Release/2.1.0

.env-dist

@@ -0,0 +1,45 @@
+#
+# General
+#
+COMPOSE_PROJECT_NAME=rengine
+
+#
+# SSL specific configuration
+#
+AUTHORITY_NAME=reNgine-ng
+AUTHORITY_PASSWORD=nSrmNkwT
+COMPANY=reNgine-ng
+DOMAIN_NAME=rengine-ng.example.com
+COUNTRY_CODE=US
+STATE=Georgia
+CITY=Atlanta
+
+#
+# Database configurations 
+# /!\ POSTGRES_USER & PG_USER must be the same user or Celery will fail to start
+#
+POSTGRES_DB=rengine
+POSTGRES_USER=rengine
+PGUSER=rengine
+POSTGRES_PASSWORD=hE2a5@K&9nEY1fzgA6X
+POSTGRES_PORT=5432
+POSTGRES_HOST=db
+
+#
+# Celery Scaling Configurations
+# The number of CONCURRENCY defines how many scans will run in parallel
+# See https://github.com/Security-Tools-Alliance/rengine-ng/wiki/quick#determining-concurrency-values for more information.
+# Please always keep minimum of 5
+#
+MIN_CONCURRENCY=5
+MAX_CONCURRENCY=30
+
+#
+# This section is for non-interactive installations only
+#
+# reNgine-ng installation type (prebuilt or source)
+INSTALL_TYPE=pre-built
+# reNgine-ng web interface super user
+DJANGO_SUPERUSER_USERNAME=rengine
+DJANGO_SUPERUSER_EMAIL=rengine@example.com
+DJANGO_SUPERUSER_PASSWORD=Sm7IJG.IfHAFw9snSKv

.github/release.yml

@@ -11,3 +11,4 @@ changelog:
         - refactor
         - dependencies
         - documentation
+        - ci

.github/workflows/build.yml

@@ -1,35 +1,105 @@
-name: Build Docker image
+name: Docker Image CI
 
 on:
+  pull_request:
+    paths:
+      - 'docker/**'
   push:
-    branches: [ master ]
-  schedule:
-    - cron: '0 18 * * 5'
+    branches:
+      - "master"
+      - "release/**"
+    paths:
+      - 'docker/**'
+    tags:
+      - "v*.*.*"
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      push_image:
+        description: 'Push image to registry'
+        required: true
+        default: 'false'
+        type: choice
+        options:
+        - 'true'
+        - 'false'
+
+env:
+  REGISTRY: ghcr.io
+  OWNER: security-tools-alliance
+  PROJECT: rengine-ng
 
 jobs:
-  build:
-    name: Build Docker image
+  build-and-push:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: [celery, web, postgres, redis, ollama, certs, proxy]
+        platform: [linux/amd64, linux/arm64]
     steps:
-      - name: Checkout the git repo
+      - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Log in to Docker Hub
-        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Get version
+        id: get_version
+        run: |
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
+          else
+            echo "VERSION=latest" >> $GITHUB_OUTPUT
+          fi
 
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        if: github.event_name != 'pull_request' || github.event.inputs.push_image == 'true'
+        uses: docker/login-action@v3
         with:
-          images: yogeshojha/rengine
-
-      - name: Build Docker image
-        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+          registry: ${{ env.REGISTRY }}
+          username: ${{ vars.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
         with:
-          context: web/
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          context: ./docker/${{ matrix.image }}
+          file: ./docker/${{ matrix.image }}/Dockerfile
+          push: ${{ github.event_name != 'pull_request' || github.event.inputs.push_image == 'true' }}
+          tags: |
+            ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.PROJECT }}:rengine-${{ matrix.image }}-${{ steps.get_version.outputs.VERSION }}
+            ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.PROJECT }}:rengine-${{ matrix.image }}-latest
+          platforms: ${{ matrix.platform }}
+
+  update-release:
+    needs: build-and-push
+    if: github.event_name == 'release' && github.event.action == 'published'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Update release description
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          release_id=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+            "https://api.github.com/repos/${{ github.repository }}/releases/latest" | \
+            jq -r .id)
+          
+          images="celery web postgres redis ollama certs proxy"
+          image_list=""
+          for image in $images; do
+            image_list="${image_list}- ghcr.io/${{ env.OWNER }}/${{ env.PROJECT }}:rengine-${image}-${{ github.ref_name }}\n"
+          done
+          
+          body="Docker images for this release:\n${image_list}"
+          
+          curl -X PATCH -H "Authorization: token $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github.v3+json" \
+            "https://api.github.com/repos/${{ github.repository }}/releases/${release_id}" \
+            -d "{\"body\": \"$body\"}"

