update README.md

.github/workflows/cron.update.yml

@@ -94,7 +94,7 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git add .json
-          git commit -m "[upgrade] ${{ env.LATEST_VERSION }}"
+          git commit -m "chore: auto upgrade to ${{ env.LATEST_VERSION }}"
           git push origin HEAD:master
 
       - name: cron-update / tag

.github/workflows/docker.yml

@@ -10,12 +10,11 @@ on:
         required: false
         default: 'docker'
 
-      runs-on:
+      platform:
-        description: 'set runs-on for workflow (github or selfhosted)'
+        description: 'list of platforms to build for'
         type: string
         required: false
-        default: 'ubuntu-22.04'
+        default: "amd64,arm64,arm/v7"
-
 
       build:
         description: 'set WORKFLOW_BUILD'
@@ -37,8 +36,94 @@ on:
         required: false
 
 jobs:
+  # ╔═════════════════════════════════════════════════════╗
+  # ║                                                     ║
+  # ║                                                     ║
+  # ║               CREATE PLATFORM MATRIX                ║
+  # ║                                                     ║
+  # ║                                                     ║
+  # ╚═════════════════════════════════════════════════════╝
+  matrix:
+    name: create job matrix
+    runs-on: ubuntu-latest
+    outputs:
+      stringify: ${{ steps.setup-matrix.outputs.stringify }}
+
+    steps:
+      # CHECKOUT REPOSITORY
+      - name: init / checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: ${{ github.ref_name }}
+
+      - name: matrix / setup list
+        id: setup-matrix
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          script: |
+            const { existsSync, readFileSync } = require('node:fs');
+            const { inspect } = require('node:util');
+            const { resolve } = require('node:path');
+            const opt = {dot:{}};
+
+            try{
+              const path = resolve('.json');
+              if(existsSync(path)){
+                try{
+                  opt.dot = JSON.parse(readFileSync(path).toString());
+                }catch(e){
+                  throw new Error('could not parse .json');
+                }
+              }else{
+                throw new Error('.json does not exist');
+              }
+            }catch(e){
+              core.setFailed(e);
+            }
+
+            const platforms = (
+              ("${{ github.event.inputs.platform }}" != "amd64,arm64,arm/v7") ? "${{ github.event.inputs.platform }}".split(",") : (
+                (opt.dot?.platform) ? opt.dot.platform.split(",") : "${{ github.event.inputs.platform }}".split(",")
+              )
+            );
+
+            const matrix = {include:[]};
+            for(const platform of platforms){
+              switch(platform){
+                case "amd64": matrix.include.push({platform:platform, runner:"ubuntu-24.04"}); break;
+                case "arm64": matrix.include.push({platform:platform, runner:"ubuntu-24.04-arm"}); break;
+                case "arm/v7": matrix.include.push({platform:platform, runner:"ubuntu-24.04-arm"}); break;
+              }
+            }
+
+            const stringify = JSON.stringify(matrix);
+            core.setOutput('stringify', stringify);
+
+            // print
+              core.info(inspect({opt:opt, matrix:matrix, platforms:platforms}, {showHidden:false, depth:null, colors:true}));
+
+
+  # ╔═════════════════════════════════════════════════════╗
+  # ║                                                     ║
+  # ║                                                     ║
+  # ║                BUILD CONTAINER IMAGE                ║
+  # ║                                                     ║
+  # ║                                                     ║
+  # ╚═════════════════════════════════════════════════════╝
   docker:
-    runs-on: ${{ inputs.runs-on }}
+    name: create container image
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.matrix.outputs.stringify) }}
+    outputs:
+      DOCKER_IMAGE_NAME: ${{ steps.setup-environment.outputs.DOCKER_IMAGE_NAME }}
+      DOCKER_IMAGE_MERGE_TAGS: ${{ steps.setup-environment.outputs.DOCKER_IMAGE_MERGE_TAGS }}
+      DOCKER_IMAGE_DESCRIPTION: ${{ steps.setup-environment.outputs.DOCKER_IMAGE_DESCRIPTION }}
+      DOCKER_IMAGE_NAME_AND_VERSION: ${{ steps.setup-environment.outputs.DOCKER_IMAGE_NAME_AND_VERSION }}
+      DOCKER_IMAGE_ARGUMENTS: ${{ steps.setup-environment.outputs.DOCKER_IMAGE_ARGUMENTS }}
+      WORKFLOW_BUILD: ${{ steps.setup-environment.outputs.WORKFLOW_BUILD }}
+
     timeout-minutes: 1440
 
