Initial commit

Author: dedene

.dockerignore

@@ -0,0 +1,2 @@
+# Ignore everything
+*

.github/auto-merge.yml

@@ -0,0 +1,4 @@
+# Run on autopilot
+- match:
+    dependency_type: all
+    update_type: all

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'daily'
+
+  # Maintain dependencies within Dockerfiles
+  - package-ecosystem: 'docker'
+    directory: '/'
+    schedule:
+      interval: 'daily'

.github/workflows/auto-merge.yml

@@ -0,0 +1,14 @@
+name: Auto-Merge Dependabot PRs
+
+on:
+  pull_request:
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ahmadnassri/action-dependabot-auto-merge@v2
+        with:
+          target: minor
+          github-token: ${{ secrets.GH_TOKEN }}

.github/workflows/build.yml

@@ -0,0 +1,199 @@
+name: Build and push container images
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - Dockerfile
+  pull_request:
+    branches: [main]
+    paths:
+      - Dockerfile
+
+env:
+  DOCKER_BUILDKIT: 1
+  COSIGN_EXPERIMENTAL: 1
+
+jobs:
+  metadata:
+    name: Get image and repo details
+    runs-on: ubuntu-latest
+
+    outputs:
+      name: ${{ steps.name.outputs.name }}
+      title: ${{ steps.title.outputs.title }}
+      version: ${{ steps.version.outputs.version }}
+      branch: ${{ steps.branch.outputs.branch }}
+      labels: ${{ steps.metadata.outputs.labels }}
+      tags: ${{ steps.metadata.outputs.tags }}
+      platforms: linux/amd64,linux/arm64,linux/arm/v7
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Generate docker-compliant image name
+        id: name
+        run: echo "name=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//')" | tee -a $GITHUB_OUTPUT
+
+      - name: Generate OCI image title
+        id: title
+        run:
+          echo "title=$(echo ${GITHUB_REPOSITORY#*/} | sed 's/docker-//')" | tee -a $GITHUB_OUTPUT
+
+      - name: Parse Caddy version
+        id: version
+        run:
+          echo "version=$(grep -Eo 'caddy:[0-9]+\.[0-9]+\.[0-9]+$' Dockerfile | cut -d ':' -f2)" |
+          tee -a $GITHUB_OUTPUT
+
+      - name: Generate build tag from head
+        id: branch
+        run: |
+          export GIT_REF=${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}
+          echo "branch=$(echo ${GIT_REF,,} | sed 's/[^a-zA-Z0-9]/-/g')" | tee -a $GITHUB_OUTPUT
+
+      - name: Generate Docker metadata with Caddy version
+        uses: docker/metadata-action@v4
+        id: metadata
+        with:
+          images: |
+            docker.io/${{ steps.name.outputs.name }}
+            ghcr.io/${{ steps.name.outputs.name }}
+          tags: |
+            type=semver,pattern={{version}},value=v${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=v${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}},value=v${{ steps.version.outputs.version }}
+          labels: |
+            org.opencontainers.image.title=${{ steps.title.outputs.title }}
+
+  build:
+    name: Build container image
+    runs-on: ubuntu-latest
+    needs: [metadata]
+
+    permissions:
+      id-token: write # keyless Cosign signatures
+      pull-requests: write # PR comments
+
+    outputs:
+      digest: ${{ steps.build.outputs.digest }}
+      image-ref: ttl.sh/${{ needs.metadata.outputs.name }}:${{ github.sha }}
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v4
+        id: build
+        with:
+          context: .
+          push: true # to ttl.sh
+          tags: ttl.sh/${{ needs.metadata.outputs.name }}:${{ github.sha }}
+          labels: ${{ needs.metadata.outputs.labels }}
+          platforms: ${{ needs.metadata.outputs.platforms }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign container images
+        run: |
+          cosign sign --yes --recursive \
+            "ttl.sh/$IMAGE_NAME@$IMAGE_DIGEST"
+        env:
+          IMAGE_NAME: ${{ needs.metadata.outputs.name }}
+          IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
+
+  trivy:
+    name: Run Trivy scanner
+    needs: [build]
+    uses: ./.github/workflows/trivy.yml
+    with:
+      image-ref: ${{ needs.build.outputs.image-ref }}
+
+  publish:
+    name: Publish container image
+    needs: [metadata, build, trivy]
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write # keyless Cosign signatures
+      packages: write # GHCR
+      contents: write # git tags
+
+    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+      - name: Login to GitHub Container Repository
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Verify container images
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \
+            ${{ needs.build.outputs.image-ref }}
+
+      - name: Publish container image
+        uses: docker/build-push-action@v4
+        id: publish
+        with:
+          context: .
+          push: true
+          tags: ${{ needs.metadata.outputs.tags }}
+          labels: ${{ needs.metadata.outputs.labels }}
+          platforms: ${{ needs.metadata.outputs.platforms }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Sign container images
+        run: |
+          cosign sign --yes --recursive "docker.io/$IMAGE_NAME@$IMAGE_DIGEST"
+          cosign sign --yes --recursive "ghcr.io/$IMAGE_NAME@$IMAGE_DIGEST"
+        env:
+          IMAGE_NAME: ${{ needs.metadata.outputs.name }}
+          IMAGE_DIGEST: ${{ steps.publish.outputs.digest }}
+
+      - name: Push version tags
+        run: |
+          MAJOR=$(echo $CADDY_VERSION | cut -d . -f 1)
+          MINOR=$(echo $CADDY_VERSION | cut -d . -f 2)
+          git tag -f "v$MAJOR"
+          git tag -f "v$MAJOR.$MINOR"
+          git tag -f "v$CADDY_VERSION"
+          git push -f -u origin "v$MAJOR"
+          git push -f -u origin "v$MAJOR.$MINOR"
+          git push -f -u origin "v$CADDY_VERSION"
+        env:
+          CADDY_VERSION: ${{ needs.metadata.outputs.version }}

