l3montree-dev
diff --git a/‎.github/workflows/devguard-scanner.yaml‎
Lines changed: 28 additions & 69 deletions b/‎.github/workflows/devguard-scanner.yaml‎
Lines changed: 28 additions & 69 deletions
diff --git a/‎.github/workflows/mirror-to-gitlab.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/mirror-to-gitlab.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/postgresql.yaml‎
Lines changed: 14 additions & 59 deletions b/‎.github/workflows/postgresql.yaml‎
Lines changed: 14 additions & 59 deletions
diff --git a/‎.gitlab-ci.yml‎
Lines changed: 63 additions & 0 deletions b/‎.gitlab-ci.yml‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.vscode/settings.json‎
Lines changed: 1 addition & 0 deletions b/‎.vscode/settings.json‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Dockerfile‎
Lines changed: 0 additions & 43 deletions b/‎Dockerfile‎
Lines changed: 0 additions & 43 deletions
@@ -52,13 +52,11 @@ jobs:
         path: coverage.out
 
 
-  devguard:
-    uses: l3montree-dev/devguard-action/.github/workflows/full.yml@main
+  code-scanning:
+    uses: l3montree-dev/devguard-action/.github/workflows/code-scanning.yml@nix
     permissions:
-      contents: write
-      actions: read
+      contents: read
       security-events: write
-      packages: write
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
@@ -67,91 +65,52 @@ jobs:
       web-ui: https://main.devguard.org
       continue-on-open-code-risk: true
     secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}       
-      build-args: "--context=. --dockerfile=Dockerfile --build-arg GITHUB_REF_NAME=$GITHUB_REF_NAME --build-arg GITHUB_SHA=$GITHUB_SHA"       
+      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
 
-  build-scanner-image:
-    uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
+  api-pipeline:
+    uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
     permissions:
       contents: read
       packages: write
-    with:
-      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
-      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
-      api-url: https://api.main.devguard.org
-      image-suffix: "scanner"
-    secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}  
-      build-args: "--context=. --dockerfile=Dockerfile.scanner --build-arg GITHUB_REF_NAME=$GITHUB_REF_NAME --build-arg GITHUB_SHA=$GITHUB_SHA"
-
-
-  # Image scanning job to detect vulnerabilities in the built Docker image
-  scanner-container-scanning:
-    uses: l3montree-dev/devguard-action/.github/workflows/container-scanning.yml@main
-    permissions:
-      contents: read
       security-events: write
-    needs: 
-    - build-scanner-image
     with:
+      nix-target-amd64: devguard-amd64
+      nix-target-arm64: devguard-arm64
+      image-name: ghcr.io/${{ github.repository }}
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
-      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
       web-ui: https://main.devguard.org
       fail-on-cvss: high
       fail-on-risk: high
-      image-suffix: "scanner"
-    secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
-      
-  deploy-scanner:
-    needs:
-    - build-scanner-image
-    - scanner-container-scanning
-    - tests
-    uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
-    permissions:
-      contents: read
-      packages: write
-    with:
-      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
-      api-url: https://api.main.devguard.org
-      image-suffix: "scanner"
-    secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}     
-  
-  sign-scanner:
-    needs:
-    - build-scanner-image
-    - scanner-container-scanning
-    - tests
-    uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
-    permissions:
-      contents: read
-      packages: write
-    with:
-      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
-      api-url: https://api.main.devguard.org
-      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
-      image-suffix: "scanner"
+      nix-cache-substituter: https://nix.garage.l3montree.cloud
+      nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
+      nix-cache-s3-bucket: nix
+      nix-cache-region: garage
     secrets:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
-  attest-scanner:
-    needs:
-    - build-scanner-image
-    - scanner-container-scanning
-    - tests
-    uses: l3montree-dev/devguard-action/.github/workflows/attest.yml@main
+  scanner-pipeline:
+    needs: [tests]
+    uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
     permissions:
       contents: read
       packages: write
+      security-events: write
     with:
+      nix-target-amd64: devguard-scanner-amd64
+      nix-target-arm64: devguard-scanner-arm64
+      image-name: ghcr.io/${{ github.repository }}/scanner
+      artifact-name-suffix: scanner
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
-      artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
-      image-suffix: "scanner"
+      web-ui: https://main.devguard.org
+      fail-on-cvss: high
+      fail-on-risk: high
+      nix-cache-substituter: https://nix.garage.l3montree.cloud
+      nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
+      nix-cache-s3-bucket: nix
+      nix-cache-region: garage
     secrets:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
 
