.github/workflows/container-image.yml

@@ -1,5 +1,4 @@
-# sync with https://github.com/fphammerle/docker-onion-service/blob/master/.github/workflows/container-image.yml
-
+---
 name: container image
 
 on:
@@ -11,16 +10,47 @@ on:
 jobs:
   docker-build:
     runs-on: ubuntu-24.04
+    permissions: {packages: write}
     steps:
+    - id: meta
+      # > "automatic" tag management and OCI Image Format Spec… for labels
+      # https://web.archive.org/web/20250103123053/https://docs.docker.com/build/ci/github-actions/manage-tags-labels/
+      uses: docker/metadata-action@v5
+      with:
+        # see comment on `push: true` below
+        images: ghcr.io/${{ github.repository_owner }}/postfix
+        # https://web.archive.org/web/20250103130404/https://github.com/docker/metadata-action?tab=readme-ov-file#tags-input
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=sha,format=long
+          type=raw,value=latest,enable=false
     - uses: docker/setup-qemu-action@v3.6.0
+    - uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
     - uses: docker/setup-buildx-action@v3.10.0
     # > By default, this action uses the Git context so you don't need to use
     # > the actions/checkout action to checkout the repository because this
     # > will be done directly by buildkit. [...]
-    # > any file mutation in the steps that precede [...] will be ignored
+    # > any file mutation in the steps that precede [...] will be ignored,
+    # > including processing of the .dockerignore file
     # https://github.com/marketplace/actions/build-and-push-docker-images
+    # > The commit history is not preserved.
+    # https://docs.docker.com/engine/reference/commandline/build/#git-repositories
     - uses: docker/build-push-action@v6.18.0
       with:
         platforms: |
           linux/amd64
+          linux/arm/v6
           linux/arm/v7
+          linux/arm64
+        # > Require approval for all external contributors
+        # > All users that are not a member or owner of this repository will
+        # > require approval to run workflows.
+        # https://github.com/fphammerle/systemctl-mqtt/settings/actions
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}

Dockerfile

@@ -6,16 +6,16 @@
 #
 # SPDX-License-Identifier: EPL-2.0
 
-FROM docker.io/alpine:3.21.3
+FROM docker.io/alpine:3.22.0
 
 # http://www.postfix.org/announcements.html
-# https://git.alpinelinux.org/aports/log/main/postfix?h=3.21-stable
-ARG POSTFIX_PACKAGE_VERSION=3.9.4-r0
+# https://git.alpinelinux.org/aports/log/main/postfix?h=3.22-stable
+ARG POSTFIX_PACKAGE_VERSION=3.10.2-r0
 # http://www.postfix.org/postconf.5.html#tls_append_default_CA
 # https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
 # https://gitlab.alpinelinux.org/alpine/ca-certificates/-/commits/master
-# https://git.alpinelinux.org/aports/log/main/ca-certificates?h=3.21-stable
-ARG MOZILLA_CA_CERT_STORE_PACKAGE_VERSION=20241121-r1
+# https://git.alpinelinux.org/aports/log/main/ca-certificates?h=3.22-stable
+ARG MOZILLA_CA_CERT_STORE_PACKAGE_VERSION=20241121-r2
 RUN apk add --no-cache \
         ca-certificates=$MOZILLA_CA_CERT_STORE_PACKAGE_VERSION \
         postfix=$POSTFIX_PACKAGE_VERSION \

Makefile

@@ -1,41 +0,0 @@
-# sync with https://github.com/fphammerle/docker-onion-service/blob/master/Makefile
-
-IMAGE_NAME = docker.io/fphammerle/postfix
-PROJECT_VERSION = $(shell git describe --match=v* --abbrev=0 --dirty | sed -e 's/^v//')
-POSTFIX_PACKAGE_VERSION = $(shell grep -Po 'POSTFIX_PACKAGE_VERSION=\K.+' Dockerfile | tr -d -)
-ARCH = $(shell arch)
-# architecture[arm_variant]
-# https://github.com/opencontainers/image-spec/blob/v1.0.1/image-index.md#image-index-property-descriptions
-IMAGE_TAG_ARCH_aarch64 = arm64
-IMAGE_TAG_ARCH_armv6l = armv6
-IMAGE_TAG_ARCH_armv7l = armv7
-IMAGE_TAG_ARCH_x86_64 = amd64
-IMAGE_TAG_ARCH = ${IMAGE_TAG_ARCH_${ARCH}}
-MANIFEST_TAG = ${PROJECT_VERSION}-postfix${POSTFIX_PACKAGE_VERSION}
-IMAGE_TAG = ${MANIFEST_TAG}-${IMAGE_TAG_ARCH}
-BUILD_PARAMS = --tag="${IMAGE_NAME}:${IMAGE_TAG}" \
-	--build-arg=REVISION="$(shell git rev-parse HEAD)"
-
-.PHONY: worktree-clean docker-build podman-build docker-push docker-manifest-create docker-manifest-push
-
-worktree-clean:
-	git diff --exit-code
-	git diff --staged --exit-code
-
-docker-build: worktree-clean
-	sudo docker build ${BUILD_PARAMS} .
-
-podman-build: worktree-clean
-	# --format=oci (default) not fully supported by hub.docker.com
-	# https://github.com/docker/hub-feedback/issues/1871#issuecomment-748924149
-	podman build --format=docker ${BUILD_PARAMS} .
-
-docker-push: docker-build
-	sudo docker push "${IMAGE_NAME}:${IMAGE_TAG}"
-	@echo git tag --sign --message '$(shell sudo docker image inspect --format '{{join .RepoDigests "\n"}}' "${IMAGE_NAME}:${IMAGE_TAG}")' docker/${IMAGE_TAG} $(shell git rev-parse HEAD)
-
-docker-manifest-push:
-	git tag | grep '^docker/${MANIFEST_TAG}-' | xargs -L1 -t git tag -v \
-		| grep @sha256: | xargs -t sudo docker manifest create "${IMAGE_NAME}:${MANIFEST_TAG}"
-	sudo docker manifest push "${IMAGE_NAME}:${MANIFEST_TAG}"
-	sudo docker manifest inspect "${IMAGE_NAME}:${MANIFEST_TAG}" | yq --yaml-output .