appwrite · davidjeddy · Mar 13, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
diff --git a/.dive-ci b/.dive-ci
@@ -0,0 +1,13 @@
+rules:
+  # If the efficiency is measured below X%, mark as failed.
+  # Expressed as a ratio between 0-1.
+  lowestEfficiency: 0.90
+
+  # If the amount of wasted space is at least X or larger than X, mark as failed.
+  # Expressed in B, KB, MB, and GB.
+  highestWastedBytes: 128MB
+
+  # If the amount of wasted space makes up for X% or more of the image, mark as failed.
+  # Note: the base image layer is NOT included in the total image size.
+  # Expressed as a ratio between 0-1; fails if the threshold is met or crossed.
+  highestUserWastedPercent: 0.10
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,6 @@
+.git*
+*.md
+*test*.*
+Dockerfile
+LICENSE
+trivy-*.json
diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
@@ -1,37 +1,86 @@
-name: Build and Push to DockerHub
+name: Build and Push
 
-on:
-  release:
-    types: [published]
+on: push
+
+permissions:
+  contents: read
 
 env:
-  REGISTRY: docker.io
   IMAGE_NAME: appwrite/base
-  TAG: ${{ github.event.release.tag_name }}
+  REGISTRY: docker.io
 
+# https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
+# https://learn.arm.com/learning-paths/cross-platform/github-arm-runners/actions/
 jobs:
-  build:
-    runs-on: ubuntu-latest
+  build_and_push:
+    if: github.ref != 'refs/heads/main'
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            arch: amd64
+          - os: ubuntu-24.04-arm
+            arch: arm64
     steps:
       - name: Checkout the repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v6
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}} .
 
+      - name: Push an image
+        run: |
+          docker image push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-${{matrix.arch}}
+
+  manifest_build_and_push_on_feature:
+    if: github.ref != 'refs/heads/main'
+    needs: build_and_push
+    runs-on: ubuntu-24.04
+    steps:
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Create manifest
+        run: |
+            docker manifest create \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64
+
+      - name: Push manifest
+        run: |
+            docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
 
-      - name: Build and push
-        uses: docker/build-push-action@v4
+  manifest_build_and_push_on_main:
+    if: github.ref == 'refs/heads/main'
+    needs: build_and_push
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
         with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Create manifest
+        run: |
+            docker manifest create \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }} \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-amd64 \
+              ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}-arm64
+
+      - name: Push manifest
+        run: |
+            docker manifest push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
diff --git a/.github/workflows/dive.yml b/.github/workflows/dive.yml
@@ -0,0 +1,26 @@
+name: Dive Test
+
+on: push
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
+
+jobs:
+  dive:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+
+      - name: Dive
+        uses: yuichielectric/dive-action@0.0.4
+        with:
+          image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
diff --git a/.github/workflows/lifecycle-policy.yml b/.github/workflows/lifecycle-policy.yml
@@ -0,0 +1,36 @@
+# https://github.com/marketplace/actions/delete-package-versions
+# Ignore SemVer tags (proper releases)
+# Keep 7 sha tagged images (ordred by publish datetime)
+
+name: Container Lifecycle Policy
+
+on:
+  schedule:
+    - cron: '30 9 * * *'
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
+
+jobs:
+  prune_sha_tagged_images:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Login to DockerHub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      # TODO pull all the images in the registry before running this. Be sure we have a backup
+      # # https://github.com/marketplace/actions/delete-package-versions#delete-oldest-x-number-of-versions-while-ignoring-particular-package-versions
+      # # Ignore SemVer tagged images https://ihateregex.io/expr/semver/
+      # - uses: actions/delete-package-versions@v5
+      #   with: 
+      #     ignore-versions: '^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$'
+      #     min-versions-to-keep: 7
+      #     package-name: 'base'
+      #     package-type: 'container'
diff --git a/.github/workflows/scheduled-trivy.yml b/.github/workflows/scheduled-trivy.yml
@@ -0,0 +1,44 @@
+name: Scheduled Trivy Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main" ]
+  schedule:
+    - cron: '43 11 * * 6'
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
+
+jobs:
+  scheduled_trivy:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6.0.2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner (sarif report)
+        uses: aquasecurity/trivy-action@0.35.0
+        with:
+          format: 'sarif'
+          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
+          output: 'trivy-image-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: '.'
diff --git a/.github/workflows/structure-test.yml b/.github/workflows/structure-test.yml
@@ -0,0 +1,28 @@
+# https://github.com/marketplace/actions/container-structure-test-action
+name: Container Structure Test
+
+on: push
+
+permissions:
+  contents: read
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
+
+jobs:
+  structure_test:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v6.0.2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+
+      - name: Run container structure tests
+        uses: plexsystems/container-structure-test-action@v0.1.0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          config: tests.yaml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -1,48 +1,38 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
+# https://github.com/aquasecurity/trivy-action
+name: Push Trivy Scan
 
-name: trivy
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "main" ]
-  schedule:
-    - cron: '43 11 * * 6'
+on: push
 
 permissions:
-  contents: read
+  contents: read # for actions/checkout to fetch code
+  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+  actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+env:
+  IMAGE_NAME: appwrite/base
+  REGISTRY: docker.io
 
 jobs:
-  build:
-    permissions:
-      contents: read # for actions/checkout to fetch code
-      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    name: Build
-    runs-on: ubuntu-latest
+  trivy:
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6.0.2
 
       - name: Build an image from Dockerfile
         run: |
-          docker build -t appwrite/docker-base:${{ github.sha }} .
+          docker image build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+      - name: Run Trivy vulnerability scanner (sarif report)
+        uses: aquasecurity/trivy-action@0.35.0
         with:
-          image-ref: 'appwrite/docker-base:${{ github.sha }}'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
+          format: 'sarif'
+          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}'
+          output: 'trivy-image-results.sarif'
           severity: 'CRITICAL,HIGH'
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+      # https://github.com/github/codeql-action/blob/main/upload-sarif/action.yml
+      - name: Upload Trivy scan results
+        uses: github/codeql-action/upload-sarif@v4
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: '.'
diff --git a/.gitignore b/.gitignore
@@ -1 +1,4 @@
 .idea
+*.log
+NOTES*.md
+trivy-*-results.json