Skip to content

build(deps): bump thiserror from 1.0.69 to 2.0.17 #47

build(deps): bump thiserror from 1.0.69 to 2.0.17

build(deps): bump thiserror from 1.0.69 to 2.0.17 #47

Workflow file for this run

name: Build Docker Image
on:
push:
branches: [main]
tags: ['v*']
paths-ignore:
- 'site/**'
- 'docs/**'
- 'samples/**'
- '*.md'
- 'LICENSE'
- '.gitleaks*'
- '.github/workflows/pages.yml'
- '.github/workflows/docs.yml'
workflow_dispatch:
schedule:
# Weekly vulnerability check (Mondays 9am UTC)
- cron: '0 9 * * 1'
permissions:
contents: read
concurrency:
group: docker-${{ github.ref }}
cancel-in-progress: true
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository_owner }}/hone-money
jobs:
# Security scans run in parallel with each other and with builds
security-scan-rust:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
with:
toolchain: '1.92.0'
- name: Cache cargo-audit binary
id: cache-cargo-audit
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: ~/.cargo/bin/cargo-audit
key: cargo-audit-0.22.0
- name: Install cargo-audit
if: steps.cache-cargo-audit.outputs.cache-hit != 'true'
run: cargo install cargo-audit --version 0.22.0 --locked
- name: Rust dependency audit
run: cargo audit
security-scan-node:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
sparse-checkout: |
ui/package.json
ui/package-lock.json
- name: Setup Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
- name: Node dependency audit
working-directory: ui
run: npm audit --audit-level=high
build-backend-amd64:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
with:
toolchain: '1.92.0'
- name: Cache cargo
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-amd64-${{ hashFiles('**/Cargo.lock') }}
restore-keys: ${{ runner.os }}-cargo-amd64-
- name: Install OpenSSL (for SQLCipher)
run: sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev
- name: Build backend
run: cargo build --release --bin hone
- name: Set executable permission
run: chmod +x target/release/hone
- name: Upload binary
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: hone-x86_64-unknown-linux-gnu
path: target/release/hone
build-backend-arm64:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Install Rust
uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
with:
toolchain: '1.92.0'
targets: aarch64-unknown-linux-gnu
- name: Cache cargo
uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6.1.0
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-arm64-${{ hashFiles('**/Cargo.lock') }}
restore-keys: ${{ runner.os }}-cargo-arm64-
- name: Install cross
run: |
if ! command -v cross &> /dev/null; then
cargo install cross --git https://github.com/cross-rs/cross --tag v0.2.5
fi
- name: Build backend
run: cross build --release --bin hone --target aarch64-unknown-linux-gnu
- name: Set executable permission
run: chmod +x target/aarch64-unknown-linux-gnu/release/hone
- name: Upload binary
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: hone-aarch64-unknown-linux-gnu
path: target/aarch64-unknown-linux-gnu/release/hone
build-frontend:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Setup Node
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version: '24'
cache: 'npm'
cache-dependency-path: ui/package-lock.json
- name: Install dependencies
working-directory: ui
run: npm ci
- name: Build frontend
working-directory: ui
run: npm run build
- name: Upload frontend
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: frontend-dist
path: ui/dist
build-image:
# Wait for all builds AND security scans before pushing
needs: [security-scan-rust, security-scan-node, build-backend-amd64, build-backend-arm64, build-frontend]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
actions: read
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- name: Download AMD64 binary
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: hone-x86_64-unknown-linux-gnu
path: ./binaries/amd64
- name: Download ARM64 binary
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: hone-aarch64-unknown-linux-gnu
path: ./binaries/arm64
- name: Download frontend
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: frontend-dist
path: ./ui/dist
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Login to GHCR
uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata for Docker
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=sha,prefix=
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest,enable={{is_default_branch}}
- name: Set binary permissions
run: |
chmod +x binaries/amd64/hone
chmod +x binaries/arm64/hone
- name: Build image (amd64 for scanning)
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
file: Dockerfile.release
platforms: linux/amd64
load: true
tags: ${{ env.IMAGE_NAME }}:scan
- name: Scan image for vulnerabilities
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ${{ env.IMAGE_NAME }}:scan
format: 'table'
severity: 'CRITICAL,HIGH'
trivyignores: .trivyignore
exit-code: '1'
- name: Full vulnerability report (check for newly fixed CVEs)
if: github.event_name == 'schedule'
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: ${{ env.IMAGE_NAME }}:scan
format: 'table'
severity: 'CRITICAL,HIGH'
- name: Build and push (multi-arch)
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
file: Dockerfile.release
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}