fix: Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-DEBIAN12-SYSTEMD-6277507
- https://snyk.io/vuln/SNYK-DEBIAN12-SYSTEMD-6277507
- https://snyk.io/vuln/SNYK-DEBIAN12-ZLIB-6008963
- https://snyk.io/vuln/SNYK-DEBIAN12-GNUTLS28-6474581
- https://snyk.io/vuln/SNYK-DEBIAN12-SYSTEMD-6277509

.github/workflows/docker-build.yml

@@ -1,23 +1,38 @@
 name: Publish Docker Image
+permissions:
+  actions: read
+  checks: read
+  contents: write
+  deployments: read
+  issues: read
+  discussions: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  security-events: write
+  statuses: read
 
 on:
   pull_request:
+    branches:
+      - main
   push:
     branches:
-      - "main"
+      - main
 
 env:
   REGISTRY_IMAGE: registry.dangerous.tech/dangeroustech/zerotierbridge
 
 jobs:
   Docker_Build:
-    name: "Docker Build And Release"
+    name: Docker Build And Release
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
       matrix:
-        arch: ["amd64", "arm64"]
-        version: ["1.12.2"]
+        arch: [amd64, arm64]
+        version: [1.12.2]
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -46,7 +61,6 @@ jobs:
             VERSION=${{ matrix.version }}
           push: true
           platforms: linux/${{ matrix.arch }}
-          # tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
           outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true
 
       - name: Export Digests
@@ -64,7 +78,8 @@ jobs:
           retention-days: 1
 
   MergeRefs:
-    name: "Do The Horrible Merge Thing"
+    name: Do The Horrible Merge Thing
+    if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs:
       - Docker_Build
@@ -123,13 +138,15 @@ jobs:
           severity-cutoff: medium
           fail-build: false
           only-fixed: true
-          by-cve: true
 
       - name: upload Anchore scan SARIF report
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
 
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
       - name: Changelog
         uses: TriPSs/conventional-changelog-action@v3
         id: changelog
@@ -137,9 +154,9 @@ jobs:
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           git-message: "chore 🤖: Release {version}"
-          output-file: "CHANGELOG.md"
-          tag-prefix: "v"
-          fallback-version: "1.0.0"
+          output-file: CHANGELOG.md
+          tag-prefix: v
+          fallback-version: 1.0.0
           release-count: 0 # preserve all versions in changelog
           skip-on-empty: false # otherwise we don't publish fixes
 

CHANGELOG.md

@@ -1,3 +1,23 @@
+## [1.1.2](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.1.1...v1.1.2) (2023-10-18)
+
+
+
+## [1.1.1](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.1.0...v1.1.1) (2023-10-17)
+
+
+### Bug Fixes
+
+* 401 ([bca9ec3](https://github.com/dangeroustech/ZeroTierBridge/commit/bca9ec3df76f9c6ea114e099dd9317c58489d0b2))
+* correct deps ([be55349](https://github.com/dangeroustech/ZeroTierBridge/commit/be55349cefbf291a9ce4233e65a785dad4ec3830))
+* correct multiplatform builds ([593036c](https://github.com/dangeroustech/ZeroTierBridge/commit/593036c8ad8099a3a4e7b1ac9b1dcfbdb8e04a98))
+* push by digest again ([8d55074](https://github.com/dangeroustech/ZeroTierBridge/commit/8d550748cde552ef5552e02770842d4e91f99253))
+* push by digest is breaking things ([2c987a3](https://github.com/dangeroustech/ZeroTierBridge/commit/2c987a3bbe0492aaf22b26e446cb7d96a6c9115d))
+* re-setup buildx ([f8d7326](https://github.com/dangeroustech/ZeroTierBridge/commit/f8d73263fdfd328ad38a77ff381e93bd8bda5750))
+* remove tag to hopefully fix digest pushing ([5cd683c](https://github.com/dangeroustech/ZeroTierBridge/commit/5cd683cb7a83e37eb5b4717309d672f35b256c25))
+* set latest tag ([46ee60c](https://github.com/dangeroustech/ZeroTierBridge/commit/46ee60cbc9091e93f977701a771ba9ce0216e5d1))
+
+
+
 # [1.1.0](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.13...v1.1.0) (2023-09-23)
 
 

Dockerfile

@@ -1,11 +1,11 @@
-FROM debian:bookworm as stage
+FROM debian:12.6 as stage
 ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/bookworm/pool/main/z/zerotier-one
 ARG ARCH=amd64
 ARG VERSION=1.12.2
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
 RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
 
-FROM debian:bookworm
+FROM debian:12.6
 RUN mkdir /app
 WORKDIR /app
 COPY --from=stage zerotier-one.deb .

README.md

@@ -6,7 +6,7 @@ A container to provide out-of-the-box bridging functionality to a ZeroTier netwo
 
 ### Prerequisites
 
-- Docker running as your logged in user (i.e. not having to run `sudo docker-compose xyz`) - [Linux instructions here](https://docs.docker.com/engine/install/linux-postinstall/)
+- Docker running as your logged in user (if `docker ps` runs then you're good, if not follow the link ->) - [Linux instructions here](https://docs.docker.com/engine/install/linux-postinstall/)
 
 ### ZeroTier UI Changes
 
@@ -22,17 +22,15 @@ You also need to add a static route into ZeroTier so that the traffic is routed
 
 **You need to edit the `ZT_NETWORKS` and `ARCH` variable in the `docker-compose.yml` file first to add your networks and make sure your acrhitecture is correct (see [this page](http://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/) for examples, usually either amd64 or arm64)**
 
-Easy one-liner for Docker Compose:
+Easiest way to bring up is via Docker Compose. Rename `docker-compose.yml.example` to `docker-compose.yml` and run `docker compose up -d`.
 
-`docker-compose build && docker-compose up -d`
-
-If you want to disable bridging, set `ZT_BRIDGE=false`. This can be done after the initial networks have been joined (just rebuild the container), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
+If you want to disable bridging, set `ZT_BRIDGE=false`. This can be done after the initial networks have been joined (just change the environment variable in the `docker-compose.yml` file and run `), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
 
 ### OG Docker
 
 `docker build -t zerotierbridge .`
 
-`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE -e ZT_BRIDGE=true zerotierbridge:latest`
+`docker run --privileged -e ZT_NETWORKS=NETWORK_1 NETWORK_2 -e ZT_BRIDGE=true zerotierbridge:latest`
 
 Add your network ID(s) into the `ZT_NETWORKS` argument, space separated.
 
@@ -42,7 +40,7 @@ Disable bridging by passing `ZT_BRIDGE=false`. This can be done after the initia
 
 If you would like the container to retain the same ZeroTier client ID on reboot, attach a volume as per the below.
 
-`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE ZT_BRIDGE=true --volume zt_config:/var/lib/zerotier-one/ zerotierbridge:latest`
+`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE ZT_BRIDGE=true -v zt_config:/var/lib/zerotier-one/ zerotierbridge:latest`
 
 #### Caveat: Architecture
 

package.json

@@ -1,3 +1,3 @@
 {
-  "version": "1.1.0"
+  "version": "1.1.2"
 }