protonmail-bridge-nextcoud-.../build/Dockerfile

# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).
# For the runtime stage we use debian:bookworm-slim for stable, predictable package names.
FROM debian:sid-slim AS build

ARG version

# Install build dependencies
RUN apt-get update && apt-get install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev

# Build
ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
WORKDIR /build/
RUN make build-nogui vault-editor

FROM debian:bookworm-slim
LABEL maintainer="Dan Williams <dancwilliams@github>"

EXPOSE 25/tcp
EXPOSE 143/tcp

# Monitor proton-bridge process health
HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \
  CMD bash -c "pgrep -f proton-bridge || exit 1"

# Install runtime dependencies
RUN apt-get update \
    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Copy bash scripts
COPY gpgparams entrypoint.sh /protonmail/

# Copy protonmail
COPY --from=build /build/bridge /protonmail/
COPY --from=build /build/proton-bridge /protonmail/
COPY --from=build /build/vault-editor /protonmail/

# Prevent the bridge's built-in auto-updater from replacing the container binary at runtime.
# Version management is handled externally via the update-check workflow.
RUN chmod -w /protonmail/bridge /protonmail/proton-bridge /protonmail/vault-editor

ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]
Stabilize runtime image, add PR-based version gating, drop arm/v7 Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason 2026-02-25 03:11:29 +00:00			`# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).`
			`# For the runtime stage we use debian:bookworm-slim for stable, predictable package names.`
fix builds by switching base layer to debian:sid-slim tested locally, works fine. debian has supported riscv64 in the sid image for some time. this is the same thing the carlosedp/golang image did. this also fixes the bug with the wrong glibc version, as the build container now uses the same glibc version as the final container. 2025-02-15 16:07:15 +00:00			`FROM debian:sid-slim AS build`
Add build from source 2020-06-01 13:51:24 +00:00
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`ARG version`

Stabilize runtime image, add PR-based version gating, drop arm/v7 Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason 2026-02-25 03:11:29 +00:00			`# Install build dependencies`
Fix v3.22.0 build, improve stability, and set up for community maintenance - Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135) - Make bridge binaries read-only to block built-in auto-updater at runtime - Add HEALTHCHECK to Dockerfile - Fix long-uptime stdin stability: replace cat pipe with sleep infinity - Clean up stale GPG agent sockets on container startup - Update maintainer label - Repoint build.yaml to dancwilliams Docker Hub and GHCR repos - Use clean version/latest tags (drop -build suffix) - Fix missing checkout in merge job - Add workflow_dispatch and pip install to update-check.yaml - Remove Gitee mirror workflow - Remove legacy deb build (Dockerfile, workflow, and deb/ directory) 2026-02-25 02:15:39 +00:00			`RUN apt-get update && apt-get install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev`
Add build from source 2020-06-01 13:51:24 +00:00
			`# Build`
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/`
Add build from source 2020-06-01 13:51:24 +00:00			`WORKDIR /build/`
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`RUN make build-nogui vault-editor`
Add build from source 2020-06-01 13:51:24 +00:00
Stabilize runtime image, add PR-based version gating, drop arm/v7 Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason 2026-02-25 03:11:29 +00:00			`FROM debian:bookworm-slim`
Fix v3.22.0 build, improve stability, and set up for community maintenance - Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135) - Make bridge binaries read-only to block built-in auto-updater at runtime - Add HEALTHCHECK to Dockerfile - Fix long-uptime stdin stability: replace cat pipe with sleep infinity - Clean up stale GPG agent sockets on container startup - Update maintainer label - Repoint build.yaml to dancwilliams Docker Hub and GHCR repos - Use clean version/latest tags (drop -build suffix) - Fix missing checkout in merge job - Add workflow_dispatch and pip install to update-check.yaml - Remove Gitee mirror workflow - Remove legacy deb build (Dockerfile, workflow, and deb/ directory) 2026-02-25 02:15:39 +00:00			`LABEL maintainer="Dan Williams <dancwilliams@github>"`
Add build from source 2020-06-01 13:51:24 +00:00
			`EXPOSE 25/tcp`
			`EXPOSE 143/tcp`

Fix v3.22.0 build, improve stability, and set up for community maintenance - Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135) - Make bridge binaries read-only to block built-in auto-updater at runtime - Add HEALTHCHECK to Dockerfile - Fix long-uptime stdin stability: replace cat pipe with sleep infinity - Clean up stale GPG agent sockets on container startup - Update maintainer label - Repoint build.yaml to dancwilliams Docker Hub and GHCR repos - Use clean version/latest tags (drop -build suffix) - Fix missing checkout in merge job - Add workflow_dispatch and pip install to update-check.yaml - Remove Gitee mirror workflow - Remove legacy deb build (Dockerfile, workflow, and deb/ directory) 2026-02-25 02:15:39 +00:00			`# Monitor proton-bridge process health`
			`HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \`
			`CMD bash -c "pgrep -f proton-bridge \|\| exit 1"`

Stabilize runtime image, add PR-based version gating, drop arm/v7 Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason 2026-02-25 03:11:29 +00:00			`# Install runtime dependencies`
Add build from source 2020-06-01 13:51:24 +00:00			`RUN apt-get update \`
Fix runtime deps: drop explicit libcbor0, libfido2-1 pulls it transitively 2026-02-25 02:36:42 +00:00			`&& apt-get install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 ca-certificates \`
Add build from source 2020-06-01 13:51:24 +00:00			`&& rm -rf /var/lib/apt/lists/*`

			`# Copy bash scripts`
			`COPY gpgparams entrypoint.sh /protonmail/`

			`# Copy protonmail`
improve build readability and speed (by parallelization) (#117) 2025-04-24 21:03:50 +00:00			`COPY --from=build /build/bridge /protonmail/`
			`COPY --from=build /build/proton-bridge /protonmail/`
			`COPY --from=build /build/vault-editor /protonmail/`
Add build from source 2020-06-01 13:51:24 +00:00
Fix v3.22.0 build, improve stability, and set up for community maintenance - Add libfido2-dev, libcbor-dev to build deps; libfido2-1, libcbor0 to runtime (fixes #135) - Make bridge binaries read-only to block built-in auto-updater at runtime - Add HEALTHCHECK to Dockerfile - Fix long-uptime stdin stability: replace cat pipe with sleep infinity - Clean up stale GPG agent sockets on container startup - Update maintainer label - Repoint build.yaml to dancwilliams Docker Hub and GHCR repos - Use clean version/latest tags (drop -build suffix) - Fix missing checkout in merge job - Add workflow_dispatch and pip install to update-check.yaml - Remove Gitee mirror workflow - Remove legacy deb build (Dockerfile, workflow, and deb/ directory) 2026-02-25 02:15:39 +00:00			`# Prevent the bridge's built-in auto-updater from replacing the container binary at runtime.`
			`# Version management is handled externally via the update-check workflow.`
			`RUN chmod -w /protonmail/bridge /protonmail/proton-bridge /protonmail/vault-editor`

Add build from source 2020-06-01 13:51:24 +00:00			`ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]`