fix: set latest tag

because apparently manifests are too difficult

.github/workflows/docker-build.yml

@@ -6,9 +6,18 @@ on:
     branches:
       - "main"
 
+env:
+  REGISTRY_IMAGE: registry.dangerous.tech/dangeroustech/zerotierbridge
+
 jobs:
-  DockerBuildAndRelease:
+  Docker_Build:
+    name: "Docker Build And Release"
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        arch: ["amd64", "arm64"]
+        version: ["1.12.2"]
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
@@ -20,20 +29,106 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Login to Registry
-        id: registry_push
+        id: login
         uses: docker/login-action@v3
         with:
           registry: registry.dangerous.tech
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
-      - name: Build and Push
+      - name: Build
         id: docker_build
         uses: docker/build-push-action@v5
         with:
           context: .
+          build-args: |
+            ARCH=${{ matrix.arch }}
+            VERSION=${{ matrix.version }}
           push: true
-          tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
+          platforms: linux/${{ matrix.arch }}
+          # tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
+          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true
+
+      - name: Export Digests
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.docker_build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v3
+        with:
+          name: digests
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  MergeRefs:
+    name: "Do The Horrible Merge Thing"
+    runs-on: ubuntu-latest
+    needs:
+      - Docker_Build
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v3
+        with:
+          name: digests
+          path: /tmp/digests
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Registry
+        id: login
+        uses: docker/login-action@v3
+        with:
+          registry: registry.dangerous.tech
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+          tags: |
+            # set latest tag for default branch
+            # https://github.com/docker/metadata-action#latest-tag
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        id: sbom
+        with:
+          image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
+          registry-username: ${{ secrets.REGISTRY_USERNAME }}
+          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+          format: spdx-json
+          output-file: ./sbom.spdx.json
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          sbom: sbom.spdx.json
+          severity-cutoff: medium
+          fail-build: false
+          only-fixed: true
+          by-cve: true
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
 
       - name: Changelog
         uses: TriPSs/conventional-changelog-action@v3
@@ -41,7 +136,7 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-          git-message: "chore 🤖: Release {version} [skip ci]"
+          git-message: "chore 🤖: Release {version}"
           output-file: "CHANGELOG.md"
           tag-prefix: "v"
           fallback-version: "1.0.0"
@@ -58,3 +153,5 @@ jobs:
           tag_name: ${{ steps.changelog.outputs.tag }}
           name: ${{ steps.changelog.outputs.tag }}
           body: ${{ steps.changelog.outputs.clean_changelog }}
+          files: |
+            sbom.spdx.json

.github/workflows/sbom.yml

@@ -1,17 +0,0 @@
-name: Generate SBOM
-
-on:
-  release:
-    types: [created, published]
-
-jobs:
-  GenerateSBOM:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Generate SBOM
-        uses: anchore/sbom-action@v0
-        id: sbom
-        with:
-          image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
-          registry-username: ${{ secrets.REGISTRY_USERNAME }}
-          registry-password: ${{ secrets.REGISTRY_PASSWORD }}

CHANGELOG.md

@@ -1,4 +1,57 @@
-## [1.0.6](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.5...v1.0.6) (2023-09-22)
+# [1.1.0](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.13...v1.1.0) (2023-09-23)
+
+
+### Features
+
+* multi-platform builds ([aab5c07](https://github.com/dangeroustech/ZeroTierBridge/commit/aab5c079dcd559b7c3123aa72d02f7691827083e))
+
+
+
+## [1.0.13](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.12...v1.0.13) (2023-09-22)
+
+
+
+## [1.0.12](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.11...v1.0.12) (2023-09-22)
+
+
+### Bug Fixes
+
+* correct double message ([6e3c269](https://github.com/dangeroustech/ZeroTierBridge/commit/6e3c2690fc612e42c1d2818cc8d4bdfb9d5e39ba))
+
+
+
+## [1.0.11](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.10...v1.0.11) (2023-09-22)
+
+
+### Bug Fixes
+
+* only alert on CVEs that have a fix ([977df48](https://github.com/dangeroustech/ZeroTierBridge/commit/977df48644e0a7112dc25f9f04afa6d84ce87db9))
+* pull correct deb package ([fed1c28](https://github.com/dangeroustech/ZeroTierBridge/commit/fed1c2860230d39aeb80178c79697c1c41fed23d))
+
+
+
+## [1.0.10](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.9...v1.0.10) (2023-09-22)
+
+
+### Bug Fixes
+
+* upload sarif file ([89e2953](https://github.com/dangeroustech/ZeroTierBridge/commit/89e29531f070539935a93b6f55d791170ea42e72))
+
+
+
+## [1.0.9](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.8...v1.0.9) (2023-09-22)
+
+
+
+## [1.0.8](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.7...v1.0.8) (2023-09-22)
+
+
+
+## [1.0.7](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.6...v1.0.7) (2023-09-22)
+
+
+
+## [1.0.6](https://github.com/dangeroustech/ZeroTierBridge/compare/v0.0.1...v1.0.6) (2023-09-22)
 
 
 

Dockerfile

@@ -1,11 +1,11 @@
-FROM debian:buster as stage
+FROM debian:bookworm as stage
-ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one
+ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/bookworm/pool/main/z/zerotier-one
 ARG ARCH=amd64
 ARG VERSION=1.12.2
 RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
 RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
 
-FROM debian:buster
+FROM debian:bookworm
 RUN mkdir /app
 WORKDIR /app
 COPY --from=stage zerotier-one.deb .

README.md

@@ -42,14 +42,10 @@ Disable bridging by passing `ZT_BRIDGE=false`. This can be done after the initia
 
 If you would like the container to retain the same ZeroTier client ID on reboot, attach a volume as per the below.
 
-`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE ZT_BRIDGE=true --volume zt1:/var/lib/zerotier-one/ zerotierbridge:latest`
+`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE ZT_BRIDGE=true --volume zt_config:/var/lib/zerotier-one/ zerotierbridge:latest`
 
 #### Caveat: Architecture
 
 If you need to run this on a device with different architecture (a raspberry pi, for instance), then just edit line 3 of the Dockerfile.
 
 If you were using a Raspberry Pi 4, you would change this to `ARCH=arm64` and the container will pull the correct ZeroTier installer.
-
-## TODO
-
-- Add kubernetes deployment YAML

docker-compose.yml.example

@@ -3,12 +3,7 @@ version: "3"
 services:
   zerotierbridge:
     container_name: zerotierbridge
-    build:
+    image: registry.dangerous.tech/dangeroustech/zerotierbridge
-      context: .
-      dockerfile: Dockerfile
-      args:
-        ARCH: amd64
-        VERSION: 1.12.2
     restart: always
     privileged: true
     volumes:
@@ -17,4 +12,4 @@ services:
       - ZT_NETWORKS=NETWORK_ID_1 NETWORK_ID_2 NETWORK_ID_3
       - ZT_BRIDGE=true
 volumes:
-  zt_config:
+  zt_config:

package.json

@@ -1,3 +1,3 @@
 {
-  "version": "1.0.6"
+  "version": "1.1.0"
 }

results.sarif

@@ -0,0 +1,16 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Grype",
+          "version": "0.63.0",
+          "informationUri": "https://github.com/anchore/grype"
+        }
+      },
+      "results": []
+    }
+  ]
+}