
try fixing security

Changed files
+361 -444
+76
.github/actions/setup/action.yml
··· 1 + name: 'Setup Teal Environment' 2 + description: 'Sets up the common environment for Teal builds including Node.js, Rust, pnpm, and lexicons' 3 + 4 + inputs: 5 + setup-rust: 6 + description: 'Whether to setup Rust toolchain' 7 + required: false 8 + default: 'false' 9 + rust-components: 10 + description: 'Rust components to install (e.g., "rustfmt,clippy")' 11 + required: false 12 + default: 'rustfmt,clippy' 13 + setup-node: 14 + description: 'Whether to setup Node.js and pnpm' 15 + required: false 16 + default: 'true' 17 + node-version: 18 + description: 'Node.js version to use' 19 + required: false 20 + default: '20' 21 + lexicons-only-rust: 22 + description: 'Generate only Rust lexicons' 23 + required: false 24 + default: 'false' 25 + cache-key-suffix: 26 + description: 'Additional suffix for cache keys' 27 + required: false 28 + default: '' 29 + 30 + runs: 31 + using: 'composite' 32 + steps: 33 + - name: Setup lexicons 34 + shell: bash 35 + run: ./scripts/setup-lexicons.sh 36 + 37 + - name: Install pnpm 38 + if: inputs.setup-node == 'true' 39 + uses: pnpm/action-setup@v4 40 + 41 + - name: Setup Node.js 42 + if: inputs.setup-node == 'true' 43 + uses: actions/setup-node@v4 44 + with: 45 + node-version: ${{ inputs.node-version }} 46 + cache: 'pnpm' 47 + 48 + - name: Install Node dependencies 49 + if: inputs.setup-node == 'true' 50 + shell: bash 51 + run: pnpm install --frozen-lockfile 52 + 53 + - name: Generate lexicons 54 + if: inputs.setup-node == 'true' 55 + shell: bash 56 + run: | 57 + if [ "${{ inputs.lexicons-only-rust }}" = "true" ]; then 58 + pnpm lex:gen --rust-only 59 + else 60 + pnpm lex:gen 61 + fi 62 + 63 + - name: Install Rust toolchain 64 + if: inputs.setup-rust == 'true' 65 + uses: dtolnay/rust-toolchain@stable 66 + with: 67 + components: ${{ inputs.rust-components }} 68 + 69 + - name: Cache Rust dependencies 70 + if: inputs.setup-rust == 'true' 71 + uses: Swatinem/rust-cache@v2 72 + with: 73 + workspaces: | 74 + services 75 + apps/aqua 76 + 
key: ${{ inputs.cache-key-suffix }}
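Review bot: Every third-party action in this composite is referenced by a mutable tag or branch (`pnpm/action-setup@v4`, `actions/setup-node@v4`, `dtolnay/rust-toolchain@stable`, `Swatinem/rust-cache@v2`), so a moved or compromised tag changes what runs in every workflow that calls this action; pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: Swatinem/rust-cache@<commit-sha>  # v2` (placeholder SHA), and let Dependabot bump them. The same applies to the `actions/*`, `docker/*` and `github/codeql-action/*` references in amethyst.yml, ci.yml, release.yml and security.yml. The `lexicons-only-rust` input is interpolated straight into the shell in the Generate lexicons step; since it is only set by workflows in this repository the risk is low, but the idiomatic form is to export it as an env var and test `if [ "$LEXICONS_ONLY_RUST" = "true" ]`.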
+20 -55
.github/workflows/amethyst.yml
··· 23 23 - ".github/workflows/amethyst.yml" 24 24 25 25 jobs: 26 - build-web: 27 - name: Build Web 26 + build: 27 + name: Build Amethyst 28 28 runs-on: ubuntu-latest 29 + outputs: 30 + build-cache-key: ${{ steps.cache-key.outputs.key }} 29 31 steps: 30 32 - name: Checkout repository 31 33 uses: actions/checkout@v4 32 34 33 - - name: Install pnpm 34 - uses: pnpm/action-setup@v4 35 - 36 - - name: Setup Node.js 37 - uses: actions/setup-node@v4 35 + - name: Setup environment 36 + uses: ./.github/actions/setup 38 37 with: 39 - node-version: "20" 40 - cache: "pnpm" 41 - 42 - - name: Install dependencies 43 - run: pnpm install --frozen-lockfile 38 + setup-node: "true" 44 39 45 - - name: Generate lexicons 46 - run: pnpm lex:gen-server 40 + - name: Generate cache key 41 + id: cache-key 42 + run: echo "key=amethyst-build-${{ hashFiles('apps/amethyst/**', 'packages/**', 'lexicons/**') }}" >> $GITHUB_OUTPUT 47 43 48 44 - name: Build web 49 45 run: pnpm turbo build:web --filter=@teal/amethyst 50 46 47 + - name: Type check 48 + run: pnpm turbo check-types --filter=@teal/amethyst 49 + 50 + - name: Run tests 51 + run: pnpm turbo test --filter=@teal/amethyst 52 + 51 53 - name: Upload web build artifacts 52 54 uses: actions/upload-artifact@v4 53 55 with: ··· 58 60 build-ios: 59 61 name: Build iOS 60 62 runs-on: macos-latest 63 + needs: build 61 64 if: github.event_name == 'push' && github.ref == 'refs/heads/main' 62 65 steps: 63 66 - name: Checkout repository 64 67 uses: actions/checkout@v4 65 68 66 - - name: Install pnpm 67 - uses: pnpm/action-setup@v4 68 - 69 - - name: Setup Node.js 70 - uses: actions/setup-node@v4 69 + - name: Setup environment 70 + uses: ./.github/actions/setup 71 71 with: 72 - node-version: "20" 73 - cache: "pnpm" 74 - 75 - - name: Install dependencies 76 - run: pnpm install --frozen-lockfile 77 - 78 - - name: Generate lexicons 79 - run: pnpm lex:gen-server 72 + setup-node: "true" 80 73 81 74 - name: Setup Expo CLI 82 75 run: npm install -g @expo/cli ··· 90 83 
name: amethyst-ios-build 91 84 path: apps/amethyst/build/ 92 85 retention-days: 7 93 - 94 - lint-and-test: 95 - name: Lint and Test 96 - runs-on: ubuntu-latest 97 - steps: 98 - - name: Checkout repository 99 - uses: actions/checkout@v4 100 - 101 - - name: Install pnpm 102 - uses: pnpm/action-setup@v4 103 - 104 - - name: Setup Node.js 105 - uses: actions/setup-node@v4 106 - with: 107 - node-version: "20" 108 - cache: "pnpm" 109 - 110 - - name: Install dependencies 111 - run: pnpm install --frozen-lockfile 112 - 113 - - name: Generate lexicons 114 - run: pnpm lex:gen-server 115 - 116 - - name: Type check 117 - run: pnpm turbo check-types --filter=@teal/amethyst 118 - 119 - - name: Run tests 120 - run: pnpm turbo test --filter=@teal/amethyst
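Review bot: The new `build-cache-key` job output (`${{ steps.cache-key.outputs.key }}`) is computed from `hashFiles(...)` but nothing in this file consumes it — `build-ios` only declares `needs: build` — so the Generate cache key step is dead work unless a later commit wires it into a cache action; either drop the step and the `outputs:` block or add the `actions/cache` step that uses it. Separately, the removed jobs ran `pnpm lex:gen-server`, while the composite action now runs `pnpm lex:gen`; if those scripts produce different output, the web build and the tests that moved into this job now see different generated lexicons — confirm this is intended. For consistency with the rest of the shell in these workflows, quote the redirect target: `>> "$GITHUB_OUTPUT"`.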
+145 -77
.github/workflows/ci.yml
··· 13 13 SQLX_OFFLINE: true 14 14 15 15 jobs: 16 - rust-check: 17 - name: Rust Check 16 + setup-and-build: 17 + name: Setup and Build All 18 18 runs-on: ubuntu-latest 19 + outputs: 20 + rust-cache-key: ${{ steps.rust-cache.outputs.cache-hit }} 21 + node-cache-key: ${{ steps.node-cache.outputs.cache-hit }} 19 22 steps: 20 23 - name: Checkout repository 21 24 uses: actions/checkout@v4 22 25 23 - - name: Setup lexicons 24 - run: ./scripts/setup-lexicons.sh 26 + - name: Setup environment 27 + uses: ./.github/actions/setup 28 + with: 29 + setup-rust: "true" 30 + setup-node: "true" 31 + cache-key-suffix: "ci-build" 25 32 26 - - name: Install pnpm 27 - uses: pnpm/action-setup@v4 33 + - name: Build Node packages 34 + run: pnpm build 28 35 29 - - name: Setup Node.js 30 - uses: actions/setup-node@v4 31 - with: 32 - node-version: "20" 33 - cache: "pnpm" 36 + - name: Build Rust services (x86_64) 37 + run: | 38 + cd services 39 + cargo build --release --all-features 34 40 35 - - name: Install dependencies and generate lexicons 41 + - name: Build Rust apps (x86_64) 36 42 run: | 37 - pnpm install --frozen-lockfile 38 - pnpm lex:gen --rust-only 43 + cd apps/aqua 44 + cargo build --release --all-features 39 45 40 - - name: Install Rust toolchain 41 - uses: dtolnay/rust-toolchain@stable 46 + - name: Upload Node build artifacts 47 + uses: actions/upload-artifact@v4 42 48 with: 43 - components: rustfmt, clippy 49 + name: node-builds 50 + path: | 51 + packages/*/dist/ 52 + apps/amethyst/build/ 53 + retention-days: 1 54 + 55 + - name: Upload Rust build artifacts 56 + uses: actions/upload-artifact@v4 57 + with: 58 + name: rust-builds-x86_64 59 + path: | 60 + target/release/ 61 + apps/aqua/target/release/ 62 + retention-days: 1 63 + 64 + rust-cross-compile: 65 + name: Cross-compile Rust 66 + runs-on: ubuntu-latest 67 + needs: setup-and-build 68 + strategy: 69 + matrix: 70 + target: [aarch64-unknown-linux-gnu] 71 + steps: 72 + - name: Checkout repository 73 + uses: actions/checkout@v4 44 
74 45 - - name: Cache Rust dependencies 46 - uses: Swatinem/rust-cache@v2 75 + - name: Setup environment 76 + uses: ./.github/actions/setup 47 77 with: 48 - workspaces: | 49 - services 50 - apps/aqua 78 + setup-rust: "true" 79 + setup-node: "true" 80 + lexicons-only-rust: "true" 81 + cache-key-suffix: "cross-${{ matrix.target }}" 51 82 52 - - name: Check Rust formatting (services) 83 + - name: Install cross-compilation tools 84 + run: | 85 + cargo install cross 86 + rustup target add ${{ matrix.target }} 87 + 88 + - name: Cross-compile services 53 89 run: | 54 90 cd services 55 - cargo fmt --all -- --check 91 + cross build --release --all-features --target ${{ matrix.target }} 56 92 57 - - name: Check Rust formatting (apps) 93 + - name: Cross-compile apps 58 94 run: | 59 - for dir in apps/*/; do 60 - if [ -f "$dir/Cargo.toml" ]; then 61 - echo "Checking formatting for $dir" 62 - cd "$dir" 63 - cargo fmt --all -- --check 64 - cd ../.. 65 - fi 66 - done 95 + cd apps/aqua 96 + cross build --release --all-features --target ${{ matrix.target }} 97 + 98 + - name: Upload cross-compiled artifacts 99 + uses: actions/upload-artifact@v4 100 + with: 101 + name: rust-builds-${{ matrix.target }} 102 + path: | 103 + target/${{ matrix.target }}/release/ 104 + apps/aqua/target/${{ matrix.target }}/release/ 105 + retention-days: 1 67 106 68 - - name: Run Clippy (services) 107 + rust-quality: 108 + name: Rust Quality Checks 109 + runs-on: ubuntu-latest 110 + needs: setup-and-build 111 + steps: 112 + - name: Checkout repository 113 + uses: actions/checkout@v4 114 + 115 + - name: Setup environment 116 + uses: ./.github/actions/setup 117 + with: 118 + setup-rust: "true" 119 + setup-node: "true" 120 + lexicons-only-rust: "true" 121 + cache-key-suffix: "ci-build" 122 + 123 + - name: Check Rust formatting 69 124 run: | 70 - cd services 71 - cargo clippy --all-targets --all-features -- -D warnings 125 + cd services && cargo fmt --all -- --check 126 + cd ../apps/aqua && cargo fmt --all -- 
--check 72 127 73 - - name: Run Clippy (apps) 128 + - name: Run Clippy 74 129 run: | 75 - for dir in apps/*/; do 76 - if [ -f "$dir/Cargo.toml" ]; then 77 - echo "Running clippy for $dir" 78 - cd "$dir" 79 - cargo clippy --all-targets --all-features -- -D warnings 80 - cd ../.. 81 - fi 82 - done 130 + cd services && cargo clippy --all-targets --all-features -- -D warnings 131 + cd ../apps/aqua && cargo clippy --all-targets --all-features -- -D warnings 83 132 84 - - name: Run Rust tests (services) 133 + - name: Run Rust tests 85 134 run: | 86 - cd services 87 - cargo test --all-features 135 + cd services && cargo test --all-features 88 136 89 - node-check: 90 - name: Node.js Check 137 + node-quality: 138 + name: Node.js Quality Checks 91 139 runs-on: ubuntu-latest 140 + needs: setup-and-build 92 141 steps: 93 142 - name: Checkout repository 94 143 uses: actions/checkout@v4 95 144 96 - - name: Install pnpm 97 - uses: pnpm/action-setup@v4 98 - 99 - - name: Setup Node.js 100 - uses: actions/setup-node@v4 145 + - name: Setup environment 146 + uses: ./.github/actions/setup 101 147 with: 102 - node-version: "20" 103 - cache: "pnpm" 148 + setup-node: "true" 149 + cache-key-suffix: "ci-build" 104 150 105 - - name: Install dependencies 106 - run: pnpm install --frozen-lockfile 151 + - name: Download Node build artifacts 152 + uses: actions/download-artifact@v4 153 + with: 154 + name: node-builds 155 + path: . 
107 156 108 157 - name: Type check 109 158 run: pnpm typecheck ··· 111 160 - name: Lint and format check 112 161 run: pnpm fix --check 113 162 114 - - name: Build packages 115 - run: pnpm build 116 - 117 163 - name: Run tests 118 164 run: pnpm test 119 165 120 - lexicon-check: 166 + lexicon-validation: 121 167 name: Lexicon Validation 122 168 runs-on: ubuntu-latest 123 169 steps: 124 170 - name: Checkout repository 125 171 uses: actions/checkout@v4 126 172 127 - - name: Setup lexicons 128 - run: ./scripts/setup-lexicons.sh 129 - 130 - - name: Install pnpm 131 - uses: pnpm/action-setup@v4 132 - 133 - - name: Setup Node.js 134 - uses: actions/setup-node@v4 173 + - name: Setup environment 174 + uses: ./.github/actions/setup 135 175 with: 136 - node-version: "20" 137 - cache: "pnpm" 138 - 139 - - name: Install dependencies 140 - run: pnpm install --frozen-lockfile 176 + setup-node: "true" 141 177 142 178 - name: Validate lexicons 143 179 run: pnpm lex:validate 144 180 145 - - name: Check lexicon generation 181 + - name: Check lexicon generation consistency 146 182 run: | 147 183 pnpm lex:gen 148 184 git diff --exit-code || (echo "Lexicon files are out of sync. Run 'pnpm lex:gen' locally." 
&& exit 1) 185 + 186 + security-audit: 187 + name: Security Audit 188 + runs-on: ubuntu-latest 189 + steps: 190 + - name: Checkout repository 191 + uses: actions/checkout@v4 192 + 193 + - name: Setup environment 194 + uses: ./.github/actions/setup 195 + with: 196 + setup-rust: "true" 197 + setup-node: "true" 198 + rust-components: "rustfmt,clippy" 199 + cache-key-suffix: "security" 200 + 201 + - name: Install and configure cargo-audit 202 + run: | 203 + cargo install cargo-audit 204 + cargo audit fetch 205 + 206 + - name: Run Rust security audit 207 + run: | 208 + for dir in services/ apps/aqua/; do 209 + if [ -f "$dir/Cargo.toml" ]; then 210 + echo "Running security audit for $dir" 211 + (cd "$dir" && cargo audit --deny-warnings --deny-unmaintained) 212 + fi 213 + done 214 + 215 + - name: Run Node.js security audit 216 + run: pnpm audit --audit-level=high
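Review bot: The `cargo audit --deny-warnings --deny-unmaintained` call in the Run Rust security audit step does not match the current cargo-audit CLI, where denial is expressed as `-D`/`--deny <warning-type>` (`cargo audit --deny warnings --deny unmaintained`), and because `cargo install cargo-audit` fetches the newest release on every run the job will most likely fail on argument parsing rather than on findings — confirm against the installed version. A security gate should not install its own scanner unpinned; use `cargo install cargo-audit --locked --version "<pinned-version>"` (placeholder version) or a cached, checksum-verified binary. This job also replaces the audits that were on security.yml's weekly `cron` schedule, so unless ci.yml's `on:` block (outside this hunk) includes `schedule:`, advisories published against unchanged dependencies are only noticed at the next push or pull request. The `rust-cache-key`/`node-cache-key` outputs reference `steps.rust-cache` and `steps.node-cache`, but no step in `setup-and-build` carries those ids (the composite action's internal steps are not addressable from the caller), so both outputs are always empty. The Upload Rust build artifacts paths `target/release/` assume a root-level target directory, whereas the builds run inside `services/` and `apps/aqua/` and the rust-cache `workspaces` list suggests each has its own `target/` — verify the path or the artifact will be empty.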
+99 -204
.github/workflows/release.yml
··· 25 25 outputs: 26 26 release_id: ${{ steps.create_release.outputs.id }} 27 27 upload_url: ${{ steps.create_release.outputs.upload_url }} 28 + tag: ${{ steps.tag.outputs.tag }} 28 29 steps: 29 30 - name: Checkout repository 30 31 uses: actions/checkout@v4 ··· 60 61 draft: false 61 62 prerelease: ${{ contains(steps.tag.outputs.tag, '-') }} 62 63 63 - build-and-release-aqua: 64 - name: Release Aqua 64 + build-all: 65 + name: Build All Artifacts 65 66 runs-on: ubuntu-latest 66 67 needs: create-release 67 - permissions: 68 - contents: read 69 - packages: write 68 + outputs: 69 + rust-artifacts: ${{ steps.upload-rust.outputs.artifact-id }} 70 + node-artifacts: ${{ steps.upload-node.outputs.artifact-id }} 70 71 steps: 71 72 - name: Checkout repository 72 73 uses: actions/checkout@v4 73 74 74 - - name: Setup lexicons 75 - run: ./scripts/setup-lexicons.sh 76 - 77 - - name: Install pnpm 78 - uses: pnpm/action-setup@v4 79 - 80 - - name: Setup Node.js 81 - uses: actions/setup-node@v4 75 + - name: Setup environment 76 + uses: ./.github/actions/setup 82 77 with: 83 - node-version: "20" 84 - cache: "pnpm" 78 + setup-rust: "true" 79 + setup-node: "true" 80 + cache-key-suffix: "release-${{ needs.create-release.outputs.tag }}" 85 81 86 - - name: Install dependencies and generate lexicons 82 + - name: Install cross-compilation tools 87 83 run: | 88 - pnpm install --frozen-lockfile 89 - pnpm lex:gen --rust-only 90 - 91 - - name: Log in to Container Registry 92 - uses: docker/login-action@v3 93 - with: 94 - registry: ${{ env.REGISTRY }} 95 - username: ${{ github.actor }} 96 - password: ${{ secrets.GITHUB_TOKEN }} 84 + cargo install cross 85 + rustup target add aarch64-unknown-linux-gnu 97 86 98 - - name: Get tag name 99 - id: tag 87 + - name: Build Node.js artifacts 100 88 run: | 101 - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then 102 - echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT 103 - else 104 - echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT 
105 - fi 106 - 107 - - name: Extract metadata 108 - id: meta 109 - uses: docker/metadata-action@v5 110 - with: 111 - images: ${{ env.REGISTRY }}/${{ github.repository }}/aqua 112 - tags: | 113 - type=raw,value=latest 114 - type=raw,value=${{ steps.tag.outputs.tag }} 115 - 116 - - name: Set up Docker Buildx 117 - uses: docker/setup-buildx-action@v3 89 + pnpm build 90 + cd apps/amethyst && pnpm build 118 91 119 - - name: Build and push Docker image 120 - uses: docker/build-push-action@v5 121 - with: 122 - context: . 123 - file: ./apps/aqua/Dockerfile 124 - push: true 125 - tags: ${{ steps.meta.outputs.tags }} 126 - labels: ${{ steps.meta.outputs.labels }} 127 - platforms: linux/amd64,linux/arm64 128 - cache-from: type=gha 129 - cache-to: type=gha,mode=max 130 - 131 - build-and-release-cadet: 132 - name: Release Cadet 133 - runs-on: ubuntu-latest 134 - needs: create-release 135 - permissions: 136 - contents: read 137 - packages: write 138 - steps: 139 - - name: Checkout repository 140 - uses: actions/checkout@v4 92 + - name: Build Rust services (x86_64) 93 + run: | 94 + cd services 95 + cargo build --release --all-features 141 96 142 - - name: Setup lexicons 143 - run: ./scripts/setup-lexicons.sh 97 + - name: Build Rust services (aarch64) 98 + run: | 99 + cd services 100 + cross build --release --all-features --target aarch64-unknown-linux-gnu 144 101 145 - - name: Install pnpm 146 - uses: pnpm/action-setup@v4 102 + - name: Build Rust apps (x86_64) 103 + run: | 104 + cd apps/aqua 105 + cargo build --release --all-features 147 106 148 - - name: Setup Node.js 149 - uses: actions/setup-node@v4 150 - with: 151 - node-version: "20" 152 - cache: "pnpm" 107 + - name: Build Rust apps (aarch64) 108 + run: | 109 + cd apps/aqua 110 + cross build --release --all-features --target aarch64-unknown-linux-gnu 153 111 154 - - name: Install dependencies and generate lexicons 112 + - name: Create Amethyst build archive 155 113 run: | 156 - pnpm install --frozen-lockfile 157 - pnpm 
lex:gen --rust-only 114 + cd apps/amethyst 115 + tar -czf amethyst-${{ needs.create-release.outputs.tag }}.tar.gz build/ 158 116 159 - - name: Log in to Container Registry 160 - uses: docker/login-action@v3 117 + - name: Upload Rust build artifacts 118 + id: upload-rust 119 + uses: actions/upload-artifact@v4 161 120 with: 162 - registry: ${{ env.REGISTRY }} 163 - username: ${{ github.actor }} 164 - password: ${{ secrets.GITHUB_TOKEN }} 165 - 166 - - name: Get tag name 167 - id: tag 168 - run: | 169 - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then 170 - echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT 171 - else 172 - echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT 173 - fi 121 + name: rust-release-builds 122 + path: | 123 + target/release/ 124 + target/aarch64-unknown-linux-gnu/release/ 125 + apps/aqua/target/release/ 126 + apps/aqua/target/aarch64-unknown-linux-gnu/release/ 127 + retention-days: 7 174 128 175 - - name: Extract metadata 176 - id: meta 177 - uses: docker/metadata-action@v5 129 + - name: Upload Node build artifacts 130 + id: upload-node 131 + uses: actions/upload-artifact@v4 178 132 with: 179 - images: ${{ env.REGISTRY }}/${{ github.repository }}/cadet 180 - tags: | 181 - type=raw,value=latest 182 - type=raw,value=${{ steps.tag.outputs.tag }} 183 - 184 - - name: Set up Docker Buildx 185 - uses: docker/setup-buildx-action@v3 133 + name: node-release-builds 134 + path: | 135 + packages/*/dist/ 136 + apps/amethyst/build/ 137 + apps/amethyst/amethyst-${{ needs.create-release.outputs.tag }}.tar.gz 138 + retention-days: 7 186 139 187 - - name: Build and push Docker image 188 - uses: docker/build-push-action@v5 140 + - name: Upload Amethyst build to release 141 + uses: actions/upload-release-asset@v1 142 + env: 143 + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 189 144 with: 190 - context: . 
191 - file: ./services/cadet/Dockerfile 192 - push: true 193 - tags: ${{ steps.meta.outputs.tags }} 194 - labels: ${{ steps.meta.outputs.labels }} 195 - platforms: linux/amd64,linux/arm64 196 - cache-from: type=gha 197 - cache-to: type=gha,mode=max 145 + upload_url: ${{ needs.create-release.outputs.upload_url }} 146 + asset_path: ./apps/amethyst/amethyst-${{ needs.create-release.outputs.tag }}.tar.gz 147 + asset_name: amethyst-${{ needs.create-release.outputs.tag }}.tar.gz 148 + asset_content_type: application/gzip 198 149 199 - release-other-services: 200 - name: Release Other Services 150 + release-services: 151 + name: Release Services 201 152 runs-on: ubuntu-latest 202 - needs: create-release 153 + needs: [create-release, build-all] 203 154 permissions: 204 155 contents: read 205 156 packages: write 206 157 strategy: 207 158 matrix: 208 - service: [rocketman, satellite] 159 + service: 160 + - name: aqua 161 + dockerfile: apps/aqua/Dockerfile 162 + context: . 163 + - name: cadet 164 + dockerfile: services/cadet/Dockerfile 165 + context: . 166 + - name: rocketman 167 + dockerfile: services/rocketman/Dockerfile 168 + context: . 169 + - name: satellite 170 + dockerfile: services/satellite/Dockerfile 171 + context: . 
209 172 steps: 210 173 - name: Checkout repository 211 174 uses: actions/checkout@v4 ··· 213 176 - name: Check if service has Dockerfile 214 177 id: check 215 178 run: | 216 - if [ -f "services/${{ matrix.service }}/Dockerfile" ]; then 179 + if [ -f "${{ matrix.service.dockerfile }}" ]; then 217 180 echo "has_dockerfile=true" >> $GITHUB_OUTPUT 181 + echo "Service ${{ matrix.service.name }} has Dockerfile" 218 182 else 219 183 echo "has_dockerfile=false" >> $GITHUB_OUTPUT 184 + echo "Service ${{ matrix.service.name }} does not have Dockerfile, skipping" 220 185 fi 221 186 222 - - name: Setup lexicons 223 - if: steps.check.outputs.has_dockerfile == 'true' 224 - run: ./scripts/setup-lexicons.sh 225 - 226 - - name: Install pnpm 227 - if: steps.check.outputs.has_dockerfile == 'true' 228 - uses: pnpm/action-setup@v4 229 - 230 - - name: Setup Node.js 187 + - name: Setup environment 231 188 if: steps.check.outputs.has_dockerfile == 'true' 232 - uses: actions/setup-node@v4 189 + uses: ./.github/actions/setup 233 190 with: 234 - node-version: "20" 235 - cache: "pnpm" 191 + setup-node: "true" 192 + lexicons-only-rust: "true" 236 193 237 - - name: Install dependencies and generate lexicons 194 + - name: Download build artifacts 238 195 if: steps.check.outputs.has_dockerfile == 'true' 239 - run: | 240 - pnpm install --frozen-lockfile 241 - pnpm lex:gen --rust-only 196 + uses: actions/download-artifact@v4 197 + with: 198 + name: rust-release-builds 199 + path: . 
242 200 243 201 - name: Log in to Container Registry 244 202 if: steps.check.outputs.has_dockerfile == 'true' ··· 248 206 username: ${{ github.actor }} 249 207 password: ${{ secrets.GITHUB_TOKEN }} 250 208 251 - - name: Get tag name 252 - if: steps.check.outputs.has_dockerfile == 'true' 253 - id: tag 254 - run: | 255 - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then 256 - echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT 257 - else 258 - echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT 259 - fi 260 - 261 209 - name: Extract metadata 262 210 if: steps.check.outputs.has_dockerfile == 'true' 263 211 id: meta 264 212 uses: docker/metadata-action@v5 265 213 with: 266 - images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.service }} 214 + images: ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.service.name }} 267 215 tags: | 268 216 type=raw,value=latest 269 - type=raw,value=${{ steps.tag.outputs.tag }} 217 + type=raw,value=${{ needs.create-release.outputs.tag }} 270 218 271 219 - name: Set up Docker Buildx 272 220 if: steps.check.outputs.has_dockerfile == 'true' ··· 276 224 if: steps.check.outputs.has_dockerfile == 'true' 277 225 uses: docker/build-push-action@v5 278 226 with: 279 - context: . 
280 - file: ./services/${{ matrix.service }}/Dockerfile 227 + context: ${{ matrix.service.context }} 228 + file: ${{ matrix.service.dockerfile }} 281 229 push: true 282 230 tags: ${{ steps.meta.outputs.tags }} 283 231 labels: ${{ steps.meta.outputs.labels }} 284 232 platforms: linux/amd64,linux/arm64 285 - cache-from: type=gha,scope=${{ matrix.service }} 286 - cache-to: type=gha,mode=max,scope=${{ matrix.service }} 287 - 288 - build-and-release-amethyst: 289 - name: Release Amethyst 290 - runs-on: ubuntu-latest 291 - needs: create-release 292 - steps: 293 - - name: Checkout repository 294 - uses: actions/checkout@v4 295 - 296 - - name: Install pnpm 297 - uses: pnpm/action-setup@v4 298 - 299 - - name: Setup Node.js 300 - uses: actions/setup-node@v4 301 - with: 302 - node-version: "20" 303 - cache: "pnpm" 304 - 305 - - name: Install dependencies 306 - run: pnpm install --frozen-lockfile 307 - 308 - - name: Setup lexicons 309 - run: ./scripts/setup-lexicons.sh 310 - 311 - - name: Generate lexicons 312 - run: pnpm lex:gen 313 - 314 - - name: Build for all platforms 315 - run: | 316 - cd apps/amethyst 317 - pnpm build 318 - 319 - - name: Create build archive 320 - run: | 321 - cd apps/amethyst 322 - tar -czf amethyst-build.tar.gz build/ 323 - 324 - - name: Get tag name 325 - id: tag 326 - run: | 327 - if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then 328 - echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT 329 - else 330 - echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT 331 - fi 332 - 333 - - name: Upload Amethyst build to release 334 - uses: actions/upload-release-asset@v1 335 - env: 336 - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 337 - with: 338 - upload_url: ${{ needs.create-release.outputs.upload_url }} 339 - asset_path: ./apps/amethyst/amethyst-build.tar.gz 340 - asset_name: amethyst-${{ steps.tag.outputs.tag }}.tar.gz 341 - asset_content_type: application/gzip 233 + cache-from: type=gha,scope=${{ matrix.service.name }} 234 + cache-to: 
type=gha,mode=max,scope=${{ matrix.service.name }} 235 + build-args: | 236 + BUILDKIT_INLINE_CACHE=1
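Review bot: The release tag is interpolated directly into shell in `build-all` (`tar -czf amethyst-${{ needs.create-release.outputs.tag }}.tar.gz build/`), and on `workflow_dispatch` that tag originates from a user-supplied input (per the `github.event.inputs.tag` lines this commit removes), so a tag containing shell metacharacters is executed by the runner; pass it through the environment instead, `env: RELEASE_TAG: ${{ needs.create-release.outputs.tag }}` with `tar -czf "amethyst-${RELEASE_TAG}.tar.gz" build/`, and have the create-release step validate the tag against a strict pattern before exporting it. The `permissions:` block was dropped from `build-all` even though its Upload Amethyst build to release step writes to the release with `GITHUB_TOKEN`; if the workflow's top-level permissions are `contents: read`, that step gets a 403 — declare `permissions: contents: write` on `build-all` explicitly and keep the other jobs at read. `actions/upload-release-asset@v1` is archived upstream; `gh release upload` with the same token is the maintained replacement. Finally, `release-services` downloads `rust-release-builds` into `.`, but the Docker build still runs `platforms: linux/amd64,linux/arm64` against the original Dockerfiles — if those build from source, the downloaded artifacts are never used; confirm the Dockerfiles actually copy from `target/`.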
+21 -108
.github/workflows/security.yml
··· 12 12 - cron: "0 2 * * 0" 13 13 14 14 jobs: 15 - rust-security-audit: 16 - name: Rust Security Audit 17 - runs-on: ubuntu-latest 18 - steps: 19 - - name: Checkout repository 20 - uses: actions/checkout@v4 21 - 22 - - name: Install Rust toolchain 23 - uses: dtolnay/rust-toolchain@stable 24 - 25 - - name: Install cargo-audit 26 - run: cargo install cargo-audit 27 - 28 - - name: Cache Rust dependencies 29 - uses: Swatinem/rust-cache@v2 30 - with: 31 - workspaces: | 32 - services 33 - apps/aqua 34 - 35 - - name: Run cargo audit (services) 36 - run: | 37 - cd services 38 - cargo audit 39 - 40 - - name: Run cargo audit (apps) 41 - run: | 42 - for dir in apps/*/; do 43 - if [ -f "$dir/Cargo.toml" ]; then 44 - echo "Running security audit for $dir" 45 - cd "$dir" 46 - cargo audit 47 - cd ../.. 48 - fi 49 - done 50 - 51 - node-security-audit: 52 - name: Node.js Security Audit 53 - runs-on: ubuntu-latest 54 - steps: 55 - - name: Checkout repository 56 - uses: actions/checkout@v4 57 - 58 - - name: Install pnpm 59 - uses: pnpm/action-setup@v4 60 - 61 - - name: Setup Node.js 62 - uses: actions/setup-node@v4 63 - with: 64 - node-version: "20" 65 - cache: "pnpm" 66 - 67 - - name: Install dependencies 68 - run: pnpm install --frozen-lockfile 69 - 70 - - name: Run npm audit 71 - run: pnpm audit --prod 72 - 73 - - name: Check for known vulnerabilities 74 - run: | 75 - # Run audit and capture output 76 - pnpm audit --json > audit-results.json || true 77 - 78 - # Check if there are any high or critical vulnerabilities 79 - if jq '.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical")' audit-results.json | grep -q .; then 80 - echo "High or critical vulnerabilities found!" 81 - jq '.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical")' audit-results.json 82 - exit 1 83 - else 84 - echo "No high or critical vulnerabilities found." 
85 - fi 86 - 87 15 codeql-analysis: 88 16 name: CodeQL Analysis 89 17 runs-on: ubuntu-latest ··· 91 19 actions: read 92 20 contents: read 93 21 security-events: write 94 - strategy: 95 - fail-fast: false 96 - matrix: 97 - language: ["javascript", "typescript"] 22 + 98 23 steps: 99 24 - name: Checkout repository 100 25 uses: actions/checkout@v4 ··· 102 27 - name: Initialize CodeQL 103 28 uses: github/codeql-action/init@v3 104 29 with: 105 - languages: ${{ matrix.language }} 30 + languages: "javascript,typescript,rust" 106 31 queries: security-extended,security-and-quality 107 32 108 - - name: Install pnpm 109 - uses: pnpm/action-setup@v4 110 - 111 - - name: Setup Node.js 112 - uses: actions/setup-node@v4 33 + - name: Setup environment for all languages 34 + uses: ./.github/actions/setup 113 35 with: 114 - node-version: "20" 115 - cache: "pnpm" 116 - 117 - - name: Install dependencies 118 - run: pnpm install --frozen-lockfile 36 + setup-node: "true" 37 + setup-rust: "true" 119 38 120 - - name: Build 121 - run: pnpm build 39 + - name: Perform a full build for CodeQL 40 + run: | 41 + echo "Building Node.js projects..." 42 + pnpm build 43 + echo "Building Rust projects..." 
44 + (cd services && cargo build --all-features) 45 + (cd apps/aqua && cargo build --all-features) 122 46 123 47 - name: Perform CodeQL Analysis 124 48 uses: github/codeql-action/analyze@v3 125 - with: 126 - category: "/language:${{matrix.language}}" 127 49 128 50 docker-security-scan: 129 51 name: Docker Security Scan ··· 136 58 - name: Checkout repository 137 59 uses: actions/checkout@v4 138 60 139 - - name: Set up Docker Buildx 140 - uses: docker/setup-buildx-action@v3 141 - 142 - - name: Setup lexicons 143 - run: ./scripts/setup-lexicons.sh 144 - 145 - - name: Install pnpm 146 - uses: pnpm/action-setup@v4 147 - 148 - - name: Setup Node.js 149 - uses: actions/setup-node@v4 61 + - name: Setup environment 62 + uses: ./.github/actions/setup 150 63 with: 151 - node-version: "20" 152 - cache: "pnpm" 64 + setup-node: "true" 65 + lexicons-only-rust: "true" 153 66 154 - - name: Install dependencies and generate lexicons 155 - run: | 156 - pnpm install --frozen-lockfile 157 - pnpm lex:gen --rust-only 67 + - name: Set up Docker Buildx 68 + uses: docker/setup-buildx-action@v3 158 69 159 70 - name: Build Docker image 160 71 uses: docker/build-push-action@v5 ··· 172 83 image-ref: "${{ matrix.service }}:latest" 173 84 format: "sarif" 174 85 output: "trivy-results-${{ matrix.service }}.sarif" 86 + severity: "CRITICAL,HIGH" 87 + exit-code: "1" 175 88 176 89 - name: Upload Trivy scan results to GitHub Security tab 177 90 uses: github/codeql-action/upload-sarif@v3
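Review bot: With `exit-code: "1"` now set on the Trivy step, a scan that finds CRITICAL/HIGH issues fails the job before the Upload Trivy scan results to GitHub Security tab step runs, so exactly the runs that matter never reach the Security tab; give that step `if: always()` so the SARIF is uploaded regardless of the scan result. The CodeQL `languages: "javascript,typescript,rust"` value adds Rust, whose CodeQL support is, as far as I know, still a preview feature — confirm the `init@v3` version in use accepts `rust` for this repository, otherwise the job fails at init. The explicit `cargo build` in Perform a full build for CodeQL only matters if the Rust extractor is configured for a traced build; the JavaScript extractor needs no build at all, so if Rust analysis runs with `build-mode: none` this step is spent CI time — add a comment stating which case applies, e.g. `# Full build required so CodeQL can trace the Rust compilation`.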