protonmail-bridge-nextcoud-.../build/Dockerfile

# ARG before any FROM is global and available in FROM instructions.
# debian:bookworm-slim is the default; the workflow overrides to debian:sid-slim for riscv64
# since bookworm has no riscv64 image.
ARG RUNTIME_IMAGE=debian:bookworm-slim@sha256:74a21da88cf4b2e8fde34558376153c5cd80b00ca81da2e659387e76524edc73

# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).
FROM debian:sid-slim@sha256:a145cf2bc72431523b8f5d152e9cbcc20cfaeccdb7626802f5ce6fb31a6f58bb AS build

ARG version

# Install build dependencies
RUN apt-get -o Acquire::http::Timeout=30 update && apt-get -o Acquire::http::Timeout=30 install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev

# Build
ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
WORKDIR /build/
RUN make build-nogui vault-editor

FROM ${RUNTIME_IMAGE}
LABEL maintainer="Dan Williams <dancwilliams@github>"

EXPOSE 25/tcp
EXPOSE 143/tcp

# Monitor proton-bridge process health
HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \
  CMD bash -c "pgrep -f proton-bridge || exit 1"

# Install runtime dependencies
RUN apt-get -o Acquire::http::Timeout=30 update \
    && apt-get -o Acquire::http::Timeout=30 install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Copy bash scripts
COPY gpgparams entrypoint.sh /protonmail/

# Copy protonmail
COPY --from=build /build/bridge /protonmail/
COPY --from=build /build/proton-bridge /protonmail/
COPY --from=build /build/vault-editor /protonmail/

# Prevent the bridge's built-in auto-updater from replacing the container binary at runtime.
# Version management is handled externally via the update-check workflow.
RUN chmod -w /protonmail/bridge /protonmail/proton-bridge /protonmail/vault-editor

ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]
Fix ARG scoping: declare RUNTIME_IMAGE before first FROM 2026-02-25 03:21:41 +00:00			`# ARG before any FROM is global and available in FROM instructions.`
			`# debian:bookworm-slim is the default; the workflow overrides to debian:sid-slim for riscv64`
			`# since bookworm has no riscv64 image.`
Pin base image digests and add Renovate for automated updates Renovate will open PRs automatically when debian:bookworm-slim or debian:sid-slim receive updates (e.g. security patches), keeping the container current without relying solely on scheduled rebuilds. 2026-02-26 17:53:35 +00:00			`ARG RUNTIME_IMAGE=debian:bookworm-slim@sha256:74a21da88cf4b2e8fde34558376153c5cd80b00ca81da2e659387e76524edc73`
Fix ARG scoping: declare RUNTIME_IMAGE before first FROM 2026-02-25 03:21:41 +00:00
Stabilize runtime image, add PR-based version gating, drop arm/v7 Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason 2026-02-25 03:11:29 +00:00			`# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).`
Pin base image digests and add Renovate for automated updates Renovate will open PRs automatically when debian:bookworm-slim or debian:sid-slim receive updates (e.g. security patches), keeping the container current without relying solely on scheduled rebuilds. 2026-02-26 17:53:35 +00:00			`FROM debian:sid-slim@sha256:a145cf2bc72431523b8f5d152e9cbcc20cfaeccdb7626802f5ce6fb31a6f58bb AS build`
Add build from source 2020-06-01 13:51:24 +00:00
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`ARG version`

