Update Rust, Crates, Profile and Actions (#4126)

- Updated Rust to v1.74.0
- Updated all crates (where possible)
- Changed release profile to use
  * fat lto
  * 1 codegen-unit
  This should optimize a bit for speed and a lot for size ~15MB smaller
- Updated Github actions to use caching for the bake process
- Added a schedule to clean the cache every week to prevent stale Debian/Alpine base images
- During the release action, the Alpine/static binaries are added as artifects.
  Later we could also automatically add them to the releases maybe.
- Added CODEWONERS to prevent unchecked changes to github actions workflows

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+/.github @dani-garcia @BlackDex
+/.github/CODEOWNERS @dani-garcia @BlackDex
+/.github/workflows/** @dani-garcia @BlackDex

.github/workflows/build.yml

@@ -46,7 +46,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: "Checkout"
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
       # End Checkout the repo
 
 

.github/workflows/hadolint.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       # End Checkout the repo
 
       # Download hadolint - https://github.com/hadolint/hadolint/releases

.github/workflows/release.yml

@@ -14,7 +14,6 @@ on:
 
     branches: # Only on paths above
       - main
-      - release-build-revision
 
     tags: # Always, regardless of paths above
       - '*'
@@ -31,7 +30,7 @@ jobs:
     steps:
       - name: Skip Duplicates Actions
         id: skip_check
-        uses: fkirc/skip-duplicate-actions@12aca0a884f6137d619d6a8a09fcc3406ced5281 # v5.3.0
+        uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
         with:
           cancel_others: 'true'
         # Only run this when not creating a tag
@@ -42,12 +41,12 @@ jobs:
     timeout-minutes: 120
     needs: skip_check
     if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
-    # TODO: Start a local docker registry to be used to extract the final Alpine static build images
-    # services:
-    #   registry:
-    #     image: registry:2
-    #     ports:
-    #       - 5000:5000
+    # Start a local docker registry to extract the final Alpine static build binaries
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
     env:
       SOURCE_COMMIT: ${{ github.sha }}
       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
@@ -69,7 +68,7 @@ jobs:
     steps:
       # Checkout the repo
       - name: Checkout
-        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
@@ -140,6 +139,12 @@ jobs:
         run: |
           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
 
+      - name: Add registry for ghcr.io
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
+
       # Login to Quay.io
       - name: Login to Quay.io
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -155,8 +160,28 @@ jobs:
         run: |
           echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
 
+      - name: Configure build cache from/to
+        shell: bash
+        run: |
+          #
+          # Check if there is a GitHub Container Registry Login and use it for caching
+          if [[ -n "${HAVE_GHCR_LOGIN}" ]]; then
+            echo "BAKE_CACHE_FROM=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }}" | tee -a "${GITHUB_ENV}"
+            echo "BAKE_CACHE_TO=type=registry,ref=${{ vars.GHCR_REPO }}-buildcache:${{ matrix.base_image }},mode=max" | tee -a "${GITHUB_ENV}"
+          else
+            echo "BAKE_CACHE_FROM="
+            echo "BAKE_CACHE_TO="
+          fi
+          #
+
+      - name: Add localhost registry
+        if: ${{ matrix.base_image == 'alpine' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}localhost:5000/vaultwarden/server" | tee -a "${GITHUB_ENV}"
+
       - name: Bake ${{ matrix.base_image }} containers
-        uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0
+        uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d # v4.1.0
         env:
           BASE_TAGS: "${{ env.BASE_TAGS }}"
           SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
@@ -168,3 +193,76 @@ jobs:
           push: true
           files: docker/docker-bake.hcl
           targets: "${{ matrix.base_image }}-multi"
+          set: |
+            *.cache-from=${{ env.BAKE_CACHE_FROM }}
+            *.cache-to=${{ env.BAKE_CACHE_TO }}
+
+
+      # Extract the Alpine binaries from the containers
+      - name: Extract binaries
+        if: ${{ matrix.base_image == 'alpine' }}
+        shell: bash
+        run: |
+          # Check which main tag we are going to build determined by github.ref_type
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            EXTRACT_TAG="latest"
+          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+            EXTRACT_TAG="testing"
+          fi
+
+          # After each extraction the image is removed.
+          # This is needed because using different platforms doesn't trigger a new pull/download
+
+          # Extract amd64 binary
+          docker create --name amd64 --platform=linux/amd64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp amd64:/vaultwarden vaultwarden-amd64
+          docker rm --force amd64
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+          # Extract arm64 binary
+          docker create --name arm64 --platform=linux/arm64 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp arm64:/vaultwarden vaultwarden-arm64
+          docker rm --force arm64
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+          # Extract armv7 binary
+          docker create --name armv7 --platform=linux/arm/v7 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp armv7:/vaultwarden vaultwarden-armv7
+          docker rm --force armv7
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+          # Extract armv6 binary
+          docker create --name armv6 --platform=linux/arm/v6 "vaultwarden/server:${EXTRACT_TAG}-alpine"
+          docker cp armv6:/vaultwarden vaultwarden-armv6
+          docker rm --force armv6
+          docker rmi --force "vaultwarden/server:${EXTRACT_TAG}-alpine"
+
+      # Upload artifacts to Github Actions
+      - name: "Upload amd64 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-amd64
+          path: vaultwarden-amd64
+
+      - name: "Upload arm64 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-arm64
+          path: vaultwarden-arm64
+
+      - name: "Upload armv7 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv7
+          path: vaultwarden-armv7
+
+      - name: "Upload armv6 artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        if: ${{ matrix.base_image == 'alpine' }}
+        with:
+          name: vaultwarden-${{ env.SOURCE_VERSION }}-linux-armv6
+          path: vaultwarden-armv6
+      # End Upload artifacts to Github Actions

