build: improve build config

Author: sebthom

.gitattributes

@@ -60,6 +60,8 @@
 *.php        text
 *.python     text
 *.sql        text
+**/Dockerfile text eol=lf
+**/*.Dockerfile text eol=lf
 
 
 # Archives

.github/dependabot.yml

@@ -1,16 +1,17 @@
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
 version: 2
 updates:
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: weekly
-      day: monday
-      time: "09:00"
-    commit-message:
-      prefix: fix
-      prefix-development: chore
-      include: scope
-    labels:
-      - gha
-      - dependencies
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: weekly
+    day: monday
+    time: "14:00"
+  commit-message:
+    prefix: ci
+    prefix-development: ci
+    include: scope
+  labels:
+  - dependencies
+  - gha
+  - pinned

.github/stale.yml

@@ -1,42 +1,101 @@
-# Copyright 2021 by Vegard IT GmbH, Germany, https://vegardit.com
+# SPDX-FileCopyrightText: © Vegard IT GmbH (https://vegardit.com)
+# SPDX-FileContributor: Sebastian Thomschke
 # SPDX-License-Identifier: Apache-2.0
+# SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-softhsm2-pkcs11-proxy
 #
-# Author: Sebastian Thomschke, Vegard IT GmbH
-#
-# https://github.com/vegardit/docker-softhsm2-pkcs11-proxy
-#
-# https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
 name: Build
 
 on:
   push:
-    branches:
-    - '**'
-    tags-ignore:
+    branches-ignore:  # build all branches except:
+    - 'dependabot/**'  # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
+    tags-ignore:  # don't build tags
     - '**'
     paths-ignore:
     - '**/*.md'
+    - '.editorconfig'
+    - '.git*'
+    - '.github/*.yml'
+    - '.github/workflows/stale.yml'
+  pull_request:
+    paths-ignore:
+    - '**/*.md'
+    - '.editorconfig'
+    - '.git*'
+    - '.github/*.yml'
+    - '.github/workflows/stale.yml'
   schedule:
-    # https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows
-    - cron: '0 0 * * *'
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
+    - cron: '0 17 * * 3'
   workflow_dispatch:
-    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_dispatch
+
+defaults:
+  run:
+    shell: bash
 
 env:
+  DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/softhsm2-pkcs11-proxy
   TRIVY_CACHE_DIR: ~/.trivy/cache
 
 jobs:
+
+  ###########################################################
   build:
-    runs-on: ubuntu-latest
+  ###########################################################
+    runs-on: ubuntu-latest  # https://github.com/actions/runner-images#available-images
+    timeout-minutes: 60
+
+    permissions:
+      packages: write
 
     strategy:
       matrix:
-        DOCKER_BASE_IMAGE: [ "alpine:latest", "debian:stable-slim" ]
         SOFTHSM_VERSION: [ "latest", "develop" ]
+        DOCKER_BASE_IMAGE:
+        - ghcr.io/dockerhub-mirror/alpine:latest
+        - ghcr.io/dockerhub-mirror/debian:stable-slim
 
     steps:
+    - name: "Show: GitHub context"
+      env:
+        GITHUB_CONTEXT: ${{ toJSON(github) }}
+      run: echo $GITHUB_CONTEXT
+
+
+    - name: "Show: environment variables"
+      run: env | sort
+
+
     - name: Git Checkout
-      uses: actions/checkout@v4 #https://github.com/actions/checkout
+      uses: actions/checkout@v4  # https://github.com/actions/checkout
+
+
+    - name: Run the sh-checker
+      uses: luizm/action-sh-checker@master  # https://github.com/marketplace/actions/sh-checker
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SHFMT_OPTS: --simplify --keep-padding
+      with:
+         sh_checker_comment: true
+         sh_checker_checkbashisms_enable: true
+         sh_checker_shfmt_disable: true
+
+
+    - name: Check Alpine Dockerfile
+      uses: hadolint/hadolint-action@v3.1.0
+      if: ${{ startsWith(matrix.DOCKER_BASE_IMAGE, 'alpine') }}
+      with:
+        dockerfile: image/alpine.Dockerfile
+
+
+    - name: Check Debian Dockerfile
+      uses: hadolint/hadolint-action@v3.1.0
+      if: ${{ startsWith(matrix.DOCKER_BASE_IMAGE, 'debian') }}
+      with:
+        dockerfile: image/debian.Dockerfile
+
 
     - name: Cache trivy cache
       uses: actions/cache@v4
@@ -47,24 +106,47 @@ jobs:
         restore-keys: |
           ${{ runner.os }}-trivy-
 
+
     - name: Configure fast APT repository mirror
       uses: vegardit/fast-apt-mirror.sh@v1
 
+
     - name: Install dos2unix
       run: sudo apt-get install --no-install-recommends -y dos2unix
 
