chore 🤖: Release v1.2.1 [skip ci]

- Add workflow-level concurrency to avoid overlapping releases
- Enable BuildKit cache (GHA) for faster Docker builds
- Simplify to a single multi-arch build (linux/amd64, linux/arm64)
  - Remove digest export/upload and manifest merge steps
  - Push manifest directly from buildx with tag `latest`
- Fix GitHub Release token casing to use `secrets.GITHUB_TOKEN`
- Update Dockerfile to use TARGETARCH for correct package selection
  - Pass VERSION consistently; write version to image

No functional change to runtime behavior expected; improves speed, reliability, and maintainability of the release pipeline.

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - github-actions
+

.github/workflows/docker-build.yml

@@ -1,17 +1,40 @@
 name: Publish Docker Image
+permissions:
+  actions: read
+  checks: read
+  contents: write
+  deployments: read
+  issues: read
+  discussions: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  security-events: write
+  statuses: read
+
+concurrency:
+  group: docker-release-${{ github.ref }}
+  cancel-in-progress: true
 
 on:
   pull_request:
+    branches:
+      - main
   push:
     branches:
-      - "main"
+      - main
+
+env:
+  REGISTRY_IMAGE: registry.dangerous.tech/dangeroustech/zerotierbridge
 
 jobs:
-  DockerBuildAndRelease:
+  Docker_Build:
+    name: Docker Build And Release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -20,50 +43,91 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: Login to Registry
-        id: registry_push
+        id: login
         uses: docker/login-action@v3
         with:
           registry: registry.dangerous.tech
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
-      - name: Build and Push
+      - name: Build
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
+          build-args: |
+            VERSION=1.12.2
           push: true
-          tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ env.REGISTRY_IMAGE }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Changelog
-        uses: TriPSs/conventional-changelog-action@v3
-        id: changelog
-        if: ${{ github.event_name != 'pull_request' }}
+
+  MergeRefs:
+    name: Publish Multi-Arch Image And Release
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    needs:
+      - Docker_Build
+    steps:
+      - name: Login to Registry
+        id: login
+        uses: docker/login-action@v3
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          git-message: "chore 🤖: Release {version} [skip ci]"
-          output-file: "CHANGELOG.md"
-          tag-prefix: "v"
-          fallback-version: "1.0.0"
-          release-count: 0 # preserve all versions in changelog
-          skip-on-empty: false # otherwise we don't publish fixes
+          registry: registry.dangerous.tech
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
 
-      - name: Create Release
-        uses: softprops/action-gh-release@v1
-        id: release
-        if: ${{ steps.changelog.outputs.skipped == 'false' }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.github_token }}
-        with:
-          tag_name: ${{ steps.changelog.outputs.tag }}
-          name: ${{ steps.changelog.outputs.tag }}
-          body: ${{ steps.changelog.outputs.clean_changelog }}
-
-      - name: Syft SBOM
+      - name: Generate SBOM
         uses: anchore/sbom-action@v0
         id: sbom
-        if: ${{ steps.changelog.outputs.skipped == 'false' }}
         with:
           image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
           registry-username: ${{ secrets.REGISTRY_USERNAME }}
           registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+          format: spdx-json
+          output-file: ./sbom.spdx.json
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@v7
+        id: scan
+        with:
+          sbom: sbom.spdx.json
+          severity-cutoff: medium
+          fail-build: false
+          only-fixed: true
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Checkout Repository
+        uses: actions/checkout@v5
+
+      - name: Changelog
+        uses: TriPSs/conventional-changelog-action@v6
+        id: changelog
+        if: ${{ github.event_name != 'pull_request' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          git-message: "chore 🤖: Release {version}"
+          output-file: CHANGELOG.md
+          tag-prefix: v
+          fallback-version: 1.0.0
+          release-count: 0 # preserve all versions in changelog
+          skip-on-empty: false # otherwise we don't publish fixes
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        id: release
+        if: ${{ steps.changelog.outputs.skipped == 'false' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ steps.changelog.outputs.tag }}
+          name: ${{ steps.changelog.outputs.tag }}
+          body: ${{ steps.changelog.outputs.clean_changelog }}
+          files: |
+            sbom.spdx.json

