Merge pull request #97 from wollomatic/main

wollomatic · web-flow · commit b54f67603005 · 2026-02-21T20:21:59.000+01:00
prepare v1.10.3
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3
diff --git a/.github/workflows/docker-image-release.yaml b/.github/workflows/docker-image-release.yaml
@@ -17,17 +17,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          args: ./...
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: '1.25'
+          go-version: '1.26'
+
+      - name: Run Gosec Security Scanner
+        run: |
+          go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
+          gosec ./...
 
       - name: Run Go tests
         run: go test ./...
@@ -37,28 +37,28 @@ jobs:
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v4.0.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
           cosign-release: 'v2.6.1'
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push Docker Hub image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         id: push-dockerhub
         with:
           context: .
@@ -76,7 +76,7 @@ jobs:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Build and push GHCR image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         id: push-ghcr
         with:
           context: .
diff --git a/.github/workflows/docker-image-testing.yaml b/.github/workflows/docker-image-testing.yaml
@@ -19,17 +19,17 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          args: ./...
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
-          go-version: '1.25'
+          go-version: '1.26'
+
+      - name: Run Gosec Security Scanner
+        run: |
+          go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
+          gosec ./...
 
       - name: Run Go tests
         run: go test ./...
@@ -40,23 +40,23 @@ jobs:
 #          cosign-release: 'v2.6.0'
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push image to Docker Hub and GHCR
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
         id: push-all
         with:
           context: .
@@ -70,7 +70,7 @@ jobs:
             ghcr.io/wollomatic/socket-proxy:testing-${{ github.sha }}
 
 #      - name: Build and push Docker Hub image
-#        uses: docker/build-push-action@v6
+#        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 #        id: push-dockerhub
 #        with:
 #          context: .
@@ -88,7 +88,7 @@ jobs:
 #          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 #
 #      - name: Build and push GHCR image
-#        uses: docker/build-push-action@v6
+#        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 #        id: push-ghcr
 #        with:
 #          context: .
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile:1
-FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine3.23 AS build
+FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine3.23@sha256:d4c4845f5d60c6a974c6000ce58ae079328d03ab7f721a0734277e69905473e5 AS build
 WORKDIR /application
 COPY . ./
 ARG TARGETOS
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # socket-proxy
 
 ## Latest image
-- `wollomatic/socket-proxy:1.11.2` / `ghcr.io/wollomatic/socket-proxy:1.11.2`
+- `wollomatic/socket-proxy:1.11.3` / `ghcr.io/wollomatic/socket-proxy:1.11.3`
 - `wollomatic/socket-proxy:1` / `ghcr.io/wollomatic/socket-proxy:1`
 
 > [!IMPORTANT]
diff --git a/examples/docker-compose/dozzle/compose.yaml b/examples/docker-compose/dozzle/compose.yaml
@@ -24,7 +24,7 @@ services:
       - docker-proxynet
 
   dozzle:
-    image: amir20/dozzle:v8.14 # make sure you use the most recent version
+    image: amir20/dozzle:v10.0 # make sure you use the most recent version
     user: 65534:65534
     read_only: true
     mem_limit: 256M
diff --git a/examples/docker-compose/watchtower/compose.yaml b/examples/docker-compose/watchtower/compose.yaml
@@ -10,6 +10,7 @@ services:
       - '-allowGET=/v1\..{2}/(containers/.*|images/.*)'
       - '-allowPOST=/v1\..{2}/(containers/.*|images/.*|networks/.*)'
       - '-allowDELETE=/v1\..{2}/(containers/.*|images/.*)'
+      - '-allowHEAD=/_ping'
       # check socket connection every hour and stop the proxy if it fails (will then be restarted by docker):
       - '-watchdoginterval=3600'
       - '-stoponwatchdog'
@@ -29,7 +30,10 @@ services:
       - docker-proxynet
 
   watchtower:
-    image: containrrr/watchtower:1.7.1
+    # image: containrrr/watchtower:1.7.1
+    # https://github.com/containrrr/watchtower was archived on December 17, 2025.
+    # https://github.com/nicholas-fedor/watchtower is a maintained fork.
+    image: ghcr.io/nicholas-fedor/watchtower:1.14.2 # the containrrr repo is no longer maintained
     depends_on:
       - dockerproxy
     command:
diff --git a/go.mod b/go.mod
@@ -1,3 +1,3 @@
 module github.com/wollomatic/socket-proxy
 
-go 1.22.6
+go 1.26.0
diff --git a/internal/docker/api/types/network/endpoint.go b/internal/docker/api/types/network/endpoint.go
@@ -20,6 +20,5 @@ type EndpointSettings struct {
 
 // Copy makes a deep copy of `EndpointSettings`
 func (es *EndpointSettings) Copy() *EndpointSettings {
-	epCopy := *es
-	return &epCopy
+	return new(*es)
 }
diff --git a/internal/docker/client/request.go b/internal/docker/client/request.go
@@ -72,18 +72,15 @@ func (cli *Client) doRequest(req *http.Request) (*http.Response, error) {
 			return nil, err
 		}
 
-		var uErr *url.Error
-		if errors.As(err, &uErr) {
-			var nErr *net.OpError
-			if errors.As(uErr.Err, &nErr) {
+		if uErr, ok := errors.AsType[*url.Error](err); ok {
+			if nErr, ok2 := errors.AsType[*net.OpError](uErr.Err); ok2 {
 				if os.IsPermission(nErr.Err) {
 					return nil, errConnectionFailed{fmt.Errorf("permission denied while trying to connect to the Docker daemon socket at %v: %v", cli.host, err)}
 				}
 			}
 		}
 
-		var nErr net.Error
-		if errors.As(err, &nErr) {
+		if nErr, ok := errors.AsType[net.Error](err); ok {
 			if nErr.Timeout() {
 				return nil, connectionFailed(cli.host)
 			}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`module github.com/wollomatic/socket-proxy`
`2`	`2`
`3`		`-go 1.22.6`
	`3`	`+go 1.26.0`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,5 @@ type EndpointSettings struct {`
`20`	`20`
`21`	`21`	// Copy makes a deep copy of `EndpointSettings`
`22`	`22`	`func (es EndpointSettings) Copy() EndpointSettings {`
`23`		`- epCopy := *es`
`24`		`- return &epCopy`
	`23`	`+ return new(*es)`
`25`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -72,18 +72,15 @@ func (cli Client) doRequest(req http.Request) (*http.Response, error) {`
`72`	`72`	`return nil, err`
`73`	`73`	`}`
`74`	`74`
`75`		`- var uErr *url.Error`
`76`		`- if errors.As(err, &uErr) {`
`77`		`- var nErr *net.OpError`
`78`		`- if errors.As(uErr.Err, &nErr) {`
	`75`	`+ if uErr, ok := errors.AsType[*url.Error](err); ok {`
	`76`	`+ if nErr, ok2 := errors.AsType[*net.OpError](uErr.Err); ok2 {`
`79`	`77`	`if os.IsPermission(nErr.Err) {`
`80`	`78`	`return nil, errConnectionFailed{fmt.Errorf("permission denied while trying to connect to the Docker daemon socket at %v: %v", cli.host, err)}`
`81`	`79`	`}`
`82`	`80`	`}`
`83`	`81`	`}`
`84`	`82`
`85`		`- var nErr net.Error`
`86`		`- if errors.As(err, &nErr) {`
	`83`	`+ if nErr, ok := errors.AsType[net.Error](err); ok {`
`87`	`84`	`if nErr.Timeout() {`
`88`	`85`	`return nil, connectionFailed(cli.host)`
`89`	`86`	`}`