Get rid of cross-rs (#270)

Author: moubctez

.github/workflows/lint-web.yml

@@ -30,7 +30,7 @@ jobs:
           submodules: recursive
       - uses: actions/setup-node@v6
         with:
-          node-version: 24
+          node-version: 25
       - name: install deps
         working-directory: ./web
         run: |

.github/workflows/release.yml

@@ -8,6 +8,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  SQLX_OFFLINE: "1"
+  # sccache
+  SCCACHE_GHA_ENABLED: "true"
+  RUSTC_WRAPPER: "sccache"
+
 jobs:
   build-docker-release:
     # Ignore tags with -, like v1.0.0-alpha
@@ -45,41 +51,26 @@ jobs:
     steps:
       - name: Create GitHub release
         id: release
-        uses: softprops/action-gh-release@v2
-        if: startsWith(github.ref, 'refs/tags/')
+        uses: shogo82148/actions-create-release@v1
         with:
           draft: true
           generate_release_notes: true
 
   create-sbom:
-    needs: [create-release, build-docker-release]
+    needs:
+      - create-release
+      - build-docker-release
     uses: ./.github/workflows/sbom.yml
     with:
       upload_url: ${{ needs.create-release.outputs.upload_url }}
 
   build-binaries:
-    needs: [create-release]
+    needs:
+      - create-release
     runs-on:
       - self-hosted
-      - ${{ matrix.os }}
+      - Linux
       - X64
-    strategy:
-      fail-fast: false
-      matrix:
-        build: [linux, linux-arm64, freebsd]
-        include:
-          - build: linux
-            arch: amd64
-            os: Linux
-            target: x86_64-unknown-linux-gnu
-          - build: linux-arm64
-            arch: arm64
-            os: Linux
-            target: aarch64-unknown-linux-gnu
-          - build: freebsd
-            arch: amd64
-            os: Linux
-            target: x86_64-unknown-freebsd
     steps:
       # Store the version, stripping any v-prefix
       - name: Write release version
@@ -93,104 +84,177 @@ jobs:
         with:
           submodules: recursive
 
+      - name: Install NodeJS
+        uses: actions/setup-node@v6
+        with:
+          node-version: 25
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v6
+        with:
+          cache: true
+          version: 10
+
+      # Change to '--frozen-lockfile' once this gets fixed:
+      # https://github.com/pnpm/action-setup/issues/40
+      - name: Build frontend
+        run: pnpm install --ignore-scripts --no-frozen-lockfile && pnpm build
+        working-directory: web
+
       - name: Install Rust stable
-        uses: actions-rs/toolchain@v1
+        uses: dtolnay/rust-toolchain@stable
         with:
-          toolchain: 1.89.0 # "stable" causes rust-lld: error on aarch64-linux          target: ${{ matrix.target }}
-          override: true
+          targets: "aarch64-unknown-linux-gnu"
 
-      - name: Setup `packer`
-        uses: hashicorp/setup-packer@main
-        id: setup
+      - name: Run sccache-cache
+        uses: mozilla-actions/sccache-action@v0.0.9
 
-      - name: Set up Docker BuildX
-        uses: docker/setup-buildx-action@v4
+      - name: Build Linux x86_64 binary
+        run: |
+          cargo build --locked --release --target x86_64-unknown-linux-gnu
+          mv target/x86_64-unknown-linux-gnu/release/defguard-proxy defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu
+          tar -zcf defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.tar.gz \
+            defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu
+
+      - name: Build Linux aarch64 binary
+        env:
+          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
+          PKG_CONFIG_SYSROOT_DIR: /usr/lib/aarch64-linux-gnu
+        run: |
+          cargo build --locked --release --target aarch64-unknown-linux-gnu
+          mv target/aarch64-unknown-linux-gnu/release/defguard-proxy defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu
+          tar -zcf defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.tar.gz \
+            defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu
+
+      - name: Build FreeBSD binary
+        run: |
+          rsync -rlptxzH -e 'ssh -l root' --del ./ freebsd:work/
+          ssh root@freebsd 'cd work && cargo build --locked --release'
+          scp root@freebsd:work/target/release/defguard-proxy defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd
+          tar -zcf defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd.tar.gz \
+            defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd
+
+      - name: Build x86_64 DEB package
+        uses: defGuard/fpm-action@main
         with:
-          config-inline: |
-            [registry."docker.io"]
-              mirrors = ["dockerhub-proxy.teonite.net"]
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture amd64 --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb"
 
-      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+      - name: Build aarch64 DEB package
+        uses: defGuard/fpm-action@main
         with:
-          # FIXME: temporarily pinned because of https://github.com/pnpm/pnpm/pull/9959
-          version: 10.17
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture arm64 --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb"
 