CHANGELOG.md

@@ -1,3 +1,102 @@
+## [1.2.1](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.2.0...v1.2.1) (2025-10-26)
+
+
+
+# [1.2.0](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.1.2...v1.2.0) (2025-10-26)
+
+
+### Bug Fixes
+
+* **workflow:** update artifact naming and handling in docker-build.yml ([96ebbf8](https://github.com/dangeroustech/ZeroTierBridge/commit/96ebbf805d2cb3bb4089a5a0dc70114e3c16cc1b))
+
+
+### Features
+
+* **docker:** add health check to Dockerfile for zerotier-cli ([7d643e3](https://github.com/dangeroustech/ZeroTierBridge/commit/7d643e3ff6c0683d335baae5138ceef475cd37c3))
+
+
+
+## [1.1.2](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.1.1...v1.1.2) (2023-10-18)
+
+
+
+## [1.1.1](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.1.0...v1.1.1) (2023-10-17)
+
+
+### Bug Fixes
+
+* 401 ([bca9ec3](https://github.com/dangeroustech/ZeroTierBridge/commit/bca9ec3df76f9c6ea114e099dd9317c58489d0b2))
+* correct deps ([be55349](https://github.com/dangeroustech/ZeroTierBridge/commit/be55349cefbf291a9ce4233e65a785dad4ec3830))
+* correct multiplatform builds ([593036c](https://github.com/dangeroustech/ZeroTierBridge/commit/593036c8ad8099a3a4e7b1ac9b1dcfbdb8e04a98))
+* push by digest again ([8d55074](https://github.com/dangeroustech/ZeroTierBridge/commit/8d550748cde552ef5552e02770842d4e91f99253))
+* push by digest is breaking things ([2c987a3](https://github.com/dangeroustech/ZeroTierBridge/commit/2c987a3bbe0492aaf22b26e446cb7d96a6c9115d))
+* re-setup buildx ([f8d7326](https://github.com/dangeroustech/ZeroTierBridge/commit/f8d73263fdfd328ad38a77ff381e93bd8bda5750))
+* remove tag to hopefully fix digest pushing ([5cd683c](https://github.com/dangeroustech/ZeroTierBridge/commit/5cd683cb7a83e37eb5b4717309d672f35b256c25))
+* set latest tag ([46ee60c](https://github.com/dangeroustech/ZeroTierBridge/commit/46ee60cbc9091e93f977701a771ba9ce0216e5d1))
+
+
+
+# [1.1.0](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.13...v1.1.0) (2023-09-23)
+
+
+### Features
+
+* multi-platform builds ([aab5c07](https://github.com/dangeroustech/ZeroTierBridge/commit/aab5c079dcd559b7c3123aa72d02f7691827083e))
+
+
+
+## [1.0.13](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.12...v1.0.13) (2023-09-22)
+
+
+
+## [1.0.12](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.11...v1.0.12) (2023-09-22)
+
+
+### Bug Fixes
+
+* correct double message ([6e3c269](https://github.com/dangeroustech/ZeroTierBridge/commit/6e3c2690fc612e42c1d2818cc8d4bdfb9d5e39ba))
+
+
+
+## [1.0.11](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.10...v1.0.11) (2023-09-22)
+
+
+### Bug Fixes
+
+* only alert on CVEs that have a fix ([977df48](https://github.com/dangeroustech/ZeroTierBridge/commit/977df48644e0a7112dc25f9f04afa6d84ce87db9))
+* pull correct deb package ([fed1c28](https://github.com/dangeroustech/ZeroTierBridge/commit/fed1c2860230d39aeb80178c79697c1c41fed23d))
+
+
+
+## [1.0.10](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.9...v1.0.10) (2023-09-22)
+
+
+### Bug Fixes
+
+* upload sarif file ([89e2953](https://github.com/dangeroustech/ZeroTierBridge/commit/89e29531f070539935a93b6f55d791170ea42e72))
+
+
+
+## [1.0.9](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.8...v1.0.9) (2023-09-22)
+
+
+
+## [1.0.8](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.7...v1.0.8) (2023-09-22)
+
+
+
+## [1.0.7](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.6...v1.0.7) (2023-09-22)
+
+
+
+## [1.0.6](https://github.com/dangeroustech/ZeroTierBridge/compare/v0.0.1...v1.0.6) (2023-09-22)
+
+
+
+## [1.0.5](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.4...v1.0.5) (2023-09-22)
+
+
+
 ## [1.0.4](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.0.3...v1.0.4) (2023-09-22)
 
 

Dockerfile

@@ -1,19 +1,27 @@
-FROM debian:buster as stage
-ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/buster/pool/main/z/zerotier-one
-ARG ARCH=amd64
+FROM debian:12.6 as stage
+ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/bookworm/pool/main/z/zerotier-one
+ARG TARGETARCH
 ARG VERSION=1.12.2
-RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
-RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y \
+    ca-certificates=20230311+deb12u1 \
+    curl=7.88.1-10+deb12u14
+RUN ARCH_MAPPING=$([ "$TARGETARCH" = "amd64" ] && echo amd64 || ([ "$TARGETARCH" = "arm64" ] && echo arm64 || echo "$TARGETARCH")) \
+    && curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH_MAPPING}.deb"
 