.github/workflows/close-issues-on-pr-merge-to-release-branch.yml

@@ -0,0 +1,25 @@
+name: Close issues on PR merge to release branch
+
+on:
+  pull_request:
+    types:
+      - closed
+
+jobs:
+  close-related-issues:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.merged == true && startsWith(github.ref, 'refs/heads/release/')
+    permissions:
+      issues: write
+    steps:
+      - name: Extract issue number
+        id: extract_issue_number
+        run: |
+          issue_number=$(echo "${{ github.event.pull_request.body }}" | grep -oE '#[0-9]+' | head -n 1 | tr -d '#')
+          echo "ISSUE_NUMBER=$issue_number" >> $GITHUB_ENV
+
+      - name: Close linked issues
+        uses: peter-evans/close-issue@v3
+        with:
+          issue-number: ${{ env.ISSUE_NUMBER }}
+          comment: "This issue is being closed because the related PR has been merged into a release branch."

.github/workflows/codeql-analysis.yml

@@ -1,35 +1,46 @@
-name: "Code Quality"
+name: "CodeQL Advanced"
 
 on:
   push:
-    branches: [ master ]
+    branches: [ "**" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
   pull_request:
-    branches: [ master ]
-  schedule:
-    - cron: '0 18 * * 5'
+    branches: [ "**" ]
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
 
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ 'ubuntu-latest' }}
+    permissions:
+      security-events: write
+      packages: read
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'javascript', 'python' ]
+        include:
+        - language: javascript
+          build-mode: none
+        - language: python
+          build-mode: none
 
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
 
-    # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+        build-mode: ${{ matrix.build-mode }}
+        queries: security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/delete-untagged-images.yml

@@ -0,0 +1,52 @@
+name: Delete Untagged GHCR Images
+
+on:
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run (does not delete images)'
+        required: true
+        default: 'true'
+        type: choice
+        options:
+        - 'true'
+        - 'false'
+  schedule:
+    - cron: '0 0 1,15 * *'
+
+env:
+  REGISTRY: ghcr.io
+  OWNER: security-tools-alliance
+  PROJECT: rengine-ng
+
+jobs:
+  delete-untagged-ghcr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ vars.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Delete untagged images
+        uses: Chizkiyahu/delete-untagged-ghcr-action@v4
+        with:
+          token: ${{ secrets.GHCR_PAT }}
+          repository_owner: ${{ env.OWNER }}
+          repository: ${{ env.PROJECT }}
+          untagged_only: true
+          owner_type: org
+          except_untagged_multiplatform: true
+
+      - name: Summary
+        if: always()
+        env:
+          DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
+        run: |
+          echo "## Summary of untagged image deletion" >> $GITHUB_STEP_SUMMARY
+          echo "- Dry run: $DRY_RUN" >> $GITHUB_STEP_SUMMARY
+          echo "- Owner: $OWNER" >> $GITHUB_STEP_SUMMARY
+          echo "- Project: $PROJECT" >> $GITHUB_STEP_SUMMARY
+          echo "Check the logs above for more details on deleted images or images that would have been deleted in dry run mode." >> $GITHUB_STEP_SUMMARY

.github/workflows/release.yml

@@ -11,6 +11,8 @@ jobs:
   release:
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - name: Create release