     services:
@@ -48,26 +133,38 @@ jobs:
           - 5000:5000
 
     permissions:
-      actions: read
+      actions: write
       contents: write
       packages: write
+      attestations: write
+      id-token: write
+      security-events: write
+
+    needs: matrix
 
     steps:
+      # ╔═════════════════════════════════════════════════════╗
+      # ║                 SETUP ENVIRONMENT                   ║
+      # ╚═════════════════════════════════════════════════════╝
+      # CHECKOUT ALL DEPTHS (ALL TAGS)
       - name: init / checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           ref: ${{ github.ref_name }}
           fetch-depth: 0
 
+      # SETUP ENVIRONMENT VARIABLES AND INPUTS
       - name: init / setup environment
-        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        id: setup-environment
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             const { existsSync, readFileSync } = require('node:fs');
             const { resolve } = require('node:path');
             const { inspect } = require('node:util');
             const { Buffer } = require('node:buffer');
-            const inputs = `${{ toJSON(github.event.inputs) }}`;
+            const inputs = `${{ toJSON(github.event.inputs) }}`.
+              replace(/"platform":\s*"\[(.+)\]",/i, `"platform": [$1],`);
             const opt = {input:{}, dot:{}};
 
             try{
@@ -79,6 +176,7 @@ jobs:
               }
             }catch(e){
               core.warning('could not parse github.event.inputs');
+              core.warning(inputs);
             }
 
             try{
@@ -96,8 +194,6 @@ jobs:
               core.setFailed(e);
             }
 
-            core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
-
             const docker = {
               image:{
                 name:opt.dot.image,
@@ -105,7 +201,11 @@ jobs:
                 prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''),
                 suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''),
                 description:(opt.dot?.readme?.description || ''),
+                platform:{
+                  sanitized:"${{ matrix.platform }}".replace(/[^A-Z-a-z0-9]+/i, ""),
+                },
                 tags:[],
+                build:(opt.input?.build === undefined) ? false : opt.input.build,
               },
               app:{
                 image:opt.dot.image,
@@ -118,8 +218,10 @@ jobs:
               },
               cache:{
                 registry:'localhost:5000/',
+                enable:(opt.input?.etc?.cache === undefined) ? true : opt.input.etc.cache,
               },
               tags:[],
+              merge_tags:[],
             };
 
             docker.cache.name = `${docker.image.name}:${docker.image.prefix}buildcache${docker.image.suffix}`;
@@ -127,18 +229,22 @@ jobs:
             docker.app.prefix = docker.image.prefix;
             docker.app.suffix = docker.image.suffix;
 
+            const semver = docker.app.version.split('.');
             // setup tags
-              if(!opt.dot?.semver?.disable?.rolling){
+              if(!opt.dot?.semver?.disable?.rolling && !opt.input.etc?.semver?.disable?.rolling){
                 docker.image.tags.push('rolling');
               }
               if(opt.input?.etc?.dockerfile !== 'arch.dockerfile' && opt.input?.etc?.tag){
-                docker.image.tags.push(`${context.sha.substring(0,7)}`);
                 docker.image.tags.push(opt.input.etc.tag);
+                if(Array.isArray(semver)){
+                  if(semver.length >= 1) docker.image.tags.push(`${opt.input.etc.tag}-${semver[0]}`);
+                  if(semver.length >= 2) docker.image.tags.push(`${opt.input.etc.tag}-${semver[0]}.${semver[1]}`);
+                  if(semver.length >= 3) docker.image.tags.push(`${opt.input.etc.tag}-${semver[0]}.${semver[1]}.${semver[2]}`);
+                }else{
                   docker.image.tags.push(`${opt.input.etc.tag}-${docker.app.version}`);
+                }
                 docker.cache.name = `${docker.image.name}:buildcache-${opt.input.etc.tag}`;
               }else if(docker.app.version !== 'latest'){
-                const semver = docker.app.version.split('.');
-                docker.image.tags.push(`${context.sha.substring(0,7)}`);
                 if(Array.isArray(semver)){
                   if(semver.length >= 1) docker.image.tags.push(`${semver[0]}`);
                   if(semver.length >= 2) docker.image.tags.push(`${semver[0]}.${semver[1]}`);
@@ -151,9 +257,10 @@ jobs:
               }
 