Stabilize runtime image, add PR-based version gating, drop arm/v7 Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason 2026-02-25 03:11:29 +00:00			`# Install build dependencies`
Fix build hangs: add apt-get network timeout and job timeout apt-get has no default network timeout, so an unresponsive Debian mirror can block a build stage indefinitely. Add Acquire::http::Timeout=30 to both update and install calls in all apt-get invocations so mirror hangs fail fast rather than running until GitHub's 6-hour job limit. Also add timeout-minutes: 60 to the build job so a runaway step fails within an hour rather than silently consuming the full 6-hour default. 2026-02-25 12:29:20 +00:00			`RUN apt-get -o Acquire::http::Timeout=30 update && apt-get -o Acquire::http::Timeout=30 install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev`
Add build from source 2020-06-01 13:51:24 +00:00
			`# Build`
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/`
Add build from source 2020-06-01 13:51:24 +00:00			`WORKDIR /build/`
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`RUN make build-nogui vault-editor`
Add build from source 2020-06-01 13:51:24 +00:00
Fix riscv64 runtime: use sid-slim on riscv64, bookworm-slim elsewhere debian:bookworm-slim has no riscv64 image. Parameterize the runtime base via RUNTIME_IMAGE build-arg; the workflow passes sid-slim for riscv64 and bookworm-slim for all other platforms. 2026-02-25 03:16:50 +00:00			`FROM ${RUNTIME_IMAGE}`
Fix v3.22.0 build, improve stability, and set up for community maintenance - Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135) - Make bridge binaries read-only to block built-in auto-updater at runtime - Add HEALTHCHECK to Dockerfile - Fix long-uptime stdin stability: replace cat pipe with sleep infinity - Clean up stale GPG agent sockets on container startup - Update maintainer label - Repoint build.yaml to dancwilliams Docker Hub and GHCR repos - Use clean version/latest tags (drop -build suffix) - Fix missing checkout in merge job - Add workflow_dispatch and pip install to update-check.yaml - Remove Gitee mirror workflow - Remove legacy deb build (Dockerfile, workflow, and deb/ directory) 2026-02-25 02:15:39 +00:00			`LABEL maintainer="Dan Williams <dancwilliams@github>"`
Add build from source 2020-06-01 13:51:24 +00:00
			`EXPOSE 25/tcp`
			`EXPOSE 143/tcp`

Fix v3.22.0 build, improve stability, and set up for community maintenance - Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135) - Make bridge binaries read-only to block built-in auto-updater at runtime - Add HEALTHCHECK to Dockerfile - Fix long-uptime stdin stability: replace cat pipe with sleep infinity - Clean up stale GPG agent sockets on container startup - Update maintainer label - Repoint build.yaml to dancwilliams Docker Hub and GHCR repos - Use clean version/latest tags (drop -build suffix) - Fix missing checkout in merge job - Add workflow_dispatch and pip install to update-check.yaml - Remove Gitee mirror workflow - Remove legacy deb build (Dockerfile, workflow, and deb/ directory) 2026-02-25 02:15:39 +00:00			`# Monitor proton-bridge process health`
			`HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \`
			`CMD bash -c "pgrep -f proton-bridge \|\| exit 1"`

Stabilize runtime image, add PR-based version gating, drop arm/v7 Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason 2026-02-25 03:11:29 +00:00			`# Install runtime dependencies`
Fix build hangs: add apt-get network timeout and job timeout apt-get has no default network timeout, so an unresponsive Debian mirror can block a build stage indefinitely. Add Acquire::http::Timeout=30 to both update and install calls in all apt-get invocations so mirror hangs fail fast rather than running until GitHub's 6-hour job limit. Also add timeout-minutes: 60 to the build job so a runaway step fails within an hour rather than silently consuming the full 6-hour default. 2026-02-25 12:29:20 +00:00			`RUN apt-get -o Acquire::http::Timeout=30 update \`
			`&& apt-get -o Acquire::http::Timeout=30 install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 ca-certificates \`
Add build from source 2020-06-01 13:51:24 +00:00			`&& rm -rf /var/lib/apt/lists/*`

			`# Copy bash scripts`
			`COPY gpgparams entrypoint.sh /protonmail/`

			`# Copy protonmail`
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`COPY --from=build /build/bridge /protonmail/`
			`COPY --from=build /build/proton-bridge /protonmail/`
			`COPY --from=build /build/vault-editor /protonmail/`
Add build from source 2020-06-01 13:51:24 +00:00
Fix v3.22.0 build, improve stability, and set up for community maintenance - Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135) - Make bridge binaries read-only to block built-in auto-updater at runtime - Add HEALTHCHECK to Dockerfile - Fix long-uptime stdin stability: replace cat pipe with sleep infinity - Clean up stale GPG agent sockets on container startup - Update maintainer label - Repoint build.yaml to dancwilliams Docker Hub and GHCR repos - Use clean version/latest tags (drop -build suffix) - Fix missing checkout in merge job - Add workflow_dispatch and pip install to update-check.yaml - Remove Gitee mirror workflow - Remove legacy deb build (Dockerfile, workflow, and deb/ directory) 2026-02-25 02:15:39 +00:00			`# Prevent the bridge's built-in auto-updater from replacing the container binary at runtime.`
			`# Version management is handled externally via the update-check workflow.`
			`RUN chmod -w /protonmail/bridge /protonmail/proton-bridge /protonmail/vault-editor`

Add build from source 2020-06-01 13:51:24 +00:00			`ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]`