From b23ea6e599f3b5d8b2a952db994b669e85ba9b3c Mon Sep 17 00:00:00 2001 From: "Mauro D." Date: Mon, 24 Mar 2025 16:28:19 +0100 Subject: [PATCH 1/3] Cosign artifacts (closes #1039) --- .github/workflows/ci.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fe20050c..b773d9fd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,6 +41,8 @@ jobs: needs: [linux] if: github.event_name == 'push' || inputs.Docker steps: + - name: Install Cosign + uses: sigstore/cosign-installer@v3 - name: Log In to GitHub Container Registry uses: docker/login-action@v3 with: @@ -82,6 +84,8 @@ jobs: echo "GHCR_DIGEST_SHA=$(cat GHCR_DIGEST_SHA)" | tee -a "${GITHUB_ENV}" docker buildx imagetools inspect --format '{{json .Manifest}}' index.docker.io/${{github.repository}}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json) | jq -r '.digest' > DOCKERHUB_DIGEST_SHA echo "DOCKERHUB_DIGEST_SHA=$(cat DOCKERHUB_DIGEST_SHA)" | tee -a "${GITHUB_ENV}" + cosign sign --yes $(jq --arg GHCR_DIGEST_SHA "$(cat GHCR_DIGEST_SHA)" -cr '.target."docker-metadata-action".tags | map(select(startswith("ghcr.io/${{github.repository}}")) | . + "@" + $GHCR_DIGEST_SHA) | join(" ")' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json) + cosign sign --yes $(jq --arg DOCKERHUB_DIGEST_SHA "$(cat DOCKERHUB_DIGEST_SHA)" -cr '.target."docker-metadata-action".tags | map(select(startswith("index.docker.io/${{github.repository}}")) | . + "@" + $DOCKERHUB_DIGEST_SHA) | join(" ")' ${{ runner.temp }}/${{matrix.variant}}/bake-meta.json) - name: Attest GHCR uses: actions/attest-build-provenance@v2 
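Review bot: Installing cosign here only helps if the job can mint an OIDC token, since `cosign sign --yes` in the later hunk is keyless and needs `id-token: write`; the job's `permissions:` block is outside this hunk, so confirm it grants that (the existing `actions/attest-build-provenance@v2` step in this job needs the same scope, so it is probably already there). `sigstore/cosign-installer@v3` follows the major-tag pinning used by the neighbouring `docker/login-action@v3`, which is consistent, but a commit-SHA pin would be the stronger supply-chain choice for a step that produces signatures. The job definition begins above the hunk.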
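Review bot: The two added `cosign sign` lines select every matching tag from bake-meta.json and append the same digest to each, but cosign signs by digest, so every `tag@digest` argument resolves to the same subject and the tag filtering buys nothing (if cosign does not deduplicate, it also attaches one signature per tag to the same digest). Since the digest is already captured in the `GHCR_DIGEST_SHA` / `DOCKERHUB_DIGEST_SHA` files, signing the digest reference once is simpler and avoids the unquoted `$(…)` word-splitting: `cosign sign --yes "ghcr.io/${{github.repository}}@$(cat GHCR_DIGEST_SHA)"` and `cosign sign --yes "index.docker.io/${{github.repository}}@$(cat DOCKERHUB_DIGEST_SHA)"`. Either way, an empty digest file currently yields a malformed reference and cosign fails, which is the right outcome but deserves a one-line comment so nobody "fixes" it by ignoring the exit code. The `run:` block continues outside the hunk on both sides.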
@@ -411,16 +415,25 @@ jobs: archive/**/*.tar.gz archive/**/*.zip + - name: Use cosign to sign existing artifacts + uses: sigstore/gh-action-sigstore-python@v3.0.0 + with: + inputs: | + archive/**/*.tar.gz + archive/**/*.zip + - name: Release uses: softprops/action-gh-release@v2 with: files: | archive/**/*.tar.gz archive/**/*.zip + archive/**/*.sigstore.json prerelease: ${{!startsWith(github.ref, 'refs/tags/') || null}} tag_name: ${{!startsWith(github.ref, 'refs/tags/') && 'nightly' || null}} + # TODO add instructions about using cosign to verify binary artifact append_body: true body: |
- ## Check binary attestation at [here](${{ steps.attest.outputs.attestation-url }}) + ### Check binary attestation at [here](${{ steps.attest.outputs.attestation-url }}) From 4bb28f0ee75514b9ff79a27a8a387e81a917fb20 Mon Sep 17 00:00:00 2001 From: "Mauro D." Date: Mon, 24 Mar 2025 16:29:38 +0100 Subject: [PATCH 2/3] Bump to FDB 7.3 --- crates/store/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/store/Cargo.toml b/crates/store/Cargo.toml index e402293f..cdda51ae 100644 --- a/crates/store/Cargo.toml +++ b/crates/store/Cargo.toml @@ -9,7 +9,7 @@ utils = { path = "../utils" } nlp = { path = "../nlp" } trc = { path = "../trc" } rocksdb = { version = "0.23", optional = true, features = ["multi-threaded-cf"] } -foundationdb = { version = "0.9.0", features = ["embedded-fdb-include", "fdb-7_1"], optional = true } +foundationdb = { version = "0.9.2", features = ["embedded-fdb-include", "fdb-7_3"], optional = true } rusqlite = { version = "0.32", features = ["bundled"], optional = true } rust-s3 = { version = "=0.35.0-alpha.2", default-features = false, features = ["tokio-rustls-tls", "no-verify-ssl"], optional = true } azure_core = { version = "0.21.0", optional = true } From b7d74942e253bbed4115274a464983bf444933c7 Mon Sep 17 00:00:00 2001 From: "Mauro D." Date: Mon, 24 Mar 2025 16:51:43 +0100 Subject: [PATCH 3/3] Update Dockerfile.build --- Dockerfile.build | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/Dockerfile.build b/Dockerfile.build index 0ec3b853..8883db9d 100644 --- a/Dockerfile.build +++ b/Dockerfile.build 
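Review bot: The step added at the top of the hunk is named `Use cosign to sign existing artifacts` but runs `sigstore/gh-action-sigstore-python@v3.0.0`, which emits `*.sigstore.json` bundles that users check with `cosign verify-blob --bundle` or `sigstore verify`; rename it (e.g. `Sign release archives with Sigstore`) so the log and the release notes point at the right tool. The added `# TODO add instructions` is the real gap: the release body should tell users to verify each archive against its `.sigstore.json` bundle with `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and a `--certificate-identity-regexp` matching this repository's workflow, otherwise the bundles are uploaded but nobody can tell a valid signature from one issued to another identity. Keyless signing here also needs `id-token: write` on the job; its `permissions:` block is outside the hunk, so confirm it is set. The action is pinned to a full version (`v3.0.0`) while nearby steps use major tags — either is fine, but pick one convention for the file.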
@@ -28,11 +28,6 @@ RUN \ ln -s "/usr/local/zig-linux-$(uname -m)-${ZIG_VERSION}/zig" /usr/local/bin/zig # Install cargo-binstall RUN curl --retry 5 -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash -# Install FoundationDB -# TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293 -# Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target. -# The last command is for future build use, so if you are building on a native arm64 device, please use docker qemu. -RUN curl --retry 5 -Lso /usr/lib/libfdb_c.so "$(curl --retry 5 -Ls 'https://api.github.com/repos/apple/foundationdb/releases' | jq --arg arch "$(uname -m)" -r '.[] | select(.prerelease == false) | .assets[] | select(.name | test("libfdb_c." + $arch + ".so")) | .browser_download_url' | head -n1)" # Install cargo-chef & sccache & cargo-zigbuild RUN cargo binstall --no-confirm cargo-chef sccache cargo-zigbuild 
@@ -56,24 +51,31 @@ ARG BUILD_ENV SHELL ["/bin/bash", "-o", "pipefail", "-c"] # Install toolchain and specify some env variables RUN \ - rustup set profile minimal && \ - rustup target add ${TARGET} && \ - mkdir -p artifact && \ - touch /env-cargo && \ - if [ ! -z "${BUILD_ENV}" ]; then \ - echo "export ${BUILD_ENV}" >> /env-cargo; \ - echo "Setting up ${BUILD_ENV}"; \ - fi + rustup set profile minimal && \ + rustup target add ${TARGET} && \ + mkdir -p artifact && \ + touch /env-cargo && \ + if [ ! -z "${BUILD_ENV}" ]; then \ + echo "export ${BUILD_ENV}" >> /env-cargo; \ + echo "Setting up ${BUILD_ENV}"; \ + fi && \ + if [[ "${TARGET}" == *gnu ]]; then \ + echo "export FDB_ARCH=${TARGET%%-*}" >> /env-cargo; \ + fi +# Install FoundationDB +RUN \ + source /env-cargo && \ + if [ ! -z "${FDB_ARCH}" ]; then \ + curl --retry 5 -Lso /usr/lib/libfdb_c.so "$(curl --retry 5 -Ls 'https://api.github.com/repos/apple/foundationdb/releases' | jq --arg FDB_ARCH "$FDB_ARCH" -r '.[] | select(.prerelease == false) | .assets[] | select(.name | test("libfdb_c." + $FDB_ARCH + ".so")) | .browser_download_url' | head -n1)"; \ + fi # Cargo-chef Cache layer RUN \ --mount=type=secret,id=ACTIONS_CACHE_URL,env=ACTIONS_CACHE_URL \ --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \ --mount=type=cache,target=/usr/local/cargo/registry \ --mount=type=cache,target=/usr/local/cargo/git \ - # TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293 - # Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target. source /env-cargo && \ - if [ "${TARGET}" = "x86_64-unknown-linux-gnu" ]; then \ + if [ ! -z "${FDB_ARCH}" ]; then \ RUSTFLAGS="-L /usr/lib" cargo chef cook --recipe-path recipe.json --zigbuild --release --target ${TARGET} -p mail-server --no-default-features --features "foundationdb elastic s3 redis enterprise"; \ fi RUN \ 
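Review bot: The new `# Install FoundationDB` RUN still downloads whichever asset the unauthenticated GitHub releases API lists first for the newest non-prerelease, so the client library is unpinned and unverified while `crates/store/Cargo.toml` in this series is now bound to the `fdb-7_3` API; a later 7.4+ release would silently change the library under the build, and an API rate-limit response yields an empty URL and an opaque curl failure. Pin the release in an `ARG` next to `ARG BUILD_ENV`, fetch the asset directly, and add a checksum once the per-arch digests are recorded. Separately, `if [ ! -z "${FDB_ARCH}" ]` appears twice in this hunk and once in the `@@ -88,16` hunk below; `[ -n "${FDB_ARCH}" ]` is the conventional form. The `SHELL ["/bin/bash", …]` context line is what makes `[[ "${TARGET}" == *gnu ]]` and `${TARGET%%-*}` safe here, so keep that ordering if the stage is ever split.
```dockerfile
ARG FDB_VERSION=PLACEHOLDER_FDB_7_3_RELEASE
# … unchanged: toolchain RUN that writes FDB_ARCH into /env-cargo …
# Install FoundationDB client library, pinned to the release matching the fdb-7_3 feature in crates/store/Cargo.toml
RUN \
    source /env-cargo && \
    if [ -n "${FDB_ARCH}" ]; then \
        curl --retry 5 -Lso /usr/lib/libfdb_c.so "https://github.com/apple/foundationdb/releases/download/${FDB_VERSION}/libfdb_c.${FDB_ARCH}.so" && \
        echo "PLACEHOLDER_SHA256_FOR_${FDB_ARCH}  /usr/lib/libfdb_c.so" | sha256sum -c -; \
    fi
```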
@@ -88,16 +90,14 @@ RUN \ COPY . . ENV RUSTC_WRAPPER="sccache" \ SCCACHE_GHA_ENABLED=true -# Build foundationdb version +# Build FoundationDB version RUN \ --mount=type=secret,id=ACTIONS_CACHE_URL,env=ACTIONS_CACHE_URL \ --mount=type=secret,id=ACTIONS_RUNTIME_TOKEN,env=ACTIONS_RUNTIME_TOKEN \ --mount=type=cache,target=/usr/local/cargo/registry \ --mount=type=cache,target=/usr/local/cargo/git \ - # TODO According to https://github.com/apple/foundationdb/issues/11448#issuecomment-2417766293 - # Once FoundationDB v7.3.53 gets released, we should be able to build the aarch64-unknown-linux-gnu target. source /env-cargo && \ - if [ "${TARGET}" = "x86_64-unknown-linux-gnu" ]; then \ + if [ ! -z "${FDB_ARCH}" ]; then \ RUSTFLAGS="-L /usr/lib" cargo zigbuild --release --target ${TARGET} -p mail-server --no-default-features --features "foundationdb elastic s3 redis enterprise"; \ mv /app/target/${TARGET}/release/stalwart-mail /app/artifact/stalwart-mail-foundationdb; \ fi