               for(const tag of docker.image.tags){
-                docker.tags.push(`${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+                docker.tags.push(`${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}-${docker.image.platform.sanitized}`);
-                docker.tags.push(`ghcr.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+                docker.tags.push(`ghcr.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}-${docker.image.platform.sanitized}`);
-                docker.tags.push(`quay.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}`);
+                docker.tags.push(`quay.io/${docker.image.name}:${docker.image.prefix}${tag}${docker.image.suffix}-${docker.image.platform.sanitized}`);
+                docker.merge_tags.push(`${docker.image.prefix}${tag}${docker.image.suffix}`);
               }
 
             // setup build arguments
@@ -174,69 +281,92 @@ jobs:
 
             // export to environment
               core.exportVariable('DOCKER_CACHE_REGISTRY', docker.cache.registry);
-              core.exportVariable('DOCKER_CACHE_NAME', docker.cache.name);
+              core.exportVariable('DOCKER_CACHE_NAME', `${docker.cache.name}-${docker.image.platform.sanitized}`);
               core.exportVariable('DOCKER_CACHE_GRYPE', docker.cache.grype);
 
               core.exportVariable('DOCKER_IMAGE_NAME', docker.image.name);
-              core.exportVariable('DOCKER_IMAGE_ARCH', docker.image.arch);
+              core.setOutput('DOCKER_IMAGE_NAME', docker.image.name);
               core.exportVariable('DOCKER_IMAGE_TAGS', docker.tags.join(','));
+              core.exportVariable('DOCKER_IMAGE_MERGE_TAGS', docker.merge_tags.join("\r\n"));
+              core.setOutput('DOCKER_IMAGE_MERGE_TAGS', docker.merge_tags.join("\r\n"));
               core.exportVariable('DOCKER_IMAGE_DESCRIPTION', docker.image.description);
+              core.setOutput('DOCKER_IMAGE_DESCRIPTION', docker.image.description);
               core.exportVariable('DOCKER_IMAGE_ARGUMENTS', arguments.join("\r\n"));
+              core.setOutput('DOCKER_IMAGE_ARGUMENTS', arguments.join("\r\n"));
               core.exportVariable('DOCKER_IMAGE_DOCKERFILE', opt.input?.etc?.dockerfile || 'arch.dockerfile');
+              core.exportVariable('DOCKER_IMAGE_PLATFORM_SANITIZED', docker.image.platform.sanitized);
+              core.exportVariable('DOCKER_IMAGE_NAME_AND_VERSION', `${docker.image.name}:${docker.app.version}`);
+              core.setOutput('DOCKER_IMAGE_NAME_AND_VERSION', `${docker.image.name}:${docker.app.version}`);
+
+              core.exportVariable('WORKFLOW_BUILD', docker.image.build);
+              core.setOutput('WORKFLOW_BUILD', docker.image.build);
+              core.exportVariable('WORKFLOW_BUILD_NO_CACHE', !docker.cache.enable);
 
-              core.exportVariable('WORKFLOW_BUILD', (opt.input?.build === undefined) ? false : opt.input.build);
               core.exportVariable('WORKFLOW_CREATE_RELEASE', (opt.input?.release === undefined) ? false : opt.input.release);
               core.exportVariable('WORKFLOW_CREATE_README', (opt.input?.readme === undefined) ? false : opt.input.readme);
               core.exportVariable('WORKFLOW_GRYPE_FAIL_ON_SEVERITY', (opt.dot?.grype?.fail === undefined) ? true : opt.dot.grype.fail);
-              core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
+              core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'critical'));
-              if(opt.dot?.readme?.comparison){
+
-                core.exportVariable('WORKFLOW_CREATE_COMPARISON', true);
+            // print
-                core.exportVariable('WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE', opt.dot.readme.comparison.image);
+              core.info(inspect({opt:opt, docker:docker}, {showHidden:false, depth:null, colors:true}));
-                core.exportVariable('WORKFLOW_CREATE_COMPARISON_IMAGE', `${docker.image.name}:${docker.app.version}`);
-              }
 
