diff --git a/.gitea/workflows/build-and-push.yml b/.gitea/workflows/build-and-push.yml
new file mode 100644
index 0000000..b771209
--- /dev/null
+++ b/.gitea/workflows/build-and-push.yml
@@ -0,0 +1,43 @@
+name: Build and Push Docker Image
+
+on:
+ push:
+ branches: [master]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ actions: write
+
+jobs:
+ build-and-push:
+ name: Build & Push Docker Image
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Generate image metadata
+ id: meta
+ run: |
+ VERSION=$(cat deb/PACKAGE | grep -oP '\d+\.\d+\.\d+' | head -1 || echo "unknown")
+ SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+ echo "tag=${VERSION}-${SHORT_SHA}" >> $GITHUB_OUTPUT
+ echo "Image will be tagged: ${VERSION}-${SHORT_SHA}"
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to registry
+ run: |
+ echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.johnogle.info -u ${{ secrets.REGISTRY_USERNAME }} --password-stdin
+
+ - name: Build and push (deb)
+ uses: docker/build-push-action@v5
+ with:
+ context: ./deb
+ push: true
+ tags: |
+ registry.johnogle.info/protonmail-bridge:${{ steps.meta.outputs.tag }}
+ registry.johnogle.info/protonmail-bridge:latest
+ platforms: linux/amd64
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 8be4aa5..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
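Review bot: The `Login to registry` step interpolates `${{ secrets.REGISTRY_USERNAME }}` and `${{ secrets.REGISTRY_PASSWORD }}` straight into the shell script text, and the unquoted `-u ${{ secrets.REGISTRY_USERNAME }}` argument is subject to word splitting; the credentials should reach the shell through `env:` as variables, or the step should use `docker/login-action@v3` with `registry:`, `username:` and `password:` inputs as the removed build.yaml already did (rewrite below). The `|| echo "unknown"` fallback in `Generate image metadata` is unreachable: unless the step sets `shell: bash` (which turns on pipefail), the pipeline's status is that of `head -1`, so a `deb/PACKAGE` with no version string produces a tag of the form `-<short-sha>`; `VERSION=$(grep -oP '\d+\.\d+\.\d+' deb/PACKAGE | head -1); VERSION=${VERSION:-unknown}` makes the fallback work. No step shown needs `actions: write`, so the `permissions:` block can be reduced to `contents: read`. The actions are referenced by floating tags (`@v4`, `@v3`, `@v5`); pinning each to a full commit SHA with the tag in a trailing comment (`uses: docker/build-push-action@<commit-sha>  # v5`) fixes the supply-chain input. The image is also pushed as `latest` without the vulnerability scan and SARIF upload the deleted workflows performed, so a scan step before the push (or against the pushed digest) would be worth restoring.
```yaml
      # … unchanged: checkout, metadata and buildx steps …
      - name: Login to registry
        uses: docker/login-action@v3
        with:
          registry: registry.johnogle.info
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      # … unchanged: build and push step …
```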
@@ -1,12 +0,0 @@
-# These are supported funding model platforms
-
-github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-otechie: # Replace with a single Otechie username
-custom: ['https://www.buymeacoffee.com/shenxn']
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
deleted file mode 100644
index defc7de..0000000
--- a/.github/workflows/build.yaml
+++ /dev/null
@@ -1,232 +0,0 @@ -name: build from source - -on: - push: - paths: - - .github/workflows/build.yaml - - build/* - - VERSION - pull_request: - paths: - - .github/workflows/build.yaml - - build/* - workflow_dispatch: - -env: - GHCR_REPO: shenxn/protonmail-bridge-docker - DOCKERHUB_REPO: shenxn/protonmail-bridge - DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge - PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64 - -jobs: - test: - runs-on: ubuntu-latest - if: github.ref != 'refs/heads/master' - steps: - - name: Checkout - uses: actions/checkout@master - - - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.DOCKER_REPO_DEV }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: network=host - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,"name=${{ env.DOCKER_REPO_DEV }}",push-by-digest=false,name-canonical=true,push=true - context: ./build - file: ./build/Dockerfile - tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}" - build-args: | - version=${{ env.version }} - - - name: Run Trivy vulnerability scan - uses: aquasecurity/trivy-action@0.30.0 - with: - image-ref: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}" - format: 'sarif' - exit-code: 0 - severity: 'CRITICAL,HIGH' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan SARIF report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' - - build: - runs-on: ubuntu-latest - if: github.event_name == 'push' && github.ref == 'refs/heads/master' - strategy: - fail-fast: false - matrix: - platform: - - 
linux/amd64 - - linux/arm64/v8 - - linux/arm/v7 - - linux/riscv64 - steps: - - name: Checkout - uses: actions/checkout@master - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.DOCKERHUB_REPO }} - ${{ env.GHCR_REPO }} - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - platforms: ${{ matrix.platform }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,"name=name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=false - context: ./build - file: ./build/Dockerfile - tags: | - "${{ env.DOCKERHUB_REPO }}:build" - "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build" - "${{ env.GHCR_REPO }}:build" - "${{ env.GHCR_REPO }}:${{ env.version }}-build" - provenance: false - sbom: false - build-args: | - version=${{ env.version }} - - - name: Export digest - run: | - mkdir -p ${{ runner.temp }}/digests - digest="${{ steps.build.outputs.digest }}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/digests/* - if-no-files-found: error - retention-days: 1 - - - merge: - runs-on: ubuntu-latest - needs: - - build - steps: - - name: Download 
digests - uses: actions/download-artifact@v4 - with: - path: ${{ runner.temp }}/digests - pattern: digests-* - merge-multiple: true - - - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: network=host - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.DOCKERHUB_REPO }} - ${{ env.GHCR_REPO }} - tags: | - type=raw,enable=true,value=${{ env.version }}-build - type=raw,enable=true,suffix=,value=build - - - name: Create manifest list and push - working-directory: ${{ runner.temp }}/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *) - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *) - - - name: Run Trivy vulnerability scan - uses: aquasecurity/trivy-action@0.30.0 - with: - image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build" - format: 'sarif' - exit-code: 0 - severity: 'CRITICAL,HIGH' - output: 'trivy-results.sarif' - - name: Upload Trivy scan SARIF report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ steps.meta.outputs.version }} - docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ steps.meta.outputs.version }} 
diff --git a/.github/workflows/deb.yaml b/.github/workflows/deb.yaml
deleted file mode 100644
index ddf4c99..0000000
--- a/.github/workflows/deb.yaml
+++ /dev/null
@@ -1,79 +0,0 @@ -name: pack from deb - -on: - push: - paths: - - .github/workflows/deb.yaml - - deb/* - - VERSION - pull_request: - paths: - - .github/workflows/deb.yaml - - deb/* - workflow_dispatch: - -env: - DOCKER_REPO: shenxn/protonmail-bridge - DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge-dev - -jobs: - deb: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@master - - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - name: Set repo - id: repo - run: if [[ $GITHUB_REF == "refs/heads/master" ]]; then echo "::set-output name=repo::${DOCKER_REPO}"; else echo "::set-output name=repo::${DOCKER_REPO_DEV}"; fi - - name: Docker meta - id: docker_meta - uses: crazy-max/ghaction-docker-meta@v1 - with: - images: ${{ steps.repo.outputs.repo }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Build image without push - uses: docker/build-push-action@v2 - with: - context: ./deb - file: ./deb/Dockerfile - load: true - tags: protonmail-bridge:latest - - name: Scan image - id: scan - uses: anchore/scan-action@v2 - with: - image: protonmail-bridge:latest - fail-build: true - severity-cutoff: critical - acs-report-enable: true - - name: Upload Anchore scan SARIF report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scan.outputs.sarif }} - - name: Login to DockerHub - uses: docker/login-action@v1 - if: ${{ github.event_name != 'pull_request' }} - with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v1 - if: ${{ github.event_name != 'pull_request' }} - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.CR_PAT }} - - name: Push image - uses: docker/build-push-action@v2 - with: - context: ./deb - file: ./deb/Dockerfile - tags: | - ${{ steps.repo.outputs.repo }}:latest - ${{ steps.repo.outputs.repo 
}}:${{ env.version }} - labels: ${{ steps.docker_meta.outputs.labels }} - push: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/mirror.yaml b/.github/workflows/mirror.yaml deleted file mode 100644 index 4e2409b..0000000 --- a/.github/workflows/mirror.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Mirroring - -# yamllint disable-line rule:truthy -on: - push: - branches: - - master - - dev - -jobs: - mirror_gitee: - name: Mirror to Gitee - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Push to Gitee - env: - SSH_KEY: ${{ secrets.GITEE_KEY }} - run: | - mkdir -p ~/.ssh - echo "${SSH_KEY}" > ~/.ssh/id_rsa - chmod 600 ~/.ssh/id_rsa - export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -l git" - git remote add gitee git@gitee.com:shenxn/protonmail-bridge-docker.git - git push --tags --force --prune gitee "refs/remotes/origin/*:refs/heads/*" diff --git a/.github/workflows/update-check.yaml b/.github/workflows/update-check.yaml deleted file mode 100644 index 0c46ab4..0000000 --- a/.github/workflows/update-check.yaml +++ /dev/null @@ -1,24 +0,0 @@ -name: update check - -on: - push: - paths: - - .github/workflows/update-check.yaml - - update-check.py - pull_request: - paths: - - .github/workflows/update-check.yaml - - update-check.py - schedule: - - cron: '0 0 * * *' # runs everyday at midnight - -jobs: - check: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@master - with: - token: ${{ secrets.PERSONAL_TOKEN }} - - name: Check Update - run: python3 update-check.py ${{ github.event_name == 'pull_request' }}