According to the docs:
https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/control-deployments#using-environments-without-deployments
This is useful when you want to use environments for:
- Organizing secrets—group related secrets under an environment name without creating deployment records.
- Access control—restrict which branches can use certain secrets via environment branch policies, without deployment tracking.
- CI and testing jobs—reference an environment for its configuration without adding noise to the deployment history.
From the `attest-build-provenance` changelog:
> As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.
> Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead. Please see the actions/attest repository for usage information.
Updated all crates which are possible.
Updated all GitHub Actions to their latest version.
There was a supply-chain attack on the trivy action to which we were not exposed since we were using pinned sha hashes.
The latest version v0.35.0 is not vulnerable and that version will be used with this commit.
Also removed `dtolnay/rust-toolchain` as suggested by zizmor and adjusted the way to install the correct toolchain.
Since this GitHub Action did not use any version tagging, it was also cumbersome to update.
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated all crates
- Updated web-vault to v2025.12.2
- Updated all JavaScript files
- Updated all GitHub Action Workflows
Also added the `concurrency` option to all workflows.
Signed-off-by: BlackDex <black.dex@gmail.com>
- zstd support has been added in Docker v23
- Debian Bookworm/Bullseye ships with Docker v20.10
- Revert for now to maintain compatibility with older releases
- Updated all the crates except for Diesel.
Diesel is pinned at v2.3.3 since newer versions break MySQL/MariaDB.
- Updated all the GHA workflows
- Fixed an issue with a migration breaking on an empty MySQL/MariaDB database.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use an older version of mariadb to prevent a panic
The Debian builds use a newer version of libmariadb which causes Diesel to panic on certain queries.
This commit prevents this by using an older version of libmariadb which doesn't cause this panic.
The Alpine based versions use a patched version which reverts the commit in the libmariadb library which causes this panic.
In the future this might be fixed in Diesel itself (https://github.com/dani-garcia/vaultwarden/issues/6416#issuecomment-3508822097), but until then, we use an older version of the library.
Fixes #6416
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update GHA versions
Signed-off-by: BlackDex <black.dex@gmail.com>
* Resolve docker build check issue
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Optimizations and build speedup
With this commit I have changed several components to be more efficient.
This can be less llvm-lines generated or less `clone()` calls.
### Config
- Re-ordered the `make_config` macro to be more efficient
- Created a custom Deserializer for `ConfigBuilder`, less code and more efficient
- Use structs for the `prepare_json` function instead of generating a custom JSON object.
This generates less code and is more efficient.
- Updated the `get_support_string` function to handle the masking differently.
This generates less code and also was able to remove some sub-macro-calls
### Error
- Added an extra new call to prevent duplicate Strings in generated macro code.
This generated less llvm-lines and seems to be more efficient.
- Created a custom Serializer for `ApiError` and `CompactApiError`
This makes that struct smaller in size, so better for memory, but also less llvm-lines.
### General
- Removed `once_lock` and replaced it all with Rust's std LazyLock
- Added and fixed some Clippy lints which reduced `clone()` calls for example.
- Updated build profiles for more efficiency
Also added a new profile specifically for CI, which should decrease the build check
- Updated several GitHub Workflows for better security and use the new `ci` build profile
- Updated to Rust v1.90.0 which uses a new linker `rust-lld` which should help in faster building
- Updated the Cargo.toml for all crates to better use the `workspace` variables
- Added a `typos` Workflow and Pre-Commit, which should help in detecting spelling errors.
Also fixed a few found by it.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix release profile
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update typos and remove mimalloc check from pre-commit checks
Signed-off-by: BlackDex <black.dex@gmail.com>
* Misc fixes and updated typos
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update crates and workflows
Signed-off-by: BlackDex <black.dex@gmail.com>
* Fix formatting and pre-commit
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update to Rust v1.91 and update crates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update web-vault to v2025.10.1 and xx to v1.8.0
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
* Use Diesel's MultiConnections Derive
With this PR we remove almost all custom macros to create the multiple database type code. This is now handled by Diesel itself.
This removed the need of the following functions/macros:
- `db_object!`
- `::to_db`
- `.from_db()`
It is also possible to just use one schema instead of multiple per type.
Also done:
- Refactored the SQLite backup function
- Some formatting of queries so every call is on a separate line, this looks a bit better
- Declare `conn` as mut inside each `db_run!` instead of having to declare it as `mut` in functions or calls
- Added an `ACTIVE_DB_TYPE` static which holds the currently active database type
- Removed `diesel_logger` crate and use Diesel's `set_default_instrumentation()`
If you want debug queries you can now simply change the log level of `vaultwarden::db::query_logger`
- Use PostgreSQL v17 in the Alpine images to match the Debian Trixie version
- Optimized the Workflows since `diesel_logger` isn't needed anymore
And on the extra plus-side, this lowers the compile-time and binary size too.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjust query_logger and some other small items
Signed-off-by: BlackDex <black.dex@gmail.com>
* Remove macro, replaced with a function
Signed-off-by: BlackDex <black.dex@gmail.com>
* Implement custom connection manager
Signed-off-by: BlackDex <black.dex@gmail.com>
* Updated some crates to keep up2date
Signed-off-by: BlackDex <black.dex@gmail.com>
* Small adjustment
Signed-off-by: BlackDex <black.dex@gmail.com>
* crate updates
Signed-off-by: BlackDex <black.dex@gmail.com>
* Update crates
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>
- Update crates to the latest version (Some are yanked and downgraded)
- Update GHA's
- Update web-vault to v2025.8.0
Signed-off-by: BlackDex <black.dex@gmail.com>
- Updated all the crates, which probably fixes #5959
- Updated all the workflows and tested it with zizmor
Also added zizmor as a workflow itself.
- Updated the issue template to better mention to search first.
Signed-off-by: BlackDex <black.dex@gmail.com>
Updated all the crates to the latest version.
We can unpin mimalloc, since the musl issues have been fixed
Also fix a RUSTSEC https://osv.dev/vulnerability/RUSTSEC-2025-0023 for tokio
Fixed some clippy lints reported by nightly.
Ensure lints and are also run on the macro crate.
This resulted in some lints being triggered, which I fixed.
Updated some GHA uses.
Signed-off-by: BlackDex <black.dex@gmail.com>
This commit updates the workflow files and also fixes some security issues which were reported by using zizmor https://github.com/woodruffw/zizmor
Signed-off-by: BlackDex <black.dex@gmail.com>
* Add Attestations for containers and artifacts
This commit will add attestation actions to sign the containers and binaries which can be verified via the gh cli.
https://cli.github.com/manual/gh_attestation_verify
The binaries from both Alpine and Debian based images are extracted and attested so that you can verify the binaries of all the containers.
Signed-off-by: BlackDex <black.dex@gmail.com>
* Adjust attest to use globbing
Signed-off-by: BlackDex <black.dex@gmail.com>
---------
Signed-off-by: BlackDex <black.dex@gmail.com>