From 744434b290a080b0e777b0dc7e0de01e2b7cbe0c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 08:08:29 +0000 Subject: [PATCH 1/7] Bump python in the docker-dependencies group Bumps the docker-dependencies group with 1 update: python. Updates `python` from 3.14.1-alpine3.22 to 3.14.3-alpine3.22 --- updated-dependencies: - dependency-name: python dependency-version: 3.14.3-alpine3.22 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: docker-dependencies ... Signed-off-by: dependabot[bot] --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 1f364fd..3f0657c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ # syntax=docker/dockerfile:1 ARG webchanges_tag=v3.34.1 -FROM python:3.14.1-alpine3.22 AS builder +FROM python:3.14.3-alpine3.22 AS builder ARG webchanges_tag ENV PYTHONUTF8=1 From 234857429d9fdf1a60782a56c784fe978ce16cf1 Mon Sep 17 00:00:00 2001 From: yubiuser Date: Mon, 16 Mar 2026 10:37:39 +0100 Subject: [PATCH 2/7] Pin base images by sha to address silent rebuilds Signed-off-by: yubiuser --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3f0657c..465d557 100644 --- a/Dockerfile +++ b/Dockerfile @@ -60,7 +60,7 @@ RUN python3 -m PyInstaller -F --strip webchanges.py -FROM alpine:3.23 AS deploy +FROM alpine:3.23.3@sha256:a76a5883dc20c193bd6eb522e940c5d3979ab4af8011d5972a928fb7156fcb9e AS deploy ENV APP_USER=webchanges ENV PYTHONUTF8=1 RUN apk add --no-cache tini From 778d59c653a82e41ae55dfd03b1e729c648d8a6e Mon Sep 17 00:00:00 2001 From: yubiuser Date: Mon, 16 Mar 2026 11:13:14 +0100 Subject: [PATCH 3/7] Use https://github.com/docker/github-builder to build and publish images Signed-off-by: yubiuser --- .github/workflows/ci.yaml | 147 +++++++++----------------------------- 1 file changed, 33 insertions(+), 114 deletions(-) 
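Review bot: The digest pin added on the `FROM alpine:3.23.3@sha256:… AS deploy` line covers only the final stage; the `FROM python:3.14.3-alpine3.22 AS builder` line bumped in the preceding patch stays tag-only, so the stage that runs `python3 -m PyInstaller -F --strip webchanges.py` and produces the shipped binary can still be rebuilt from a silently replaced image, which is the problem the commit title says it addresses. Pinning it the same way, `FROM python:3.14.3-alpine3.22@sha256:<index digest> AS builder`, closes that gap, and Dependabot keeps the tag and digest moving together when both are written in the `tag@sha256:` form. Because the CI builds linux/amd64 and linux/arm64, the digest has to be the multi-arch manifest-list digest rather than a single-platform manifest digest; a comment above each pinned FROM naming how it was obtained, e.g. `# index digest from: docker buildx imagetools inspect alpine:3.23.3`, would let the next reviewer verify it without guessing.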
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 1d4605d..58b6220 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -12,123 +12,42 @@ on: env: REGISTRY_IMAGE: ghcr.io/yubiuser/webchanges +permissions: + contents: read + jobs: + build-prepare: + runs-on: ubuntu-24.04 + outputs: + REGISTRY_IMAGE: ${{ env.REGISTRY_IMAGE }} + steps: + # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671 + - run: echo "Exposing env vars for reusable workflow" build: - runs-on: ${{ matrix.runner }} + uses: docker/github-builder/.github/workflows/build.yml@v1.2.0 permissions: contents: read - packages: write - strategy: - fail-fast: true - matrix: - include: - - platform: linux/amd64 - runner: ubuntu-latest - - platform: linux/arm64 - runner: ubuntu-24.04-arm - steps: - - - name: Prepare name for digest up/download - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV - - - - name: Checkout Code - uses: actions/checkout@v6.0.2 - - - - name: Set up QEMU - uses: docker/setup-qemu-action@v4.0.0 - - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4.0.0 - - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v6 - with: - images: | - ${{ env.REGISTRY_IMAGE }} - - - name: Login to GitHub Container Registry - uses: docker/login-action@v4.0.0 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - - name: Build and push Docker image - uses: docker/build-push-action@v7.0.0 - id: build - with: - context: . 
- platforms: ${{ matrix.platform }} - labels: ${{ steps.meta.outputs.labels }} - provenance: false - outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=${{ github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' }} - - - name: Export digest - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - name: Upload digest - uses: actions/upload-artifact@v7.0.0 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: /tmp/digests/* - if-no-files-found: error - retention-days: 1 - - merge: - runs-on: ubuntu-latest + packages: write # required to push to GHCR + id-token: write # for signing attestation(s) with GitHub OIDC Token needs: - - build - if: | - github.actor != 'dependabot[bot]' - && ( github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' ) - permissions: - contents: read - packages: write - steps: - - name: Download digests - uses: actions/download-artifact@v8.0.1 - with: - path: /tmp/digests - pattern: digests-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4.0.0 - - name: Docker meta - id: meta - uses: docker/metadata-action@v6 - with: - images: | - ${{ env.REGISTRY_IMAGE }} - tags: | - type=semver,pattern={{version}} - type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=sha,enable=${{ github.event_name == 'workflow_dispatch' }} - type=ref,event=pr - type=ref,event=branch - - name: Login to GitHub Container Registry - uses: docker/login-action@v4.0.0 - with: - registry: ghcr.io + - build-prepare + with: + runner: auto + distribute: true + setup-qemu: true + output: image + push: ${{ github.actor != 'dependabot[bot]' && ( github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || 
github.event_name == 'release' ) }} + meta-images: ${{ needs.build-prepare.outputs.REGISTRY_IMAGE }} + meta-tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=sha,enable=${{ github.event_name == 'workflow_dispatch' }} + type=ref,event=pr + type=ref,event=branch + platforms: linux/amd64,linux/arm64 + secrets: + registry-auths: | + - registry: ghcr.io username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Create manifest list and push - working-directory: /tmp/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *) - - name: Inspect image - run: | - docker buildx imagetools inspect --raw ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }} - + password: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From e9682abcd402c0f2bef3c2c435149e2196420266 Mon Sep 17 00:00:00 2001 From: yubiuser Date: Mon, 16 Mar 2026 11:47:14 +0100 Subject: [PATCH 4/7] Disable signing to prevent sha tag-spam in the GHCR Signed-off-by: yubiuser --- .github/workflows/ci.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 58b6220..0aa16b1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -46,6 +46,8 @@ jobs: type=ref,event=pr type=ref,event=branch platforms: linux/amd64,linux/arm64 + # FIXME: GHCR does not support the referrers API and spams the registry with sha-tagged images when cosigned: https://github.com/docker/github-builder/issues/109 + sign: false secrets: registry-auths: | - registry: ghcr.io From 7a6b4aebd06e250e9a470185ba1d51bf178ff51d Mon Sep 17 00:00:00 2001 From: yubiuser Date: Mon, 16 Mar 2026 12:02:55 +0100 Subject: [PATCH 5/7] Add caching Signed-off-by: yubiuser --- .github/workflows/ci.yaml | 2 ++ 1 file changed, 2 insertions(+) 
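Review bot: `uses: docker/github-builder/.github/workflows/build.yml@v1.2.0` pulls in a third-party reusable workflow by a mutable tag, and the same job passes it `packages: write` and `id-token: write`, so anyone who can move that tag can push to `ghcr.io/yubiuser/webchanges` and mint OIDC tokens in this repository's name; the replaced inline steps were also tag-pinned, but the new call concentrates every write privilege of the workflow in one external reference. Pin it to a full commit SHA with the version kept as a trailing comment, `uses: docker/github-builder/.github/workflows/build.yml@<40-char sha> # v1.2.0`, which Dependabot still bumps. The added top-level `permissions: contents: read` is the right default and is worth keeping even if the job-level block is later widened. The file now ends without a trailing newline (`\ No newline at end of file`), which every later edit to `registry-auths` will churn; add the newline.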
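Review bot: With `sign: false` the build job still requests `id-token: write`, which the existing comment in the permissions block (outside this hunk) justifies as "for signing attestation(s)"; once signing is off, that permission lets the external workflow mint OIDC tokens for something this configuration no longer uses, unless build.yml also consumes it for provenance/SBOM attestations. Either drop the permission or, if the reusable workflow's attestation output still needs it, change the comment to say so, e.g. `id-token: write # for provenance attestations; cosign signing is disabled below (sign: false)`, so the two settings do not read as contradictory. The FIXME link to the referrers-API issue is useful; adding the condition under which `sign` can be re-enabled ("once GHCR supports the referrers API") would make it actionable.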
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0aa16b1..c187dde 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -36,6 +36,8 @@ jobs: distribute: true setup-qemu: true output: image + cache: true + cache-scope: build push: ${{ github.actor != 'dependabot[bot]' && ( github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push' || github.event_name == 'release' ) }} meta-images: ${{ needs.build-prepare.outputs.REGISTRY_IMAGE }} meta-tags: | From d3112e37407a01c323564014c52d257ab1c2c33d Mon Sep 17 00:00:00 2001 From: yubiuser Date: Mon, 16 Mar 2026 12:08:25 +0100 Subject: [PATCH 6/7] Fix base image sha Signed-off-by: yubiuser --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 465d557..d517cd3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -60,7 +60,7 @@ RUN python3 -m PyInstaller -F --strip webchanges.py -FROM alpine:3.23.3@sha256:a76a5883dc20c193bd6eb522e940c5d3979ab4af8011d5972a928fb7156fcb9e AS deploy +FROM alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS deploy ENV APP_USER=webchanges ENV PYTHONUTF8=1 RUN apk add --no-cache tini From f0d1340a3d7736841cca0309dfce0d240eda6139 Mon Sep 17 00:00:00 2001 
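Review bot: `cache: true` with a single `cache-scope: build` means a tag/release build restores whatever layers default-branch pushes wrote to that scope, so a `RUN apk add` or dependency-install layer cached weeks earlier can be reused in a release as long as the Dockerfile instruction and base digest are unchanged; the digest pin freezes the base image, and the cache now additionally freezes everything installed on top until the Dockerfile text changes. If releases are expected to pick up current packages, disable cache reads for `release` events (if build.yml exposes a no-cache style input — confirm against the v1.2.0 inputs) or use a per-ref scope for tags. At minimum record the trade-off above the new lines, e.g. `# layer cache is shared across refs; release builds may reuse layers seeded by earlier default-branch builds`.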
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 21 Mar 2026 16:02:26 +0000 Subject: [PATCH 7/7] Bump docker/github-builder/.github/workflows/build.yml Bumps the github_action-dependencies group with 1 update: [docker/github-builder/.github/workflows/build.yml](https://github.com/docker/github-builder). Updates `docker/github-builder/.github/workflows/build.yml` from 1.2.0 to 1.4.0 - [Release notes](https://github.com/docker/github-builder/releases) - [Commits](https://github.com/docker/github-builder/compare/v1.2.0...v1.4.0) --- updated-dependencies: - dependency-name: docker/github-builder/.github/workflows/build.yml dependency-version: 1.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github_action-dependencies ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c187dde..b7c297e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -24,7 +24,7 @@ jobs: # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671 - run: echo "Exposing env vars for reusable workflow" build: - uses: docker/github-builder/.github/workflows/build.yml@v1.2.0 + uses: docker/github-builder/.github/workflows/build.yml@v1.4.0 permissions: contents: read packages: write # required to push to GHCR