-    - name: Build docker image
-      shell: bash
+
+    - name: "Determine if docker images shall be published"
+      run: |
+        # ACT -> https://nektosact.com/usage/index.html#skipping-steps
+        set -x
+        if [[ $GITHUB_REF_NAME == 'main' && $GITHUB_EVENT_NAME != 'pull_request' && -z "$ACT" ]]; then
+          echo "DOCKER_PUSH_GHCR=true" >> "$GITHUB_ENV"
+          if [[ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]]; then
+            echo "DOCKER_PUSH=true" >> "$GITHUB_ENV"
+          fi
+        fi
+
+
+    - name: Login to docker.io
+      if: ${{ env.DOCKER_PUSH }}
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKER_HUB_USERNAME }}
+        password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+
+    - name: Login to ghcr.io
+      if: ${{ env.DOCKER_PUSH_GHCR }}
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+
+    - name: Build ${{ env.DOCKER_IMAGE_REPO }}:${{ matrix.SOFTHSM_VERSION }}
       env:
         DOCKER_BASE_IMAGE: ${{ matrix.DOCKER_BASE_IMAGE }}
-        DOCKER_REGISTRY: docker.io
-        DOCKER_REGISTRY_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
-        DOCKER_REGISTRY_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
         SOFTHSM_VERSION: ${{ matrix.SOFTHSM_VERSION }}
-        TRIVY_GITHUB_TOKEN: ${{ github.token }}
-      run: |
-        if [[ $GITHUB_REF_NAME == "main" && $ACT != "true" ]]; then
-          export DOCKER_PUSH=1
-          echo "$DOCKER_REGISTRY_TOKEN" | docker login -u="$DOCKER_REGISTRY_USERNAME" "$DOCKER_REGISTRY" --password-stdin
-        fi
-        bash build-image.sh
+        TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: bash build-image.sh

.github/workflows/build.yml

@@ -0,0 +1,56 @@
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+name: Stale issues
+
+on:
+  schedule:
+    - cron: '0 16 * * 1'
+  workflow_dispatch:
+    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v4  # https://github.com/actions/checkout
+
+    - name: Run stale action
+      uses: actions/stale@v9  # https://github.com/actions/stale
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        days-before-stale: 90
+        days-before-close: 14
+        stale-issue-message: >
+          This issue has been automatically marked as stale because it has not had
+          recent activity. It will be closed in 14 days if no further activity occurs.
+          If the issue is still valid, please add a respective comment to prevent this 
+          issue from being closed automatically. Thank you for your contributions.
+        stale-issue-label: stale
+        close-issue-label: wontfix
+        exempt-issue-labels: |
+          enhancement
+          pinned
+          security
+
+    - name: Run stale action (for enhancements)
+      uses: actions/stale@v9  # https://github.com/actions/stale
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        days-before-stale: 360
+        days-before-close: 14
+        stale-issue-message: >
+          This issue has been automatically marked as stale because it has not had
+          recent activity. It will be closed in 14 days if no further activity occurs.
+          If the issue is still valid, please add a respective comment to prevent this 
+          issue from being closed automatically. Thank you for your contributions.
+        stale-issue-label: stale
+        close-issue-label: wontfix
+        only-labels: enhancement
+        exempt-issue-labels: |
+          pinned
+          security

.github/workflows/stale.yml

@@ -14,16 +14,16 @@ bin/
 **/.*.md.html
 
 # IntelliJ
-.idea
-*.iml
-*.ipr
-*.iws
+/.idea
+/*.iml
+/*.ipr
+/*.iws
 
 # NetBeans
 nb-configuration.xml
 
 # Visual Studio Code
-.vscode
+/.vscode
 
 # OSX
 .DS_Store

.gitignore

@@ -26,14 +26,14 @@ Client applications can communicate with the HSM via TCP/TLS using libpkcs11-pro
 
 ## <a name="tags"></a>Docker image tagging scheme
 
-|Tag|Description|OS
+|Tag|Description|Base Image
 |-|-|-
-|`:latest` <br> `:latest-alpine` | build of the latest available release | Alpine Latest
-|`:latest-debian` | build of the latest available release | Debian Stable
-|`:develop` <br> `:develop-alpine` | daily build of the development branch | Alpine Latest
-|`:develop-debian` | build of the development branch | Debian Stable
-|`:2.x` <br> `:2.x-alpine` | build of the latest minor version of the respective <br> major release, e.g. `2.x` may contain release `2.1` | Alpine Latest
-|`:2.x-debian` | build of the latest minor version of the respective <br> major release, e.g. `2.x` may contain release `2.1` | Debian Stable
+|`:latest` <br> `:latest-alpine` | weekly build of the latest available SoftHSM release | alpine:latest
+|`:latest-debian` | weekly build of the latest available SoftHSM release | debian:stable-slim
+|`:develop` <br> `:develop-alpine` | weekly build of the development branch | alpine:latest
+|`:develop-debian` | weekly build of the development branch | debian:stable-slim
+|`:2.x` <br> `:2.x-alpine` | weekly build of the latest minor version of the respective <br> major release, e.g. `2.x` may contain release `2.6` | alpine:latest
+|`:2.x-debian` | weekly build of the latest minor version of the respective <br> major release, e.g. `2.x` may contain release `2.6` | debian:stable-slim
 
 See all tags at https://hub.docker.com/r/vegardit/softhsm2-pkcs11-proxy/tags