-      - name: Use Node.js
-        uses: actions/setup-node@v6
+      - name: Build x86_64 RPM package
+        uses: defGuard/fpm-action@main
         with:
-          node-version: 25
-          cache: "pnpm"
-          cache-dependency-path: ./web/pnpm-lock.yaml
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture amd64 --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm"
 
-      - name: Install frontend dependencies
-        run: pnpm install --ignore-scripts --frozen-lockfile
-        working-directory: web
+      - name: Build aarch64 RPM package
+        uses: defGuard/fpm-action@main
+        with:
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu=/usr/bin/defguard-proxy
+            defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture arm64 --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-aarch64-unknown-freebsd.rpm"
 
-      - name: Build frontend
-        run: pnpm build
-        working-directory: web
+      - name: Build FreeBSD package
+        uses: defGuard/fpm-action@main
+        with:
+          fpm_args:
+            "defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd=/usr/local/bin/defguard-proxy
+            defguard-proxy.service.freebsd=/usr/local/etc/rc.d/defguard-proxy
+            example-config.toml=/etc/defguard/proxy.toml"
+          fpm_opts: "--architecture amd64 --output-type freebsd --version ${{ env.VERSION }} --package defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg --freebsd-osversion '*' --depends openssl"
 
-      - name: Build release binary
-        uses: actions-rs/cargo@v1
+      - name: Upload Linux x86_64 archive
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          use-cross: true
-          command: build
-          args: --locked --release --target ${{ matrix.target }}
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.tar.gz
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Rename binary
-        run: mv target/${{ matrix.target }}/release/defguard-proxy defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}
+      - name: Upload Linux aarch64 archive
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.tar.gz
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Tar
-        uses: a7ul/tar-action@v1.2.0
+      - name: Upload FreeBSD x86_64 archive
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          command: c
-          files: |
-            defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}
-          outPath: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-freebsd.tar.gz
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Upload release archive
-        uses: actions/upload-release-asset@v1.0.2
+      - name: Upload Linux x86_64 DEB
+        uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
-          asset_name: defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}.tar.gz
-          asset_content_type: application/octet-stream
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.deb
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Build DEB package
-        if: matrix.build == 'linux'
-        uses: bpicode/github-action-fpm@master
+      - name: Upload Linux aarch64 DEB
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type deb --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb"
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.deb
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Upload DEB
-        if: matrix.build == 'linux'
-        uses: actions/upload-release-asset@v1.0.2
+      - name: Upload Linux x86_64 RPM
+        uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
-          asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
-          asset_content_type: application/octet-stream
+          asset_path: defguard-proxy-${{ env.VERSION }}-x86_64-unknown-linux-gnu.rpm
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Build RPM package
-        if: matrix.build == 'linux'
-        uses: bpicode/github-action-fpm@master
+      - name: Upload Linux aarch64 RPM
+        uses: shogo82148/actions-upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          fpm_args: "defguard-proxy-${{ github.ref_name }}-${{ matrix.target }}=/usr/bin/defguard-proxy defguard-proxy.service=/usr/lib/systemd/system/defguard-proxy.service example-config.toml=/etc/defguard/proxy.toml"
-          fpm_opts: "--architecture ${{ matrix.arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm"
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: defguard-proxy-${{ env.VERSION }}-aarch64-unknown-linux-gnu.rpm
+          asset_content_type: application/gzip
+          overwrite: true
 
-      - name: Upload RPM
-        if: matrix.build == 'linux'
-        uses: actions/upload-release-asset@v1.0.2
+      - name: Upload FreeBSD package
+        uses: shogo82148/actions-upload-release-asset@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
-          asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
-          asset_content_type: application/octet-stream
+          asset_path: defguard-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
+          asset_content_type: application/x-pkg
+          overwrite: true

.github/workflows/sbom.yml

@@ -42,7 +42,7 @@ jobs:
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
-      - name: Create docker image SBOM with Trivy
+      - name: Create Docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}"
@@ -62,7 +62,7 @@ jobs:
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
-      - name: Create docker image security advisory file with Trivy
+      - name: Create Docker image security advisory file with Trivy
         uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}"
@@ -79,5 +79,5 @@ jobs:
         with:
           upload_url: ${{ inputs.upload_url }}
           asset_path: "defguard-*.json"
-          asset_content_type: application/octet-stream
+          asset_content_type: application/json
           overwrite: true

.github/workflows/update-repositories.yml

@@ -47,7 +47,7 @@ jobs:
             else
               codename="trixie"
             fi
-            
+
             echo "Uploading $deb_file to $codename"
             deb-s3 upload -l \
               --bucket=apt.defguard.net \
@@ -73,8 +73,8 @@ jobs:
           export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
           export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
           export AWS_REGION=eu-north-1
-          sudo apt update -y
-          sudo apt install -y awscli curl jq
+          sudo apt-get update -y
+          sudo apt-get install -y awscli curl jq
 
           for DIST in trixie bookworm; do
             aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .