Stabilize runtime image, add PR-based version gating, drop arm/v7

Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason
2026-03-26 21:35:58 +00:00 · 2026-02-24 21:11:29 -06:00 · 2026-02-24 21:11:29 -06:00 · fcebd8a198
commit fcebd8a198
parent 152ddbc05b
5 changed files with 79 additions and 28 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -10,13 +10,14 @@ on:
    paths:
      - .github/workflows/build.yaml
      - build/*
+      - VERSION
  workflow_dispatch:

 env:
  DOCKERHUB_REPO: dancwilliams/protonmail-bridge
  GHCR_REPO: ghcr.io/dancwilliams/protonmail-bridge-docker
  DOCKER_REPO_DEV: ghcr.io/dancwilliams/protonmail-bridge
-  PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
+  PLATFORMS: linux/amd64,linux/arm64/v8,linux/riscv64

 jobs:
  test:
@ -81,7 +82,6 @@ jobs:
        platform:
          - linux/amd64
          - linux/arm64/v8
-          - linux/arm/v7
          - linux/riscv64
    steps:
      - name: Checkout
--- a/.github/workflows/update-check.yaml
+++ b/.github/workflows/update-check.yaml
@ -24,4 +24,7 @@ jobs:
    - name: Install dependencies
      run: pip install requests
    - name: Check Update
+      env:
+        GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
+        GITHUB_REPOSITORY: ${{ github.repository }}
      run: python3 update-check.py ${{ github.event_name == 'pull_request' }}
--- a/README.md
+++ b/README.md
@ -30,7 +30,7 @@ Images are built for the following platforms from source:
 |---|---|
 | `linux/amd64` | Yes |
 | `linux/arm64/v8` | Yes |
-| `linux/arm/v7` | Yes |
+| `linux/arm/v7` | No — upstream go-libfido2 dependency does not support 32-bit ARM as of v3.22.0 |
 | `linux/riscv64` | Yes |

 ## Tags
--- a/build/Dockerfile
+++ b/build/Dockerfile
@ -1,9 +1,10 @@
-# The build image could be golang, but it currently does not support riscv64. Only debian:sid does, at the time of writing.
+# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).
+# For the runtime stage we use debian:bookworm-slim for stable, predictable package names.
 FROM debian:sid-slim AS build

 ARG version

-# Install dependencies
+# Install build dependencies
 RUN apt-get update && apt-get install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev

 # Build
@ -11,7 +12,7 @@ ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
 WORKDIR /build/
 RUN make build-nogui vault-editor

-FROM debian:sid-slim
+FROM debian:bookworm-slim
 LABEL maintainer="Dan Williams <dancwilliams@github>"

 EXPOSE 25/tcp
@ -21,7 +22,7 @@ EXPOSE 143/tcp
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \
  CMD bash -c "pgrep -f proton-bridge || exit 1"

-# Install dependencies and protonmail bridge
+# Install runtime dependencies
 RUN apt-get update \
    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 ca-certificates \
    && rm -rf /var/lib/apt/lists/*
--- a/update-check.py
+++ b/update-check.py
@ -1,37 +1,84 @@
-import requests, os, sys
+import requests, os, sys, subprocess

 def git(command):
-  return os.system(f"git {command}")
+    return os.system(f"git {command}")
+
+def git_output(command):
+    result = subprocess.run(f"git {command}", shell=True, capture_output=True, text=True)
+    return result.stdout.strip()


-release = requests.get("https://api.github.com/repos/protonmail/proton-bridge/releases/latest").json()
+# Get latest upstream release
+release = requests.get("https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest").json()
 version = release['tag_name']
-deb = [asset for asset in release ['assets'] if asset['name'].endswith('.deb')][0]['browser_download_url']
+print(f"Latest upstream release: {version}")

-print(f"Latest release is: {version}")
+# Read current version
+with open("VERSION", 'r') as f:
+    current_version = f.read().strip()

+if version == current_version:
+    print("Already up to date.")
+    exit(0)
+
+print(f"New version detected: {current_version} -> {version}")
+
+# Don't push anything during pull_request runs (used for testing this script itself)
+is_pull_request = len(sys.argv) > 1 and sys.argv[1] == "true"
+if is_pull_request:
+    print("Pull request run — skipping push.")
+    exit(0)
+
+# Write new version
 with open("VERSION", 'w') as f:
-  f.write(version)
-
-with open("deb/PACKAGE", 'w') as f:
-  f.write(deb)
+    f.write(version + "\n")

+# Configure git identity
 git("config --local user.name 'GitHub Actions'")
 git("config --local user.email 'actions@github.com'")

-git("add -A")
+# Create and push a branch for the version bump
+branch = f"bump/{version}"
+git(f"checkout -b {branch}")
+git("add VERSION")
+git(f'commit -m "Bump version to {version}"')

-if git("diff --cached --quiet") == 0: # Returns 0 if there are no changes
-  print("Version didn't change")
-  exit(0)
+if git(f"push origin {branch}") != 0:
+    print("Git push failed!")
+    exit(1)

-git(f"commit -m 'Bump version to {version}'")
-is_pull_request = sys.argv[1] == "true"
+# Open a pull request via GitHub API
+token = os.environ.get("GITHUB_TOKEN")
+repo  = os.environ.get("GITHUB_REPOSITORY")

-if is_pull_request:
-  print("This is a pull request, skipping push step.")
-  exit(0)
+upstream_url = f"https://github.com/ProtonMail/proton-bridge/releases/tag/{version}"

-if git("push") != 0:
-  print("Git push failed!")
-  exit(1)
+pr_body = f"""\
+Automated version bump from `{current_version}` to `{version}`.
+
+**Before merging:**
+- Check the [upstream release notes]({upstream_url}) for any new system dependencies or breaking changes.
+- Confirm the test build below passes. If it fails, a new dependency likely needs to be added to the Dockerfile.
+
+This PR was opened automatically by the update-check workflow.
+"""
+
+response = requests.post(
+    f"https://api.github.com/repos/{repo}/pulls",
+    json={
+        "title": f"Bump version to {version}",
+        "body": pr_body,
+        "head": branch,
+        "base": "master",
+    },
+    headers={
+        "Authorization": f"token {token}",
+        "Accept": "application/vnd.github.v3+json",
+    },
+)
+
+if response.status_code == 201:
+    print(f"PR opened: {response.json()['html_url']}")
+else:
+    print(f"Failed to create PR: {response.status_code} {response.text}")
+    exit(1)