build: update project config

Author: sebthom

.gitattributes

@@ -39,6 +39,7 @@
 # Config/Serialisation
 .editorconfig    text
 **/.editorconfig text
+*.graphql        text
 *.ini            text
 *.properties     text
 *.json           text
@@ -56,8 +57,11 @@
 *.fish       text eol=lf
 *.sh         text eol=lf
 *.zsh        text eol=lf
+*.dart       text
+*.hx         text
 *.lua        text
 *.php        text
+*.py         text
 *.python     text
 *.sql        text
 **/Dockerfile text eol=lf
@@ -125,6 +129,8 @@
 *.htm        text diff=html
 *.html       text diff=html
 *.js         text
+*.ts         text
+*.vue        text
 
 
 # https://git-scm.com/docs/gitattributes#_export_ignore

.github/workflows/build.yml

@@ -3,10 +3,13 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-softhsm2-pkcs11-proxy
 #
-# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
+# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
 name: Build
 
-on:
+on:  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+  schedule:
+    # https://docs.github.com/en/actions/reference/choosing-when-your-workflow-runs/events-that-trigger-workflows
+    - cron: '0 17 * * 3'
   push:
     branches-ignore:  # build all branches except:
     - 'dependabot/**'  # prevent GHA triggered twice (once for commit to the branch and once for opening/syncing the PR)
@@ -25,20 +28,20 @@ on:
     - '.git*'
     - '.github/*.yml'
     - '.github/workflows/stale.yml'
-  schedule:
-    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
-    - cron: '0 17 * * 3'
   workflow_dispatch:
-    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_dispatch
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
+
 
 defaults:
   run:
     shell: bash
 
+
 env:
   DOCKER_REPO_NAME: softhsm2-pkcs11-proxy
   TRIVY_CACHE_DIR: ~/.trivy/cache
 
+
 jobs:
 
   ###########################################################
@@ -59,7 +62,7 @@ jobs:
     - name: "Show: GitHub context"
       env:
         GITHUB_CONTEXT: ${{ toJSON(github) }}
-      run: echo $GITHUB_CONTEXT
+      run: printf '%s' "$GITHUB_CONTEXT" | python -m json.tool
 
 
     - name: "Show: environment variables"
@@ -167,7 +170,7 @@ jobs:
     concurrency:
       group: ${{ github.workflow }}
       cancel-in-progress: false
-      
+
     permissions:
       packages: write
 

.github/workflows/stale.yml

@@ -1,11 +1,12 @@
-# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
+# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
 name: Stale issues
 
 on:
   schedule:
-    - cron: '0 16 * * 1'
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+    - cron: '0 15 1,15 * *'
   workflow_dispatch:
-    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
+    # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
 
 permissions:
   issues: write
@@ -14,43 +15,6 @@ permissions:
 jobs:
   stale:
     runs-on: ubuntu-latest
-
     steps:
-    - name: Git checkout
-      uses: actions/checkout@v5  # https://github.com/actions/checkout
-
-    - name: Run stale action
-      uses: actions/stale@v10  # https://github.com/actions/stale
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        days-before-stale: 90
-        days-before-close: 14
-        stale-issue-message: >
-          This issue has been automatically marked as stale because it has not had
-          recent activity. It will be closed in 14 days if no further activity occurs.
-          If the issue is still valid, please add a respective comment to prevent this 
-          issue from being closed automatically. Thank you for your contributions.
-        stale-issue-label: stale
-        close-issue-label: wontfix
-        exempt-issue-labels: |
-          enhancement
-          pinned
-          security
-
-    - name: Run stale action (for enhancements)
-      uses: actions/stale@v10  # https://github.com/actions/stale
-      with:
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        days-before-stale: 360
-        days-before-close: 14
-        stale-issue-message: >
-          This issue has been automatically marked as stale because it has not had
-          recent activity. It will be closed in 14 days if no further activity occurs.
-          If the issue is still valid, please add a respective comment to prevent this 
-          issue from being closed automatically. Thank you for your contributions.
-        stale-issue-label: stale
-        close-issue-label: wontfix
-        only-labels: enhancement
-        exempt-issue-labels: |
-          pinned
-          security
+      - name: Run stale action
+        uses: sebthom/gha-shared/.github/actions/stale@v1

.gitignore

@@ -11,7 +11,6 @@ _LOCAL/
 .project
 .settings/
 bin/
-**/.*.md.html
 
 # IntelliJ
 /.idea

CODE_OF_CONDUCT.md

@@ -60,7 +60,7 @@ representative at an online or offline event.
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-https://vegardit.com/en/legal/.
+https://vegardit.com/en/legal/
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the

CONTRIBUTING.md

@@ -1,25 +1,45 @@
-# Contributing
+# Contributing to the Project
 
-Thanks for your interest in contributing to this project!
+Thank you for your interest in contributing to this project! We strive to make the contribution process clear and welcoming.
 
