From e3117223ede6e97f8235d0bc3726479e5e30ea78 Mon Sep 17 00:00:00 2001
From: Markis Taylor
Date: Tue, 4 Apr 2023 22:12:08 -0400
Subject: [PATCH] maggie's changes (#1)
---
.github/workflows/fetch-upstream.yaml | 96 +++++++++++++++++++++++++++
Dockerfile | 18 ++---
Makefile | 3 +-
3 files changed, 107 insertions(+), 10 deletions(-)
create mode 100644 .github/workflows/fetch-upstream.yaml
diff --git a/.github/workflows/fetch-upstream.yaml b/.github/workflows/fetch-upstream.yaml
new file mode 100644
index 00000000..4c22b0e0
--- /dev/null
+++ b/.github/workflows/fetch-upstream.yaml
@@ -0,0 +1,96 @@
+
+name: "Fetch upstream changes and create tags"
+
+on:
+ workflow_dispatch:
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: maggie0002/cloudflared
+
+jobs:
+ fetch-and-tag:
+ name: "Fetch upstream changes and create tags"
+ runs-on: "ubuntu-latest"
+ outputs:
+ output1: ${{ steps.fetch_and_tag_step.outputs.current_tag }}
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ token: ${{secrets.TAP}}
+
+ - name: Fetch upstream and rebase
+ run: |
+ git config user.email "41898282+github-actions[bot]@users.noreply.github.com" && \
+ git config user.name "GitHub Workflow" && \
+ git remote add upstream https://github.com/cloudflare/cloudflared.git && \
+ git fetch --tags upstream && \
+ git rebase upstream/master
+
+ - name: Get and store latest tag as output variable
+ id: fetch_and_tag_step
+ run: |
+ echo $(git log --tags --simplify-by-decoration --pretty="format:%D" --reverse -n1 | cut -d" " -f2 | sed '$s/,$//') && \
+ latest_tag=$(git log --tags --simplify-by-decoration --pretty="format:%D" --reverse -n1 | cut -d" " -f2 | sed '$s/,$//') && \
+ echo "latest_tag=$(git log --tags --simplify-by-decoration --pretty="format:%D" --reverse -n1 | cut -d" " -f2 | sed '$s/,$//')" >> "$GITHUB_ENV" && \
+ echo "::set-output name=current_tag::$latest_tag"
+
+ - name: If a new tag from CloudFlare
+ if: ${{ !endsWith(env.latest_tag, '-ma') }}
+ run: |
+ git tag "${{env.latest_tag}}-ma"
+ - name: Push changes
+ run: |
+ git push origin master --tags -f
+
+ build-and-push:
+ name: "Build and publish images"
+ runs-on: ubuntu-latest
+ needs: [fetch-and-tag]
+ if: ${{ !endsWith(needs.fetch-and-tag.outputs.output1, '-ma') }}
+
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: Checkout repository based on tag
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ ref: ${{ needs.fetch-and-tag.outputs.output1 }}
+
+ - name: Rebase the custom build on to this tag
+ run: |
+ git config user.email
"41898282+github-actions[bot]@users.noreply.github.com" && \
+ git config user.name "GitHub Workflow" && \
+ git merge origin/base -m "Merge Docker build files"
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ - name: Set up Docker Buildx
+ id: buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Available platforms
+ run: echo ${{ steps.buildx.outputs.platforms }}
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v1
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ file: ./Dockerfile
+ platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.fetch-and-tag.outputs.output1 }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index 870bbbeb..02495cfb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,9 @@ ENV GO111MODULE=on \ CGO_ENABLED=0 \ TARGET_GOOS=${TARGET_GOOS} \ TARGET_GOARCH=${TARGET_GOARCH} - + +LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared" + WORKDIR /go/src/github.com/cloudflare/cloudflared/ # copy our sources into the builder image
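Review bot: The `git tag "${{env.latest_tag}}-ma"` step pastes a value derived from upstream tag names into the script text before the shell parses it, in a job whose checkout holds the `secrets.TAP` token and which then force-pushes to `master`. The previous step already exports `latest_tag` through `$GITHUB_ENV`, so the step can read it as an ordinary shell variable instead: `git tag "${latest_tag}-ma"`. That preceding step also uses the deprecated `::set-output` command; `echo "current_tag=$latest_tag" >> "$GITHUB_OUTPUT"` is the current form. The actions are referenced by mutable tags (`actions/checkout@v3`, `docker/login-action@v1`, `docker/build-push-action@v2`); pinning them to full commit SHAs would fix which code receives the token and the `packages: write` permission.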
@@ -15,17 +17,15 @@ COPY . . # compile cloudflared RUN make cloudflared -# use a distroless base image with glibc -FROM gcr.io/distroless/base-debian11:nonroot +# use an empty image, and rely on GoLang to manage binaries +FROM scratch LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared" -# copy our compiled binary -COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/ - -# run as non-privileged user -USER nonroot +# copy required files into the container +COPY --from=builder /go/src/github.com/cloudflare/cloudflared/cloudflared . +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt # command / entrypoint of container -ENTRYPOINT ["cloudflared", "--no-autoupdate"] +ENTRYPOINT ["./cloudflared", "--no-autoupdate"] CMD ["version"]
diff --git a/Makefile b/Makefile
index 06fa0050..199a7f7c 100644
--- a/Makefile
+++ b/Makefile
@@ -35,7 +35,8 @@ ifeq ($(FIPS), true) VERSION_FLAGS := $(VERSION_FLAGS) -X "main.BuildType=FIPS" endif -LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS)' +LDFLAGS := -ldflags='$(VERSION_FLAGS) $(LINK_FLAGS) -s -w' + ifneq ($(GO_BUILD_TAGS),) GO_BUILD_TAGS := -tags "$(GO_BUILD_TAGS)" endif
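Review bot: The final stage no longer sets a user: `USER nonroot` is removed and nothing replaces it after `FROM scratch`, so the container process runs as UID 0 unless the runtime overrides it. A numeric user needs no passwd file in the image and keeps the earlier non-root behaviour, e.g. `USER 65532:65532` placed before `ENTRYPOINT`. The binary is also copied to `.` with no `WORKDIR`, so the relative `./cloudflared` entrypoint only resolves while the working directory stays `/`; copying to `/cloudflared` and using `ENTRYPOINT ["/cloudflared", "--no-autoupdate"]` would make the path explicit.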
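Review bot: The `-s -w` flags on the new `LDFLAGS` line are applied to every build and carry no comment saying why; a line such as `# -s -w: omit the symbol table and DWARF data to reduce binary size` above it would record the intent. Because the flags are unconditional, every binary built through this Makefile loses that debugging data, not only the container image. If that is not intended, passing them through `LINK_FLAGS` for the image build alone would keep other builds unchanged, assuming `LINK_FLAGS` can be set by the caller, which the hunk does not show.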