.github/workflows/container-image.yml

@@ -1,3 +1,4 @@
+---
 name: container image
 
 on:
@@ -9,30 +10,49 @@ on:
 jobs:
   docker-build:
     runs-on: ubuntu-24.04
+    permissions: {packages: write}
     steps:
+    - id: meta
+      # > "automatic" tag management and OCI Image Format Spec… for labels
+      # https://web.archive.org/web/20250103123053/https://docs.docker.com/build/ci/github-actions/manage-tags-labels/
+      uses: docker/metadata-action@v5
+      with:
+        # see comment on `push: true` below
+        images: ghcr.io/${{ github.repository_owner }}/onion-service
+        # https://web.archive.org/web/20250103130404/https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=sha,format=long
+          type=raw,value=latest,enable=false
     - uses: docker/setup-qemu-action@v3.6.0
-    - uses: docker/setup-buildx-action@v3.10.0
+    - uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - uses: docker/setup-buildx-action@v3.11.1
     # > By default, this action uses the Git context so you don't need to use
     # > the actions/checkout action to checkout the repository because this
     # > will be done directly by buildkit. [...]
-    # > any file mutation in the steps that precede [...] will be ignored
+    # > any file mutation in the steps that precede [...] will be ignored,
+    # > including processing of the .dockerignore file
     # https://github.com/marketplace/actions/build-and-push-docker-images
+    # > The commit history is not preserved.
+    # https://docs.docker.com/engine/reference/commandline/build/#git-repositories
     - uses: docker/build-push-action@v6.18.0
       with:
         platforms: |
           linux/amd64
+          linux/arm/v6
           linux/arm/v7
+          linux/arm64
         # potential alternative: https://github.com/docker/metadata-action
         build-args: REVISION=${{ github.sha }}
-        # > $ skopeo copy --all oci-archive:oci-container-image.tar \
-        # >     docker://quay.io/fphammerle/test:test
-        # > [...]
-        # > FATA[0056] Error creating an updated image manifest: Error preparing
-        # . updated manifest, layer "sha256:[...]": unsupported MIME type for
-        # . compression: application/vnd.in-toto+json
-        provenance: false
-        # https://docs.docker.com/engine/reference/commandline/buildx_build/#output
-        # https://github.com/opencontainers/image-spec
-        outputs: type=oci,dest=oci-container-image.tar
-    - uses: actions/upload-artifact@v4.6.2
-      with: {path: oci-container-image.tar}
+        # > Require approval for all external contributors
+        # > All users that are not a member or owner of this repository will
+        # > require approval to run workflows.
+        # https://github.com/fphammerle/systemctl-mqtt/settings/actions
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -6,7 +6,7 @@ ARG GETTEXT_PACKAGE_VERSION=0.24.1-r0
 # https://gitweb.torproject.org/tor.git/plain/ChangeLog
 # https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes
 # https://git.alpinelinux.org/aports/log/community/tor?h=3.22-stable
-ARG TOR_PACKAGE_VERSION=0.4.8.16-r0
+ARG TOR_PACKAGE_VERSION=0.4.8.17-r0
 RUN apk add --no-cache \
         tor=$TOR_PACKAGE_VERSION \
         gettext-envsubst=$GETTEXT_PACKAGE_VERSION \

Makefile

@@ -1,39 +0,0 @@
-IMAGE_NAME = docker.io/fphammerle/onion-service
-PROJECT_VERSION = $(shell git describe --match=v* --abbrev=0 --dirty | sed -e 's/^v//')
-TOR_PACKAGE_VERSION = $(shell grep -Po 'TOR_PACKAGE_VERSION=\K.+' Dockerfile | tr -d -)
-ARCH = $(shell arch)
-# architecture[arm_variant]
-# https://github.com/opencontainers/image-spec/blob/v1.0.1/image-index.md#image-index-property-descriptions
-IMAGE_TAG_ARCH_aarch64 = arm64
-IMAGE_TAG_ARCH_armv6l = armv6
-IMAGE_TAG_ARCH_armv7l = armv7
-IMAGE_TAG_ARCH_x86_64 = amd64
-IMAGE_TAG_ARCH = ${IMAGE_TAG_ARCH_${ARCH}}
-MANIFEST_TAG = ${PROJECT_VERSION}-tor${TOR_PACKAGE_VERSION}
-IMAGE_TAG = ${MANIFEST_TAG}-${IMAGE_TAG_ARCH}
-BUILD_PARAMS = --tag="${IMAGE_NAME}:${IMAGE_TAG}" \
-	--build-arg=REVISION="$(shell git rev-parse HEAD)"
-
-.PHONY: worktree-clean docker-build podman-build docker-push docker-manifest-push
-
-worktree-clean:
-	git diff --exit-code
-	git diff --staged --exit-code
-
-docker-build: worktree-clean
-	sudo docker build ${BUILD_PARAMS} .
-
-podman-build: worktree-clean
-	# --format=oci (default) not fully supported by hub.docker.com
-	# https://github.com/docker/hub-feedback/issues/1871#issuecomment-748924149
-	podman build --format=docker ${BUILD_PARAMS} .
-
-docker-push: docker-build
-	sudo docker push "${IMAGE_NAME}:${IMAGE_TAG}"
-	@echo git tag --sign --message '$(shell sudo docker image inspect --format '{{join .RepoDigests "\n"}}' "${IMAGE_NAME}:${IMAGE_TAG}" | sed "s/@/:${IMAGE_TAG}@/")' docker/${IMAGE_TAG} $(shell git rev-parse HEAD)
-
-docker-manifest-push:
-	git tag | grep '^docker/${MANIFEST_TAG}-' | xargs -L1 -t git tag -v \
-		| grep @sha256: | xargs -t sudo docker manifest create "${IMAGE_NAME}:${MANIFEST_TAG}"
-	sudo docker manifest push "${IMAGE_NAME}:${MANIFEST_TAG}"
-	sudo docker manifest inspect "${IMAGE_NAME}:${MANIFEST_TAG}" | yq --yaml-output .