diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index 706d0ee5d..5a2dc40b1 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -6,20 +6,47 @@ on:
 workflow_dispatch:
 jobs:
- delete-untagged-images:
+ delete-old-images-main:
 name: Delete Untagged Images
 runs-on: ubuntu-latest
 permissions:
 packages: write
 steps:
- - uses: dataaxiom/ghcr-cleanup-action@v1
+ - name: Fetch multi-platform package version SHAs
+ id: multi-arch-digests
+ run: |
+ package1=$(docker manifest inspect ghcr.io/sysadminsmedia/homebox | jq -r '.manifests.[] | .digest' | paste -s -d ' ' -)
+ echo "multi-arch-digests=$package1" >> $GITHUB_OUTPUT
+ - uses: snok/container-retention-policy@v3.0.0
 with:
- dry-run: false
- package: homebox
- delete-ghost-images: true
- delete-orphaned-images: true
- delete-partial-images: true
- delete-untagged: true
- # Make sure to update this to include the latest major tags
- exclude-tags: main,vnext,latest,0.*,1.*
- older-than: 3 months
+ skip-shas: ${{ steps.multi-arch-digests.outputs.multi-arch-digests }}
+ # The type of account. Can be either 'org' or 'personal'.
+ account: sysadminsmedia
+ # Image name to delete. Supports passing several names as a comma-separated list.
+ image-names: homebox
+ # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
+ cut-off: 90d
+ # Personal access token with read and delete scopes.
+ token: ${{ secrets.CLEANUP_PAT }}
+ # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
+ skip-tags: "!latest,!latest-rootless,!0.*,!0.*-rootless,!main,!main-rootless,!vnext,!vnext-rootless,!0,!0-rootless" # optional
+ # Do not actually delete images. Print output showing what would have been deleted.
+ dry-run: true # optional, default is false
+
+ delete-old-images-devcache:
+ name: Delete Cache Old Images
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - uses: snok/container-retention-policy@v3.0.0
+ with:
+ # The type of account. Can be either 'org' or 'personal'.
+ account: sysadminsmedia
+ image-names: devcache
+ # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
+ cut-off: 90d
+ # Personal access token with read and delete scopes.
+ token: ${{ secrets.CLEANUP_PAT }}
+ # Do not actually delete images. Print output showing what would have been deleted.
+ dry-run: true # optional, default is false
diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml
index 3639c64aa..cf009a0f1 100644
--- a/.github/workflows/docker-publish-rootless.yaml
+++ b/.github/workflows/docker-publish-rootless.yaml
@@ -101,7 +101,10 @@ jobs:
 build-args: |
 VERSION=${{ github.ref_name }}
 COMMIT=${{ github.sha }}
-
+ provenance: true
+ sbom: true
+ annotations: ${{ steps.meta.outputs.annotations }}
+
 - name: Export digest
 run: |
 mkdir -p /tmp/digests
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
index 83f305365..ef389606a 100644
--- a/.github/workflows/docker-publish.yaml
+++ b/.github/workflows/docker-publish.yaml
@@ -97,6 +97,9 @@ jobs: build-args: | VERSION=${{ github.ref_name }} COMMIT=${{ github.sha }} + provenance: true + sbom: true + annotations: ${{ steps.meta.outputs.annotations }} - name: Export digest run: |
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
index 866bf5602..37a1858ba 100644
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -67,7 +67,8 @@ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_pragma=busy_timeout=2000&_pragma=j # Install necessary runtime dependencies RUN apk --no-cache add ca-certificates wget -RUN addgroup -S nonroot && adduser -S nonroot -G nonroot +# Create a nonroot user with UID/GID 65532 +RUN addgroup -g 65532 nonroot && adduser -u 65532 -G nonroot -S nonroot # Create application directory and copy over built Go binary RUN mkdir /app
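Review bot: The `skip-shas` guard built in the `Fetch multi-platform package version SHAs` step fails open: the `run` block has no `pipefail`, so if `docker manifest inspect` errors (auth, rate limit, renamed image) `jq` and `paste` still exit 0, the output is an empty string, and the retention step runs with no protected digests — once `dry-run` is flipped back to `false` that would delete the per-platform children of the multi-arch manifests. Adding `shell: bash` to the step (GitHub then runs it with `-eo pipefail`) or a leading `set -euo pipefail` line makes that failure stop the job instead. The inspect also targets only the implicit `:latest` tag, so the children of the other tags protected by `skip-tags` (`main`, `vnext`, `0.*`, …) are not in `skip-shas`; if the action treats untagged child manifests as deletable, those tags would become partially unpullable after the 90-day cut-off, so either loop the inspect over each protected tag or confirm the action's multi-arch handling. The job name `Delete Untagged Images` no longer describes an age-based policy, and both new jobs ship with `dry-run: true`, presumably as a deliberate trial run before enabling deletion.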
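Review bot: `provenance: true` is the buildx shorthand for `mode=min`, which records almost no build materials; the only build args in this step are `VERSION` and `COMMIT` (visible just above), so `provenance: mode=max` would give verifiers the source, builder and argument details at no disclosure cost — the same applies to the identical lines in docker-publish.yaml. `annotations: ${{ steps.meta.outputs.annotations }}` depends on the `meta` step (outside this hunk) exposing an `annotations` output; an output the action does not define expands to an empty string rather than failing, so images would silently ship unannotated — confirm the docker/metadata-action release in use provides it. With `sbom` and `provenance` enabled the pushed index gains attestation manifests as extra untagged children, which the cleanup workflow changed in this same commit has to keep in `skip-shas` (the `docker manifest inspect` listing normally includes them). The build step itself starts before this hunk.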
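Review bot: The fixed UID/GID only pays off if the `USER` instruction and the ownership of `/app` and `/data` later in the Dockerfile (outside this hunk) use the same 65532 value; a numeric `USER 65532:65532` is also what lets Kubernetes `runAsNonRoot` verify the user without resolving the name from `/etc/passwd`. `addgroup` dropped the `-S` flag while `adduser` kept it; `RUN addgroup -S -g 65532 nonroot && adduser -S -u 65532 -G nonroot nonroot` keeps the pair consistent. The comment could also state the intent behind the specific number, e.g. `# Create a nonroot user with a fixed UID/GID (65532) so volume ownership stays stable across rebuilds`, assuming stable volume ownership is the motivation.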