diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml index ebed3bd..e0b4882 100644 --- a/.github/workflows/build-pr.yml +++ b/.github/workflows/build-pr.yml @@ -13,17 +13,17 @@ jobs: strategy: fail-fast: false matrix: - node: [ '20', '22', '24' ] + node: [ '22', '24', '26' ] steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v7 - name: 🐋 Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - - name: 🏗️ Build Docker image - uses: docker/bake-action@v6 + - name: 🏗️ Build Docker image + uses: docker/bake-action@v7 env: NODE_VERSION: ${{ matrix.node }} STREAM: ${{ env.stream }} diff --git a/.github/workflows/build-push-stable.yml b/.github/workflows/build-push-stable.yml index b4bcdfa..0ad56fd 100644 --- a/.github/workflows/build-push-stable.yml +++ b/.github/workflows/build-push-stable.yml @@ -15,4 +15,6 @@ jobs: stream: stable push: true branch: releases + node_versions: '["22","24"]' + alpine_version: '3.21' secrets: inherit diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml index 15d3978..5845819 100644 --- a/.github/workflows/build-push.yml +++ b/.github/workflows/build-push.yml @@ -19,6 +19,14 @@ on: type: string default: main description: Branch name to build from. + node_versions: + type: string + default: '["22","24","26"]' + description: JSON array of Node.js versions to build. + alpine_version: + type: string + default: '3.24' + description: Alpine Linux version to build against. secrets: DOCKERHUB_USERNAME: 
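Review bot: The bumped `uses:` lines in the build-pr.yml hunk still reference third-party actions by mutable major tags (`actions/checkout@v7`, `docker/setup-buildx-action@v4`, `docker/bake-action@v7`), so whoever can move those tags decides what code runs in the job. The same applies to the job hunk in build-push.yml, where `docker/login-action@v4` is handed `DOCKERHUB_TOKEN` and `GITHUB_TOKEN`, and to the login step in security-scan.yml. Pin each to a full commit SHA with the tag kept as a comment, e.g. `uses: docker/login-action@<full-commit-sha> # v4`, and let Dependabot or Renovate propose the bumps. The job definition starts above the hunk, so its `permissions:` are not visible here.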
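Review bot: The new `node_versions: '["22","24"]'` and `alpine_version: '3.21'` overrides in build-push-stable.yml hold the stable stream on an older base with no comment saying why or when to revisit it. A pinned base release eventually stops receiving security fixes, and nothing here will prompt anyone to move it. I would add a comment above the two keys, e.g. `# Stable stays on Alpine 3.21 and Node 22/24 until <condition>; revisit before Alpine 3.21 leaves support.`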
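Review bot: The `alpine_version` default of `'3.24'` added to the inputs in build-push.yml duplicates the `ALPINE_VERSION` default in docker-bake.hcl, and because the build step always exports the input, the two can drift without anything failing. build-pr.yml sets no `ALPINE_VERSION`, so after a drift PR builds would presumably exercise a different base than the pushed images. Say so in the description, e.g. `description: Alpine Linux version to build against; keep the default in step with ALPINE_VERSION in docker-bake.hcl.` The `node_versions` description could also state that entries must be quoted strings, as in the default. The `secrets:` block continues past the end of the hunk.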
@@ -38,34 +46,35 @@ jobs: strategy: fail-fast: false matrix: - node: [ '20', '22', '24' ] + node: ${{ fromJson(inputs.node_versions) }} steps: - name: 📥 Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@v7 with: ref: ${{ inputs.branch }} - name: 🔑 Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: 🔑 Log in to the GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: 🐋 Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: 🏗️ Build and push Docker image - uses: docker/bake-action@v6 + uses: docker/bake-action@v7 env: NODE_VERSION: ${{ matrix.node }} + ALPINE_VERSION: ${{ inputs.alpine_version }} STREAM: ${{ inputs.stream }} with: source: . diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 492ddf4..e2ca02e 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -18,16 +18,16 @@ jobs: fail-fast: false matrix: image_ref: + - ghcr.io/skpr/node:26-v3-latest + - ghcr.io/skpr/node:dev-26-v3-latest - ghcr.io/skpr/node:24-v3-latest - ghcr.io/skpr/node:dev-24-v3-latest - ghcr.io/skpr/node:22-v3-latest - ghcr.io/skpr/node:dev-22-v3-latest - - ghcr.io/skpr/node:20-v3-latest - - ghcr.io/skpr/node:dev-20-v3-latest steps: - name: 🔑 Log in to the GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} diff --git a/Dockerfile b/Dockerfile index 662c285..a2dee9b 100644 --- a/Dockerfile +++ b/Dockerfile 
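Review bot: The `image_ref` list in security-scan.yml is edited by hand and now has to agree with `node_versions` in build-push.yml and the `'["22","24"]'` override in build-push-stable.yml. If the `26-v3-latest` and `dev-26-v3-latest` tags are published only by the stable stream, they will not exist and those two matrix legs will fail; if they come from the default stream, the stable Alpine 3.21 images may not be covered by any entry here. Removing the Node 20 entries also ends scanning of tags that may still be pulled, so it is worth confirming they are being retired from the registry. A comment above the list, e.g. `# Keep in step with node_versions in build-push.yml and build-push-stable.yml`, would make the dependency visible.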
@@ -41,6 +41,9 @@ RUN mkdir /data && chown skpr:skpr /data WORKDIR /data +# Ensure yarn is available before wrapping (Node 26+ no longer ships yarn). +RUN npm install -g yarn --force + # Replace npm with a wrapper script to enforce security. RUN mv /usr/local/bin/npm /usr/local/bin/npm-unsafe ADD --chown=skpr:skpr bin/npm-wrapper /usr/local/bin/npm diff --git a/docker-bake.hcl b/docker-bake.hcl index 7975dd2..051562e 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -3,7 +3,7 @@ variable "NODE_VERSION" { } variable "ALPINE_VERSION" { - default = "3.21" + default = "3.24" } variable "STREAM" {
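Review bot: The added `RUN npm install -g yarn --force` in the Dockerfile installs whatever version the registry serves as latest at build time, and it runs on every Node version, not only 26. On the 22 and 24 images, `--force` will presumably overwrite a yarn that the base image already provides, and the install happens before `npm` is swapped for the wrapper, so it is not subject to whatever that wrapper enforces. Pin the version and skip the step when yarn is already present: `RUN command -v yarn >/dev/null || npm install -g yarn@<pinned-version>`. The base image and any `USER` directive are above the hunk, so I cannot tell which account runs this.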