Mouws/protonmail-bridge-nextcoud-podman
1
0
Fork 1
mirror of https://github.com/shenxn/protonmail-bridge-docker.git synced 2026-03-26 21:35:58 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Split into two workflows: build (push/PR/dispatch) and scheduled-update (daily version check)

Browse Source
This commit is contained in:
Anton 2026-03-11 18:34:08 +00:00
parent 08380e548e
commit b8703845db
2 changed files with 173 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
.github/workflows/build.yaml vendored
View File

@ -9,47 +9,27 @@ on:
paths:
- .github/workflows/build.yaml
- build/*
schedule:
- cron: '0 6 * * *'
workflow_dispatch:
env:
GHCR_REPO: ghcr.io/trent-maetzold/protonmail-bridge
PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
jobs:
version-check:
resolve-version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.check.outputs.version }}
build_needed: ${{ steps.check.outputs.build_needed }}
version: ${{ steps.resolve.outputs.version }}
steps:
- name: Get latest upstream release
id: check
id: resolve
run: |
latest=$(curl -s https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest | jq -r '.tag_name')
echo "Latest upstream: $latest"
echo "version=$latest" >> $GITHUB_OUTPUT
if [[ "${{ github.event_name }}" == "schedule" ]]; then
# Check if we already have this version in GHCR
token=$(curl -s "https://ghcr.io/token?scope=repository:trent-maetzold/protonmail-bridge:pull" | jq -r '.token')
tags=$(curl -s -H "Authorization: Bearer $token" "https://ghcr.io/v2/trent-maetzold/protonmail-bridge/tags/list" | jq -r '.tags[]?' 2>/dev/null || echo "")
if echo "$tags" | grep -qx "${latest}-build"; then
echo "Version ${latest} already built"
echo "build_needed=false" >> $GITHUB_OUTPUT
else
echo "New version ${latest} detected"
echo "build_needed=true" >> $GITHUB_OUTPUT
fi
else
echo "build_needed=true" >> $GITHUB_OUTPUT
fi
test:
runs-on: ubuntu-latest
needs: version-check
if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/master')
needs: resolve-version
if: github.event_name == 'pull_request'
steps:
- name: Checkout
uses: actions/checkout@v4
@ -81,7 +61,7 @@ jobs:
tags: "${{ env.GHCR_REPO }}:dev-${{ github.ref_name }}"
push: true
build-args: |
version=${{ needs.version-check.outputs.version }}
version=${{ needs.resolve-version.outputs.version }}
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.30.0
@ -99,14 +79,8 @@ jobs:
build:
runs-on: ubuntu-latest
needs: version-check
if: |
(github.event_name != 'pull_request') &&
(
(github.event_name == 'push' && github.ref == 'refs/heads/master') ||
(github.event_name == 'workflow_dispatch') ||
(github.event_name == 'schedule' && needs.version-check.outputs.build_needed == 'true')
)
needs: resolve-version
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
strategy:
fail-fast: false
matrix:
@ -155,7 +129,7 @@ jobs:
provenance: false
sbom: false
build-args: |
version=${{ needs.version-check.outputs.version }}
version=${{ needs.resolve-version.outputs.version }}
- name: Export digest
run: |
@ -174,7 +148,7 @@ jobs:
merge:
runs-on: ubuntu-latest
needs:
- version-check
- resolve-version
- build
steps:
- name: Download digests
@ -202,7 +176,7 @@ jobs:
with:
images: ${{ env.GHCR_REPO }}
tags: |
type=raw,enable=true,value=${{ needs.version-check.outputs.version }}-build
type=raw,enable=true,value=${{ needs.resolve-version.outputs.version }}-build
type=raw,enable=true,value=build
type=raw,enable=true,value=latest
@ -215,7 +189,7 @@ jobs:
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.30.0
with:
image-ref: "${{ env.GHCR_REPO }}:${{ needs.version-check.outputs.version }}-build"
image-ref: "${{ env.GHCR_REPO }}:${{ needs.resolve-version.outputs.version }}-build"
format: 'sarif'
exit-code: 0
severity: 'CRITICAL,HIGH'
@ -228,4 +202,4 @@ jobs:
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ needs.version-check.outputs.version }}-build
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ needs.resolve-version.outputs.version }}-build

160
.github/workflows/scheduled-update.yaml vendored Normal file
View File

@ -0,0 +1,160 @@
name: scheduled version check
on:
schedule:
- cron: '0 6 * * *'
env:
GHCR_REPO: ghcr.io/trent-maetzold/protonmail-bridge
jobs:
check:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.check.outputs.version }}
build_needed: ${{ steps.check.outputs.build_needed }}
steps:
- name: Check for new upstream version
id: check
run: |
latest=$(curl -s https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest | jq -r '.tag_name')
echo "Latest upstream: $latest"
echo "version=$latest" >> $GITHUB_OUTPUT
token=$(curl -s "https://ghcr.io/token?scope=repository:trent-maetzold/protonmail-bridge:pull" | jq -r '.token')
tags=$(curl -s -H "Authorization: Bearer $token" "https://ghcr.io/v2/trent-maetzold/protonmail-bridge/tags/list" | jq -r '.tags[]?' 2>/dev/null || echo "")
if echo "$tags" | grep -qx "${latest}-build"; then
echo "Version ${latest} already built"
echo "build_needed=false" >> $GITHUB_OUTPUT
else
echo "New version ${latest} detected"
echo "build_needed=true" >> $GITHUB_OUTPUT
fi
build:
needs: check
if: needs.check.outputs.build_needed == 'true'
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64/v8
- linux/arm/v7
- linux/riscv64
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Prepare
run: |
platform=${{ matrix.platform }}
echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.GHCR_REPO }}
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
uses: docker/build-push-action@v6
with:
platforms: ${{ matrix.platform }}
labels: ${{ steps.meta.outputs.labels }}
outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true
context: ./build
file: ./build/Dockerfile
provenance: false
sbom: false
build-args: |
version=${{ needs.check.outputs.version }}
- name: Export digest
run: |
mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}"
- name: Upload digest
uses: actions/upload-artifact@v4
with:
name: digests-${{ env.PLATFORM_PAIR }}
path: ${{ runner.temp }}/digests/*
if-no-files-found: error
retention-days: 1
merge:
runs-on: ubuntu-latest
needs:
- check
- build
steps:
- name: Download digests
uses: actions/download-artifact@v4
with:
path: ${{ runner.temp }}/digests
pattern: digests-*
merge-multiple: true
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.GHCR_REPO }}
tags: |
type=raw,enable=true,value=${{ needs.check.outputs.version }}-build
type=raw,enable=true,value=build
type=raw,enable=true,value=latest
- name: Create manifest list and push
working-directory: ${{ runner.temp }}/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.GHCR_REPO }}@sha256:%s ' *)
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@0.30.0
with:
image-ref: "${{ env.GHCR_REPO }}:${{ needs.check.outputs.version }}-build"
format: 'sarif'
exit-code: 0
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
- name: Upload Trivy scan SARIF report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
- name: Inspect image
run: |
docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ needs.check.outputs.version }}-build