sr2/protonmail-bridge-docker
5
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Fix v3.22.0 build, improve stability, and set up for community maintenance

Browse source 
- Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135)
- Make bridge binaries read-only to block built-in auto-updater at runtime
- Add HEALTHCHECK to Dockerfile
- Fix long-uptime stdin stability: replace cat pipe with sleep infinity
- Clean up stale GPG agent sockets on container startup
- Update maintainer label
- Repoint build.yaml to dancwilliams Docker Hub and GHCR repos
- Use clean version/latest tags (drop -build suffix)
- Fix missing checkout in merge job
- Add workflow_dispatch and pip install to update-check.yaml
- Remove Gitee mirror workflow
- Remove legacy deb build (Dockerfile, workflow, and deb/ directory)
This commit is contained in:
Dan Williams 2026-02-24 20:15:39 -06:00
parent 97014ae98c
commit 5ad6fa81e3
11 changed files with 51 additions and 255 deletions
Download patch file Download diff file Expand all files Collapse all files

60
.github/workflows/build.yaml vendored
View file

@ -13,9 +13,9 @@ on:
workflow_dispatch:
env:
GHCR_REPO: shenxn/protonmail-bridge-docker
DOCKERHUB_REPO: shenxn/protonmail-bridge
DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge
DOCKERHUB_REPO: dancwilliams/protonmail-bridge
GHCR_REPO: ghcr.io/dancwilliams/protonmail-bridge-docker
DOCKER_REPO_DEV: ghcr.io/dancwilliams/protonmail-bridge
PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
jobs:
@ -24,11 +24,10 @@ jobs:
if: github.ref != 'refs/heads/master'
steps:
- name: Checkout
uses: actions/checkout@master
uses: actions/checkout@v4
- name: Set version
id: version
run: echo "version=`cat VERSION`" >> $GITHUB_ENV
run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
- name: Docker meta
id: meta
@ -46,18 +45,16 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Build and push by digest
- name: Build and push
id: build
uses: docker/build-push-action@v6
with:
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,"name=${{ env.DOCKER_REPO_DEV }}",push-by-digest=false,name-canonical=true,push=true
context: ./build
file: ./build/Dockerfile
tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}"
push: true
build-args: |
version=${{ env.version }}
@ -88,7 +85,7 @@ jobs:
- linux/riscv64
steps:
- name: Checkout
uses: actions/checkout@master
uses: actions/checkout@v4
- name: Prepare
run: |
@ -96,16 +93,7 @@ jobs:
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Set version
id: version
run: echo "version=`cat VERSION`" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_REPO }}
${{ env.GHCR_REPO }}
run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v3
@ -131,15 +119,9 @@ jobs:
uses: docker/build-push-action@v6
with:
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,"name=name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=false
outputs: type=image,name=${{ env.DOCKERHUB_REPO }},push-by-digest=true,name-canonical=true,push=true
context: ./build
file: ./build/Dockerfile
tags: |
"${{ env.DOCKERHUB_REPO }}:build"
"${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
"${{ env.GHCR_REPO }}:build"
"${{ env.GHCR_REPO }}:${{ env.version }}-build"
provenance: false
sbom: false
build-args: |
@ -159,12 +141,14 @@ jobs:
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
needs:
- build
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download digests
uses: actions/download-artifact@v4
with:
@ -173,8 +157,7 @@ jobs:
merge-multiple: true
- name: Set version
id: version
run: echo "version=`cat VERSION`" >> $GITHUB_ENV
run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v3
@ -191,8 +174,6 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Docker meta
id: meta
@ -202,25 +183,24 @@ jobs:
${{ env.DOCKERHUB_REPO }}
${{ env.GHCR_REPO }}
tags: |
type=raw,enable=true,value=${{ env.version }}-build
type=raw,enable=true,suffix=,value=build
type=raw,value=${{ env.version }}
type=raw,value=latest
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *)
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.30.0
with:
image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}"
format: 'sarif'
exit-code: 0
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
- name: Upload Trivy scan SARIF report
uses: github/codeql-action/upload-sarif@v3
with:
@ -228,5 +208,5 @@ jobs:
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ env.version }}
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ env.version }}