diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..c886da6
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,69 @@
+name: Build
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ # Ignore Markdown files
+ paths-ignore:
+ - '**.md'
+ schedule:
+ # Build the image regularly (each Saturday)
+ - cron: '0 22 * * 6'
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: tommytran732/matrix.to
+
+jobs:
+ build:
+ name: Build, scan & push
+ runs-on: "ubuntu-latest"
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@main
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to registry
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v2
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Set Docker metadata
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ latest
+
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@v3
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ run: cosign sign ${TAGS} -y
+ env:
+ COSIGN_EXPERIMENTAL: "true"
+ TAGS: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 0000000..face5b6
--- /dev/null
+++ b/.github/workflows/scan.yml
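Review bot: The signing step at the end of the hunk signs the mutable `latest` tag (`cosign sign ${TAGS} -y`), so the signature attaches to whatever the tag resolves to at signing time rather than to the image that was just pushed; sign the digest instead, which docker/build-push-action exposes as an output: `DIGEST: ${{ steps.build-and-push.outputs.digest }}` under `env:` and `run: cosign sign -y "${REGISTRY}/${IMAGE_NAME}@${DIGEST}"`. The same job grants `id-token: write` while pulling `sigstore/cosign-installer@main`, a floating branch ref; pin it to a release tag or commit SHA (`sigstore/cosign-installer@<release-tag-or-sha>`) before it is trusted with keyless signing. The `if: github.event_name != 'pull_request'` guards never change behaviour here, since the workflow is triggered only by `workflow_dispatch`, `push` to main and `schedule`. With `latest` as the only tag from metadata-action, each weekly rebuild of upstream main overwrites the sole tag, so consider adding a `type=sha` or date tag so a given build stays addressable after the next one lands.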
@@ -0,0 +1,29 @@
+name: Scan
+
+on:
+ schedule:
+ # Scan the image regularly (once a day)
+ - cron: '0 23 * * *'
+
+jobs:
+ scan:
+ name: Scan current image & report results
+ runs-on: "ubuntu-latest"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'ghcr.io/tommytran732/matrix.to'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ vuln-type: "os"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..ca7824b
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM node:alpine
+
+LABEL maintainer="Thien Tran contact@tommytran.io"
+
+ARG UID=992
+ARG GID=992
+
+RUN apk -U upgrade \
+ && apk --no-cache add git \
+ && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" matrix-to
+
+RUN git clone https://github.com/matrix-org/matrix.to \
+ && cd matrix.to \
+ && yarn \
+ && yarn build
+
+USER matrix-to
+
+EXPOSE 5000
+
+ENTRYPOINT ["yarn", "start"]
diff --git a/README.md b/README.md
index d822390..31439b3 100644
--- a/README.md
+++ b/README.md
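Review bot: `vuln-type: "os"` restricts the Trivy step to Alpine packages, so the Node dependencies that the Dockerfile installs with `yarn` are never scanned, even though the README describes this workflow as the daily vulnerability check for the image; drop the key (Trivy's default covers both os and library) or set `vuln-type: 'os,library'`. `github/codeql-action/upload-sarif` needs `security-events: write`, and the `scan` job declares no `permissions:` block, so the upload depends on the repository's default token scope; add `permissions:` with `contents: read` and `security-events: write` to the job so it also works under a read-only default. `aquasecurity/trivy-action@master` is a floating ref for the step that produces the signal shown in the Security tab; pin it to a release tag or commit SHA. `image-ref` carries no tag and therefore scans `latest`, which is also what build.yml publishes; worth stating, e.g. `# Scans the :latest tag that build.yml publishes weekly`.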
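Review bot: The `cd matrix.to` in the second `RUN` is scoped to that shell and no `WORKDIR` is set, so `ENTRYPOINT ["yarn", "start"]` appears to run from `/`, where there is no package.json; add `WORKDIR /matrix.to` before `USER matrix-to` (or, if this does start correctly today, a comment explaining how yarn locates the project). `FROM node:alpine` plus a `git clone` of the upstream default branch with no commit or tag means each weekly rebuild picks up whatever Node major and upstream commit happen to be current, so two images tagged `latest` are not comparable and a signature on one says nothing about the next; pin the base (`node:<major>-alpine` or a digest) and pass `--frozen-lockfile` to `yarn` if upstream ships a yarn.lock, so the lockfile rather than the registry decides the dependency set. `git` is installed only to perform the clone but stays in the runtime image; a multi-stage build, or `apk del git` at the end of the clone step, removes it from the final layer.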
@@ -1,2 +1,11 @@
 # Matrix.to-Docker
-Docker image for Matrix.to
+
+Matrix.to is a simple url redirection service for the Matrix.org ecosystem which lets users share links to matrix entities without being tied to a specific app. Stylistically it serves as a landing page for rooms and communities.
+
+This is my own Docker image building from [the official repository](https://github.com/matrix-org/matrix.to).
+
+### Notes
+- Prebuilt images are available at `ghcr.io/tommytran732/matrix.to`.
+- Don't trust random images: build yourself if you can.
+- The Dockerfile builds from the main branch, as the relases do not come out frequently.
+- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images.
\ No newline at end of file