@@ -0,0 +1,30 @@
+name: Mirror to GitLab
+
+on:
+  push:
+    branches: ["**"]
+    tags: ["**"]
+
+jobs:
+  mirror:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
+
+      - name: Mirror to GitLab
+        continue-on-error: true
+        run: |
+          git remote add gitlab "https://oauth2:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}.git"
+          # Avoid --mirror, which also pushes refs/remotes/* that GitLab rejects as hidden refs.
+          git push --prune gitlab 'refs/heads/*:refs/heads/*'
+          git push --prune gitlab 'refs/tags/*:refs/tags/*'
+        env:
+          GITLAB_TOKEN: ${{ secrets.GITLAB_MIRROR_TOKEN }}
+          GITLAB_HOST: ${{ vars.GITLAB_HOST }}
+          GITLAB_REPO: ${{ vars.GITLAB_REPO }}
@@ -2,72 +2,27 @@ name: DevGuard PostgreSQL Workflow
 
 on:
   push:
-    tags:
-    - '*'
 
-permissions:
-  contents: read
-
-# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
 jobs:
-  # Docker image build job
-  build-image:
-    uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
+  postgresql-pipeline:
+    uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
     permissions:
       contents: read
       packages: write
+      security-events: write
     with:
-      artifact-name: "postgresql"
-      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
-      api-url: https://api.main.devguard.org
-      image-suffix: "postgresql"
-    secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}  
-      build-args: "--context=. --dockerfile=Dockerfile.postgresql"
-
-  # Image scanning job to detect vulnerabilities in the built Docker image
-  container-scanning:
-    uses: l3montree-dev/devguard-action/.github/workflows/container-scanning.yml@main
-    needs: 
-    - build-image
-    with:
+      nix-target-amd64: postgresql-amd64
+      nix-target-arm64: postgresql-arm64
+      image-name: ghcr.io/${{ github.repository }}/postgresql
+      artifact-name-suffix: postgresql
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
       api-url: https://api.main.devguard.org
-      artifact-name: "postgresql"
       web-ui: https://main.devguard.org
-      image-suffix: "postgresql"
-    secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
-
-  deploy:
-    needs:
-    - build-image
-    - container-scanning
-    uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
-    permissions:
-      contents: read
-      packages: write
-    with:
-      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
-      api-url: https://api.main.devguard.org
-      image-suffix: "postgresql"
-    secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}     
-    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
-  
-  sign:
-    needs:
-    - build-image
-    - container-scanning
-    uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
-    permissions:
-      contents: read
-      packages: write
-    with:
-      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
-      api-url: https://api.main.devguard.org
-      artifact-name: "postgresql"
-      image-suffix: "postgresql"
+      fail-on-cvss: high
+      fail-on-risk: high
+      nix-cache-substituter: https://nix.garage.l3montree.cloud
+      nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
+      nix-cache-s3-bucket: nix
+      nix-cache-region: garage
     secrets:
-      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
-    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
+      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
@@ -0,0 +1,63 @@
+# SPDX-License-Identifier: AGPL-3.0
+# GitLab CI for the devguard repository (mirrored from GitHub).
+
+stages:
+  - .pre
+  - test
+  - build
+  - oci-image
+  - attestation
+
+# ── Lint ──────────────────────────────────────────────────────────────────────
+
+lint:
+  stage: test
+  image: golang:1.25
+  before_script:
+    - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh
+  script:
+    - golangci-lint run --timeout=30m
+
+
+.common: &common
+  devguard_asset_name: "$DEVGUARD_ASSET_NAME"
+  devguard_api_url: "$DEVGUARD_API_URL"
+  devguard_web_ui: "$DEVGUARD_WEB_UI"
+  devguard_token: "$DEVGUARD_TOKEN"
+  nix_cache_substituter: https://nix.garage.l3montree.cloud
+  nix_cache_public_key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
+  nix_cache_s3_bucket: nix
+  nix_cache_region: garage
+  version: nix
+
+
+include:
+# ── api-pipeline ──────────────────────────────────────────────────────────────
+  - remote: https://gitlab.com/l3montree/devguard/-/raw/nix/templates/build-nix-multiarch.yml
+    inputs:
+      <<: *common
+      nix_target_amd64: "devguard-amd64"
+      nix_target_arm64: "devguard-arm64"
+      arm64_runner_tag: "arm"
+
+# ── scanner-pipeline ──────────────────────────────────────────────────────────
+  - remote: https://gitlab.com/l3montree/devguard/-/raw/nix/templates/build-nix-multiarch.yml
+    inputs:
+      <<: *common
+      image_suffix: "scanner"
+      nix_target_amd64: "devguard-scanner-amd64"
+      nix_target_arm64: "devguard-scanner-arm64"
+      arm64_runner_tag: "arm"
+      job_suffix: ":scanner"
+      version: nix
+
+  # ── postgresql-pipeline ──────────────────────────────────────────────────────────
+  - remote: https://gitlab.com/l3montree/devguard/-/raw/nix/templates/build-nix-multiarch.yml
+    inputs:
+      <<: *common
+      image_suffix: "postgresql"
+      nix_target_amd64: "postgresql-amd64"
+      nix_target_arm64: "postgresql-arm64"
+      arm64_runner_tag: "arm"
+      job_suffix: ":postgresql"
+      version: nix
@@ -16,6 +16,7 @@
         "montree",
         "nolint",
         "packageurl",
+        "Pkgs",
         "pypi",
         "sarif",
         "Vulns"