 
-
+      # ╔═════════════════════════════════════════════════════╗
-      # DOCKER    
+      # ║             CONTAINER REGISTRY LOGIN                ║
+      # ╚═════════════════════════════════════════════════════╝
+      # DOCKER HUB
       - name: docker / login to hub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           username: 11notes
           password: ${{ secrets.DOCKER_TOKEN }}
 
+      # GITHUB CONTAINER REGISTRY
       - name: github / login to ghcr
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: 11notes
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      # REDHAT QUAY
       - name: quay / login to quay
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: quay.io
           username: 11notes+github
           password: ${{ secrets.QUAY_TOKEN }}
 
-      - name: docker / setup qemu
-        if: env.WORKFLOW_BUILD == 'true'
-        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a
 
-      - name: docker / setup buildx
+      # ╔═════════════════════════════════════════════════════╗
+      # ║               BUILD CONTAINER IMAGE                 ║
+      # ╚═════════════════════════════════════════════════════╝
+      # SETUP QEMU
+      - name: container image / setup qemu
+        if: env.WORKFLOW_BUILD == 'true' && matrix.platform == 'arm/v7'
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          image: tonistiigi/binfmt:qemu-v8.1.5
+          cache-image: false
+
+      # SETUP BUILDX BUILDER WITH USING LOCAL REGISTRY
+      - name: container image / setup buildx
         if: env.WORKFLOW_BUILD == 'true'
-        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
         with:
           driver-opts: network=host
 
-      - name: docker / build image locally
+      # BUILD CONTAINER IMAGE FROM GLOBAL CACHE (DOCKER HUB) AND PUSH TO LOCAL CACHE
+      - name: container image / build
         if: env.WORKFLOW_BUILD == 'true'
-        id: docker-build
+        id: image-build
-        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
+          no-cache: ${{ env.WORKFLOW_BUILD_NO_CACHE }}
           file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
           push: true
-          platforms: ${{ env.DOCKER_IMAGE_ARCH }}
+          platforms: linux/${{ matrix.platform }}
           cache-from: type=registry,ref=${{ env.DOCKER_CACHE_NAME }}
           cache-to: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true
           build-args: |
@@ -244,10 +374,11 @@ jobs:
           tags: |
             ${{ env.DOCKER_CACHE_GRYPE }}
 
-      - name: grype / scan
+      # SCAN LOCAL CONTAINER IMAGE WITH GRYPE
+      - name: container image / scan with grype
         if: env.WORKFLOW_BUILD == 'true'
         id: grype
-        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
         with:
           image: ${{ env.DOCKER_CACHE_GRYPE }}
           fail-build: ${{ env.WORKFLOW_GRYPE_FAIL_ON_SEVERITY }}
@@ -256,9 +387,10 @@ jobs:
           by-cve: true
           cache-db: true
 
-      - name: grype / fail
+      # OUTPUT CVE REPORT IF SCAN FAILS
-        if: env.WORKFLOW_BUILD == 'true' && (failure() || steps.grype.outcome == 'failure') && steps.docker-build.outcome == 'success'
+      - name: container image / scan with grype FAILED
-        uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
+        if: env.WORKFLOW_BUILD == 'true' && (failure() || steps.grype.outcome == 'failure') && steps.image-build.outcome == 'success'
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
         with:
           image: ${{ env.DOCKER_CACHE_GRYPE }}
           fail-build: false
@@ -267,16 +399,19 @@ jobs:
           by-cve: true
           cache-db: true
 
