Build release without cross

.fpm

@@ -1,5 +1,5 @@
 -s dir
 --name defguard-proxy
---description "defguard proxy service"
+--description "Defguard Edge service"
 --url "https://defguard.net/"
---maintainer "teonite"
+--maintainer "Defguard"

.github/workflows/lint-web.yml

@@ -30,7 +30,7 @@ jobs:
           submodules: recursive
       - uses: actions/setup-node@v6
         with:
-          node-version: 24
+          node-version: 25
       - name: install deps
         working-directory: ./web
         run: |

.github/workflows/publish-docker-latest.yml

@@ -0,0 +1,54 @@
+name: Publish Docker latest tag
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  tag-docker-latest:
+    # Only run when the release is marked as "Latest release" in the GitHub UI
+    if: github.event.release.make_latest == 'true'
+    runs-on: [self-hosted, Linux]
+
+    env:
+      GHCR_REPO: ghcr.io/defguard/defguard-proxy
+
+    permissions:
+      packages: write
+      id-token: write # needed for Cosign keyless signing
+
+    steps:
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v4.1.1
+
+      - name: Login to GitHub container registry
+        uses: docker/login-action@v4
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+
+      - name: Derive semver tag
+        run: |
+          # Strip the leading 'v' from the release tag name (e.g. v1.2.3 -> 1.2.3)
+          VERSION="${{ github.event.release.tag_name }}"
+          echo "VERSION=${VERSION#v}" >> $GITHUB_ENV
+
+      - name: Tag image as latest
+        run: |
+          docker buildx imagetools create \
+            --tag ${{ env.GHCR_REPO }}:latest \
+            ${{ env.GHCR_REPO }}:${{ env.VERSION }}
+
+      - name: Sign the latest tag with GitHub OIDC Token
+        run: cosign sign --yes ${{ env.GHCR_REPO }}:latest
+
+      - name: Verify image signature
+        run: |
+          cosign verify ${{ env.GHCR_REPO }}:latest \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp="https://github.com/DefGuard/proxy" \
+            -o text

.github/workflows/release.yml

@@ -8,6 +8,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  SQLX_OFFLINE: "1"
+  # sccache
+  SCCACHE_GHA_ENABLED: "true"
+  RUSTC_WRAPPER: "sccache"
+
 jobs:
   build-docker-release:
     # Ignore tags with -, like v1.0.0-alpha
@@ -45,41 +51,26 @@ jobs:
     steps:
       - name: Create GitHub release
         id: release
-        uses: softprops/action-gh-release@v2
-        if: startsWith(github.ref, 'refs/tags/')
+        uses: shogo82148/actions-create-release@v1
         with:
           draft: true
           generate_release_notes: true
 
   create-sbom:
-    needs: [create-release, build-docker-release]
+    needs:
+      - create-release
+      - build-docker-release
     uses: ./.github/workflows/sbom.yml
     with:
       upload_url: ${{ needs.create-release.outputs.upload_url }}
 
   build-binaries:
-    needs: [create-release]
+    needs:
+      - create-release
     runs-on:
       - self-hosted
-      - ${{ matrix.os }}
+      - Linux
       - X64
-    strategy:
-      fail-fast: false
-      matrix:
-        build: [linux, linux-arm64, freebsd]
-        include:
-          - build: linux
-            arch: amd64
-            os: Linux
-            target: x86_64-unknown-linux-gnu
-          - build: linux-arm64
-            arch: arm64
-            os: Linux
-            target: aarch64-unknown-linux-gnu
-          - build: freebsd
-            arch: amd64
-            os: Linux
-            target: x86_64-unknown-freebsd
     steps:
       # Store the version, stripping any v-prefix
       - name: Write release version
@@ -93,104 +84,177 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Install NodeJS
+        uses: actions/setup-node@v6
+        with:
+          node-version: 25
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v6
+        with:
+          cache: true
+          version: 10
+
+      # Change to '--frozen-lockfile' once this gets fixed:
+      # https://github.com/pnpm/action-setup/issues/40
+      - name: Build frontend
+        run: pnpm install --ignore-scripts --no-frozen-lockfile && pnpm build
+        working-directory: web
+
       - name: Install Rust stable
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: 1.89.0 # "stable" causes rust-lld: error on aarch64-linux          target: ${{ matrix.target }}
-          override: true
+          targets: "aarch64-unknown-linux-gnu"
 
