ci: build linux arm64 for release

Signed-off-by: Richard Zak <[email protected]>

Author: rjzak

.github/workflows/release.yml

@@ -12,7 +12,7 @@ permissions:
   id-token: write
 
 jobs:
-  linux:
+  linux_x86:
     if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
     runs-on: ubuntu-latest
     steps:
@@ -36,6 +36,7 @@ jobs:
       - name: Setup Rust toolchain
         run: |
           rustup target install x86_64-unknown-linux-musl
+          sudo apt-get update
           sudo apt-get install -y musl musl-dev musl-tools dpkg-dev liblzma-dev
           cargo install cargo-deb cargo-auditable cargo-audit
       - id: version
@@ -105,6 +106,79 @@ jobs:
           if-no-files-found: error
           retention-days: 5
 
+  linux_arm:
+    if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+          allowed-endpoints: >
+            azure.archive.ubuntu.com:80
+            cdn.fwupd.org:443
+            crates.io:443
+            esm.ubuntu.com:443
+            github.com:443
+            index.crates.io:443
+            motd.ubuntu.com:443
+            ppa.launchpadcontent.net:443
+            static.crates.io:443
+            static.rust-lang.org:443
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Setup Rust toolchain
+        run: |
+          rustup target install aarch64-unknown-linux-musl
+          sudo apt-get update
+          sudo apt-get install -y musl musl-dev musl-tools dpkg-dev liblzma-dev
+          cargo install cargo-deb cargo-auditable cargo-audit
+      - id: version
+        run: echo "version=$(cargo metadata --format-version=1 --no-deps | jq '.packages[] | select(.name == "malwaredb") | .version' --raw-output)" >>$GITHUB_OUTPUT
+      - name: Install dependencies
+        run: sudo apt-get install -y libmagic-dev
+      - name: Install GUI dependencies
+        run: sudo apt-get install -y libxcb-shape0-dev libxcb-xfixes0-dev libx11-dev libxkbcommon-dev libfontconfig-dev libxext-dev libxft-dev libxinerama-dev libxcursor-dev libxrender-dev libxfixes-dev
+      - name: Build client
+        run: cargo auditable build --workspace --bin mdb_client --target aarch64-unknown-linux-musl --release
+      - name: Package client
+        run: |
+          cd client
+          cargo auditable deb --target aarch64-unknown-linux-musl
+      - name: Build server
+        run: cargo auditable build --features=admin,admin-gui,sqlite,vt --bin mdb_server --release
+      - name: Package server
+        run: cargo deb --locked --cargo-build 'auditable build' --target aarch64-unknown-linux-gnu
+      - run: mv target/release/mdb_server target/release/mdb_server_linux_gnu_arm64
+      - name: Upload mdb_server
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: mdb_server_linux_gnu_arm64
+          path: target/release/mdb_server_linux_gnu_arm64
+          if-no-files-found: error
+          retention-days: 5
+      - name: Upload mdb_server deb
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: "malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb"
+          path: "target/aarch64-unknown-linux-gnu/debian/malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb"
+          if-no-files-found: error
+          retention-days: 5
+      - run: mv target/aarch64-unknown-linux-musl/release/mdb_client target/aarch64-unknown-linux-musl/release/mdb_client_linux_musl_arm64
+      - name: Upload mdb_client
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: mdb_client_linux_musl_arm64
+          path: target/aarch64-unknown-linux-musl/release/mdb_client_linux_musl_arm64
+          retention-days: 5
+      - name: Upload mdb_client deb
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: "malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb"
+          path: "target/aarch64-unknown-linux-musl/debian/malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb"
+          if-no-files-found: error
+          retention-days: 5
+
   macos:
     if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
     runs-on: macos-14
@@ -239,7 +313,7 @@ jobs:
 
   release:
     if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
-    needs: [ windows, macos, linux ]
+    needs: [ windows, macos, linux_x86, linux_arm ]
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -284,15 +358,27 @@ jobs:
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: mdb_server_linux_musl_x86_64
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: mdb_server_linux_gnu_arm64
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: "malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb"
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: "malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb"
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: mdb_client_linux_musl_x86_64
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: mdb_client_linux_musl_arm64
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: "malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb"
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: "malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb"
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: sbom.xml
@@ -309,7 +395,7 @@ jobs:
         run: |
           mkdir ~/.minisign/
           echo "${{ secrets.MINISIGN_KEY }}" > ~/.minisign/minisign.key
-          echo | ./minisign -Sm mdb_* malwaredb* sbom.*
+          echo | ./minisign -t "MalwareDB ${{ steps.version.outputs.version }}" -Sm mdb_* malwaredb* sbom.*
           echo | ./minisign -R
       - uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
@@ -333,10 +419,18 @@ jobs:
             mdb_server_linux_musl_x86_64.minisig
             mdb_client_linux_musl_x86_64
             mdb_client_linux_musl_x86_64.minisig
+            mdb_server_linux_gnu_arm64
+            mdb_server_linux_gnu_arm64.minisig
+            mdb_client_linux_musl_arm64
+            mdb_client_linux_musl_arm64.minisig
             malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb
             malwaredb_${{ steps.version.outputs.version }}-1_amd64.deb.minisig
             malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb
             malwaredb-client_${{ steps.version.outputs.version }}-1_amd64.deb.minisig
+            malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb
+            malwaredb_${{ steps.version.outputs.version }}-1_arm64.deb.minisig
+            malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb
+            malwaredb-client_${{ steps.version.outputs.version }}-1_arm64.deb.minisig
             sbom.xml
             sbom.xml.minisig
             sbom.json
@@ -355,5 +449,7 @@ jobs:
             mdb_client_arm64.exe
             mdb_server_linux_musl_x86_64
             mdb_client_linux_musl_x86_64
+            mdb_server_linux_gnu_arm64
+            mdb_client_linux_musl_arm64
             sbom.xml
             sbom.json