Mouws/protonmail-bridge-nextcoud-podman
1
0
Fork 1
mirror of https://github.com/shenxn/protonmail-bridge-docker.git synced 2026-03-26 21:35:58 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Simplify for GHCR-only builds, fix workflow bugs, remove deb/mirror/dockerhub

Browse Source
This commit is contained in:
Bishop 2026-02-12 15:44:43 -06:00
parent 97014ae98c
commit 06d6e3a816
11 changed files with 42 additions and 430 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.github/FUNDING.yml vendored
View File

@ -1,12 +0,0 @@
# These are supported funding model platforms
github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
custom: ['https://www.buymeacoffee.com/shenxn']

215
.github/workflows/build.yaml vendored
View File

@ -2,6 +2,7 @@ name: build from source
on:
push:
branches: [master]
paths:
- .github/workflows/build.yaml
- build/*
@ -13,105 +14,21 @@ on:
workflow_dispatch:
env:
GHCR_REPO: shenxn/protonmail-bridge-docker
DOCKERHUB_REPO: shenxn/protonmail-bridge
DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge
PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
GHCR_REPO: ghcr.io/${{ github.repository_owner }}/protonmail-bridge
jobs:
test:
runs-on: ubuntu-latest
if: github.ref != 'refs/heads/master'
steps:
- name: Checkout
uses: actions/checkout@master
- name: Set version
id: version
run: echo "version=`cat VERSION`" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKER_REPO_DEV }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Build and push by digest
id: build
uses: docker/build-push-action@v6
with:
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,"name=${{ env.DOCKER_REPO_DEV }}",push-by-digest=false,name-canonical=true,push=true
context: ./build
file: ./build/Dockerfile
tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}"
build-args: |
version=${{ env.version }}
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.30.0
with:
image-ref: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}"
format: 'sarif'
exit-code: 0
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
- name: Upload Trivy scan SARIF report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
build:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/master'
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64/v8
- linux/arm/v7
- linux/riscv64
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout
uses: actions/checkout@master
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
uses: actions/checkout@v4
- name: Set version
id: version
run: echo "version=`cat VERSION`" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_REPO }}
${{ env.GHCR_REPO }}
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
run: echo "version=$(cat VERSION)" >> $GITHUB_ENV
- name: Login to GHCR
uses: docker/login-action@v3
@ -120,113 +37,43 @@ jobs:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.GHCR_REPO }}
tags: |
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
type=raw,value=${{ env.version }}
- name: Build and push
uses: docker/build-push-action@v6
with:
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,"name=name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=false
context: ./build
file: ./build/Dockerfile
tags: |
"${{ env.DOCKERHUB_REPO }}:build"
"${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
"${{ env.GHCR_REPO }}:build"
"${{ env.GHCR_REPO }}:${{ env.version }}-build"
provenance: false
sbom: false
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
version=${{ env.version }}
- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
needs:
- build
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true
- name: Set version
id: version
run: echo "version=`cat VERSION`" >> $GITHUB_ENV
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ env.DOCKERHUB_REPO }}
${{ env.GHCR_REPO }}
tags: |
type=raw,enable=true,value=${{ env.version }}-build
type=raw,enable=true,suffix=,value=build
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *)
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scan
if: github.event_name != 'pull_request'
uses: aquasecurity/trivy-action@0.30.0
with:
image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
format: 'sarif'
image-ref: "${{ env.GHCR_REPO }}:${{ env.version }}"
format: sarif
exit-code: 0
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
severity: CRITICAL,HIGH
output: trivy-results.sarif
- name: Upload Trivy scan SARIF report
if: github.event_name != 'pull_request'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ steps.meta.outputs.version }}
sarif_file: trivy-results.sarif

79
.github/workflows/deb.yaml vendored
View File

@ -1,79 +0,0 @@
name: pack from deb
on:
push:
paths:
- .github/workflows/deb.yaml
- deb/*
- VERSION
pull_request:
paths:
- .github/workflows/deb.yaml
- deb/*
workflow_dispatch:
env:
DOCKER_REPO: shenxn/protonmail-bridge
DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge-dev
jobs:
deb:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@master
- name: Set version
id: version
run: echo "version=`cat VERSION`" >> $GITHUB_ENV
- name: Set repo
id: repo
run: if [[ $GITHUB_REF == "refs/heads/master" ]]; then echo "::set-output name=repo::${DOCKER_REPO}"; else echo "::set-output name=repo::${DOCKER_REPO_DEV}"; fi
- name: Docker meta
id: docker_meta
uses: crazy-max/ghaction-docker-meta@v1
with:
images: ${{ steps.repo.outputs.repo }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Build image without push
uses: docker/build-push-action@v2
with:
context: ./deb
file: ./deb/Dockerfile
load: true
tags: protonmail-bridge:latest
- name: Scan image
id: scan
uses: anchore/scan-action@v2
with:
image: protonmail-bridge:latest
fail-build: true
severity-cutoff: critical
acs-report-enable: true
- name: Upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Login to DockerHub
uses: docker/login-action@v1
if: ${{ github.event_name != 'pull_request' }}
with:
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Login to GitHub Container Registry
uses: docker/login-action@v1
if: ${{ github.event_name != 'pull_request' }}
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.CR_PAT }}
- name: Push image
uses: docker/build-push-action@v2
with:
context: ./deb
file: ./deb/Dockerfile
tags: |
${{ steps.repo.outputs.repo }}:latest
${{ steps.repo.outputs.repo }}:${{ env.version }}
labels: ${{ steps.docker_meta.outputs.labels }}
push: ${{ github.event_name != 'pull_request' }}

