switched from drone to gitea actions

.drone.yml

@@ -1,23 +0,0 @@
-kind: pipeline
-type: docker
-name: default
-
-steps:
-  - name: build_and_publish
-    image: plugins/docker:linux-amd64
-    settings:
-      username:
-        from_secret: docker_username
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/nextcloudclient
-      tags:
-        - latest
-      force_tag: true
-      cache_from: docker.asperti.com/paspo/nextcloudclient
-
-trigger:
-  event:
-    - tag
-    - cron

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,75 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/nextcloudclient
+
+on:
+  push:
+    tags:
+      - '*'
+  schedule:
+    - cron: "0 12 3 * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest

.gitea/workflows/vulnscan.yaml

@@ -0,0 +1,64 @@
+---
+name: Vulnerability Scan
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/nextcloudclient
+
+on:
+  schedule:
+    - cron: "0 14 * * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - name: Pull docker image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`

Dockerfile

@@ -22,6 +22,6 @@ ENV \
     NEXTCLOUD_SILENT= \
     NEXTCLOUD_SLEEP=30
 
-COPY entrypoint.sh start.sh /
+COPY rootfs /
 
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]

rootfs/entrypoint.sh

@@ -5,10 +5,12 @@ USER_GROUP=${USER_GROUP:-nextcloudgroup}
 USER_UID=${USER_UID:-1000}
 USER_GID=${USER_GID:-1000}
 NEXTCLOUD_SLEEP=${NEXTCLOUD_SLEEP:-30}
+NEXTCLOUD_DIR_CHOWN=${NEXTCLOUD_DIR_CHOWN:-1}
+NEXTCLOUD_DIR=${NEXTCLOUD_DIR:-/data}
 
 # check if group already exists
 GRP_NAME=$(getent group "${USER_GID}" )
-if [ "${GRP_NAME}" ] ; then
+if [[ -n "${GRP_NAME}" ]] ; then
 	USER_GROUP="${GRP_NAME//:*/}"
 else
 	# if not, we create the group
@@ -17,7 +19,7 @@ fi
 
 # check if user already exists
 USR_NAME=$(getent passwd "${USER_UID}" )
-if [ "${USR_NAME}" ] ; then
+if [[ -n "${USR_NAME}" ]] ; then
 	USER_NAME="${USR_NAME//:*/}"
 else
 	# if not, we create the user
@@ -25,12 +27,12 @@ else
 fi
 
 # create dir if not exists (it should exist if you mapped it outside the container)
-if [ ! -d "${NEXTCLOUD_DIR}" ] ; then
+if [[ ! -d "${NEXTCLOUD_DIR}" ]] ; then
 	mkdir -p "${NEXTCLOUD_DIR}"
 fi
 
 # replace data directory permissions
-if [ "${NEXTCLOUD_DIR_CHOWN}" = "1" ] ; then
+if [[ "${NEXTCLOUD_DIR_CHOWN}" = "1" ]] ; then
 	chown -R "${USER_UID}":"${USER_GID}" "${NEXTCLOUD_DIR}"
 fi
 

rootfs/start.sh

@@ -6,35 +6,43 @@ NEXTCLOUD_URL=${NEXTCLOUD_URL:-https://nextcloud.example.com}
 NEXTCLOUD_DIR=${NEXTCLOUD_DIR:-/data}
 NEXTCLOUD_DIR_CHOWN=${NEXTCLOUD_DIR_CHOWN:-1}
 
+NEXTCLOUD_FORCE_TRUST=${NEXTCLOUD_FORCE_TRUST:-0}
+NEXTCLOUD_HTTPPROXY=${NEXTCLOUD_HTTPPROXY:-}
+NEXTCLOUD_UPLIMIT=${NEXTCLOUD_UPLIMIT:-}
+NEXTCLOUD_DOWNLIMIT=${NEXTCLOUD_DOWNLIMIT:-}
+NEXTCLOUD_EXCLUDEFILE=${NEXTCLOUD_EXCLUDEFILE:-}
+NEXTCLOUD_UNSYNCFILE=${NEXTCLOUD_UNSYNCFILE:-}
+NEXTCLOUD_SILENT=${NEXTCLOUD_SILENT:-0}
+
 PARAMS=()
-if [ "${NEXTCLOUD_FORCE_TRUST}" = "1" ] ; then
+if [[ "${NEXTCLOUD_FORCE_TRUST}" = "1" ]] ; then
 	PARAMS+=("--trust")
 fi
-if [ ! "${NEXTCLOUD_HTTPPROXY}" = "" ] ; then
+if [[ ! "${NEXTCLOUD_HTTPPROXY}" = "" ]] ; then
 	PARAMS+=("--httpproxy")
 	PARAMS+=("${NEXTCLOUD_HTTPPROXY}")
 fi
-if [ ! "${NEXTCLOUD_UPLIMIT}" = "" ] ; then
+if [[ ! "${NEXTCLOUD_UPLIMIT}" = "" ]] ; then
 	PARAMS+=("--uplimit")
 	PARAMS+=("${NEXTCLOUD_UPLIMIT}")
 fi
-if [ ! "${NEXTCLOUD_DOWNLIMIT}" = "" ] ; then
+if [[ ! "${NEXTCLOUD_DOWNLIMIT}" = "" ]] ; then
 	PARAMS+=("--downlimit")
 	PARAMS+=("${NEXTCLOUD_DOWNLIMIT}")
 fi
-if [ ! "${NEXTCLOUD_EXCLUDEFILE}" = "" ] ; then
-	if [ -r "${NEXTCLOUD_EXCLUDEFILE}" ] ; then
+if [[ ! "${NEXTCLOUD_EXCLUDEFILE}" = "" ]] ; then
+	if [[ -r "${NEXTCLOUD_EXCLUDEFILE}" ]] ; then
 		PARAMS+=("--exclude")
 		PARAMS+=("${NEXTCLOUD_EXCLUDEFILE}")
 	fi
 fi
-if [ ! "${NEXTCLOUD_UNSYNCFILE}" = "" ] ; then
-	if [ -r "${NEXTCLOUD_UNSYNCFILE}" ] ; then
+if [[ ! "${NEXTCLOUD_UNSYNCFILE}" = "" ]] ; then
+	if [[ -r "${NEXTCLOUD_UNSYNCFILE}" ]] ; then
 		PARAMS+=("--unsyncedfolders")
 		PARAMS+=("${NEXTCLOUD_UNSYNCFILE}")
 	fi
 fi
-if [ "${NEXTCLOUD_SILENT}" = "1" ] ; then
+if [[ "${NEXTCLOUD_SILENT}" = "1" ]] ; then
 	PARAMS+=("--silent")
 fi