.github/workflows/releasecache-cleanup.yml

@@ -0,0 +1,25 @@
+on:
+  workflow_dispatch:
+    inputs:
+      manual_trigger:
+        description: "Manual trigger buildcache cleanup"
+        required: false
+        default: ""
+
+  schedule:
+    - cron: '0 1 * * FRI'
+
+name: Cleanup
+jobs:
+  releasecache-cleanup:
+    name: Releasecache Cleanup
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    steps:
+      - name: Delete vaultwarden-buildcache containers
+        uses: actions/delete-package-versions@0d39a63126868f5eefaa47169615edd3c0f61e20 # v4.1.1
+        with:
+          package-name: 'vaultwarden-buildcache'
+          package-type: 'container'
+          min-versions-to-keep: 0
+          delete-only-untagged-versions: 'false'

.github/workflows/trivy.yml

@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - release-build-revision
     tags:
       - '*'
   pull_request:
@@ -29,7 +28,7 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1
+        uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # v0.14.0
         with:
           scan-type: repo
           ignore-unfixed: true

Cargo.toml

@@ -3,7 +3,7 @@ name = "vaultwarden"
 version = "1.0.0"
 authors = ["Daniel García <dani-garcia@users.noreply.github.com>"]
 edition = "2021"
-rust-version = "1.71.1"
+rust-version = "1.72.1"
 resolver = "2"
 
 repository = "https://github.com/dani-garcia/vaultwarden"
@@ -55,8 +55,8 @@ num-traits = "0.2.17"
 num-derive = "0.4.1"
 
 # Web framework
-rocket = { version = "0.5.0-rc.4", features = ["tls", "json"], default-features = false }
-rocket_ws = { version ="0.1.0-rc.4" }
+rocket = { version = "0.5.0", features = ["tls", "json"], default-features = false }
+rocket_ws = { version ="0.1.0" }
 
 # WebSockets libraries
 tokio-tungstenite = "0.20.1"
@@ -70,7 +70,7 @@ futures = "0.3.29"
 tokio = { version = "1.34.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] }
 
 # A generic serialization/deserialization framework
-serde = { version = "1.0.192", features = ["derive"] }
+serde = { version = "1.0.193", features = ["derive"] }
 serde_json = "1.0.108"
 
 # A safe, extensible ORM and Query builder
@@ -83,10 +83,10 @@ libsqlite3-sys = { version = "0.27.0", features = ["bundled"], optional = true }
 
