* CI: Split into native per-arch build jobs to fix QEMU arm64 crash
The arm64 build was failing with 'Illegal instruction (core dumped)'
during npm install because QEMU user-mode emulation doesn't support
all arm64 instructions used by newer Node.js versions.
Split the single multi-platform build job into:
- setup: determines tags, webapp version (shared via outputs)
- build-amd64: builds on ubuntu-latest natively
- build-arm64: builds on ubuntu-24.04-arm natively (no QEMU)
- manifest: merges per-arch digests into multi-arch manifest
- comment: posts PR test instructions
Both architectures get independent Trivy scans. The amd64 and arm64
builds run in parallel so total build time should be similar or faster.
Also pins Trivy CLI to v0.69.3 to work around deleted release assets
from the Trivy supply chain attack (aquasecurity/trivy#10265).
* Address review feedback: fix BUILD_DATE, add permissions, add event fallback
- Compute BUILD_DATE in setup job and pass as output instead of using
$(date) in build-args YAML, which is not evaluated at runtime
- Add explicit permissions block (contents:read, packages:write,
pull-requests:write) to limit GITHUB_TOKEN scope
- Add else fallback in tag strategy for unsupported event types
* Bump Alpine base image from 3.22.2 to 3.23.3 to clear Trivy CVEs
* Fix Trivy CVEs: upgrade systeminformation to 5.31.0 and zlib to >=1.3.2
- systeminformation 5.27.1->5.31.0: fixes CVE-2025-68154, CVE-2026-26280,
CVE-2026-26318 (command injection vulnerabilities)
- zlib 1.3.1-r2->1.3.2: fixes CVE-2026-22184 (buffer overflow in untgz)
The systeminformation fix overrides the version pinned by the webapp
upstream (5.27.10) until that repo is updated.
* Fix zlib upgrade: use apk --upgrade to ensure CVE-2026-22184 is resolved
The previous 'apk add zlib>=1.3.2' wasn't upgrading zlib because it
was already installed as a transitive dependency. Use --upgrade flag
to force apk to pull the latest available version (1.3.2-r0).
* Fix Trivy arm64 scan: set TRIVY_PLATFORM to match image architecture
Trivy defaults to linux/amd64 when resolving remote image digests.
On the arm64 build job, the pushed digest is a single-platform arm64
image, so Trivy fails with 'no child with platform linux/amd64'.
Setting TRIVY_PLATFORM=linux/arm64 resolves this.
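The CI changes above (tag strategy with an explicit fallback for unsupported event types, BUILD_DATE computed in the setup job and passed as a job output, and TRIVY_PLATFORM matched to the native build runner) as one helper script, added here as an example and not part of the project's workflow. The script name `ci-meta.sh`, the image name `ghcr.io/example/netboot`, the tag scheme and the `meta`/`platform` subcommands are assumptions for illustration.

```shell
#!/bin/sh
# ci-meta.sh: hypothetical helper for the per-arch GitHub Actions workflow
# (added example, not the project's own code). Run it from a `run:` step and it
# appends job outputs to $GITHUB_OUTPUT; run it without GITHUB_OUTPUT set and it
# prints them instead.
set -eu

IMAGE="${IMAGE:-ghcr.io/example/netboot}"   # assumed image name

# Tag strategy with a hard failure for unsupported event types instead of
# silently producing no tags.  Usage: compute_tags <event_name> <ref> [pr_number]
compute_tags() {
  event="$1"; ref="$2"; pr="${3:-}"
  case "$event" in
    push)
      case "$ref" in
        refs/tags/v*)    echo "${IMAGE}:${ref#refs/tags/v} ${IMAGE}:latest" ;;
        refs/heads/main) echo "${IMAGE}:main" ;;
        refs/heads/*)
          # branch names may contain '/', which is not valid in a tag
          branch=$(printf '%s' "${ref#refs/heads/}" | tr -c 'A-Za-z0-9_.-' '-')
          echo "${IMAGE}:${branch}" ;;
        *) echo "unsupported ref for push: $ref" >&2; return 1 ;;
      esac ;;
    pull_request)
      [ -n "$pr" ] || { echo "pull_request event without PR number" >&2; return 1; }
      echo "${IMAGE}:pr-${pr}" ;;
    *)
      echo "unsupported event type: $event" >&2
      return 1 ;;
  esac
}

# BUILD_DATE is evaluated here, in a shell, not inside build-args YAML where
# $(date) would be passed through literally.
build_date() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Map the runner's machine type to the platform Trivy must resolve, so a
# single-arch arm64 digest is not looked up as linux/amd64.
# Usage: trivy_platform [uname -m output]  (defaults to the current machine)
trivy_platform() {
  arch="${1:-$(uname -m)}"
  case "$arch" in
    x86_64|amd64)  echo linux/amd64 ;;
    aarch64|arm64) echo linux/arm64 ;;
    *) echo "unsupported architecture: $arch" >&2; return 1 ;;
  esac
}

# Setup-job outputs: tags and build_date.  Usage: emit_outputs <event> <ref> [pr]
emit_outputs() {
  out="${GITHUB_OUTPUT:-/dev/stdout}"
  tags=$(compute_tags "$1" "$2" "${3:-}")
  {
    echo "tags=$tags"
    echo "build_date=$(build_date)"
  } >> "$out"
}

# Subcommands: `meta` runs in the setup job; `platform` runs in each native
# build job so the value reflects that runner, not the setup runner.
case "${1:-}" in
  meta)     emit_outputs "${2:-}" "${3:-}" "${4:-}" ;;
  platform) echo "trivy_platform=$(trivy_platform)" >> "${GITHUB_OUTPUT:-/dev/stdout}" ;;
esac
```

A setup step would call `sh ci-meta.sh meta "$GITHUB_EVENT_NAME" "$GITHUB_REF" "${{ github.event.pull_request.number }}"` and expose `steps.<id>.outputs.tags` and `build_date` as job outputs; each build job calls `sh ci-meta.sh platform` on its own runner and sets `TRIVY_PLATFORM` from that output before scanning its single-arch digest.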
* Implement rootless Docker container with preserved TFTP logging
- Convert all processes to run as non-root user (nbxyz) for enhanced security
- Add customizable PUID/PGID environment variables for volume permission management
- Implement privilege dropping using gosu for secure initialization
- Optimize Dockerfile with multi-stage build and better caching
- Create dnsmasq wrapper script to ensure TFTP logs appear in docker logs
- Configure supervisord to properly forward dnsmasq output to container stdout
- Maintain full TFTP/PXE boot debugging functionality for users
Security improvements:
- All application processes (nginx, webapp, dnsmasq) run as nbxyz user
- Only supervisord initialization runs as root, then drops privileges
- Proper permission management for all service directories
- Configurable user/group IDs via PUID/PGID environment variables
Performance optimizations:
- Multi-stage Docker build reduces final image size
- Better layer caching for faster rebuilds
- Optimized package installation and cleanup
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Update Dockerfile
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update root/init.sh
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
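The rootless entrypoint described in the "Implement rootless Docker container" commit (PUID/PGID handling, ownership of service directories, privilege drop via gosu before supervisord starts), written out as an added example; this is not the project's `root/init.sh`. The user name `nbxyz` comes from the commit message; the directory list, the `start` argument, the `groupmod`/`usermod` commands from Alpine's `shadow` package and the default ids of 1000 are assumptions.

```shell
#!/bin/sh
# init.sh: hypothetical rootless entrypoint (added example, not the project's
# own script). Runs as root only long enough to align the nbxyz account with
# PUID/PGID and fix volume ownership, then execs supervisord via gosu.
set -eu

APP_USER="${APP_USER:-nbxyz}"                                      # service account
SERVICE_DIRS="${SERVICE_DIRS:-/config /assets /var/log/nginx}"     # assumed paths

# A usable id is a non-negative integer; anything else (empty, signed, text)
# is rejected rather than passed to usermod/chown.
valid_id() {
  case "${1:-}" in
    ''|*[!0-9]*) return 1 ;;
    *)           return 0 ;;
  esac
}

# Validate the requested ids and refuse uid/gid 0: the point of the change is
# that no service runs as root.  Usage: resolve_ids <uid> <gid>  -> "uid gid"
resolve_ids() {
  uid="$1"; gid="$2"
  valid_id "$uid" || { echo "PUID must be a non-negative integer, got '$uid'" >&2; return 1; }
  valid_id "$gid" || { echo "PGID must be a non-negative integer, got '$gid'" >&2; return 1; }
  if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
    echo "refusing to run services as root (PUID/PGID=0)" >&2
    return 1
  fi
  echo "$uid $gid"
}

# Re-id the existing account only when it differs from what was requested.
# -o allows a non-unique id so PUID can match a host user that collides with
# an id already present in the image (assumes the shadow package is installed).
apply_ids() {
  uid="$1"; gid="$2"
  cur_gid=$(grep "^${APP_USER}:" /etc/group | cut -d: -f3)
  [ "$cur_gid" = "$gid" ] || groupmod -o -g "$gid" "$APP_USER"
  cur_uid=$(id -u "$APP_USER")
  [ "$cur_uid" = "$uid" ] || usermod -o -u "$uid" "$APP_USER"
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "init.sh must start as root to drop privileges" >&2; exit 1; }
  ids=$(resolve_ids "${PUID:-1000}" "${PGID:-1000}")
  set -- $ids
  apply_ids "$1" "$2"
  # Volumes mounted from the host are owned by whatever the host user was;
  # fix them before dropping privileges so nginx/webapp/dnsmasq can write.
  for d in $SERVICE_DIRS; do
    mkdir -p "$d"
    chown -R "$1:$2" "$d"
  done
  # Everything from here on runs as nbxyz.  dnsmasq binding TFTP/DHCP ports
  # below 1024 as a non-root user requires cap_net_bind_service on the binary
  # (setcap in the Dockerfile), which this script assumes was done at build time.
  exec gosu "$APP_USER" supervisord --nodaemon --configuration /etc/supervisord.conf
}

# Invoked as `init.sh start` from the image's CMD; sourcing the file without
# the argument only defines the functions.
case "${1:-}" in
  start) main ;;
esac
```

Pass `-e PUID=$(id -u) -e PGID=$(id -g)` at `docker run` time to make the bind-mounted config and assets directories writable by the container without loosening their permissions on the host.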