Fix v3.22.0 build, improve stability, and set up for community maintenance

- Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135)
- Make bridge binaries read-only to block built-in auto-updater at runtime
- Add HEALTHCHECK to Dockerfile
- Fix long-uptime stdin stability: replace cat pipe with sleep infinity
- Clean up stale GPG agent sockets on container startup
- Update maintainer label
- Repoint build.yaml to dancwilliams Docker Hub and GHCR repos
- Use clean version/latest tags (drop -build suffix)
- Fix missing checkout in merge job
- Add workflow_dispatch and pip install to update-check.yaml
- Remove Gitee mirror workflow
- Remove legacy deb build (Dockerfile, workflow, and deb/ directory)

build/entrypoint.sh

@@ -2,13 +2,19 @@
 
 set -ex
 
+# Workaround for stale gpg-agent socket causing auth failures on restart
+# Cleans up leftover sockets in the GPG home directory
+if [ -d /root/.gnupg ]; then
+    rm -f /root/.gnupg/S.gpg-agent*
+fi
+
 # Initialize
 if [[ $1 == init ]]; then
 
     # Initialize pass
     gpg --generate-key --batch /protonmail/gpgparams
     pass init pass-key
-    
+
     # Kill the other instance as only one can be running at a time.
     # This allows users to run entrypoint init inside a running conainter
     # which is useful in a k8s environment.
@@ -30,6 +36,13 @@ else
     # Fake a terminal, so it does not quit because of EOF...
     rm -f faketty
     mkfifo faketty
-    cat faketty | /protonmail/proton-bridge --cli $@
+
+    # Keep faketty open indefinitely (more stable than cat pipe over long uptimes)
+    sleep infinity > faketty &
+
+    # Start bridge reading from faketty; wait so container exits with bridge's exit code
+    /protonmail/proton-bridge --cli $@ < faketty &
+    wait $!
+    exit $?
 
 fi