fix(Dockerfile): update Alpine and curl versions for improved stability

Reviewed-on: #4

.gitea/CODEOWNERS

@@ -0,0 +1 @@
+*   @luke

.gitea/workflows/ci.yml

@@ -0,0 +1,52 @@
+name: CI
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          # format: sonarqube
+          format: tty
+          no-fail: true
+      
+      - name: Print Hadolint results
+        if: ${{ always() }}
+        run: cat hadolint.out
+
+      # - name: SonarQube Scan
+      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
+      #   env:
+      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
+      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+
+      # - name: Snyk SAST Scan
+      #   uses: snyk/actions/python@master
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #   with:
+      #     # command: snyk
+      #     args: snyk code test --all-projects --exclude=.archive
+
+      # - name: Snyk Vulnerability Scan
+      #   uses: snyk/actions/python@master
+      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
+      #   env:
+      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      #   with:
+      #     args: test --all-projects

.gitea/workflows/conventional_commit.yml

@@ -0,0 +1,16 @@
+name: Validate PR Title
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: https://git.tainton.uk/actions/conventional-commits-check-action@v1.3.0
+        with:
+          commit-message: ${{ gitea.event.pull_request.title }}

.gitea/workflows/release.yml

@@ -0,0 +1,103 @@
+name: Build and Release
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Documize version to build (e.g., v5.14.0). Must start with "v" and match an existing Documize release tag.'
+        required: true
+        type: string
+
+jobs:
+  # tag:
+  #   name: Tag release
+  #   uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/release-with-tag.yaml@main
+
+  # create_release:
+  #   name: Create Release
+  #   needs: tag
+  #   uses: https://git.tainton.uk/actions/gha-workflows/.gitea/workflows/create-release-preexisting-tag.yaml@main
+  #   with:
+  #     tag: ${{ needs.tag.outputs.tag_name }}
+  #     body: ${{ needs.tag.outputs.changelog }}
+  #   secrets:
+  #     ACTIONS_TOKEN: ${{ secrets.ACTIONS_TOKEN }}
+
+  docker:
+    name: Publish Docker Images
+    runs-on: ubuntu-latest
+    # needs: [tag, create_release]
+    steps:
+      - name: Update Docker configuration
+        continue-on-error: true
+        run: |
+          mkdir -p /etc/default
+          mkdir -p /etc/docker
+          touch -a /etc/default/docker
+          touch -a /etc/docker/daemon.json
+          echo "DOCKER_OPTS=\"--insecure-registry ${{ vars.PACKAGES_REGISTRY_URL }}\"" >> /etc/default/docker
+          echo "{\"insecure-registries\": [\"${{ vars.PACKAGES_REGISTRY_URL }}\"]}" > /etc/docker/daemon.json
+
+      - name: Get repo name
+        id: split
+        run: echo "repo=${REPO##*/}" >> "$GITEA_OUTPUT"
+        env:
+          REPO: ${{ gitea.repository }}
+
+      - name: Check out repository
+        uses: actions/checkout@v6.0.1
+        with:
+          fetch-depth: 0
+          ref: main
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Gitea Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ vars.PACKAGES_REGISTRY_URL }}
+          username: ${{ vars.ACTIONS_USERNAME }}
+          password: ${{ secrets.ACTIONS_TOKEN }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ vars.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          tags: type=semver,pattern=v{{version}},value=${{ inputs.version }} 
+          images: |
+            ghcr.io/${{ vars.GHCR_USERNAME }}/${{ steps.split.outputs.repo }}
+            ${{ vars.PACKAGES_REGISTRY_URL }}/${{ gitea.repository }}
+
+      - name: Print metadata
+        run: |
+          printf "Annotations:\n${{ steps.meta.outputs.annotations }}"
+          echo ""
+          printf "Labels:\n${{ steps.meta.outputs.labels }}"
+          echo ""
+          printf "Tags:\n${{ steps.meta.outputs.tags }}"
+
+      - name: Build images
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          load: true
+          build-args: |
+            DOCUMIZE_VERSION=${{ inputs.version }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+
+      - name: Push images
+        run: |
+          strtags="${{ steps.meta.outputs.tags }}"
+          readarray -t lines <<<"$strtags"
+          for element in "${lines[@]}"; do docker push "$element"; done
+          unset strtags lines

