Stabilize runtime image, add PR-based version gating, drop arm/v7

Dockerfile: - Keep build stage on debian:sid-slim (required for riscv64 Go support) - Switch runtime stage to debian:bookworm-slim for stable, predictable package names — eliminates the libcbor0 class of breakage for users update-check.py: - Create a branch and open a PR instead of pushing directly to master - PR body links to upstream release notes and prompts review of new dependencies before merge - Remove dead deb/PACKAGE code build.yaml: - Drop linux/arm/v7 — upstream go-libfido2 is incompatible with 32-bit ARM address space as of v3.22.0; not fixable without upstream changes - Add VERSION to pull_request trigger paths so the test job builds and validates every version bump PR before it can be merged update-check.yaml: - Pass GITHUB_TOKEN and GITHUB_REPOSITORY to script for PR creation README.md: - Document arm/v7 as unsupported with reason
2026-03-26 21:35:58 +00:00 · 2026-02-24 21:11:29 -06:00 · 2026-02-24 21:11:29 -06:00 · fcebd8a198
commit fcebd8a198
parent 152ddbc05b
5 changed files with 79 additions and 28 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -10,13 +10,14 @@ on:
    paths:
      - .github/workflows/build.yaml
      - build/*
      - VERSION
  workflow_dispatch:
 env:
  DOCKERHUB_REPO: dancwilliams/protonmail-bridge
  GHCR_REPO: ghcr.io/dancwilliams/protonmail-bridge-docker
  DOCKER_REPO_DEV: ghcr.io/dancwilliams/protonmail-bridge
-  PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
+  PLATFORMS: linux/amd64,linux/arm64/v8,linux/riscv64
 jobs:
  test:
@ -81,7 +82,6 @@ jobs:
        platform:
          - linux/amd64
          - linux/arm64/v8
          - linux/arm/v7
          - linux/riscv64
    steps:
      - name: Checkout
--- a/.github/workflows/update-check.yaml
+++ b/.github/workflows/update-check.yaml
@ -24,4 +24,7 @@ jobs:
    - name: Install dependencies
      run: pip install requests
    - name: Check Update
      env:
        GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
        GITHUB_REPOSITORY: ${{ github.repository }}
      run: python3 update-check.py ${{ github.event_name == 'pull_request' }}
--- a/README.md
+++ b/README.md
@ -30,7 +30,7 @@ Images are built for the following platforms from source:
 |---|---|
 | `linux/amd64` | Yes |
 | `linux/arm64/v8` | Yes |
-| `linux/arm/v7` | Yes |
+| `linux/arm/v7` | No — upstream go-libfido2 dependency does not support 32-bit ARM as of v3.22.0 |
 | `linux/riscv64` | Yes |
 ## Tags
--- a/build/Dockerfile
+++ b/build/Dockerfile
@ -1,9 +1,10 @@
-# The build image could be golang, but it currently does not support riscv64. Only debian:sid does, at the time of writing.
+# debian:sid-slim is required for the build stage to support riscv64 (golang:bookworm does not).
 # For the runtime stage we use debian:bookworm-slim for stable, predictable package names.
 FROM debian:sid-slim AS build
 ARG version
-# Install dependencies
+# Install build dependencies
 RUN apt-get update && apt-get install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev
 # Build
@ -11,7 +12,7 @@ ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
 WORKDIR /build/
 RUN make build-nogui vault-editor
-FROM debian:sid-slim
+FROM debian:bookworm-slim
 LABEL maintainer="Dan Williams <dancwilliams@github>"
 EXPOSE 25/tcp
@ -21,7 +22,7 @@ EXPOSE 143/tcp
 HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \
  CMD bash -c "pgrep -f proton-bridge || exit 1"
-# Install dependencies and protonmail bridge
+# Install runtime dependencies
 RUN apt-get update \
    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 ca-certificates \
    && rm -rf /var/lib/apt/lists/*
--- a/update-check.py
+++ b/update-check.py
@ -1,37 +1,84 @@
-import requests, os, sys
+import requests, os, sys, subprocess
 def git(command):
    return os.system(f"git {command}")
 def git_output(command):
    result = subprocess.run(f"git {command}", shell=True, capture_output=True, text=True)
    return result.stdout.strip()
-release = requests.get("https://api.github.com/repos/protonmail/proton-bridge/releases/latest").json()
+
 # Get latest upstream release
 release = requests.get("https://api.github.com/repos/ProtonMail/proton-bridge/releases/latest").json()
 version = release['tag_name']
-deb = [asset for asset in release ['assets'] if asset['name'].endswith('.deb')][0]['browser_download_url']
+print(f"Latest upstream release: {version}")
-print(f"Latest release is: {version}")
+# Read current version
 with open("VERSION", 'r') as f:
    current_version = f.read().strip()
 if version == current_version:
    print("Already up to date.")
    exit(0)
 print(f"New version detected: {current_version} -> {version}")
 # Don't push anything during pull_request runs (used for testing this script itself)
 is_pull_request = len(sys.argv) > 1 and sys.argv[1] == "true"
 if is_pull_request:
    print("Pull request run — skipping push.")
    exit(0)
 # Write new version
 with open("VERSION", 'w') as f:
-  f.write(version)
+    f.write(version + "\n")
 with open("deb/PACKAGE", 'w') as f:
  f.write(deb)
 # Configure git identity
 git("config --local user.name 'GitHub Actions'")
 git("config --local user.email 'actions@github.com'")
-git("add -A")
+# Create and push a branch for the version bump
 branch = f"bump/{version}"
 git(f"checkout -b {branch}")
 git("add VERSION")
 git(f'commit -m "Bump version to {version}"')
-if git("diff --cached --quiet") == 0: # Returns 0 if there are no changes
+if git(f"push origin {branch}") != 0:
  print("Version didn't change")
  exit(0)
 git(f"commit -m 'Bump version to {version}'")
 is_pull_request = sys.argv[1] == "true"
 if is_pull_request:
  print("This is a pull request, skipping push step.")
  exit(0)
 if git("push") != 0:
    print("Git push failed!")
    exit(1)
 # Open a pull request via GitHub API
 token = os.environ.get("GITHUB_TOKEN")
 repo  = os.environ.get("GITHUB_REPOSITORY")
 upstream_url = f"https://github.com/ProtonMail/proton-bridge/releases/tag/{version}"
 pr_body = f"""\
 Automated version bump from `{current_version}` to `{version}`.
 **Before merging:**
 - Check the [upstream release notes]({upstream_url}) for any new system dependencies or breaking changes.
 - Confirm the test build below passes. If it fails, a new dependency likely needs to be added to the Dockerfile.
 This PR was opened automatically by the update-check workflow.
 """
 response = requests.post(
    f"https://api.github.com/repos/{repo}/pulls",
    json={
        "title": f"Bump version to {version}",
        "body": pr_body,
        "head": branch,
        "base": "master",
    },
    headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github.v3+json",
    },
 )
 if response.status_code == 201:
    print(f"PR opened: {response.json()['html_url']}")
 else:
    print(f"Failed to create PR: {response.status_code} {response.text}")
    exit(1)