2024-09-19 15:44:43 -04:00
4 changed files with 12 additions and 87 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -27,18 +27,18 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2

      - name: Install cosign
        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@main

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v2

      - name: Login to registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.repository_owner }}
@ -46,7 +46,7 @@ jobs:

      - name: Set Docker metadata
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@ -54,7 +54,7 @@ jobs:

      - name: Build and push Docker image
        id: build-and-push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v3
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
@ -65,24 +65,5 @@ jobs:
        if: ${{ github.event_name != 'pull_request' }}
        run: cosign sign ${TAGS} -y
        env:
+          COSIGN_EXPERIMENTAL: "true"
          TAGS: ${{ steps.meta.outputs.tags }}
-
-  scan:
-    name: Scan current image & report results
-    needs: build
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'ghcr.io/tommytran732/matrix.to'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-          vuln-type: "os,library"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -1,27 +0,0 @@
-name: Scan
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Scan the image regularly (once a day)
-    - cron: '0 23 * * *'
-
-jobs:
-  scan:
-    name: Scan current image & report results
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'ghcr.io/tommytran732/matrix.to'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-          vuln-type: "os,library"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
--- a/36
+++ b/36
@ -1,25 +1,3 @@
-ARG HARDENED_MALLOC_VERSION=2024052100
-
-### Build Hardened Malloc
-FROM alpine:latest as hmalloc-builder
-
-ARG HARDENED_MALLOC_VERSION
-ARG CONFIG_NATIVE=false
-ARG VARIANT=default
-
-RUN apk -U upgrade \
-    && apk --no-cache add build-base git gnupg openssh-keygen
-    
-RUN cd /tmp \
-    && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
-    && cd hardened_malloc \
-    && wget -q https://grapheneos.org/allowed_signers -O grapheneos_allowed_signers \
-    && git config gpg.ssh.allowedSignersFile grapheneos_allowed_signers \
-    && git verify-tag $(git describe --tags) \
-    && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
-
-### Build Production
-
 FROM node:alpine

 LABEL maintainer="Thien Tran contact@tommytran.io"
@ -28,8 +6,8 @@ ARG UID=992
 ARG GID=992

 RUN apk -U upgrade \
-    && apk --no-cache add git \
-    && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" matrix-to
+  && apk --no-cache add git \
+  && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" matrix-to

 USER matrix-to

@ -42,13 +20,9 @@ COPY element.patch /home/matrix-to/matrix.to
 WORKDIR /home/matrix-to/matrix.to

 RUN git apply /home/matrix-to/matrix.to/element.patch \
-    && rm -rf .git \
-    && yarn \
-    && yarn build
-
-COPY --from=hmalloc-builder /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/
-
-ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
+  && rm -rf .git \
+  && yarn \
+  && yarn build

 EXPOSE 5000

--- a/README.md
+++ b/README.md
@ -1,7 +1,5 @@
 # Matrix.to-Docker

-![Build, scan & push](https://github.com/tommytran732/Matrix.to-Docker/actions/workflows/build.yml/badge.svg)
-
 Matrix.to is a simple url redirection service for the Matrix.org ecosystem which lets users share links to matrix entities without being tied to a specific app. Stylistically it serves as a landing page for rooms and communities.

 This is my own Docker image building from [the official repository](https://github.com/matrix-org/matrix.to).
@ -11,4 +9,3 @@ This is my own Docker image building from [the official repository](https://gith
 - Don't trust random images: build yourself if you can.
 - Default Element instance is changed from [Element.io](https://app.element.io) to [ArcticFoxes.net](https://element.arcticfoxes.net)
 - The Dockerfile builds from the main branch, as releases do not come out frequently.
- The image comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag.