sr2/protonmail-bridge-docker
5
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Rewrite CI from scratch: clean build + scheduled update, remove deb workflow

Browse source
This commit is contained in:
Anton 2026-03-11 20:07:05 +00:00
parent 3ae2d2dee5
commit 21ae9d5b7e
8 changed files with 65 additions and 453 deletions
Download patch file Download diff file Expand all files Collapse all files

188
.github/workflows/build.yaml vendored
View file

@ -1,14 +1,15 @@
name: build from source
name: Build and Push
on:
push:
branches: [master]
paths:
- .github/workflows/build.yaml
- build/*
- build/**
pull_request:
paths:
- .github/workflows/build.yaml
- build/*
- build/**
workflow_dispatch:
permissions:
@ -17,181 +18,58 @@ permissions:
security-events: write
env:
GHCR_REPO: ghcr.io/trent-maetzold/protonmail-bridge
IMAGE: ghcr.io/${{ github.repository_owner }}/protonmail-bridge
jobs:
resolve-version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.resolve.outputs.version }}
version: ${{ steps.version.outputs.version }}
steps:
- name: Get latest upstream release
id: resolve
id: version
run: |
latest=$(curl -s https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest | jq -r '.tag_name')
echo "version=$latest" >> $GITHUB_OUTPUT
version=$(curl -s https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest | jq -r '.tag_name')
echo "version=$version" >> $GITHUB_OUTPUT
echo "Resolved version: $version"
test:
runs-on: ubuntu-latest
build:
needs: resolve-version
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/checkout@v4
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.GHCR_REPO }}
- uses: docker/setup-buildx-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
if: github.event_name != 'pull_request'
with:
driver: docker
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build
uses: docker/build-push-action@v6
with:
context: ./build
file: ./build/Dockerfile
load: true
tags: "protonmail-bridge:test"
build-args: |
version=${{ needs.resolve-version.outputs.version }}
- name: Run Trivy vulnerability scan
continue-on-error: true
run: |
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
aquasec/trivy:latest image \
--severity CRITICAL,HIGH \
--exit-code 0 \
protonmail-bridge:test
build:
runs-on: ubuntu-latest
needs: resolve-version
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64/v8
- linux/arm/v7
- linux/riscv64
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.GHCR_REPO }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
uses: docker/build-push-action@v6
with:
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true
context: ./build
file: ./build/Dockerfile
provenance: false
sbom: false
build-args: |
version=${{ needs.resolve-version.outputs.version }}
- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
needs:
- resolve-version
- build
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.GHCR_REPO }}
push: ${{ github.event_name != 'pull_request' }}
load: ${{ github.event_name == 'pull_request' }}
tags: |
type=raw,enable=true,value=${{ needs.resolve-version.outputs.version }}-build
type=raw,enable=true,value=build
type=raw,enable=true,value=latest
${{ env.IMAGE }}:latest
${{ env.IMAGE }}:${{ needs.resolve-version.outputs.version }}
build-args: |
version=${{ needs.resolve-version.outputs.version }}
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
- name: Run Trivy vulnerability scan
- name: Trivy scan
uses: aquasecurity/trivy-action@0.30.0
with:
image-ref: "${{ env.GHCR_REPO }}:${{ needs.resolve-version.outputs.version }}-build"
format: 'sarif'
exit-code: 0
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
image-ref: ${{ env.IMAGE }}:${{ needs.resolve-version.outputs.version }}
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
- name: Upload Trivy scan SARIF report
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ needs.resolve-version.outputs.version }}-build
sarif_file: trivy-results.sarif