27
.github/workflows/mirror.yaml vendored
View File

@ -1,27 +0,0 @@
name: Mirroring
# yamllint disable-line rule:truthy
on:
push:
branches:
- master
- dev
jobs:
mirror_gitee:
name: Mirror to Gitee
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Push to Gitee
env:
SSH_KEY: ${{ secrets.GITEE_KEY }}
run: |
mkdir -p ~/.ssh
echo "${SSH_KEY}" > ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -l git"
git remote add gitee git@gitee.com:shenxn/protonmail-bridge-docker.git
git push --tags --force --prune gitee "refs/remotes/origin/*:refs/heads/*"

25
.github/workflows/update-check.yaml vendored
View File

@ -1,24 +1,19 @@
name: update check
on:
push:
paths:
- .github/workflows/update-check.yaml
- update-check.py
pull_request:
paths:
- .github/workflows/update-check.yaml
- update-check.py
schedule:
- cron: '0 0 * * *' # runs everyday at midnight
- cron: "0 0 * * *"
workflow_dispatch:
permissions:
contents: write
jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@master
with:
token: ${{ secrets.PERSONAL_TOKEN }}
- name: Check Update
run: python3 update-check.py ${{ github.event_name == 'pull_request' }}
- name: Checkout
uses: actions/checkout@v4
- name: Check for update
run: python3 update-check.py

28
deb/Dockerfile
View File

@ -1,28 +0,0 @@
### The Deb install is just a repack of the official ProtonMail Bridge deb package with less dependencies.
### I recommend you don't use this. It's here for legacy reasons.
FROM debian:sid-slim AS build
COPY install.sh PACKAGE /
RUN apt-get update && apt-get install -y wget binutils
# Repack deb (removes unnecessary dependencies and produces /protonmail.deb)
RUN bash /install.sh
FROM debian:sid-slim
LABEL maintainer="Simon Felding <sife@adm.ku.dk>"
EXPOSE 25/tcp
EXPOSE 143/tcp
WORKDIR /protonmail
# Copy bash scripts
COPY gpgparams entrypoint.sh PACKAGE /protonmail/
COPY --from=build /protonmail.deb /tmp/protonmail.deb
RUN apt-get update \
&& apt-get install -y --no-install-recommends /tmp/protonmail.deb socat pass libsecret-1-0 ca-certificates procps \
&& rm -rf /var/lib/apt/lists/*
CMD ["bash", "/protonmail/entrypoint.sh"]

1
deb/PACKAGE
View File

@ -1 +0,0 @@
https://github.com/ProtonMail/proton-bridge/releases/download/v3.22.0/protonmail-bridge_3.22.0-1_amd64.deb

49
deb/entrypoint.sh
View File

@ -1,49 +0,0 @@
#!/bin/bash
set -ex
# Initialize
if [[ $1 == init ]]; then
# # Parse parameters
# TFP="" # Default empty two factor passcode
# shift # skip `init`
# while [[ $# -gt 0 ]]; do
# key="$1"
# case $key in
# -u|--username)
# USERNAME="$2"
# ;;
# -p|--password)
# PASSWORD="$2"
# ;;
# -t|--twofactor)
# TWOFACTOR="$2"
# ;;
# esac
# shift
# shift
# done
# Initialize pass
gpg --generate-key --batch /protonmail/gpgparams
pass init pass-key
# Login
protonmail-bridge --cli
else
# socat will make the conn appear to come from 127.0.0.1
# ProtonMail Bridge currently expects that.
# It also allows us to bind to the real ports :)
socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
# Start protonmail
# Fake a terminal, so it does not quit because of EOF...
rm -f faketty
mkfifo faketty
cat faketty | protonmail-bridge --cli
fi

8
deb/gpgparams
View File

@ -1,8 +0,0 @@
%no-protection
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 2048
Name-Real: pass-key
Expire-Date: 0
%commit
%echo done

16
deb/install.sh
View File

@ -1,16 +0,0 @@
#!/bin/bash
set -ex
# Repack deb (remove unnecessary dependencies)
mkdir deb
wget -i /PACKAGE -O /deb/protonmail.deb
cd deb
ar x -v protonmail.deb
mkdir control
tar zxvf control.tar.gz -C control
sed -i "s/^Depends: .*$/Depends: libgl1, libc6, libsecret-1-0, libstdc++6, libgcc1/" control/control
cd control
tar zcvf ../control.tar.gz .
cd ../
ar rcs -v /protonmail.deb debian-binary control.tar.gz data.tar.gz

12
update-check.py
View File

@ -3,34 +3,24 @@ import requests, os, sys
def git(command):
return os.system(f"git {command}")
release = requests.get("https://api.github.com/repos/protonmail/proton-bridge/releases/latest").json()
version = release['tag_name']
deb = [asset for asset in release ['assets'] if asset['name'].endswith('.deb')][0]['browser_download_url']
print(f"Latest release is: {version}")
with open("VERSION", 'w') as f:
f.write(version)
with open("deb/PACKAGE", 'w') as f:
f.write(deb)
git("config --local user.name 'GitHub Actions'")
git("config --local user.email 'actions@github.com'")
git("add -A")
if git("diff --cached --quiet") == 0: # Returns 0 if there are no changes
if git("diff --cached --quiet") == 0:
print("Version didn't change")
exit(0)
git(f"commit -m 'Bump version to {version}'")
is_pull_request = sys.argv[1] == "true"
if is_pull_request:
print("This is a pull request, skipping push step.")
exit(0)
if git("push") != 0:
print("Git push failed!")