diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml index d48dcfe..934f616 100644 --- a/.github/workflows/external_trigger.yml +++ b/.github/workflows/external_trigger.yml @@ -48,13 +48,30 @@ jobs: --header "Accept: application/vnd.oci.image.index.v1+json" \ --header "Authorization: Bearer ${token}" \ "https://ghcr.io/v2/${image}/manifests/${tag}") - multidigest=$(jq -r ".manifests[] | select(.platform.architecture == \"amd64\").digest?" <<< "${multidigest}") - digest=$(curl -s \ - --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ - --header "Accept: application/vnd.oci.image.manifest.v1+json" \ - --header "Authorization: Bearer ${token}" \ - "https://ghcr.io/v2/${image}/manifests/${multidigest}" \ - | jq -r '.config.digest') + if jq -e '.layers // empty' <<< "${multidigest}" >/dev/null 2>&1; then + # If there's a layer element it's a single-arch manifest so just get that digest + digest=$(jq -r '.config.digest' <<< "${multidigest}") + else + # Otherwise it's multi-arch or has manifest annotations + if jq -e '.manifests[]?.annotations // empty' <<< "${multidigest}" >/dev/null 2>&1; then + # Check for manifest annotations and delete if found + multidigest=$(jq 'del(.manifests[] | select(.annotations))' <<< "${multidigest}") + fi + if [[ $(jq '.manifests | length' <<< "${multidigest}") -gt 1 ]]; then + # If there's still more than one digest, it's multi-arch + multidigest=$(jq -r ".manifests[] | select(.platform.architecture == \"amd64\").digest?" <<< "${multidigest}") + else + # Otherwise it's single arch + multidigest=$(jq -r ".manifests[].digest?" <<< "${multidigest}") + fi + if digest=$(curl -s \ + --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \ + --header "Accept: application/vnd.oci.image.manifest.v1+json" \ + --header "Authorization: Bearer ${token}" \ + "https://ghcr.io/v2/${image}/manifests/${multidigest}"); then + digest=$(jq -r '.config.digest' <<< "${digest}"); + fi + fi image_info=$(curl -sL \ --header "Authorization: Bearer ${token}" \ "https://ghcr.io/v2/${image}/blobs/${digest}") @@ -92,7 +109,7 @@ jobs: else printf "\n## Trigger new build\n\n" >> $GITHUB_STEP_SUMMARY echo "New version \`${EXT_RELEASE}\` found; old version was \`${IMAGE_VERSION}\`. Triggering new build" >> $GITHUB_STEP_SUMMARY - if "${artifacts_found}" == "true" ]]; then + if [[ "${artifacts_found}" == "true" ]]; then echo "All artifacts seem to be uploaded." >> $GITHUB_STEP_SUMMARY fi response=$(curl -iX POST \ diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml index 1591155..ee7b6b7 100644 --- a/.github/workflows/package_trigger_scheduler.yml +++ b/.github/workflows/package_trigger_scheduler.yml @@ -27,9 +27,18 @@ jobs: fi printf "\n## Evaluating \`%s\`\n\n" ${br} >> $GITHUB_STEP_SUMMARY JENKINS_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-readarr/${br}/jenkins-vars.yml) - if [[ "${br}" == $(yq -r '.ls_branch' <<< "${JENKINS_VARS}") ]]; then + if ! curl -sfX GET https://raw.githubusercontent.com/linuxserver/docker-readarr/${br}/Jenkinsfile >/dev/null 2>&1; then + echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY + echo "> No Jenkinsfile found. Branch is either deprecated or is an early dev branch." >> $GITHUB_STEP_SUMMARY + skipped_branches="${skipped_branches}${br} " + elif [[ "${br}" == $(yq -r '.ls_branch' <<< "${JENKINS_VARS}") ]]; then echo "Branch appears to be live; checking workflow." >> $GITHUB_STEP_SUMMARY - if [[ $(yq -r '.skip_package_check' <<< "${JENKINS_VARS}") == "true" ]]; then + README_VARS=$(curl -sX GET https://raw.githubusercontent.com/linuxserver/docker-readarr/${br}/readme-vars.yml) + if [[ $(yq -r '.project_deprecation_status' <<< "${README_VARS}") == "true" ]]; then + echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY + echo "> Branch appears to be deprecated; skipping trigger." >> $GITHUB_STEP_SUMMARY + skipped_branches="${skipped_branches}${br} " + elif [[ $(yq -r '.skip_package_check' <<< "${JENKINS_VARS}") == "true" ]]; then echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY echo "> Skipping branch ${br} due to \`skip_package_check\` being set in \`jenkins-vars.yml\`." >> $GITHUB_STEP_SUMMARY skipped_branches="${skipped_branches}${br} " @@ -37,7 +46,7 @@ jobs: echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY echo "> Github organizational variable \`SKIP_PACKAGE_TRIGGER\` contains \`readarr_${br}\`; skipping trigger." >> $GITHUB_STEP_SUMMARY skipped_branches="${skipped_branches}${br} " - elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-readarr/job/${br}/lastBuild/api/json | jq -r '.building') == "true" ]; then + elif [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-readarr/job/${br}/lastBuild/api/json | jq -r '.building' 2>/dev/null) == "true" ]; then echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY echo "> There already seems to be an active build on Jenkins; skipping package trigger for ${br}" >> $GITHUB_STEP_SUMMARY skipped_branches="${skipped_branches}${br} " @@ -49,6 +58,11 @@ jobs: response=$(curl -iX POST \ https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-readarr/job/${br}/buildWithParameters?PACKAGE_CHECK=true \ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|") + if [[ -z "${response}" ]]; then + echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY + echo "> Jenkins build could not be triggered. Skipping branch." + continue + fi echo "Jenkins [job queue url](${response%$'\r'})" >> $GITHUB_STEP_SUMMARY echo "Sleeping 10 seconds until job starts" >> $GITHUB_STEP_SUMMARY sleep 10 @@ -56,11 +70,14 @@ jobs: buildurl="${buildurl%$'\r'}" echo "Jenkins job [build url](${buildurl})" >> $GITHUB_STEP_SUMMARY echo "Attempting to change the Jenkins job description" >> $GITHUB_STEP_SUMMARY - curl -iX POST \ + if ! curl -ifX POST \ "${buildurl}submitDescription" \ --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \ --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \ - --data-urlencode "Submit=Submit" + --data-urlencode "Submit=Submit"; then + echo "> [!WARNING]" >> $GITHUB_STEP_SUMMARY + echo "> Unable to change the Jenkins job description." + fi sleep 20 fi else diff --git a/Dockerfile b/Dockerfile index d97261b..85cf97e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine:3.20 +FROM ghcr.io/linuxserver/baseimage-alpine:3.21 # set version label ARG BUILD_DATE diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 6fdeedc..a4e7e45 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -1,6 +1,6 @@ # syntax=docker/dockerfile:1 -FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.20 +FROM ghcr.io/linuxserver/baseimage-alpine:arm64v8-3.21 # set version label ARG BUILD_DATE diff --git a/Jenkinsfile b/Jenkinsfile index ba7caed..f167faa 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -32,7 +32,7 @@ pipeline { CI_WEB='true' CI_PORT='8787' CI_SSL='false' - CI_DELAY='120' + CI_DELAY='240' CI_DOCKERENV='' CI_AUTH='' CI_WEBPATH='/system/status' @@ -575,7 +575,7 @@ pipeline { --label \"org.opencontainers.image.title=Readarr\" \ --label \"org.opencontainers.image.description=[Readarr](https://github.com/Readarr/Readarr) - Book Manager and Automation (Sonarr for Ebooks) \" \ --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \ - --provenance=false --sbom=false --builder=container --load \ + --provenance=true --sbom=true --builder=container --load \ --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." sh '''#! /bin/bash set -e @@ -604,7 +604,9 @@ pipeline { for i in "${CACHE[@]}"; do docker push ${i}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} & done - wait + for p in $(jobs -p); do + wait "$p" || { echo "job $p failed" >&2; exit 1; } + done fi ''' } @@ -639,7 +641,7 @@ pipeline { --label \"org.opencontainers.image.title=Readarr\" \ --label \"org.opencontainers.image.description=[Readarr](https://github.com/Readarr/Readarr) - Book Manager and Automation (Sonarr for Ebooks) \" \ --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \ - --provenance=false --sbom=false --builder=container --load \ + --provenance=true --sbom=true --builder=container --load \ --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." sh '''#! /bin/bash set -e @@ -668,7 +670,9 @@ pipeline { for i in "${CACHE[@]}"; do docker push ${i}:amd64-${COMMIT_SHA}-${BUILD_NUMBER} & done - wait + for p in $(jobs -p); do + wait "$p" || { echo "job $p failed" >&2; exit 1; } + done fi ''' } @@ -696,7 +700,7 @@ pipeline { --label \"org.opencontainers.image.title=Readarr\" \ --label \"org.opencontainers.image.description=[Readarr](https://github.com/Readarr/Readarr) - Book Manager and Automation (Sonarr for Ebooks) \" \ --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \ - --provenance=false --sbom=false --builder=container --load \ + --provenance=true --sbom=true --builder=container --load \ --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ." sh '''#! /bin/bash set -e @@ -725,7 +729,9 @@ pipeline { for i in "${CACHE[@]}"; do docker push ${i}:arm64v8-${COMMIT_SHA}-${BUILD_NUMBER} & done - wait + for p in $(jobs -p); do + wait "$p" || { echo "job $p failed" >&2; exit 1; } + done fi ''' } diff --git a/README.md b/README.md index 9b06a1f..4ea418f 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,10 @@ The folks over at servarr.com wrote a good [write-up](https://wiki.servarr.com/d This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/). +## Non-Root Operation + +This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/). + ## Usage To help you get started creating a container from this image you can either use docker-compose or the docker cli. @@ -141,6 +145,7 @@ Containers are configured using parameters passed at runtime (such as those abov | `-v /books` | Location of Book library on disk (See note in Application setup) | | `-v /downloads` | Location of download managers output directory (See note in Application setup) | | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). | +| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). | ## Environment variables from files (Docker secrets) @@ -304,6 +309,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **20.12.24:** - Rebase to Alpine 3.21. * **25.05.24:** - Rebase to Alpine 3.20. * **20.03.24:** - Rebase to Alpine 3.19. * **06.06.23:** - Rebase develop to Alpine 3.18. diff --git a/jenkins-vars.yml b/jenkins-vars.yml index 3f75ffc..a2eda53 100644 --- a/jenkins-vars.yml +++ b/jenkins-vars.yml @@ -20,7 +20,7 @@ repo_vars: - CI_WEB='true' - CI_PORT='8787' - CI_SSL='false' - - CI_DELAY='120' + - CI_DELAY='240' - CI_DOCKERENV='' - CI_AUTH='' - CI_WEBPATH='/system/status' diff --git a/readme-vars.yml b/readme-vars.yml index 3e0ac83..6005d81 100644 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -28,6 +28,7 @@ param_usage_include_ports: true param_ports: - {external_port: "8787", internal_port: "8787", port_desc: "The port for the Readarr web UI"} readonly_supported: true +nonroot_supported: true # application setup block app_setup_block_enabled: true app_setup_block: | @@ -85,6 +86,7 @@ init_diagram: | "readarr:develop" <- Base Images # changelog changelogs: + - {date: "20.12.24:", desc: "Rebase to Alpine 3.21."} - {date: "25.05.24:", desc: "Rebase to Alpine 3.20."} - {date: "20.03.24:", desc: "Rebase to Alpine 3.19."} - {date: "06.06.23:", desc: "Rebase develop to Alpine 3.18."} diff --git a/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run b/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run index 12adc03..bc8cb5d 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run +++ b/root/etc/s6-overlay/s6-rc.d/init-readarr-config/run @@ -3,7 +3,8 @@ mkdir -p /run/readarr-temp -# permissions -lsiown -R abc:abc \ - /config \ - /run/readarr-temp +if [[ -z ${LSIO_NON_ROOT_USER} ]]; then + lsiown -R abc:abc \ + /config \ + /run/readarr-temp +fi diff --git a/root/etc/s6-overlay/s6-rc.d/svc-readarr/run b/root/etc/s6-overlay/s6-rc.d/svc-readarr/run index 44006a5..5c53374 100755 --- a/root/etc/s6-overlay/s6-rc.d/svc-readarr/run +++ b/root/etc/s6-overlay/s6-rc.d/svc-readarr/run @@ -1,7 +1,14 @@ #!/usr/bin/with-contenv bash # shellcheck shell=bash -exec \ - s6-notifyoncheck -d -n 300 -w 1000 \ - cd /app/readarr/bin s6-setuidgid abc /app/readarr/bin/Readarr \ - -nobrowser -data=/config +if [[ -z ${LSIO_NON_ROOT_USER} ]]; then + exec \ + s6-notifyoncheck -d -n 300 -w 1000 \ + cd /app/readarr/bin s6-setuidgid abc /app/readarr/bin/Readarr \ + -nobrowser -data=/config +else + exec \ + s6-notifyoncheck -d -n 300 -w 1000 \ + cd /app/readarr/bin /app/readarr/bin/Readarr \ + -nobrowser -data=/config +fi