Ci: Multiple actions update; Container signing; Merge ghcr workflow to one; arm64 runner
Summary
runner
- ubuntu-20.04 or ubuntu-22.04 to ubuntu-24.04
- windows-2019 to windows-2022
Actions update
- actions/checkout@v3 to v4
- actions/download-artifact and actions/upload-artifact@v3 to v4
- Replace actions-rs/toolchain@v1 with dtolnay/rust-toolchain@v1, except on Windows, where it causes a "Build UI setup file" error. (But CI still passed, be careful.)
- actions/setup-node@v3 to v4
- softprops/action-gh-release@v1 to v2
- docker/setup-qemu-action@v2 to v3
- docker/setup-buildx-action@v2 to v3
- docker/login-action@v2 to v3
- docker/metadata-action@v4 to v5
Actions add
- Add Swatinem/rust-cache@v2
Actions clean
- docker/setup-qemu-action is not needed to build Debian packages
EOL
I didn't touch anything here
- actions-rs/cargo@v1: It is itself using a deprecated Node.js
- Windows UI is using Node.js 16, which is already EOL https://nodejs.org/en/about/previous-releases
The workflow is tested here: https://github.com/xlionjuan/rustdesk-server/actions/runs/11281222928
Full logs of the "Build UI setup file" if I replace actions-rs/toolchain@v1 with dtolnay/rust-toolchain@v1
https://github.com/xlionjuan/rustdesk-server/actions/runs/11278688217/job/31367721153
Run rustup default nightly
info: syncing channel updates for 'nightly-x86_64-pc-windows-msvc'
info: latest update on 2024-10-10, rust version 1.83.0-nightly (eb4e23467 2024-10-09)
info: downloading component 'cargo'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: installing component 'cargo'
info: installing component 'rust-std'
info: installing component 'rustc'
info: default toolchain set to 'nightly-x86_64-pc-windows-msvc'
nightly-x86_64-pc-windows-msvc installed - rustc 1.83.0-nightly (eb4e23467 2024-10-09)
Updating crates.io index
Downloading crates ...
Compiling proc-macro2 v1.0.51
Compiling unicode-ident v1.0.6
Compiling quote v1.0.23
Compiling syn v1.0.107
Compiling autocfg v1.1.0
Compiling cfg-if v1.0.0
Compiling serde v1.0.152
Compiling serde_derive v1.0.152
error[E0635]: unknown feature `proc_macro_span_shrink`
--> C:\Users\runneradmin\.cargo\registry\src\index.crates.io-6f17d22bba15001f\proc-macro2-1.0.51\src\lib.rs:92:30
|
92 | feature(proc_macro_span, proc_macro_span_shrink)
| ^^^^^^^^^^^^^^^^^^^^^^
Compiling windows_x86_64_msvc v0.42.1
Compiling ppv-lite86 v0.2.17
Compiling siphasher v0.3.10
Compiling version_check v0.9.4
For more information about this error, try `rustc --explain E0635`.
error: could not compile `proc-macro2` (lib) due to 1 previous error
warning: build failed, waiting for other jobs to finish...
..\target\x86_64-pc-windows-msvc\release\hbbr.exe
..\target\x86_64-pc-windows-msvc\release\hbbs.exe
..\target\x86_64-pc-windows-msvc\release\rustdesk-utils.exe
3 File(s) copied
File not found - *.exe
0 File(s) copied
Directory: D:\a\rustdesk-server\rustdesk-server\ui\setup
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/10/2024 5:10 PM logs
Directory: D:\a\rustdesk-server\rustdesk-server\ui
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/10/2024 5:10 PM SignOutput
BTW, I don't know why you made the container names secret; it confused me for a little while when doing CI tests.
${{ secrets.DOCKER_IMAGE }}
${{ secrets.DOCKER_IMAGE_CLASSIC }}
I will add
- [x] Try arm64 runner to build arm64 binaries, reduce build time and footprint
- [x] Merge `ghcr.yml` to single workflow
- [x] Cosign for container signing
- [x] GitHub Attestations for binary signing
- [ ] ~~GitHub Attestations for container signing~~ (Didn't support recursive signing, give up.)
Cosign verify explain
I don't wanna explain what Cosign is, check their README and doc first.
How to verify
First, install cosign; it can be installed via Homebrew and Linuxbrew
Syntax:
cosign verify --rekor-url=https://rekor.sigstore.dev \
--certificate-identity-regexp "https://github.com/{USERNAME}/.*" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
{Container Name}
Example:
cosign verify --rekor-url=https://rekor.sigstore.dev \
--certificate-identity-regexp "https://github.com/xlionjuan/.*" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/xlionjuan/rustdesk-server:3.3.22
Example output:
Verification for ghcr.io/xlionjuan/rustdesk-server:3.3.22 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
[{"critical":{"identity":{"docker-reference":"ghcr.io/xlionjuan/rustdesk-server"},"image":{"docker-manifest-digest":"sha256:411129ba4001864968779414736a821dce4b79d4aaecd38d74b58de4b0c43917"},"type":"cosign container image signature"},"optional":{"1.3.6.1.4.1.57264.1.1":"https://token.actions.githubusercontent.com","1.3.6.1.4.1.57264.1.2":"push","1.3.6.1.4.1.57264.1.3":"1ecc66992e60c65f5c1a443f00c0305f7901d01f","1.3.6.1.4.1.57264.1.4":"build","1.3.6.1.4.1.57264.1.5":"xlionjuan/rustdesk-server","1.3.6.1.4.1.57264.1.6":"refs/tags/3.3.22","Bundle":{"SignedEntryTimestamp":"MEQCIEO297cq01/D3liQONnHr2e0n7rmD1ruz2bMlhnKhJbeAiBMb5A881n/4vetY6PEbQluDnmUVP6QwW0yv7JnwVFRPQ==","Payload":{"body":"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","integratedTime":1737289785,"logIndex":163595599,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"Issuer":"https://token.actions.githubusercontent.com","Subject":"https://github.com/xlionjuan/rustdesk-server/.github/workflows/build.yaml@refs/tags/3.3.22","githubWorkflowName":"build","githubWorkflowRef":"refs/tags/3.3.22","githubWorkflowRepository":"xlionjuan/rustdesk-server","githubWorkflowSha":"1ecc66992e60c65f5c1a443f00c0305f7901d01f","githubWorkflowTrigger":"push"}}]
GitHub Attestations explain
The biggest drawback of this is that you need to log in to gh before using it, but no permissions are needed.
When
- When you want to verify the files you downloaded are from expected source
Which
(Files that can be used with this)
- All `hbbs`, `hbbr` and `rustdesk-utils` binaries, not including the zip files that package them.
- Also `RustDeskServer.Setup.exe` for Windows
- All `.deb` files
Syntax
gh attestation verify --owner {User or Org name} --predicate-type 'https://in-toto.io/attestation/release' {File name}
Example:
gh attestation verify --owner xlionjuan --predicate-type 'https://in-toto.io/attestation/release' hbbr
Example output:
Loaded digest sha256:c63d1c87c35376152285f9ca6d878e07aeab6b097998b5199d7b9c042674b771 for file://hbbr
Loaded 3 attestations from GitHub API
The following policy criteria will be enforced:
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
- Source Repository Owner URI must match:... https://github.com/xlionjuan
- Predicate type must match:................ https://in-toto.io/attestation/release
- Subject Alternative Name must match regex: (?i)^https://github.com/xlionjuan/
✓ Verification succeeded!
sha256:c63d1c87c35376152285f9ca6d878e07aeab6b097998b5199d7b9c042674b771 was attested by:
REPO PREDICATE_TYPE WORKFLOW
xlionjuan/rustdesk-server https://in-toto.io/attestation/release .github/workflows/build.yaml@refs/tags/3.3.25
Summary2
All
- Fix `prefix-key` for all `Swatinem/rust-cache`
- Use GitHub Attestations to attest all binaries
- Using `ubuntu-24.04-arm` for all unimportant jobs, like linking container tags or publishing releases, to reduce footprint
- No need to check out submodules for non-binary build jobs
- Better naming for multiple jobs or steps name
- Change all apt to apt-get
Linux binary build
- Use `${{ matrix.job.os }}` for `runs-on`
  - `ubuntu-24.04-arm` for aarch64 build
  - No cross build toolkit for armv8 -> armv7, so still x86 runner
- Use matrix to define whether using cross build or not
Container building jobs
(Both Classic and s6)
- Merge `ghcr.yml` to `build.yml`
- Disable `ghcr.yml` but not deleted
- Use `ubuntu-24.04-arm` for arm64 and armv7
- Bump S6 overlay to 3.2.0.2
- Use `docker/metadata-action` managing all tags and images
Docker manifest (linking tags)
- Use Cosign for container signing, `--recursive` will sign all the images that it referenced
Debian .deb package
- Use GitHub Attestations to attest all `.deb`s
@rustdesk Please review when you're free
https://github.com/xlionjuan/rustdesk-server/releases/tag/3.3.32 https://github.com/xlionjuan/rustdesk-server/actions/runs/13277208768
You can review
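
The `--certificate-identity-regexp` in the Cosign example above accepts a certificate issued to any workflow in any repository under the account. As an added example (not part of the original PR or the project's code), this Python script applies a stricter check to the JSON that `cosign verify` prints, pinning the signer to one workflow at the tag being pulled. The function name, the trimmed sample, and the assumption that images are signed from a tag push whose tag equals the image tag are assumptions made here.

```python
import json
import re

ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample: the `cosign verify` output shown above, trimmed to the
# fields this policy reads. The digest is a placeholder, not a real value.
SAMPLE = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "ghcr.io/xlionjuan/rustdesk-server"},
        "image": {"docker-manifest-digest": "sha256:" + "0" * 64},
    },
    "optional": {
        "Issuer": ISSUER,
        "Subject": "https://github.com/xlionjuan/rustdesk-server"
                   "/.github/workflows/build.yaml@refs/tags/3.3.22",
    },
}])


def check_signatures(cosign_json, image, repo, workflow):
    """Return (accepted_digests, rejected) for `cosign verify` JSON output."""
    # image: 'registry/owner/name:tag'; repo: 'owner/name'; workflow: file path
    # inside repo. All three are policy inputs chosen by the verifier (assumed).
    reference, _, tag = image.rpartition(":")
    want_subject = f"https://github.com/{repo}/{workflow}@refs/tags/{tag}"
    accepted, rejected = [], []
    for index, sig in enumerate(json.loads(cosign_json)):
        critical = sig.get("critical") or {}
        optional = sig.get("optional") or {}
        digest = (critical.get("image") or {}).get("docker-manifest-digest", "")
        checks = {
            "docker-reference":
                (critical.get("identity") or {}).get("docker-reference") == reference,
            "Issuer": optional.get("Issuer") == ISSUER,
            "Subject": optional.get("Subject") == want_subject,
            "digest": re.fullmatch(r"sha256:[0-9a-f]{64}", digest) is not None,
        }
        failed = [name for name, ok in checks.items() if not ok]
        if failed:
            rejected.append((index, failed))
        else:
            accepted.append(digest)
    return accepted, rejected


if __name__ == "__main__":
    print(check_signatures(SAMPLE, "ghcr.io/xlionjuan/rustdesk-server:3.3.22",
                           "xlionjuan/rustdesk-server", ".github/workflows/build.yaml"))
```

Pull the image by one of the accepted digests rather than by tag, so that what runs is the manifest the signature covers.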