chore 🤖: Release v1.2.1 [skip ci]

- Add workflow-level concurrency to avoid overlapping releases
- Enable BuildKit cache (GHA) for faster Docker builds
- Simplify to a single multi-arch build (linux/amd64, linux/arm64)
  - Remove digest export/upload and manifest merge steps
  - Push manifest directly from buildx with tag `latest`
- Fix GitHub Release token casing to use `secrets.GITHUB_TOKEN`
- Update Dockerfile to use TARGETARCH for correct package selection
  - Pass VERSION consistently; write version to image

No functional change to runtime behavior expected; improves speed, reliability, and maintainability of the release pipeline.

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 10
+    labels:
+      - dependencies
+      - github-actions
+

.github/workflows/docker-build.yml

@@ -13,6 +13,10 @@ permissions:
   security-events: write
   statuses: read
 
+concurrency:
+  group: docker-release-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
   pull_request:
     branches:
@@ -28,14 +32,9 @@ jobs:
   Docker_Build:
     name: Docker Build And Release
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: true
-      matrix:
-        arch: [amd64, arm64]
-        version: [1.12.2]
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -53,46 +52,25 @@ jobs:
 
       - name: Build
         id: docker_build
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           build-args: |
-            ARCH=${{ matrix.arch }}
-            VERSION=${{ matrix.version }}
+            VERSION=1.12.2
           push: true
-          platforms: linux/${{ matrix.arch }}
-          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ env.REGISTRY_IMAGE }}:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
 
-      - name: Export Digests
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.docker_build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@v3
-        with:
-          name: digests
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
 
   MergeRefs:
-    name: Do The Horrible Merge Thing
+    name: Publish Multi-Arch Image And Release
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs:
       - Docker_Build
     steps:
-      - name: Download digests
-        uses: actions/download-artifact@v3
-        with:
-          name: digests
-          path: /tmp/digests
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
       - name: Login to Registry
         id: login
         uses: docker/login-action@v3
@@ -101,25 +79,6 @@ jobs:
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_PASSWORD }}
 
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY_IMAGE }}
-          tags: |
-            # set latest tag for default branch
-            # https://github.com/docker/metadata-action#latest-tag
-            type=raw,value=latest,enable={{is_default_branch}}
-
-      - name: Create manifest list and push
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
-      - name: Inspect image
-        run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
-
       - name: Generate SBOM
         uses: anchore/sbom-action@v0
         id: sbom
@@ -131,7 +90,7 @@ jobs:
           output-file: ./sbom.spdx.json
 
       - name: Scan SBOM
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v7
         id: scan
         with:
           sbom: sbom.spdx.json
@@ -140,15 +99,15 @@ jobs:
           only-fixed: true
 
       - name: upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
 
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Changelog
-        uses: TriPSs/conventional-changelog-action@v3
+        uses: TriPSs/conventional-changelog-action@v6
         id: changelog
         if: ${{ github.event_name != 'pull_request' }}
         with:
@@ -161,11 +120,11 @@ jobs:
           skip-on-empty: false # otherwise we don't publish fixes
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         id: release
         if: ${{ steps.changelog.outputs.skipped == 'false' }}
         env:
-          GITHUB_TOKEN: ${{ secrets.github_token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ steps.changelog.outputs.tag }}
           name: ${{ steps.changelog.outputs.tag }}

CHANGELOG.md

@@ -1,3 +1,21 @@
+## [1.2.1](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.2.0...v1.2.1) (2025-10-26)
+
+
+
+# [1.2.0](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.1.2...v1.2.0) (2025-10-26)
+
+
+### Bug Fixes
+
+* **workflow:** update artifact naming and handling in docker-build.yml ([96ebbf8](https://github.com/dangeroustech/ZeroTierBridge/commit/96ebbf805d2cb3bb4089a5a0dc70114e3c16cc1b))
+
+
+### Features
+
+* **docker:** add health check to Dockerfile for zerotier-cli ([7d643e3](https://github.com/dangeroustech/ZeroTierBridge/commit/7d643e3ff6c0683d335baae5138ceef475cd37c3))
+
+
+
 ## [1.1.2](https://github.com/dangeroustech/ZeroTierBridge/compare/v1.1.1...v1.1.2) (2023-10-18)
 
 

Dockerfile

@@ -1,19 +1,27 @@
-FROM debian:bookworm as stage
+FROM debian:12.6 as stage
 ARG PACKAGE_BASEURL=https://download.zerotier.com/debian/bookworm/pool/main/z/zerotier-one
-ARG ARCH=amd64
+ARG TARGETARCH
 ARG VERSION=1.12.2
-RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y ca-certificates curl
-RUN curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH}.deb"
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y \
+    ca-certificates=20230311+deb12u1 \
+    curl=7.88.1-10+deb12u14
+RUN ARCH_MAPPING=$([ "$TARGETARCH" = "amd64" ] && echo amd64 || ([ "$TARGETARCH" = "arm64" ] && echo arm64 || echo "$TARGETARCH")) \
+    && curl -sSL -o zerotier-one.deb "${PACKAGE_BASEURL}/zerotier-one_${VERSION}_${ARCH_MAPPING}.deb"
 
-FROM debian:bookworm
+FROM debian:12.6
+ARG VERSION
 RUN mkdir /app
 WORKDIR /app
 COPY --from=stage zerotier-one.deb .
-RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y procps iptables openssl \
+RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y \
+    procps=2:4.0.2-3 \
+    iptables=1.8.9-2 \
+    openssl=3.0.17-1~deb12u3 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 RUN dpkg -i zerotier-one.deb && rm -f zerotier-one.deb
 RUN echo "${VERSION}" >/etc/zerotier-version
 COPY entrypoint.sh entrypoint.sh
 RUN chmod 755 entrypoint.sh
+HEALTHCHECK --interval=30s --timeout=5s --start-period=60s --retries=3 CMD sh -c 'zerotier-cli info 2>/dev/null | grep -q ONLINE'
 ENTRYPOINT ["/app/entrypoint.sh"]

package.json

@@ -1,3 +1,3 @@
 {
-  "version": "1.1.2"
+  "version": "1.2.1"
 }