From de993f37a4ca715c2dc66466eb20ab3f27183fcf Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Sun, 5 Jan 2025 21:12:18 -0500
Subject: [PATCH 01/10] Update clear-stale-docker-images.yml
---
 .../workflows/clear-stale-docker-images.yml | 52 +++++++++++++++----
 1 file changed, 41 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index 706d0ee5d..5f3ffb34e 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -6,20 +6,50 @@ on:
 workflow_dispatch:
 jobs:
- delete-untagged-images:
+ delete-old-images-main:
 name: Delete Untagged Images
 runs-on: ubuntu-latest
 permissions:
 packages: write
 steps:
- - uses: dataaxiom/ghcr-cleanup-action@v1
+ - uses: snok/container-retention-policy@v2.2.1
 with:
- dry-run: false
- package: homebox
- delete-ghost-images: true
- delete-orphaned-images: true
- delete-partial-images: true
- delete-untagged: true
- # Make sure to update this to include the latest major tags
- exclude-tags: main,vnext,latest,0.*,1.*
- older-than: 3 months
+ # The type of account. Can be either 'org' or 'personal'.
+ account-type: org
+ # The name of the organization. Only required if the account type is 'personal'.
+ org-name: sysadminsmedia # optional, default is
+ # Image name to delete. Supports passing several names as a comma-separated list.
+ image-names: homebox
+ # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
+ cut-off: 90 days ago UTC
+ # Personal access token with read and delete scopes.
+ token: ${{ secrets.GITHUB_CLEANUP_PAT }}
+ # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
+ skip-tags: latest,latest-rootless,0.*,0.*-rootless,main,main-rootless,vnext,vnext-rootless,0,0-rootless # optional
+ # Do not actually delete images. Print output showing what would have been deleted.
+ dry-run: true # optional, default is false
+ # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
+ token-type: pat # optional, default is pat
+
+ delete-old-images-devcache:
+ name: Delete Cache Old Images
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ steps:
+ - uses: snok/container-retention-policy@v2.2.1
+ with:
+ # The type of account. Can be either 'org' or 'personal'.
+ account-type: org
+ # The name of the organization. Only required if the account type is 'personal'.
+ org-name: sysadminsmedia # optional, default is
+ # Image name to delete. Supports passing several names as a comma-separated list.
+ image-names: devcache
+ # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
+ cut-off: 90 days ago UTC
+ # Personal access token with read and delete scopes.
+ token: ${{ secrets.GITHUB_CLEANUP_PAT }}
+ # Do not actually delete images. Print output showing what would have been deleted.
+ dry-run: true # optional, default is false
+ # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
+ token-type: pat # optional, default is pat
From ccb8961ed28e2fe05deafc664a5be30c2ca739c7 Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Sun, 5 Jan 2025 21:14:18 -0500
Subject: [PATCH 02/10] Update clear-stale-docker-images.yml
---
 .github/workflows/clear-stale-docker-images.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index 5f3ffb34e..048878ef6 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -23,7 +23,7 @@ jobs:
 # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
 cut-off: 90 days ago UTC
 # Personal access token with read and delete scopes.
- token: ${{ secrets.GITHUB_CLEANUP_PAT }}
+ token: ${{ secrets.CLEANUP_PAT }}
 # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
 skip-tags: latest,latest-rootless,0.*,0.*-rootless,main,main-rootless,vnext,vnext-rootless,0,0-rootless # optional
 # Do not actually delete images. Print output showing what would have been deleted.
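Review bot: Both new `uses: snok/container-retention-policy@v2.2.1` lines hand a PAT with package-delete scope to a third-party action pinned only by a mutable tag; pin to the release's full commit SHA instead (`uses: snok/container-retention-policy@FULL_COMMIT_SHA # v2.2.1`) so a moved tag cannot change the code that receives `secrets.GITHUB_CLEANUP_PAT`. Because the action authenticates with that PAT (`token-type: pat`), the job-level `permissions: packages: write` grant to `GITHUB_TOKEN` in both jobs is unused and should be reduced (`permissions: {}`) to keep the jobs least-privilege. The copied comment above `org-name:` also reads inverted — the organization name is what an `org` account needs — and its inline `# optional, default is` is cut off mid-sentence; I'd replace both with `# Organization that owns the package; required when account-type is 'org'.`.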
@@ -48,7 +48,7 @@ jobs:
 # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
 cut-off: 90 days ago UTC
 # Personal access token with read and delete scopes.
- token: ${{ secrets.GITHUB_CLEANUP_PAT }}
+ token: ${{ secrets.CLEANUP_PAT }}
 # Do not actually delete images. Print output showing what would have been deleted.
 dry-run: true # optional, default is false
 # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
From f635bb1084b20cf39cec562a920e10c06a3d75b5 Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Sun, 5 Jan 2025 21:16:44 -0500
Subject: [PATCH 03/10] Update clear-stale-docker-images.yml
---
 .github/workflows/clear-stale-docker-images.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index 048878ef6..e0f6f1a54 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -27,7 +27,7 @@ jobs:
 # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
 skip-tags: latest,latest-rootless,0.*,0.*-rootless,main,main-rootless,vnext,vnext-rootless,0,0-rootless # optional
 # Do not actually delete images. Print output showing what would have been deleted.
- dry-run: true # optional, default is false
+ dry-run: false # optional, default is false
 # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
 token-type: pat # optional, default is pat
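Review bot: Switching to `dry-run: false` makes deletion live with `skip-tags` as the only guard, and a tag-based exclusion does not cover the per-platform manifests a kept tag references, since those carry no tag of their own; if `homebox` is published as a multi-platform index (the later `Fetch multi-platform package version SHAs` step suggests it is), those digests become deletable once older than `cut-off` and pulls of `latest`, `main` or the `0.*` tags would start failing for the affected architectures. I would keep `dry-run: true` until one scheduled run's output has been checked for digests that a kept tag still references, and only then enable it. The same flip is applied to the `devcache` job in the next hunk.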
@@ -50,6 +50,6 @@ jobs:
 # Personal access token with read and delete scopes.
 token: ${{ secrets.CLEANUP_PAT }}
 # Do not actually delete images. Print output showing what would have been deleted.
- dry-run: true # optional, default is false
+ dry-run: false # optional, default is false
 # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
 token-type: pat # optional, default is pat
From da9d0681b8551de49fd2426520a7089d0b94c804 Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Sun, 5 Jan 2025 21:26:07 -0500
Subject: [PATCH 04/10] Update clear-stale-docker-images.yml
---
 .github/workflows/clear-stale-docker-images.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index e0f6f1a54..f1b5f08ae 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -12,8 +12,14 @@ jobs:
 permissions:
 packages: write
 steps:
+ - name: Fetch multi-platform package version SHAs
+ id: multi-arch-digests
+ run: |
+ package1=$(docker manifest inspect ghcr.io/sysadminsmedia/homebox | jq -r '.manifests.[] | .digest' | paste -s -d ' ' -)
+ echo "multi-arch-digests=$package1" >> $GITHUB_OUTPUT
 - uses: snok/container-retention-policy@v2.2.1
 with:
+ skip-shas: ${{ steps.multi-arch-digests.outputs.multi-arch-digests }}
 # The type of account. Can be either 'org' or 'personal'.
 account-type: org
 # The name of the organization. Only required if the account type is 'personal'.
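Review bot: The added `run:` step has no failure handling: if `docker manifest inspect` fails (the package requiring authentication, a rate limit, a network error) or jq rejects the filter, `package1` is empty, the step still exits 0, and `skip-shas` is passed empty, so the retention step runs without exactly the protection this step was meant to add. Add `set -euo pipefail`, fail when the digest list is empty, and quote `$GITHUB_OUTPUT`; `.manifests.[]` is also only accepted by newer jq releases, whereas `.manifests[]` works everywhere. The command inspects only the default tag of `ghcr.io/sysadminsmedia/homebox`, so per-platform digests behind `main`, `vnext`, the `0.*` releases and the `-rootless` tags listed in `skip-tags` are not collected; the skip list would need to be built over each kept tag to actually protect them. The step's `with:` block continues outside the hunk.
```yaml
        id: multi-arch-digests
        run: |
          set -euo pipefail
          package1=$(docker manifest inspect ghcr.io/sysadminsmedia/homebox | jq -r '.manifests[] | .digest' | paste -s -d ' ' -)
          [ -n "$package1" ] || { echo "no multi-platform digests found; refusing to run retention without skip-shas" >&2; exit 1; }
          echo "multi-arch-digests=$package1" >> "$GITHUB_OUTPUT"
```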
@@ -27,7 +33,7 @@ jobs:
 # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
 skip-tags: latest,latest-rootless,0.*,0.*-rootless,main,main-rootless,vnext,vnext-rootless,0,0-rootless # optional
 # Do not actually delete images. Print output showing what would have been deleted.
- dry-run: false # optional, default is false
+ dry-run: true # optional, default is false
 # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
 token-type: pat # optional, default is pat
From 08081d7abf9ddfb99084f550eddde0d312d3ba5a Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Sun, 5 Jan 2025 21:27:58 -0500
Subject: [PATCH 05/10] Update clear-stale-docker-images.yml
---
 .github/workflows/clear-stale-docker-images.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index f1b5f08ae..f3e9f8429 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -17,7 +17,7 @@ jobs:
 run: |
 package1=$(docker manifest inspect ghcr.io/sysadminsmedia/homebox | jq -r '.manifests.[] | .digest' | paste -s -d ' ' -)
 echo "multi-arch-digests=$package1" >> $GITHUB_OUTPUT
- - uses: snok/container-retention-policy@v2.2.1
+ - uses: snok/container-retention-policy@v3.0.0
 with:
 skip-shas: ${{ steps.multi-arch-digests.outputs.multi-arch-digests }}
 # The type of account. Can be either 'org' or 'personal'.
@@ -43,7 +43,7 @@ jobs:
 permissions:
 packages: write
 steps:
- - uses: snok/container-retention-policy@v2.2.1
+ - uses: snok/container-retention-policy@v3.0.0
 with:
 # The type of account. Can be either 'org' or 'personal'.
 account-type: org
From 4847d8d72b9fa1466068567a70745aac8cf6fb2c Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Mon, 6 Jan 2025 05:43:09 -0500
Subject: [PATCH 06/10] add docker sbom, provenance and annotations
---
 .github/workflows/docker-publish-rootless.yaml | 7 +++++--
 .github/workflows/docker-publish.yaml | 3 +++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml
index 3639c64aa..4d3f2f34b 100644
--- a/.github/workflows/docker-publish-rootless.yaml
+++ b/.github/workflows/docker-publish-rootless.yaml
@@ -101,8 +101,11 @@ jobs:
 build-args: |
 VERSION=${{ github.ref_name }}
 COMMIT=${{ github.sha }}
-
- - name: Export digest
+ provenance: true
+ sbom: true
+ annotations: ${{ steps.meta.outputs.annotations }}
+
+ - name: Export digest
 run: |
 mkdir -p /tmp/digests
 digest="${{ steps.build.outputs.digest }}"
diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
index 83f305365..ef389606a 100644
--- a/.github/workflows/docker-publish.yaml
+++ b/.github/workflows/docker-publish.yaml
@@ -97,6 +97,9 @@ jobs:
 build-args: |
 VERSION=${{ github.ref_name }}
 COMMIT=${{ github.sha }}
+ provenance: true
+ sbom: true
+ annotations: ${{ steps.meta.outputs.annotations }}
 - name: Export digest
 run: |
From 3919ed2e91613b120703a17b6f31f7a26d69e8ae Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Mon, 6 Jan 2025 05:46:02 -0500
Subject: [PATCH 07/10] Update docker-publish-rootless.yaml
---
 .github/workflows/docker-publish-rootless.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/docker-publish-rootless.yaml b/.github/workflows/docker-publish-rootless.yaml
index 4d3f2f34b..cf009a0f1 100644
--- a/.github/workflows/docker-publish-rootless.yaml
+++ b/.github/workflows/docker-publish-rootless.yaml
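Review bot: `provenance: true` on the build step emits the `mode=min` attestation, which records little beyond the builder and is of limited value to anyone verifying the image; since the only build args here are `VERSION` and `COMMIT`, nothing sensitive would be exposed by `provenance: mode=max`, which I'd use instead. `annotations: ${{ steps.meta.outputs.annotations }}` depends on the `meta` step outside this hunk, and the `Export digest` step below indicates the per-platform images are pushed by digest and merged into an index elsewhere, so annotations attached here land on the per-platform manifests; confirm the merge step applies index-level annotations too, or the final tag may not carry them. Note also that `sbom: true` and `provenance: true` add attestation manifests to the pushed index, so the digest-collection step added to `clear-stale-docker-images.yml` earlier in this series will, correctly, include them in `.manifests[]`. The same three lines are added to `docker-publish.yaml` in the second hunk of this commit.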
@@ -105,7 +105,7 @@ jobs:
 sbom: true
 annotations: ${{ steps.meta.outputs.annotations }}
- - name: Export digest
+ - name: Export digest
 run: |
 mkdir -p /tmp/digests
 digest="${{ steps.build.outputs.digest }}"
From a252f63ae88e0bbf47143774323741c8a3cecee0 Mon Sep 17 00:00:00 2001
From: Matt Kilgore
Date: Tue, 7 Jan 2025 19:55:05 -0500
Subject: [PATCH 08/10] Update to
---
 .github/workflows/clear-stale-docker-images.yml | 17 ++++------------
 1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index f3e9f8429..7457c102d 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -21,9 +21,7 @@ jobs:
 with:
 skip-shas: ${{ steps.multi-arch-digests.outputs.multi-arch-digests }}
 # The type of account. Can be either 'org' or 'personal'.
- account-type: org
- # The name of the organization. Only required if the account type is 'personal'.
- org-name: sysadminsmedia # optional, default is
+ account: sysadminsmedia
 # Image name to delete. Supports passing several names as a comma-separated list.
 image-names: homebox
 # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
@@ -31,11 +29,9 @@ jobs:
 # Personal access token with read and delete scopes.
 token: ${{ secrets.CLEANUP_PAT }}
 # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
- skip-tags: latest,latest-rootless,0.*,0.*-rootless,main,main-rootless,vnext,vnext-rootless,0,0-rootless # optional
+ skip-tags: "!latest,!latest-rootless,!0.*,!0.*-rootless,!main,!main-rootless,!vnext,!vnext-rootless,!0,!0-rootless" # optional
 # Do not actually delete images. Print output showing what would have been deleted.
 dry-run: true # optional, default is false
- # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
- token-type: pat # optional, default is pat
 delete-old-images-devcache:
 name: Delete Cache Old Images
@@ -46,16 +42,11 @@ jobs:
 - uses: snok/container-retention-policy@v3.0.0
 with:
 # The type of account. Can be either 'org' or 'personal'.
- account-type: org
- # The name of the organization. Only required if the account type is 'personal'.
- org-name: sysadminsmedia # optional, default is
- # Image name to delete. Supports passing several names as a comma-separated list.
+ account: sysadminsmedia
 image-names: devcache
 # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
 cut-off: 90 days ago UTC
 # Personal access token with read and delete scopes.
 token: ${{ secrets.CLEANUP_PAT }}
 # Do not actually delete images. Print output showing what would have been deleted.
- dry-run: false # optional, default is false
- # The token type. Can be either 'pat' or 'github-token'. If 'github-token', then image-names must the package name of repository from where this action is invoked.
- token-type: pat # optional, default is pat
+ dry-run: true # optional, default is false
From 25700c12da8d8c08189e3df33f68432cdee01593 Mon Sep 17 00:00:00 2001
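Review bot: `skip-tags` here, and `skip-shas` kept as context in the previous hunk, are v2 input names, while the action was moved to `snok/container-retention-policy@v3.0.0` earlier in this series; as far as I recall, v3 renamed these to `image-tags` (with the `!` exclusion syntax the new value already uses) and `shas-to-skip`, so please verify against the v3.0.0 action.yml. GitHub Actions does not fail a step on an input the action does not declare, it only logs an "Unexpected input(s)" warning, so with the old names both exclusion lists would be silently dropped and every `homebox`/`devcache` version older than `cut-off` would become a deletion candidate, with `dry-run: true` the only thing preventing it. Check that the dry-run log lists the tagged releases and the multi-platform digests as kept before turning `dry-run` off. The `account: sysadminsmedia` rename in both hunks does match v3, so only the two skip inputs look affected.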
From: Matt Kilgore
Date: Tue, 7 Jan 2025 19:56:38 -0500
Subject: [PATCH 09/10] Update cutoff
---
 .github/workflows/clear-stale-docker-images.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/clear-stale-docker-images.yml b/.github/workflows/clear-stale-docker-images.yml
index 7457c102d..5a2dc40b1 100644
--- a/.github/workflows/clear-stale-docker-images.yml
+++ b/.github/workflows/clear-stale-docker-images.yml
@@ -25,7 +25,7 @@ jobs:
 # Image name to delete. Supports passing several names as a comma-separated list.
 image-names: homebox
 # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
- cut-off: 90 days ago UTC
+ cut-off: 90d
 # Personal access token with read and delete scopes.
 token: ${{ secrets.CLEANUP_PAT }}
 # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
@@ -45,7 +45,7 @@ jobs:
 account: sysadminsmedia
 image-names: devcache
 # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
- cut-off: 90 days ago UTC
+ cut-off: 90d
 # Personal access token with read and delete scopes.
 token: ${{ secrets.CLEANUP_PAT }}
 # Do not actually delete images. Print output showing what would have been deleted.
From 44bdca8c212a6d4ae1e500e59d14587c9cadc17e Mon Sep 17 00:00:00 2001
From: Katos <7927609+katosdev@users.noreply.github.com>
Date: Wed, 8 Jan 2025 18:58:40 +0000
Subject: [PATCH 10/10] Update Dockerfile.rootless

Specify UID:GID of nonroot user to fix issue with rootless database
---
 Dockerfile.rootless | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile.rootless b/Dockerfile.rootless
index 866bf5602..37a1858ba 100644
--- a/Dockerfile.rootless
+++ b/Dockerfile.rootless
@@ -67,7 +67,8 @@ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_pragma=busy_timeout=2000&_pragma=j
 # Install necessary runtime dependencies
 RUN apk --no-cache add ca-certificates wget
-RUN addgroup -S nonroot && adduser -S nonroot -G nonroot
+# Create a nonroot user with UID/GID 65532
+RUN addgroup -g 65532 nonroot && adduser -u 65532 -G nonroot -S nonroot
 # Create application directory and copy over built Go binary
 RUN mkdir /app
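Review bot: The new `addgroup -g 65532 nonroot` drops the `-S` the replaced line used, so the group is now created as a regular rather than a system group; that is harmless at runtime but inconsistent with the `-S` kept on `adduser`, and `RUN addgroup -S -g 65532 nonroot && adduser -S -u 65532 -G nonroot nonroot` preserves both. A fixed UID/GID only resolves the rootless database problem the commit message describes if `/data` (the SQLite path in the hunk header's `HBOX_STORAGE_SQLITE_URL`) is owned or writable by 65532 at runtime; the `USER`, `VOLUME` and any `chown` lines are outside this hunk, so confirm the image chowns `/data` to `65532:65532`. Since the previous `adduser -S` picked a dynamically assigned UID, existing bind mounts were probably created under a different owner, which is worth calling out to users alongside this change.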