Add Mjolnir module and update workflow

Signed-off-by: Tommy <contact@tommytran.io>

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: build
+name: Build
 
 on:
   workflow_dispatch:
@@ -9,12 +9,12 @@ on:
     paths-ignore:
       - '**.md'
   schedule:
-    # Build the image regularly (each Friday)
-    - cron: '13 21 * * 5'
+    # Build the image regularly (each Saturday)
+    - cron: '0 22 * * 6'
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: wonderfall/synapse
+  IMAGE_NAME: tommytran732/synapse
 
 jobs:
   build:
@@ -75,4 +75,4 @@ jobs:
         run: cosign sign ${TAGS}
         env:
           COSIGN_EXPERIMENTAL: "true"
-          TAGS: ${{ steps.meta.outputs.tags }}
+          TAGS: ${{ steps.meta.outputs.tags }}

.github/workflows/scan.yml

@@ -1,14 +1,14 @@
-name: scan
+name: Scan
 
 on:
   schedule:
     # Scan the image regularly (once a day)
-    - cron: '45 03 * * *'
+    - cron: '0 23 * * *'
 
 jobs:
-  build:
+  scan:
     name: Scan current image & report results
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-latest"
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
@@ -16,7 +16,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'ghcr.io/wonderfall/synapse'
+          image-ref: 'ghcr.io/tommytran732/synapse'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
@@ -26,4 +26,4 @@ jobs:
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -1,17 +1,15 @@
 ARG SYNAPSE_VERSION=1.75.0
-ARG PYTHON_VERSION=3.11
-ARG ALPINE_VERSION=3.17
 ARG HARDENED_MALLOC_VERSION=11
 ARG UID=991
 ARG GID=991
 
 
 ### Build Hardened Malloc
-FROM alpine:${ALPINE_VERSION} as build-malloc
+FROM alpine:latest as build-malloc
 
 ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
-ARG VARIANT=light
+ARG VARIANT=default
 
 RUN apk --no-cache add build-base git gnupg && cd /tmp \
  && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \
@@ -21,8 +19,7 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
 
 
 ### Build Synapse
-ARG ALPINE_VERSION
-FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} as builder
+FROM python:alpine as builder
 
 ARG SYNAPSE_VERSION
 
@@ -33,7 +30,7 @@ RUN apk -U upgrade \
         libjpeg-turbo-dev \
         libxslt-dev \
         linux-headers \
-        openssl-dev \        
+        openssl-dev \
         postgresql-dev \
         rustup \
         zlib-dev \
@@ -44,10 +41,8 @@ RUN apk -U upgrade \
 
 
 ### Build Production
-ARG ALPINE_VERSION
-ARG PYTHON_VERSION
 
-FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION}
+FROM python:alpine
 
 ARG UID
 ARG GID
@@ -64,17 +59,20 @@ RUN apk -U upgrade \
         zlib \
         tzdata \
         xmlsec \
+        git \
         curl \
         icu-libs \
  && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" synapse \
  && rm -rf /var/cache/apk/*
 
+RUN pip install --upgrade pip \
+ && pip install -e "git+https://github.com/matrix-org/mjolnir.git#egg=mjolnir&subdirectory=synapse_antispam"
 
-COPY --from=build-malloc /tmp/hardened_malloc/out-light/libhardened_malloc-light.so /usr/local/lib/
+COPY --from=build-malloc /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/
 COPY --from=builder /install /usr/local
 COPY --chown=synapse:synapse rootfs /
 
-ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so"
+ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
 
 USER synapse
 
@@ -85,4 +83,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
 ENTRYPOINT ["python3", "start.py"]
 
 HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \
-    CMD curl -fSs http://localhost:8008/health || exit 1
+    CMD curl -fSs http://localhost:8008/health || exit 1

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 Wonderfall
+Copyright (c) 2021 Wonderfall, Thien Tran
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,17 +1,19 @@
-# wonderfall/synapse
+# tommytran732/synapse
 
-![Build, scan & push](https://github.com/wonderfall/docker-synapse/actions/workflows/build.yml/badge.svg)
+![Build, scan & push](https://github.com/tommytran732/Synapse-Docker/actions/workflows/build.yml/badge.svg)
 
 [Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python.
 
 ### Notes
-- Prebuilt images are available at `ghcr.io/wonderfall/synapse`.
+- Prebuilt images are available at `ghcr.io/tommytran732/synapse` and `quay.io/tommytran732/synapse`.
 - Don't trust random images: build yourself if you can.
-- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/Wonderfall/docker-synapse/blob/main/Dockerfile#L1-L6).
-- Images from `ghcr.io` are built every week, and scanned every day for critical vulnerabilities.
+- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4).
+- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images.
+- Images from `quay.io` are built on every push event and scanned for vulnerabilities with Clair.
 
 ### Features & usage
 - Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker).
 - Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991.
 - Based on [Alpine](https://alpinelinux.org/), which provides more recent packages while having less attack surface.
 - Comes with a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), protecting against some heap-based buffer overflows.
+- [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.