Dockerfile

@@ -1,9 +1,10 @@
-FROM alpine:latest
+FROM alpine:3.23.2
 LABEL maintainer="Luke Tainton <luke@tainton.uk>"
-LABEL org.opencontainers.image.source="https://gitlab.com/luketainton/documize-docker"
-ARG DOCUMIZE_VERSION=v4.2.3
-RUN apk add --no-cache curl
+LABEL org.opencontainers.image.source="https://git.tainton.uk/repos/documize-docker"
+ARG DOCUMIZE_VERSION=v5.14.0
+ENV DOCUMIZEPORT=5001
+RUN apk add --no-cache curl=8.17.0-r1
 WORKDIR /opt
 RUN curl -L -o documize "https://github.com/documize/community/releases/download/${DOCUMIZE_VERSION}/documize-community-linux-amd64" && chmod 755 documize
-ENTRYPOINT ["./documize -port 80"]
-EXPOSE 80
+ENTRYPOINT ["./documize -port ${DOCUMIZEPORT}"]
+EXPOSE ${DOCUMIZEPORT}

README.md

@@ -2,4 +2,7 @@
 Documize Community in a Docker container.
 
 ## Running
-Set the `DOCUMIZEDB` and `DOCUMIZEDBTYPE` environment variables as described in the [documentation](https://docs.documize.com/s/VzO9ZqMOCgABGyfW/installation-guides/d/V16L08ucxwABhZF6/installation-guide).
+Set the `DOCUMIZEDB` and `DOCUMIZEDBTYPE` environment variables as described in the [Installation Guide](https://docs.documize.com/s/VzO9ZqMOCgABGyfW/installation-guides/d/V16L08ucxwABhZF6/installation-guide) and [Configuration Options](https://docs.documize.com/s/VzO9ZqMOCgABGyfW/VzO9ZqMOCgABGyfW/d/VzSL8cVZ4QAB2B4Y/configuration-options).
+
+## Docker Compose
+A sample Docker Compose manifest is available in this repo.

docker-compose.yml

@@ -0,0 +1,35 @@
+services:
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    # Alternatively, you can use a pre-built image:
+    # image: "git.tainton.uk/repos/documize-docker:latest"
+    restart: "unless-stopped"
+    environment:
+      - "DOCUMIZEPORT=5001"
+      - "DOCUMIZESALT=your_salt_here"
+      - "DOCUMIZEDBTYPE=postgresql"
+      - "DOCUMIZEDB=host=db port=5432 dbname=documize user=documize password=${DB_PASSWORD} sslmode=disable"
+    ports:
+      - "80:5001/tcp"
+    depends_on:
+      db:
+        condition: service_healthy
+
+  db:
+    image: postgres:18.1-alpine
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=documize
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - POSTGRES_DB=documize
+    volumes:
+      - "./db:/var/lib/postgresql/18/docker"
+    healthcheck:
+      test:
+        - CMD-SHELL
+        - pg_isready -U documize
+      interval: 5s
+      timeout: 5s
+      retries: 5

renovate.json

@@ -0,0 +1,23 @@
+{
+  "assignAutomerge": false,
+  "assigneesFromCodeOwners": false,
+  "dependencyDashboardAutoclose": true,
+  "extends": ["config:recommended", "docker:enableMajor"],
+  "ignorePaths": ["**/.archive/**"],
+  "labels": ["type/dependencies"],
+  "platformCommit": "enabled",
+  "rebaseWhen": "behind-base-branch",
+  "rollbackPrs": true,
+  "semanticCommits": "enabled",
+  "semanticCommitScope": "deps",
+  "semanticCommitType": "feat",
+  "vulnerabilityAlerts": {
+    "commitMessagePrefix": "[SECURITY] ",
+    "enabled": true,
+    "labels": ["security"],
+    "prCreation": "immediate"
+  },
+  "lockFileMaintenance": {
+    "enabled": true
+  }
+}