From ce11499792152a9e1efbfefc2dff9457238cc1f1 Mon Sep 17 00:00:00 2001
From: Daniel Thamdrup
Date: Tue, 28 Nov 2023 15:32:28 +0100
Subject: [PATCH 1/5] new dockerfile based on chainguard images

Signed-off-by: Daniel Thamdrup
---
 Dockerfile | 34 ++++++++++++++++------------------
 1 file changed, 16 insertions(+), 18 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8563c0bb..99f6bd6e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,6 @@
+# syntax=docker/dockerfile:latest
 ## build ergo binary
-FROM docker.io/golang:1.21-alpine AS build-env
-
-RUN apk upgrade -U --force-refresh --no-cache && apk add --no-cache --purge --clean-protected -l -u make git
+FROM cgr.dev/chainguard/go:latest AS build-env
 
 # copy ergo source
 WORKDIR /go/src/github.com/ergochat/ergo
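Review bot: The build stage now depends on the base image already shipping the tools the removed `apk add … make git` line installed; `RUN make install` later in this file still needs `make`, and any git-derived version stamping in the Makefile would need `git`, so confirm `cgr.dev/chainguard/go` provides both or the build will fail at the make step rather than here. A short comment above the new FROM, such as `# chainguard go image ships make/git; no package install step needed`, would record that assumption for the next base-image swap. The `:latest` tags on both the syntax directive and the base image are floating at this point in the series; a later patch pins them by digest, so this hunk only needs the comment.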
@@ -15,34 +14,33 @@ RUN sed -i 's/^\(\s*\)\"127.0.0.1:6667\":.*$/\1":6667":/' /go/src/github.com/erg
 # compile
 RUN make install
 
+## tmp container for collecting files
+FROM scratch AS tmp
+
+# collect all files
+COPY --from=build-env /root/go/bin/ergo \
+        /go/src/github.com/ergochat/ergo/default.yaml \
+        /go/src/github.com/ergochat/ergo/distrib/docker/run.sh \
+        /ircd-bin/
+COPY --from=build-env /go/src/github.com/ergochat/ergo/languages /ircd-bin/languages/
+COPY --from=build-env /go/src/github.com/ergochat/ergo/ergo.motd /ircd/ergo.motd
+
 ## build ergo container
-FROM docker.io/alpine:3.13
+FROM cgr.dev/chainguard/busybox:latest AS runtime
 
 # metadata
-LABEL maintainer="Daniel Oaks ,Daniel Thamdrup " \
+LABEL maintainer="Daniel Oaks ,Daniel Thamdrup " \
       description="Ergo is a modern, experimental IRC server written in Go"
 
 # standard ports listened on
 EXPOSE 6667/tcp 6697/tcp
 
 # ergo itself
-COPY --from=build-env /go/bin/ergo \
-        /go/src/github.com/ergochat/ergo/default.yaml \
-        /go/src/github.com/ergochat/ergo/distrib/docker/run.sh \
-        /ircd-bin/
-COPY --from=build-env /go/src/github.com/ergochat/ergo/languages /ircd-bin/languages/
+COPY --from=tmp --chown=nonroot:nonroot / /
 
 # running volume holding config file, db, certs
 VOLUME /ircd
 WORKDIR /ircd
 
-# default motd
-COPY --from=build-env /go/src/github.com/ergochat/ergo/ergo.motd /ircd/ergo.motd
-
 # launch
 ENTRYPOINT ["/ircd-bin/run.sh"]
-
-# # uncomment to debug
-# RUN apk add --no-cache bash
-# RUN apk add --no-cache vim
-# CMD /bin/bash

From 9383ddd0e59873617befa4c4b5b9a991768c6b62 Mon Sep 17 00:00:00 2001
From: Daniel Thamdrup
Date: Tue, 28 Nov 2023 15:47:37 +0100
Subject: [PATCH 2/5] use wolfi glibc image for runtime

Signed-off-by: Daniel Thamdrup
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 99f6bd6e..27c35468 100644
--- a/Dockerfile
+++ b/Dockerfile
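Review bot: The runtime stage still has no `USER` instruction, so whether ergo runs unprivileged depends entirely on the default user of `cgr.dev/chainguard/busybox`; the `--chown=nonroot:nonroot` on the new `COPY --from=tmp / /` line only sets file ownership and does not switch the process user. Adding `USER nonroot` between `WORKDIR /ircd` and the `ENTRYPOINT` line makes the intent explicit and keeps it true across a later base-image change. Note that a named `--chown` is resolved against the destination image's passwd and group files, so the `nonroot` account must exist in the runtime base; a numeric uid:gid would remove that dependency. The collect step also changes the binary source from `/go/bin/ergo` to `/root/go/bin/ergo`, which presumably reflects the new image's GOPATH — a comment next to that COPY saying where the path comes from would save the next reader a failed build.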
@@ -26,7 +26,7 @@ COPY --from=build-env /go/src/github.com/ergochat/ergo/languages /ircd-bin/langu
 COPY --from=build-env /go/src/github.com/ergochat/ergo/ergo.motd /ircd/ergo.motd
 
 ## build ergo container
-FROM cgr.dev/chainguard/busybox:latest AS runtime
+FROM cgr.dev/chainguard/busybox:latest-glibc AS runtime
 
 # metadata
 LABEL maintainer="Daniel Oaks ,Daniel Thamdrup " \

From 4e985dbd6948b1f69556dde227caa3568cb3f8eb Mon Sep 17 00:00:00 2001
From: Daniel Thamdrup
Date: Mon, 4 Dec 2023 12:00:22 +0100
Subject: [PATCH 3/5] Create dependabot.yml

---
 .github/dependabot.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..72b00011
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+---
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    ignore:
+      - dependency-name: "*"
+        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
+...

From 83c708de888b06bc4396e6c11fa90ea50e148115 Mon Sep 17 00:00:00 2001
From: Daniel Thamdrup
Date: Mon, 4 Dec 2023 12:04:59 +0100
Subject: [PATCH 4/5] add images sha256

Signed-off-by: Daniel Thamdrup
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 27c35468..b2b1c037 100644
--- a/Dockerfile
+++ b/Dockerfile
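Review bot: The move from the static busybox variant to `latest-glibc` is not explained in the file, and the commit title only names the image; if the reason is that the ergo binary produced by `make install` is dynamically linked against libc, a comment above the FROM such as `# glibc variant: ergo binary is dynamically linked (see Makefile build flags)` tells the next maintainer why the smaller variant cannot be used. If the Makefile can instead build with `CGO_ENABLED=0`, a static binary would let the runtime stay on the plain busybox image with less in it to patch — that depends on the Makefile, which is outside this diff. The `latest-glibc` tag is still floating here; a later patch in the series pins it by digest, so only the comment is needed in this hunk.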
@@ -1,6 +1,6 @@
-# syntax=docker/dockerfile:latest
+# syntax=docker/dockerfile:latest@sha256:ac85f380a63b13dfcefa89046420e1781752bab202122f8f50032edf31be0021
 ## build ergo binary
-FROM cgr.dev/chainguard/go:latest AS build-env
+FROM cgr.dev/chainguard/go:latest@sha256:c894bc454800817b1747c8a1a640ae6d86004b06190f94e791098e7e78dbbc00 AS build-env
 
 # copy ergo source
 WORKDIR /go/src/github.com/ergochat/ergo
@@ -26,7 +26,7 @@ COPY --from=build-env /go/src/github.com/ergochat/ergo/languages /ircd-bin/langu
 COPY --from=build-env /go/src/github.com/ergochat/ergo/ergo.motd /ircd/ergo.motd
 
 ## build ergo container
-FROM cgr.dev/chainguard/busybox:latest-glibc AS runtime
+FROM cgr.dev/chainguard/busybox:latest-glibc@sha256:f5f11a14dda5355dff116219302d45f1a4fd018285c8922cf848a9b24cae1f3d AS runtime
 
 # metadata
 LABEL maintainer="Daniel Oaks ,Daniel Thamdrup " \

From 9216db98e7bde3ff24e6e7c6837202fcabc27c82 Mon Sep 17 00:00:00 2001
From: Daniel Thamdrup
Date: Fri, 15 Dec 2023 15:21:01 +0100
Subject: [PATCH 5/5] use digestabot instead

Signed-off-by: Daniel Thamdrup
---
 .github/dependabot.yml           | 16 ----------------
 .github/workflows/digestabot.yml | 24 ++++++++++++++++++++++++
 2 files changed, 24 insertions(+), 16 deletions(-)
 delete mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/digestabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 72b00011..00000000
--- a/.github/dependabot.yml
+++ /dev/null
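Review bot: Pinning all three images by digest is the right direction, but `latest@sha256:…` now hides which upstream version each digest actually resolves to; when both a tag and a digest are given the digest wins and the tag is effectively a comment, so `latest` carries no information. Recording the resolved version beside each pin, for example `# go:latest resolved to go <VERSION> on <DATE>` above the build-env FROM (and likewise for the busybox runtime FROM in the second hunk and the syntax directive), lets a reviewer judge a future digest bump without pulling the image. Both hunks in this patch have the same gap, so one convention applied to all three pins is enough.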
@@ -1,16 +0,0 @@
----
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-major", "version-update:semver-minor", "version-update:semver-patch"]
-...
diff --git a/.github/workflows/digestabot.yml b/.github/workflows/digestabot.yml
new file mode 100644
index 00000000..8f9da589
--- /dev/null
+++ b/.github/workflows/digestabot.yml
@@ -0,0 +1,24 @@
+
+name: Image digest update
+
+on:
+  workflow_dispatch:
+  schedule:
+    # At the end of every day
+    - cron: "0 0 * * *"
+
+jobs:
+  image-update:
+    name: Image digest update
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # to push the updates
+      pull-requests: write # to open Pull requests
+      id-token: write # used to sign the commits using gitsign
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - uses: chainguard-dev/digestabot@4298e530896fb4164f9c89030c561b75b9321149
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
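Review bot: Pull requests opened with the default `${{ secrets.GITHUB_TOKEN }}` do not trigger other workflows, so any `pull_request` CI in this repository will not run on the digest-update PRs and each one would have to be validated by hand before merging; if automatic checks are wanted, the `token:` line needs a GitHub App or scoped PAT token instead, and whichever choice is made deserves a comment there. The job-scoped `contents: write` and `pull-requests: write` with both actions pinned to commit SHAs is the right shape for a scheduled writer job; adding the corresponding release tag as a trailing comment on each `uses:` line (e.g. `# <release tag>`) makes future bumps reviewable without a lookup. The file also opens with an empty first line, which some YAML linters flag and which can simply be dropped.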