From fcebd8a198d40ad78f9479c235fb0f1791b0024b Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Tue, 24 Feb 2026 21:11:29 -0600 Subject: [PATCH] Stabilize runtime image, add PR-based version gating, drop arm/v7 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason
---
 .github/workflows/build.yaml | 4 +-
 .github/workflows/update-check.yaml | 3 +
 README.md | 2 +-
 build/Dockerfile | 9 +-
 update-check.py | 89 ++++++++++++++++++++++-------
 5 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 88373fd..3ad7480 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -10,13 +10,14 @@ on:
 paths:
 - .github/workflows/build.yaml
 - build/*
+ - VERSION
 workflow_dispatch:
 env:
 DOCKERHUB_REPO: dancwilliams/protonmail-bridge
 GHCR_REPO: ghcr.io/dancwilliams/protonmail-bridge-docker
 DOCKER_REPO_DEV: ghcr.io/dancwilliams/protonmail-bridge
- PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
+ PLATFORMS: linux/amd64,linux/arm64/v8,linux/riscv64
 jobs:
 test:
@@ -81,7 +82,6 @@ jobs:
 platform:
 - linux/amd64
 - linux/arm64/v8
- - linux/arm/v7
 - linux/riscv64
 steps:
 - name: Checkout
diff --git a/.github/workflows/update-check.yaml b/.github/workflows/update-check.yaml
index c6ee641..e7bf50b 100644
--- a/.github/workflows/update-check.yaml
+++ b/.github/workflows/update-check.yaml
@@ -24,4 +24,7 @@ jobs:
 - name: Install dependencies
 run: pip install requests
 - name: Check Update
+ env:
+ GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
+ GITHUB_REPOSITORY: ${{ github.repository }}
 run: python3 update-check.py ${{ github.event_name == 'pull_request' }}
diff --git a/README.md b/README.md
index 0dc5fbf..fc595dc 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ Images are built for the following platforms from source:
 |---|---|
 | `linux/amd64` | Yes |
 | `linux/arm64/v8` | Yes |
-| `linux/arm/v7` | Yes |
+| `linux/arm/v7` | No — upstream go-libfido2 dependency does not support 32-bit ARM as of v3.22.0 |
 | `linux/riscv64` | Yes |
 ## Tags
diff --git a/build/Dockerfile b/build/Dockerfile
index a4ed9d0..51b3681 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,9 +1,10 @@
-# The build image could be golang, but it currently does not support riscv64. Only debian:sid does, at the time of writing.
+# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).
+# For the runtime stage we use debian:bookworm-slim for stable, predictable package names.
 FROM debian:sid-slim AS build
 ARG version
-# Install dependencies
+# Install build dependencies
 RUN apt-get update && apt-get install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev
 # Build
@@ -11,7 +12,7 @@ ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
 WORKDIR /build/
 RUN make build-nogui vault-editor
-FROM debian:sid-slim
+FROM debian:bookworm-slim
 LABEL maintainer="Dan Williams "
 EXPOSE 25/tcp
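Review bot: The value exported as `GITHUB_TOKEN` in the new `env:` block is `secrets.PERSONAL_TOKEN`, a personal access token rather than the job-scoped token that name normally denotes, so a reader of update-check.py will assume a narrower blast radius than the credential actually has. Presumably the PAT is used because pull requests opened with the default job token would not trigger build.yaml; if so, record that next to the secret, e.g. `# PAT, not the job token: PRs opened with the default GITHUB_TOKEN would not trigger build.yaml. Scope it to this repository with Contents and Pull requests write access only.`. The script's `git push origin` authenticates with whatever credential the checkout step persisted, which is outside this hunk, so two identities are in play and a `permissions:` block on the job would make the first one explicit. The PAT is only read after the script's `pull_request` early exit, so fork PRs, which receive no secrets, are unaffected.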
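Review bot: The build stage still compiles and links against sid's glibc, libsecret and libfido2 while the runtime stage now ships bookworm's, so a binary produced under `FROM debian:sid-slim AS build` may require symbol versions or sonames that `FROM debian:bookworm-slim` does not provide and fail at load time rather than at build time; this applies to both Dockerfile hunks. The test job should run the built binary once inside the final image (or `ldd` it) so such a mismatch is caught before publication, or the build stage should move to a bookworm-based toolchain for the platforms that support it. Neither base image is pinned by digest, so the "stable, predictable package names" goal is only as stable as the `bookworm-slim` tag; `FROM debian:bookworm-slim@sha256:<digest>` (placeholder) would make runtime package resolution reproducible. A short comment above the runtime `FROM` stating that the two stages intentionally differ and why would spare the next maintainer from "fixing" it back.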
@@ -21,7 +22,7 @@ EXPOSE 143/tcp
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \
 CMD bash -c "pgrep -f proton-bridge || exit 1"
-# Install dependencies and protonmail bridge
+# Install runtime dependencies
 RUN apt-get update \
 && apt-get install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 ca-certificates \
 && rm -rf /var/lib/apt/lists/*
diff --git a/update-check.py b/update-check.py
index 19666d6..611dc7d 100644
--- a/update-check.py
+++ b/update-check.py
@@ -1,37 +1,84 @@
-import requests, os, sys
+import requests, os, sys, subprocess
 def git(command):
- return os.system(f"git {command}")
+ return os.system(f"git {command}")
+
+def git_output(command):
+ result = subprocess.run(f"git {command}", shell=True, capture_output=True, text=True)
+ return result.stdout.strip()
-release = requests.get("https://api.github.com/repos/protonmail/proton-bridge/releases/latest").json()
+# Get latest upstream release
+release = requests.get("https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest").json()
 version = release['tag_name']
-deb = [asset for asset in release ['assets'] if asset['name'].endswith('.deb')][0]['browser_download_url']
+print(f"Latest upstream release: {version}")
-print(f"Latest release is: {version}")
+# Read current version
+with open("VERSION", 'r') as f:
+ current_version = f.read().strip()
+if version == current_version:
+ print("Already up to date.")
+ exit(0)
+
+print(f"New version detected: {current_version} -> {version}")
+
+# Don't push anything during pull_request runs (used for testing this script itself)
+is_pull_request = len(sys.argv) > 1 and sys.argv[1] == "true"
+if is_pull_request:
+ print("Pull request run — skipping push.")
+ exit(0)
+
+# Write new version
 with open("VERSION", 'w') as f:
- f.write(version)
-
-with open("deb/PACKAGE", 'w') as f:
- f.write(deb)
+ f.write(version + "\n")
+# Configure git identity
 git("config --local user.name 'GitHub Actions'")
 git("config --local user.email 'actions@github.com'")
-git("add -A")
+# Create and push a branch for the version bump
+branch = f"bump/{version}"
+git(f"checkout -b {branch}")
+git("add VERSION")
+git(f'commit -m "Bump version to {version}"')
-if git("diff --cached --quiet") == 0: # Returns 0 if there are no changes
- print("Version didn't change")
- exit(0)
+if git(f"push origin {branch}") != 0:
+ print("Git push failed!")
+ exit(1)
-git(f"commit -m 'Bump version to {version}'")
-is_pull_request = sys.argv[1] == "true"
+# Open a pull request via GitHub API
+token = os.environ.get("GITHUB_TOKEN")
+repo = os.environ.get("GITHUB_REPOSITORY")
-if is_pull_request:
- print("This is a pull request, skipping push step.")
- exit(0)
+upstream_url = f"https://github.com/ProtonMail/proton-bridge/releases/tag/{version}"
-if git("push") != 0:
- print("Git push failed!")
- exit(1)
+pr_body = f"""\
+Automated version bump from `{current_version}` to `{version}`.
+
+**Before merging:**
+- Check the [upstream release notes]({upstream_url}) for any new system dependencies or breaking changes.
+- Confirm the test build below passes. If it fails, a new dependency likely needs to be added to the Dockerfile.
+
+This PR was opened automatically by the update-check workflow.
+"""
+
+response = requests.post(
+ f"https://api.github.com/repos/{repo}/pulls",
+ json={
+ "title": f"Bump version to {version}",
+ "body": pr_body,
+ "head": branch,
+ "base": "master",
+ },
+ headers={
+ "Authorization": f"token {token}",
+ "Accept": "application/vnd.github.v3+json",
+ },
+)
+
+if response.status_code == 201:
+ print(f"PR opened: {response.json()['html_url']}")
+else:
+ print(f"Failed to create PR: {response.status_code} {response.text}")
+ exit(1)
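Review bot: `version` is taken verbatim from the upstream release API's `tag_name` and interpolated into `git(f"checkout -b {branch}")`, `git(f'commit -m "Bump version to {version}"')` and `git(f"push origin {branch}")`, all of which go through `os.system`, and the new `git_output` helper uses `subprocess.run(..., shell=True)` the same way; git ref names may contain shell metacharacters, so an unexpected or tampered upstream response becomes shell input on the runner that holds the token. Run git as an argv list and refuse tag names that are not plain version strings before they reach git, the branch name or the PR title (the check below needs `import re` in the import line). `git_output` is not called anywhere in this hunk, so it can be dropped rather than kept alongside the safe helper. Separately, `requests.get(...).json()` has no `timeout=` and no status check, so an unauthenticated rate-limit response (a 403 body without `tag_name`) surfaces as a `KeyError` instead of a clear failure; `resp = requests.get(url, timeout=30); resp.raise_for_status(); release = resp.json()` would fix that.
```python
def git(*args):
    """Run one git command as an argv list (no shell) and return its exit code."""
    return subprocess.run(["git", *args]).returncode

# … unchanged: release lookup, VERSION comparison, pull_request early exit …

# Only plain version tags (e.g. v3.22.0) may reach git, the branch name and the PR title.
if not re.fullmatch(r"v?\d+(\.\d+){1,3}", version):
    print(f"Unexpected upstream tag name: {version!r}")
    exit(1)

# … unchanged: VERSION write …
git("config", "--local", "user.name", "GitHub Actions")
git("config", "--local", "user.email", "actions@github.com")
branch = f"bump/{version}"
git("checkout", "-b", branch)
git("add", "VERSION")
git("commit", "-m", f"Bump version to {version}")
if git("push", "origin", branch) != 0:
    print("Git push failed!")
    exit(1)
# … unchanged: PR creation …
```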