-We want to make contributing as easy and transparent as possible.
+Please take a moment to review the guidelines below.
 
 
 ## Code of Conduct
 
-Our code of conduct is described in [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
+Please review and adhere to our [Code of Conduct](CODE_OF_CONDUCT.md) in all your interactions with the project.
+This helps us maintain a positive and respectful environment for everyone involved.
 
 
-## Issues
+## How to Contribute
 
-We use GitHub issues to track bugs and feature requests. Please ensure your description is clear and has sufficient instructions to be able to reproduce the issue.
+### Contributor Responsibilities
 
+By submitting your contributions, you agree to the following:
+- You are the sole author of the content you contribute, or you have the appropriate rights and permissions to contribute it.
+- If employed, you have obtained any necessary permissions from your employer to contribute to this project.
+- All contributions will be made available under the project’s license.
 
-## Pull Requests
+### Issues
 
-Before you make a substantial pull request, please file an issue and make sure someone from the team agrees that there is a problem or room for improvement.
+We use GitHub Issues to track bugs and feature requests. When submitting an issue, please ensure:
+- The description is clear and concise.
+- You provide enough details and steps to reproduce the issue, if applicable.
 
+### Pull Requests
 
-## License
+Before making substantial contributions:
+1. **Discuss Changes**: Please file an issue first to discuss your proposed changes with the team. This helps ensure your contribution aligns with the project’s goals.
+2. **Follow Best Practices**: Adhere to the guidelines and ensure your code meets the project’s standards (see [Code Guidelines](#code-guidelines)).
 
-By contributing your code, you agree to license your contribution under the [Apache License 2.0](LICENSE.txt).
+When submitting a pull request:
+- Ensure your changes are well-documented.
+- Include tests for any new features or significant changes.
+- Reference the relevant issue(s) in your pull request description.
+
+
+## Licensing
+
+By contributing to this project, you agree that your contributions will be licensed under the [Apache License 2.0](LICENSE.txt).
+
+The project itself is also licensed under the [Apache License 2.0](LICENSE.txt)).

build-image.sh

@@ -106,14 +106,15 @@ echo "
 " | sudo tee /etc/buildkitd.toml
 
 builder_name="bx-$(date +%s)-$RANDOM"
-run_step "Configure buildx builder" -- docker buildx create \
+run_step "buildx builder: configure" -- docker buildx create \
   --name "$builder_name" \
   --bootstrap \
   --config /etc/buildkitd.toml \
   --driver-opt network=host `# required for buildx to access the temporary registry` \
   --driver docker-container \
   --driver-opt image=ghcr.io/dockerhub-mirror/moby__buildkit:latest
-trap 'docker buildx rm --force "$builder_name"' EXIT
+add_trap "docker buildx rm --force '$builder_name'" EXIT
+run_step "buildx builder: inspect" -- docker buildx inspect "$builder_name" --bootstrap
 
 
 #################################################
@@ -152,10 +153,9 @@ for key in "${!image_meta[@]}"; do
 done
 
 if [[ ${build_multi_arch:-} == "true" ]]; then
-  build_opts+=(--push)
-  build_opts+=(--sbom=true) # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations
   build_opts+=(--platform "$platforms")
-  build_opts+=(--tag "$LOCAL_REGISTRY/$image_name")
+  build_opts+=(--sbom=true)  # https://docs.docker.com/build/metadata/attestations/sbom/#create-sbom-attestations
+  build_opts+=(--output "type=registry,name=${LOCAL_REGISTRY}/${image_name},registry.http=true,registry.insecure=true")
 else
   build_opts+=(--output "type=docker,load=true")
   build_opts+=(--tag "$image_name")
@@ -173,10 +173,16 @@ run_step "Building docker image [$image_name]..." -- \
 # load image into local docker daemon for testing
 #################################################
 if [[ ${build_multi_arch:-} == "true" ]]; then
-  run_step "Load image into local daemon for testing" @@ "
-    docker pull '$LOCAL_REGISTRY/$image_name';
-    docker tag '$LOCAL_REGISTRY/$image_name' '$image_name'
-  "
+  # cannot use "regctl image copy ... " which does not support loading into docker daemon https://github.com/regclient/regclient/issues/568
+  # cannot use "docker pull '$LOCAL_REGISTRY/$image_name'" which does not support ad-hoc pulling from unsecure registries - must be allowed in docker daemon config
+  run_step "Load image into local daemon for testing" -- \
+    docker run --rm \
+      -v /var/run/docker.sock:/var/run/docker.sock \
+      --network host `# required to access the temporary registry` \
+      quay.io/skopeo/stable:latest \
+      copy --src-tls-verify=false \
+           "docker://$LOCAL_REGISTRY/$image_name" \
+           "docker-daemon:$image_name"
 fi
 