.github/workflows/readme.yml

@@ -0,0 +1,29 @@
+name: Sync GitHub README with Docker Hub
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [main]
+    paths:
+      - README.md
+
+jobs:
+  github-docker:
+    name: Sync GitHub README with Docker Hub
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Generate docker-compliant image name
+        run:
+          echo "IMAGE_NAME=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//')" | tee -a $GITHUB_ENV
+
+      - name: Update Docker Hub description
+        uses: peter-evans/dockerhub-description@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USER }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+          repository: ${{ env.IMAGE_NAME }}
+          short-description: ${{ github.event.repository.description }}

.github/workflows/trivy.yml

@@ -0,0 +1,103 @@
+name: Trivy Security Scan
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 0 * * * # daily at midnight
+  workflow_call:
+    inputs:
+      image-ref:
+        type: string
+        required: false
+        description: Container Ref to be scanned by Trivy
+
+env:
+  DOCKER_BUILDKIT: 1
+  COSIGN_EXPERIMENTAL: 1
+
+jobs:
+  trivy-repo:
+    name: Scan repository
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write # upload security results
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get main branch SHA
+        run: |
+          git pull origin main:main
+          echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
+
+      - name: Scan repo filesystem
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+          ref: refs/heads/main
+          sha: ${{ env.BASE_SHA }}
+
+  trivy-docker:
+    name: Scan container image
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write # upload security results
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get main branch SHA
+        run: |
+          git pull origin main:main
+          echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Generate docker-compliant image name
+        run: |
+          if [[ -z "$IMAGE_REF" ]]; then
+            echo "IMAGE_REF=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//'):latest" | tee -a $GITHUB_ENV
+          else
+            echo "IMAGE_REF=$IMAGE_REF" | tee -a $GITHUB_ENV
+          fi
+        env:
+          IMAGE_REF: ${{ inputs.image-ref }}
+
+      - name: Verify container images
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \
+            $IMAGE_REF
+
+      - name: Scan container image
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ env.IMAGE_REF }}
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+          ref: refs/heads/main
+          sha: ${{ env.BASE_SHA }}