mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 09:55:39 -04:00
e2dab007f8
* ci(pnpr): publish a Docker image on release Add a `docker` job to the pnpr release workflow that builds and pushes a multi-arch (linux/amd64, linux/arm64) image to ghcr.io/pnpm/pnpr after the npm packages are published. The image is built from the static musl binaries the release job already produces, so no Rust toolchain runs in the Docker build and the image matches exactly what ships to npm. It is based on debian:stable-slim with ca-certificates (pnpr reaches upstream registries over HTTPS via rustls' platform cert verifier), runs as a non-root user, declares storage and cache volumes, exposes 7677, and defaults to binding 0.0.0.0 so the server is reachable from outside the container. The build self-checks that `pnpr --version` matches the PNPR_VERSION build-arg. Stable releases also move the mutable `latest` tag; prereleases (versions containing a hyphen) only get the exact-version tag. * ci(pnpr): drop unused id-token permission from docker job The docker job uses only docker/build-push-action's built-in provenance and SBOM attestations, which are pushed to GHCR via GITHUB_TOKEN. It does not call actions/attest-build-provenance, so the OIDC id-token: write permission was unused. Drop it to follow least privilege. * ci(pnpr): verify staged binary checksum in the docker image build The build job now pins each binary's SHA256 at build time and uploads it with the artifact. The docker job verifies the staged binaries against those checksums and passes them as build-args, and the Dockerfile re-verifies the binary it copies before trusting it. A 'pnpr --version' check only confirms reported metadata, so it cannot stand in for an integrity check on the binary itself. Mirrors the existing pnpm image. * ci(pnpr): extract release artifacts into an isolated directory Extract the downloaded musl tarballs into a throwaway directory and move only the expected, checksum-verified regular files into the Docker build context. A malformed archive (path traversal or symlink entries) can no longer escape into the workspace and overwrite the Dockerfile or staged binaries before the image is pushed to GHCR. * docs(pnpr): add a language to the docker README code fence The image-name fenced block lacked a language identifier, tripping markdownlint MD040. Tag it as text.