-      - name: Setup `packer`
-        uses: hashicorp/setup-packer@main
-        id: setup
+      - name: Run sccache-cache
+        uses: mozilla-actions/sccache-action@v0.0.9
 
-      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v4
+      - name: Build Linux x86_64 binary
+        run: |
+          cargo build --locked --release --target x86_64-unknown-linux-gnu
+          mv target/x86_64-unknown-linux-gnu/release/defguard-proxy defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu
+          tar -zcf defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.tar.gz \
+            defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu
+
+      - name: Build Linux aarch64 binary
+        env:
+          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
+          PKG_CONFIG_SYSROOT_DIR: /usr/lib/aarch64-linux-gnu
+        run: |
+          cargo build --locked --release --target aarch64-unknown-linux-gnu
+          mv target/aarch64-unknown-linux-gnu/release/defguard-proxy defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu
+          tar -zcf defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.tar.gz \
+            defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu
+
+      - name: Build FreeBSD binary
+        run: |
+          rsync -rlptxzH -e 'ssh -l root' --del ./ freebsd:work/
+          ssh root@freebsd 'cd work && cargo build --locked --release'
+          scp root@freebsd:work/target/release/defguard-proxy defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd
+          tar -zcf defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd.tar.gz \
+            defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd
+
+      - name: Build x86_64 DEB package
+        uses: defGuard/fpm-action@main
         with:
-          config-inline: |
-            [registry."docker.io"]
-              mirrors = ["dockerhub-proxy.teonite.net"]
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture amd64 --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb"
 
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+      - name: Build aarch64 DEB package
+        uses: defGuard/fpm-action@main
         with:
-          # FIXME: temporarily pinned because of https://github.com/pnpm/pnpm/pull/9959
-          version: 10.17
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture arm64 --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb"
 
-      - name: Use Node.js
-        uses: actions/setup-node@v6
+      - name: Build x86_64 RPM package
+        uses: defGuard/fpm-action@main
         with:
-          node-version: 25
-          cache: "pnpm"
-          cache-dependency-path: ./web/pnpm-lock.yaml
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture amd64 --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm"
 
-      - name: Install frontend dependencies
-        run: pnpm install --ignore-scripts --frozen-lockfile
-        working-directory: web
+      - name: Build aarch64 RPM package
+        uses: defGuard/fpm-action@main
+        with:
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture arm64 --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-freebsd.rpm"
 
-      - name: Build frontend
-        run: pnpm build
-        working-directory: web
+      - name: Build FreeBSD package
+        uses: defGuard/fpm-action@main
+        with:
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-proxy
+            defguard-proxy.service.freebsd=/usr/local/etc/rc.d/defguard-proxy
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' --depends openssl"
 
-      - name: Build release binary
-        uses: actions-rs/cargo@v1
+      - name: Upload Linux x86_64 archive
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          use-cross: true
-          command: build
-          args: --locked --release --target ${{ matrix.target }}
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.tar.gz
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Rename binary
-        run: mv target/${{ matrix.target }}/release/defguard-proxy defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}
+      - name: Upload Linux aarch64 archive
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.tar.gz
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Tar
-        uses: a7ul/tar-action@v1.2.0
+      - name: Upload FreeBSD x86_64 archive
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          command: c
-          files: |
-            defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}
-          outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd.tar.gz
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Upload release archive
-        uses: actions/upload-release-asset@v1.0.2
+      - name: Upload Linux x86_64 DEB
+        uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
-          asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
-          asset_content_type: application/octet-stream
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Build DEB package
-        if: matrix.build == 'linux'
-        uses: bpicode/github-action-fpm@master
+      - name: Upload Linux aarch64 DEB
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb"
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Upload DEB
-        if: matrix.build == 'linux'
-        uses: actions/upload-release-asset@v1.0.2
+      - name: Upload Linux x86_64 RPM
+        uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
-          asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
-          asset_content_type: application/octet-stream
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Build RPM package
-        if: matrix.build == 'linux'
-        uses: bpicode/github-action-fpm@master
+      - name: Upload Linux aarch64 RPM
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm"
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Upload RPM
-        if: matrix.build == 'linux'
-        uses: actions/upload-release-asset@v1.0.2
+      - name: Upload FreeBSD package
+        uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
-          asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
-          asset_content_type: application/octet-stream
+          asset_path: defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
+          asset_content_type: application/x-pkg
+          overwrite: true