 # Crypto-related libraries
 rand = { version = "0.8.5", features = ["small_rng"] }
-ring = "0.17.5"
+ring = "0.17.6"
 
 # UUID generation
-uuid = { version = "1.5.0", features = ["v4"] }
+uuid = { version = "1.6.1", features = ["v4"] }
 
 # Date and time libraries
 chrono = { version = "0.4.31", features = ["clock", "serde"], default-features = false }
@@ -97,10 +97,10 @@ time = "0.3.30"
 job_scheduler_ng = "2.0.4"
 
 # Data encoding library Hex/Base32/Base64
-data-encoding = "2.4.0"
+data-encoding = "2.5.0"
 
 # JWT library
-jsonwebtoken = "9.1.0"
+jsonwebtoken = "9.2.0"
 
 # TOTP library
 totp-lite = "2.0.1"
@@ -112,11 +112,11 @@ yubico = { version = "0.11.0", features = ["online-tokio"], default-features = f
 webauthn-rs = "0.3.2"
 
 # Handling of URL's for WebAuthn and favicons
-url = "2.4.1"
+url = "2.5.0"
 
 # Email libraries
-lettre = { version = "0.11.1", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
-percent-encoding = "2.3.0" # URL encoding library used for URL's in the emails
+lettre = { version = "0.11.2", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.4"
 
 # HTML Template library
@@ -128,7 +128,7 @@ reqwest = { version = "0.11.22", features = ["stream", "json", "deflate", "gzip"
 # Favicon extraction libraries
 html5gum = "0.5.7"
 regex = { version = "1.10.2", features = ["std", "perf", "unicode-perl"], default-features = false }
-data-url = "0.3.0"
+data-url = "0.3.1"
 bytes = "1.5.0"
 
 # Cache function results (Used for version check and favicon fetching)
@@ -167,10 +167,12 @@ rpassword = "7.3.1"
 
 
 # Strip debuginfo from the release builds
-# Also enable thin LTO for some optimizations
+# The symbols are the provide better panic traces
+# Also enable fat LTO and use 1 codegen unit for optimizations
 [profile.release]
 strip = "debuginfo"
-lto = "thin"
+lto = "fat"
+codegen-units = 1
 
 
 # A little bit of a speedup

docker/DockerSettings.yaml

@@ -4,7 +4,7 @@ vault_image_digest: "sha256:419e4976921f98f1124f296ed02e68bf7f8ff29b3f1fba59e7e7
 # Cross Compile Docker Helper Scripts v1.3.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc"
-rust_version: 1.73.0 # Rust version to be used
+rust_version: 1.74.0 # Rust version to be used
 debian_version: bookworm # Debian release name to be used
 alpine_version: 3.18 # Alpine version to be used
 # For which platforms/architectures will we try to build images

docker/Dockerfile.alpine

@@ -31,10 +31,10 @@ FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:419e4976921f9
 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
 ## And for Alpine we define all build images here, they will only be loaded when actually used
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.73.0 as build_amd64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.73.0 as build_arm64
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.73.0 as build_armv7
-FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.73.0 as build_armv6
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:x86_64-musl-stable-1.74.0 as build_amd64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:aarch64-musl-stable-1.74.0 as build_arm64
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:armv7-musleabihf-stable-1.74.0 as build_armv7
+FROM --platform=linux/amd64 ghcr.io/blackdex/rust-musl:arm-musleabi-stable-1.74.0 as build_armv6
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006

docker/Dockerfile.debian

@@ -35,7 +35,7 @@ FROM --platform=linux/amd64 docker.io/tonistiigi/xx@sha256:c9609ace652bbe51dd4ce
 
 ########################## BUILD IMAGE ##########################
 # hadolint ignore=DL3006
-FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.73.0-slim-bookworm as build
+FROM --platform=$BUILDPLATFORM docker.io/library/rust:1.74.0-slim-bookworm as build
 COPY --from=xx / /
 ARG TARGETARCH
 ARG TARGETVARIANT

rust-toolchain.toml

@@ -1,4 +1,4 @@
 [toolchain]
-channel = "1.73.0"
+channel = "1.74.0"
 components = [ "rustfmt", "clippy" ]
 profile = "minimal"