-      - name: docker / build image from cache and push to registries
+      # PUSH IMAGE TO ALL REGISTRIES IF CLEAN
+      - name: container image / push to registries
+        id: image-push
         if: env.WORKFLOW_BUILD == 'true'
-        uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
+          no-cache: ${{ env.WORKFLOW_BUILD_NO_CACHE }}
           file: ${{ env.DOCKER_IMAGE_DOCKERFILE }}
           push: true
           sbom: true
           provenance: mode=max
-          platforms: ${{ env.DOCKER_IMAGE_ARCH }}
+          platforms: linux/${{ matrix.platform }}
           cache-from: type=registry,ref=${{ env.DOCKER_CACHE_REGISTRY }}${{ env.DOCKER_CACHE_NAME }}
           cache-to: type=registry,ref=${{ env.DOCKER_CACHE_NAME }},mode=max,compression=zstd,force-compression=true
           build-args: |
@@ -284,23 +419,46 @@ jobs:
           tags: |
             ${{ env.DOCKER_IMAGE_TAGS }}
 
+      # CREATE ATTESTATION ARTIFACTS
+      - name: container image / create attestation artifacts
+        if: env.WORKFLOW_BUILD == 'true' && steps.image-push.outcome == 'success'
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        with:
+          subject-name: docker.io/${{ env.DOCKER_IMAGE_NAME }}
+          subject-digest: ${{ steps.image-push.outputs.digest }}
+          push-to-registry: false
+
+      # EXPORT DIGEST
+      - name: container image / export digest
+        if: env.WORKFLOW_BUILD == 'true' && steps.image-push.outcome == 'success'
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.image-push.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      # UPLOAD DIGEST
+      - name: container image / upload
+        if: env.WORKFLOW_BUILD == 'true' && steps.image-push.outcome == 'success'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: digests-linux-${{ env.DOCKER_IMAGE_PLATFORM_SANITIZED }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
 
 
-      # RELEASE      
+      # ╔═════════════════════════════════════════════════════╗
-      - name: github / release / markdown
+      # ║               CREATE GITHUB RELEASE                 ║
-        if: env.WORKFLOW_CREATE_RELEASE == 'true'
+      # ╚═════════════════════════════════════════════════════╝
+      # CREATE RELEASE MARKUP
+      - name: github release / prepare markdown
+        if: env.WORKFLOW_CREATE_RELEASE == 'true' && matrix.platform == 'amd64'
         id: git-release
         uses: 11notes/action-docker-release@v1
-        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
-        # ---------------------------------------------------------------------------------
-        # the next step "github / release / create" creates a new release based on the code
-        # in the repo. This code is not modified and can't be modified by this action.
-        # It does create the markdown for the release, which could be abused, but to what
-        # extend? Adding a link to a malicious repo?
 
-      - name: github / release / create
+      # CREATE GITHUB RELEASE
+      - name: github release / create
         if: env.WORKFLOW_CREATE_RELEASE == 'true' && steps.git-release.outcome == 'success'
-        uses: actions/create-release@4c11c9fe1dcd9636620a16455165783b20fc7ea0
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -311,74 +469,165 @@ jobs:
           prerelease: false
 
 
+  # ╔═════════════════════════════════════════════════════╗
+  # ║                                                     ║
+  # ║                                                     ║
+  # ║         MERGE IMAGES INTO SINGLE MANIFEST           ║
+  # ║                                                     ║
+  # ║                                                     ║
+  # ╚═════════════════════════════════════════════════════╝
+  merge_platform_images:
+    needs: docker
+    if: needs.docker.outputs.WORKFLOW_BUILD == 'true'
+    name: merge platform images to a single manifest
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        registry: [docker.io, ghcr.io, quay.io]
 
+    env:
+      DOCKER_IMAGE_NAME: ${{ needs.docker.outputs.DOCKER_IMAGE_NAME }}
+      DOCKER_IMAGE_MERGE_TAGS: ${{ needs.docker.outputs.DOCKER_IMAGE_MERGE_TAGS }}
 
