.</p>
<ul>
<li>
<p>Provide <code>install-action-manifest-schema</code> crate to access
to the <code>install-action</code> manifests from Rust code. (<a
href="https://redirect.github.com/taiki-e/install-action/pull/657">#657</a>,
thanks <a
href="https://github.com/NobodyXu"><code>@NobodyXu</code></a>)</p>
<p>This is being considered for use to speed up
<code>cargo-binstall</code> in the future.</p>
</li>
</ul>
<h2>[2.47.27] - 2025-01-28</h2>
<ul>
<li>
<p>Update <code>editorconfig-checker@latest</code> to 3.2.0.</p>
</li>
<li>
<p>Update <code>cargo-lambda@latest</code> to 1.6.3.</p>
</li>
</ul>
<h2>[2.47.26] - 2025-01-27</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="afbe5c1715"><code>afbe5c1</code></a>
Release 2.47.30</li>
<li><a
href="6fde044d27"><code>6fde044</code></a>
codegen: Address cargo-cyclonedx 0.5.1 asset change</li>
<li><a
href="544f616845"><code>544f616</code></a>
ci: Remove not triggered manifest_sync workflow</li>
<li><a
href="3b94b1e00e"><code>3b94b1e</code></a>
Release 2.47.29</li>
<li><a
href="f07d824129"><code>f07d824</code></a>
Update .gitattributes</li>
<li><a
href="fc5961fb83"><code>fc5961f</code></a>
codegen: cargo-zigbuild's macOS binary is universal binary</li>
<li><a
href="df3b728223"><code>df3b728</code></a>
codegen: Sort platform</li>
<li><a
href="58e7e8a24b"><code>58e7e8a</code></a>
codegen: Mark go's static-linked linux binaries as musl</li>
<li><a
href="1d9ff62a86"><code>1d9ff62</code></a>
codegen: shellcheck 0.10.0+ provides AArch64 macOS binary</li>
<li><a
href="85a4a5fd84"><code>85a4a5f</code></a>
codegen: sccache 0.8.2+ provides AArch64 Windows binary</li>
<li>Additional commits viewable in <a
href="c87777c316...afbe5c1715">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
We don't use the `Package.swift` in `FirezoneKit` because it only
applies to that module. Instead, we use Xcode's package management which
tracks things in
`swift/apple/Firezone.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved`.
There isn't a good reason why we're using a Makefile instead of regular
Bash script for bumping versions, so this PR fixes that for better
maintainability.
It also reduces then chances for merge conflicts when bumping version
because the versions are longer on adjacent lines.
Fixes: #7904
Recently, we changed that we only upload binaries to the draft releases
when we actively call the workflow. This means that we may potentially
have a drift between:
- The commit that gets tagged as the release.
- The commit from which the binaries got built.
To ensure that this doesn't drift, we only update the draft releases
whenever we actually uploaded new binaries to them. In addition, we
instruct `release-drafter` to set the target of the release to the
commit SHA from when it was triggered. As a result, it is much less
error prone that these may drift apart. I believe the only race
condition here could be if somebody publishes a release between the time
the binaries get uploaded and we update the release draft, i.e. when
GitHub hasn't fully finished CI yet.
---------
Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
In #7795, we optimised our CI pipeline to only test the installation of
the GUI client whenever we actually upload to the draft release. This
trigger has been moved to `workflow_dispatch`, meaning no CI builds
neither from PRs nor `main` perform these steps.
This makes it difficult to test GUI client binaries from PRs because
they also no longer get uploaded to the artifacts of the CI run on the
PR.
To fix this, we split the testing away from the rename script and
unconditionally run the rename script, which allows us to also always
upload the binaries to the CI artifacts.
Finally, uploading to the draft releases is only done when we explicitly
trigger the workflow from `main`. This is a defense-in-depth measure: We
should never publish a code to a release that hasn't been merged to
`main`.
If the PR title violates the length check, editing it and re-running the
job wouldn't fix it because the original title was still referenced.
To fix this, we introduce a trigger for this check that runs
specifically on PR edit.
Similar to the Apple and Android clients, this PR updates the Linux and
Windows GUI clients to upload to the GitHub drafted release on manual
workflow triggers only.
This should save a few minutes off `main` builds as the extra package
testing steps will now be skipped there.
Notably, the Gateway and Headless Client workflows are unchanged because
(a) they are much faster to build / test and (b) we use the release
builds for performance testing connlib, so we need them to run on
`main`.
We try to unit test on each major platform we support in CI to reduce
the possibility a specific OS has issues with our unit tests. Now that
macos-15 is available in GitHub CI, it would be a good idea to add it to
the mix.
To improve supply-chain security, reference all GitHub actions using the
hash of the released tag. GitHub recommends to do this for third-party
actions
(https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).
In order to make our CI more deterministic, I opted to do it for all our
actions. This means any change to our workflow configuration requires a
source code change and thus passing CI on our end.
Dependabot will automatically issue PRs for these actions and update the
comment with the new version next to them.
Resolves: #2497.
Xcode doesn't allow wildcards in input file lists, so the rules I set up
in #7488 never took effect.
Upon further investigation, it appears that the `strip` command executed
unconditionally at the end of every Rust build was the culprit. Since
Xcode already does this for us, it's a useless step that adds about 30s
to the build time.
Unfortunately there isn't a good way to tell Xcode not to build rust.
But now we don't need to -- `cargo`'s build cache is smart enough to
skip builds and we are back to the ~1-2s range for repeated builds when
only Swift code has changed.
We also add the swift bridge generated code to version control. These
doesn't change regularly, and Xcode sometimes complains that the files
don't exist _before_ it lets you run the `cargo build` to generate them
🙃 .