 
@@ -185,7 +191,7 @@ fi
 #################################################
 if [[ ${DOCKER_AUDIT_IMAGE:-1} == "1" ]]; then
   run_step "Auditing docker image [$image_name]" -- \
-   bash "$shared_lib/cmd/audit-image.sh" "$image_name"
+    bash "$shared_lib/cmd/audit-image.sh" "$image_name"
 fi
 
 
@@ -207,16 +213,18 @@ function regctl() {
     --network host `# required to access the temporary registry` \
     ghcr.io/regclient/regctl:latest \
     --host "reg=$LOCAL_REGISTRY,tls=disabled" \
+    --verbosity debug \
     "${@}"
 }
 
 if [[ ${DOCKER_PUSH:-} == "true" ]]; then
   for tag in "${tags[@]}"; do
-    regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag"
+    # cannot use "skopeo  copy ... " which does not support SBOMs https://github.com/containers/skopeo/issues/2393
+    regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "docker.io/$image_repo:$tag"
   done
 fi
 if [[ ${DOCKER_PUSH_GHCR:-} == "true" ]]; then
   for tag in "${tags[@]}"; do
-    regctl image copy --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag"
+    regctl image copy --digest-tags --include-external --referrers "$LOCAL_REGISTRY/$image_name" "ghcr.io/$image_repo:$tag"
   done
 fi

image/debian.Dockerfile

@@ -28,7 +28,7 @@ ARG PKCS11_PROXY_SOURCE_URL
 
 ARG BASE_LAYER_CACHE_KEY
 
-# https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions
+# https://github.com/hadolint/hadolint/wiki/DL3008 Pin versions in apt-get
 # hadolint ignore=DL3008
 RUN --mount=type=bind,source=.shared,target=/mnt/shared <<EOF
   /mnt/shared/cmd/debian-install-os-updates.sh

image/run.sh

@@ -28,19 +28,19 @@ awk '/32 host/ { if(uniq[ip]++ && ip != "127.0.0.1") print " - " ip } {ip=$2}' /
 
 log INFO "Configuring SoftHSM storage type [$SOFTHSM_STORAGE]..."
 case $SOFTHSM_STORAGE in
-   file)      sed -iE 's/^objectstore.backend\s?=\s?.*/objectstore.backend = file/' /etc/softhsm2.conf ;;
-   db|sqlite) sed -iE 's/^objectstore.backend\s?=\s?.*/objectstore.backend = db/'   /etc/softhsm2.conf ;;
-   *)         log ERROR "Unsupported SoftHSM storage type [$SOFTHSM_STORAGE]"; exit 1 ;;
+  file)      sed -iE 's/^objectstore.backend\s?=\s?.*/objectstore.backend = file/' /etc/softhsm2.conf ;;
+  db|sqlite) sed -iE 's/^objectstore.backend\s?=\s?.*/objectstore.backend = db/'   /etc/softhsm2.conf ;;
+  *)         log ERROR "Unsupported SoftHSM storage type [$SOFTHSM_STORAGE]"; exit 1 ;;
 esac
 
 
 #################################################
 # load custom init script if specified
 #################################################
 if [[ -f $INIT_SH_FILE ]]; then
-   log INFO "Loading [$INIT_SH_FILE]..."
-   # shellcheck disable=SC1090  # ShellCheck can't follow non-constant source
-   source "$INIT_SH_FILE"
+  log INFO "Loading [$INIT_SH_FILE]..."
+  # shellcheck disable=SC1090  # ShellCheck can't follow non-constant source
+  source "$INIT_SH_FILE"
 fi
 
 log INFO "Starting pkcs11-daemon..."