-      # LICENSE
+    permissions:
-      - name: license / update year
+      contents: read
-        continue-on-error: true
+      packages: write
-        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+      attestations: write
+      id-token: write
+
+    steps:
+      # ╔═════════════════════════════════════════════════════╗
+      # ║             CONTAINER REGISTRY LOGIN                ║
+      # ╚═════════════════════════════════════════════════════╝
+      # DOCKER HUB
+      - name: docker / login to hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
-          script: |
+          username: 11notes
-            const { existsSync, readFileSync, writeFileSync } = require('node:fs');
+          password: ${{ secrets.DOCKER_TOKEN }}
-            const { resolve } = require('node:path');
+
-            const file = 'LICENSE';
+      # GITHUB CONTAINER REGISTRY
-            const year = new Date().getFullYear();
+      - name: github / login to ghcr
-            try{
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-              const path = resolve(file);
+        with:
-              if(existsSync(path)){
+          registry: ghcr.io
-                let license = readFileSync(file).toString();
+          username: 11notes
-                if(!new RegExp(`Copyright \\(c\\) ${year} 11notes`, 'i').test(license)){
+          password: ${{ secrets.GITHUB_TOKEN }}
-                  license = license.replace(/Copyright \(c\) \d{4} /i, `Copyright (c) ${new Date().getFullYear()} `);
+
-                  writeFileSync(path, license);
+      # REDHAT QUAY
-                }
+      - name: quay / login to quay
-              }else{
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-                throw new Error(`file ${file} does not exist`);
+        with:
-              }
+          registry: quay.io
-            }catch(e){
+          username: 11notes+github
-              core.setFailed(e);
+          password: ${{ secrets.QUAY_TOKEN }}
-            }
 
 
+      # ╔═════════════════════════════════════════════════════╗
+      # ║           MERGE PLATFORM IMAGES MANIFEST            ║
+      # ╚═════════════════════════════════════════════════════╝
+      # DOWNLOAD DIGESTS
+      - name: platform merge / digest
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      # SETUP BUILDX BUILDER
+      - name: platform merge / buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      # GET META DATA
+      - name: platform merge / meta
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
+        with:
+          images: ${{ matrix.registry }}/${{ env.DOCKER_IMAGE_NAME }}
+          tags: |
+            ${{ env.DOCKER_IMAGE_MERGE_TAGS }}
+
+      # CREATE MANIFEST
+      - name: platform merge / create manifest and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'docker.io/${{ env.DOCKER_IMAGE_NAME }}@sha256:%s ' *)
+
+      # INSPECT MANIFEST
+      - name: platform merge / inspect
+        run: |
+          docker buildx imagetools inspect ${{ matrix.registry }}/${{ env.DOCKER_IMAGE_NAME }}:${{ steps.meta.outputs.version }}
 
 
-      # README
+  # ╔═════════════════════════════════════════════════════╗
-      - name: github / checkout HEAD
+  # ║                                                     ║
+  # ║                                                     ║
+  # ║               FINALIZE IMAGE CREATION               ║
+  # ║                                                     ║
+  # ║                                                     ║
+  # ╚═════════════════════════════════════════════════════╝
+  finally:
+    if: ${{ always() }}
+    needs:
+      - docker
+      - merge_platform_images
+    name: finalize image creation
+    runs-on: ubuntu-latest
+
+    env:
+      DOCKER_IMAGE_NAME: ${{ needs.docker.outputs.DOCKER_IMAGE_NAME }}
+      DOCKER_IMAGE_DESCRIPTION: ${{ needs.docker.outputs.DOCKER_IMAGE_DESCRIPTION }}
+      DOCKER_IMAGE_NAME_AND_VERSION: ${{ needs.docker.outputs.DOCKER_IMAGE_NAME_AND_VERSION }}
+      DOCKER_IMAGE_ARGUMENTS: ${{ needs.docker.outputs.DOCKER_IMAGE_ARGUMENTS }}
+
+    permissions:
+      contents: write
+
+    steps:
+      # ╔═════════════════════════════════════════════════════╗
+      # ║                 SETUP ENVIRONMENT                   ║
+      # ╚═════════════════════════════════════════════════════╝
+      # CHECKOUT ALL DEPTHS (ALL TAGS)
+      - name: init / checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          ref: master
+          fetch-depth: 0
+
+      # ╔═════════════════════════════════════════════════════╗
+      # ║             CONTAINER REGISTRY LOGIN                ║
+      # ╚═════════════════════════════════════════════════════╝
+      # DOCKER HUB
+      - name: docker / login to hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: 11notes
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      # ╔═════════════════════════════════════════════════════╗
+      # ║                  CREATE README.md                   ║
+      # ╚═════════════════════════════════════════════════════╝
+      # CHECKOUT HEAD TO BE UP TO DATE WITH EVERYTHING
+      - name: README.md / checkout
+        if: github.event.inputs.readme == 'true'
         continue-on-error: true
         run: |
           git checkout HEAD
 
