.github/workflows/build.yml

@@ -27,18 +27,18 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v2
 
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@main
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v2
 
       - name: Login to registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v2
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.repository_owner }}
@@ -46,7 +46,7 @@ jobs:
 
       - name: Set Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v4
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -54,7 +54,7 @@ jobs:
 
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v3
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
@@ -65,24 +65,5 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         run: cosign sign ${TAGS} -y
         env:
+          COSIGN_EXPERIMENTAL: "true"
           TAGS: ${{ steps.meta.outputs.tags }}
-
-  scan:
-    name: Scan current image & report results
-    needs: build
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'ghcr.io/tommytran732/matrix.to'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-          vuln-type: "os,library"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'

.github/workflows/scan.yml

@@ -1,27 +0,0 @@
-name: Scan
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Scan the image regularly (once a day)
-    - cron: '0 23 * * *'
-
-jobs:
-  scan:
-    name: Scan current image & report results
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'ghcr.io/tommytran732/matrix.to'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-          vuln-type: "os,library"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -1,25 +1,3 @@
-ARG HARDENED_MALLOC_VERSION=2024052100
-
-### Build Hardened Malloc
-FROM alpine:latest as hmalloc-builder
-
-ARG HARDENED_MALLOC_VERSION
-ARG CONFIG_NATIVE=false
-ARG VARIANT=default
-
-RUN apk -U upgrade \
-    && apk --no-cache add build-base git gnupg openssh-keygen
-    
-RUN cd /tmp \
-    && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
-    && cd hardened_malloc \
-    && wget -q https://grapheneos.org/allowed_signers -O grapheneos_allowed_signers \
-    && git config gpg.ssh.allowedSignersFile grapheneos_allowed_signers \
-    && git verify-tag $(git describe --tags) \
-    && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
-
-### Build Production
-
 FROM node:alpine
 
 LABEL maintainer="Thien Tran contact@tommytran.io"
@@ -28,8 +6,8 @@ ARG UID=992
 ARG GID=992
 
 RUN apk -U upgrade \
-    && apk --no-cache add git \
+  && apk --no-cache add git \
-    && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" matrix-to
+  && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" matrix-to
 
 USER matrix-to
 
@@ -42,13 +20,9 @@ COPY element.patch /home/matrix-to/matrix.to
 WORKDIR /home/matrix-to/matrix.to
 
 RUN git apply /home/matrix-to/matrix.to/element.patch \
-    && rm -rf .git \
+  && rm -rf .git \
-    && yarn \
+  && yarn \
-    && yarn build
+  && yarn build
-
-COPY --from=hmalloc-builder /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/
-
-ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
 
 EXPOSE 5000
 

README.md

@@ -1,7 +1,5 @@
 # Matrix.to-Docker
 
-![Build, scan & push](https://github.com/tommytran732/Matrix.to-Docker/actions/workflows/build.yml/badge.svg)
-
 Matrix.to is a simple url redirection service for the Matrix.org ecosystem which lets users share links to matrix entities without being tied to a specific app. Stylistically it serves as a landing page for rooms and communities.
 
 This is my own Docker image building from [the official repository](https://github.com/matrix-org/matrix.to).
@@ -11,4 +9,3 @@ This is my own Docker image building from [the official repository](https://gith
 - Don't trust random images: build yourself if you can.
 - Default Element instance is changed from [Element.io](https://app.element.io) to [ArcticFoxes.net](https://element.arcticfoxes.net)
 - The Dockerfile builds from the main branch, as releases do not come out frequently.
-- The image comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag.