Updated deps and made workflow for delivery

.github/workflows/delivery.yml

@@ -0,0 +1,86 @@
+name: Delivery
+
+on:
+    push:
+        branches: [main]
+    release:
+        # Note: a current limitation is that when a release is edited after publication, then the Docker tags are not automatically updated.
+        types: [published]
+    schedule:
+        # Run every monday on 9:00 in the morning (UTC).
+        - cron: '0 9 * * 0'
+    workflow_dispatch:
+
+permissions:
+    contents: write
+    packages: write
+    security-events: write
+
+jobs:
+    publish-docker-image:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout
+              uses: actions/checkout@v4
+
+            - name: Check whether this event is the HEAD of main
+              continue-on-error: true
+              id: is-head-main
+              run: git rev-parse HEAD | grep -x ${{ github.sha }}
+              shell: bash
+
+            - name: Docker meta
+              id: meta
+              uses: docker/metadata-action@v5
+              with:
+                  images: ghcr.io/${{ github.repository }}
+                  tags: |
+                      type=semver,pattern={{major}}.{{minor}}.{{patch}}
+                      type=edge,enable=${{ steps.is-head-main.outcome == 'success' }}
+                      type=ref,event=branch,enable=${{ github.event_name == 'workflow_dispatch' }}
+
+            - name: Set up Docker Buildx
+              uses: docker/setup-buildx-action@v3
+
+            - name: Login to GitHub Container Registry
+              uses: docker/login-action@v3
+              with:
+                  registry: ghcr.io
+                  username: ${{ github.actor }}
+                  password: ${{ secrets.GITHUB_TOKEN }}
+
+            - name: Build container and export to local Docker
+              uses: docker/build-push-action@v5
+              with:
+                  context: .
+                  file: backend.Dockerfile
+                  load: true
+                  tags: local/postguard-backend:scan
+                  cache-from: type=gha
+                  cache-to: type=gha,mode=max
+
+            - name: Scan Image
+              uses: anchore/scan-action@v4
+              id: scan
+              with:
+                  image: local/postguard-backend:scan
+                  only-fixed: true
+                  fail-build: true
+                  severity-cutoff: critical
+                  output-format: sarif
+
+            - name: Upload Anchore scan SARIF report
+              uses: github/codeql-action/upload-sarif@v4
+              if: ${{ !cancelled() }}
+              with:
+                  sarif_file: ${{ steps.scan.outputs.sarif }}
+
+            - name: Push image to GitHub Container Registry
+              uses: docker/build-push-action@v5
+              if: ${{ github.event_name == 'release' || github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+              with:
+                  context: .
+                  file: backend.Dockerfile
+                  push: true
+                  tags: ${{ steps.meta.outputs.tags || 'edge' }}
+                  labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -2,3 +2,6 @@ dist/
 data/
 irma/
 target/
+
+.idea
+.vscode

backend.Dockerfile

@@ -1,4 +1,36 @@
-FROM debian:buster-slim
-RUN apt-get update && \
-  apt-get install -y libssl-dev && \
-  rm -rf /var/lib/apt/lists/*
+FROM rust:1.91.0-slim-trixie AS builder
+
+ENV ROCKET_PROFILE=release
+
+WORKDIR /app
+
+COPY cryptify-back-end/src ./src
+COPY cryptify-back-end/templates ./templates
+COPY cryptify-back-end/Cargo.toml .
+COPY cryptify-back-end/Cargo.lock .
+
+RUN apt-get update  \
+    && apt-get --no-install-recommends install -y libssl-dev pkg-config  \
+    && rm -rf /var/lib/apt/lists/*  \
+    && cargo build --release  \
+    && cp ./target/release/cryptify-backend /usr/local/bin/cryptify-backend
+
+
+FROM debian:trixie-slim
+ENV ROCKET_CONFIG=config.toml
+
+RUN groupadd -r nonroot \
+    && useradd -r -g nonroot nonroot \
+    && apt-get update  \
+    && apt-get --no-install-recommends install -y ca-certificates libssl3  \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /usr/local/bin/cryptify-backend /usr/local/bin/cryptify-backend
+RUN mkdir -p /app && chown nonroot:nonroot /app
+
+WORKDIR /app
+USER nonroot
+
+RUN mkdir -p /tmp/data
+
+CMD ["/bin/sh", "-c", "/usr/local/bin/cryptify-backend"]