-      - name: docker / setup comparison images
+      # CREATE MAKRDOWN OF README.md
-        if: env.WORKFLOW_CREATE_COMPARISON == 'true'
+      - name: README.md / create
-        continue-on-error: true
+        if: github.event.inputs.readme == 'true'
-        run: |    
-          docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}
-          docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size0.log
-
-          docker image pull ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}
-          docker image ls --filter "reference=${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }}" --format json | jq --raw-output '.Size' &> ./comparison.size1.log
-          
-          docker run --entrypoint "/bin/sh" --rm ${{ env.WORKFLOW_CREATE_COMPARISON_FOREIGN_IMAGE }} -c id &> ./comparison.id.log
-
-      - name: github / create README.md
         id: github-readme
         continue-on-error: true
-        if: env.WORKFLOW_CREATE_README == 'true'
         uses: 11notes/action-docker-readme@v1
-        # WHY IS THIS ACTION NOT SHA256 PINNED? SECURITY MUCH?!?!?!
-        # ---------------------------------------------------------------------------------
-        # the next step "github / commit & push" only adds the README and LICENSE as well as 
-        # compose.yaml to the repository. This does not pose a security risk if this action
-        # would be compromised. The code of the app can't be changed by this action. Since
-        # only the files mentioned are commited to the repo. Sure, someone could make a bad
-        # compose.yaml, but since this serves only as an example I see no harm in that.
-        with:
-          sarif_file: ${{ steps.grype.outputs.sarif }}
-          build_output_metadata: ${{ steps.docker-build.outputs.metadata }}
 
-      - name: docker / push README.md to docker hub
+      # UPLOAD README.md to DOCKER HUB
+      - name: README.md / push to Docker Hub
+        if: github.event.inputs.readme == 'true' && steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != ''
         continue-on-error: true
-        if: steps.github-readme.outcome == 'success' && hashFiles('README_NONGITHUB.md') != ''
+        uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8 # v1
-        uses: christian-korneck/update-container-description-action@d36005551adeaba9698d8d67a296bd16fa91f8e8
         env:
           DOCKER_USER: 11notes
           DOCKER_PASS: ${{ secrets.DOCKER_TOKEN }}
@@ -388,9 +637,10 @@ jobs:
           short_description: ${{ env.DOCKER_IMAGE_DESCRIPTION }}
           readme_file: 'README_NONGITHUB.md'
 
-      - name: github / commit & push
+      # COMMIT NEW README.md, LICENSE and compose
+      - name: README.md / github commit & push
+        if: github.event.inputs.readme == 'true' && steps.github-readme.outcome == 'success' && hashFiles('README.md') != ''
         continue-on-error: true
-        if: steps.github-readme.outcome == 'success' && hashFiles('README.md') != ''
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
@@ -404,13 +654,13 @@ jobs:
           if [ -f LICENSE ]; then
             git add LICENSE
           fi
-          git commit -m "auto update README.md"
+          git commit -m "update README.md"
           git push origin HEAD:master
 
-
+      # ╔═════════════════════════════════════════════════════╗
-
+      # ║         GITHUB REPOSITORY DEFAULT SETTINGS          ║
-
+      # ╚═════════════════════════════════════════════════════╝
-      # REPOSITORY SETTINGS
+      # UPDATE REPO WITH DEFAULT SETTINGS FOR CONTAINER IMAGE
       - name: github / update description and set repo defaults
         run: |
           curl --request PATCH \

.github/workflows/version.yml

@@ -0,0 +1,33 @@
+name: version
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'set version for build'
+        type: string
+        required: true
+jobs:
+  version:
+    runs-on: ubuntu-latest
+    steps:
+      # ╔═════════════════════════════════════════════════════╗
+      # ║               BUILD VERSION {N} IMAGE               ║
+      # ╚═════════════════════════════════════════════════════╝
+      - name: version / setup config
+        uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+        with:
+          script: |
+            const { Buffer } = require('node:buffer');
+            const etc = {
+              version:"${{ github.event.inputs.version }}",
+              semver:{disable:{rolling: true}}
+            };
+            core.exportVariable('WORKFLOW_BASE64JSON', Buffer.from(JSON.stringify(etc)).toString('base64'));
+
+      - name: version / build container image
+        uses: the-actions-org/workflow-dispatch@3133c5d135c7dbe4be4f9793872b6ef331b53bc7
+        with:
+          wait-for-completion: false
+          workflow: docker.yml
+          token: "${{ secrets.REPOSITORY_TOKEN }}"
+          inputs: '{ "release":"false", "readme":"false", "etc":"${{ env.WORKFLOW_BASE64JSON }}" }'

README.md

@@ -47,12 +47,14 @@ services:
       TZ: "Europe/Zurich"
     volumes:
       - "var:/kms/var"
+    networks:
+      frontend:
     ports:
       - "1688:1688/tcp"
     restart: "always"
 
   gui:
-    image: "11notes/kms:1.0.3"
+    image: "11notes/kms-gui:1.0.3"
     depends_on:
       app:
         condition: "service_healthy"
@@ -61,28 +63,47 @@ services:
       TZ: "Europe/Zurich"
     volumes:
       - "var:/kms/var"
+    networks:
+      frontend:
     ports:
       - "3000:3000/tcp"
     restart: "always"
 
 volumes:
   var:
+
+networks:
+  frontend:
 ```
+To find out how you can change the default UID/GID of this container image, consult the [how-to.changeUIDGID](https://github.com/11notes/RTFM/blob/main/linux/container/image/11notes/how-to.changeUIDGID.md#change-uidgid-the-correct-way) section of my [RTFM](https://github.com/11notes/RTFM)
 
 # EXAMPLE
-## Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
+## Add your product key
+Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
 ```cmd
 slmgr /ipk D764K-2NDRG-47T6Q-P8T8W-YP6DF
 ```
-Add your KMS server information to server via registry
+## Add your KMS server information
+... via CLI
+```
+ slmgr /skms KMS_IP:KMS_PORT
+```
+... via registry (or add these key to your GPO)
 ```powershell
+"Windows"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
 
+"Office"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
 ```
-Activate server
+... via DNS
+```sh
+# BIND
+_vlmcs._tcp SRV 0 0 KMS_PORT KMS_IP
+```
+## Activate server
 ```cmd
 slmgr /ato
 ```
@@ -147,4 +168,4 @@ This image supports unraid by default. Simply add **-unraid** to any tag and the
 # ElevenNotes™️
 This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-kms/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-kms/issues), thanks. If you have a question or inputs please create a new [discussion](https://github.com/11notes/docker-kms/discussions) instead of an issue. You can find all my other repositories on [github](https://github.com/11notes?tab=repositories).
 
-*created 10.07.2025, 07:54:05 (CET)*
+*created 23.10.2025, 07:06:45 (CET)*

project.md

@@ -32,19 +32,32 @@ ${{ title_volumes }}
 ${{ content_compose }}
 
 # EXAMPLE
-## Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
+## Add your product key
+Windows Server 2025 Datacenter. List of [GVLK](https://learn.microsoft.com/en-us/windows-server/get-started/kms-client-activation-keys)
 ```cmd
 slmgr /ipk D764K-2NDRG-47T6Q-P8T8W-YP6DF
 ```
-Add your KMS server information to server via registry
+## Add your KMS server information
+... via CLI
+```
+ slmgr /skms KMS_IP:KMS_PORT
+```
+... via registry (or add these key to your GPO)
 ```powershell
+"Windows"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
 
+"Office"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServiceName" -Value "KMS_IP"
 Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform" -Name "KeyManagementServicePort" -Value "KMS_PORT"
 ```
-Activate server
+... via DNS
+```sh
+# BIND
+_vlmcs._tcp SRV 0 0 KMS_PORT KMS_IP
+```
+## Activate server
 ```cmd
 slmgr /ato
 ```