-FROM debian:buster
+FROM debian:12.6
+ARG VERSION
 RUN mkdir /app
 WORKDIR /app
 COPY --from=stage zerotier-one.deb .
-RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y procps iptables openssl \
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y \
+    procps=2:4.0.2-3 \
+    iptables=1.8.9-2 \
+    openssl=3.0.17-1~deb12u3 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 RUN dpkg -i zerotier-one.deb && rm -f zerotier-one.deb
 RUN echo "${VERSION}" >/etc/zerotier-version
 COPY entrypoint.sh entrypoint.sh
 RUN chmod 755 entrypoint.sh
+HEALTHCHECK --interval=30s --timeout=5s --start-period=60s --retries=3 CMD sh -c 'zerotier-cli info 2>/dev/null | grep -q ONLINE'
 ENTRYPOINT ["/app/entrypoint.sh"]

README.md

@@ -6,7 +6,7 @@ A container to provide out-of-the-box bridging functionality to a ZeroTier netwo
 
 ### Prerequisites
 
-- Docker running as your logged in user (i.e. not having to run `sudo docker-compose xyz`) - [Linux instructions here](https://docs.docker.com/engine/install/linux-postinstall/)
+- Docker running as your logged in user (if `docker ps` runs then you're good, if not follow the link ->) - [Linux instructions here](https://docs.docker.com/engine/install/linux-postinstall/)
 
 ### ZeroTier UI Changes
 
@@ -22,17 +22,15 @@ You also need to add a static route into ZeroTier so that the traffic is routed
 
 **You need to edit the `ZT_NETWORKS` and `ARCH` variable in the `docker-compose.yml` file first to add your networks and make sure your acrhitecture is correct (see [this page](http://download.zerotier.com/debian/buster/pool/main/z/zerotier-one/) for examples, usually either amd64 or arm64)**
 
-Easy one-liner for Docker Compose:
+Easiest way to bring up is via Docker Compose. Rename `docker-compose.yml.example` to `docker-compose.yml` and run `docker compose up -d`.
 
-`docker-compose build && docker-compose up -d`
-
-If you want to disable bridging, set `ZT_BRIDGE=false`. This can be done after the initial networks have been joined (just rebuild the container), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
+If you want to disable bridging, set `ZT_BRIDGE=false`. This can be done after the initial networks have been joined (just change the environment variable in the `docker-compose.yml` file and run `), as the ZeroTier config persists but IPTables forwarding is done on each container startup.
 
 ### OG Docker
 
 `docker build -t zerotierbridge .`
 
-`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE -e ZT_BRIDGE=true zerotierbridge:latest`
+`docker run --privileged -e ZT_NETWORKS=NETWORK_1 NETWORK_2 -e ZT_BRIDGE=true zerotierbridge:latest`
 
 Add your network ID(s) into the `ZT_NETWORKS` argument, space separated.
 
@@ -42,14 +40,10 @@ Disable bridging by passing `ZT_BRIDGE=false`. This can be done after the initia
 
 If you would like the container to retain the same ZeroTier client ID on reboot, attach a volume as per the below.
 
-`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE ZT_BRIDGE=true --volume zt1:/var/lib/zerotier-one/ zerotierbridge:latest`
+`docker run --privileged -e ZT_NETWORKS=NETWORK_ID_HERE ZT_BRIDGE=true -v zt_config:/var/lib/zerotier-one/ zerotierbridge:latest`
 
 #### Caveat: Architecture
 
 If you need to run this on a device with different architecture (a raspberry pi, for instance), then just edit line 3 of the Dockerfile.
 
 If you were using a Raspberry Pi 4, you would change this to `ARCH=arm64` and the container will pull the correct ZeroTier installer.
-
-## TODO
-
-- Add kubernetes deployment YAML

docker-compose.yml.example

@@ -3,12 +3,7 @@ version: "3"
 services:
   zerotierbridge:
     container_name: zerotierbridge
-    build:
-      context: .
-      dockerfile: Dockerfile
-      args:
-        ARCH: amd64
-        VERSION: 1.12.2
+    image: registry.dangerous.tech/dangeroustech/zerotierbridge
     restart: always
     privileged: true
     volumes:

package.json

@@ -1,3 +1,3 @@
 {
-  "version": "1.0.4"
+  "version": "1.2.1"
 }

results.sarif

@@ -0,0 +1,16 @@
+{
+  "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Grype",
+          "version": "0.63.0",
+          "informationUri": "https://github.com/anchore/grype"
+        }
+      },
+      "results": []
+    }
+  ]
+}