Update Dockerfile.rootless

Specify UID:GID of nonroot user to fix issue with rootless database

.github/workflows/clear-stale-docker-images.yml

@@ -6,20 +6,47 @@ on:
   workflow_dispatch:
 
 jobs:
-  delete-untagged-images:
+  delete-old-images-main:
     name: Delete Untagged Images
     runs-on: ubuntu-latest
     permissions:
       packages: write
     steps:
-      - uses: dataaxiom/ghcr-cleanup-action@v1
+      - name: Fetch multi-platform package version SHAs
+        id: multi-arch-digests
+        run: |
+          package1=$(docker manifest inspect ghcr.io/sysadminsmedia/homebox | jq -r '.manifests.[] | .digest' | paste -s -d ' ' -)
+          echo "multi-arch-digests=$package1" >> $GITHUB_OUTPUT
+      - uses: snok/container-retention-policy@v3.0.0
         with:
-          dry-run: false
-          package: homebox
-          delete-ghost-images: true
-          delete-orphaned-images: true
-          delete-partial-images: true
-          delete-untagged: true
-          # Make sure to update this to include the latest major tags
-          exclude-tags: main,vnext,latest,0.*,1.*
-          older-than: 3 months
+          skip-shas: ${{ steps.multi-arch-digests.outputs.multi-arch-digests }}
+          # The type of account. Can be either 'org' or 'personal'.
+          account: sysadminsmedia 
+          # Image name to delete. Supports passing several names as a comma-separated list.
+          image-names: homebox
+          # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
+          cut-off: 90d
+          # Personal access token with read and delete scopes.
+          token: ${{ secrets.CLEANUP_PAT }}
+          # Restrict deletions to images without specific tags. Supports Unix-shell style wildcards
+          skip-tags: "!latest,!latest-rootless,!0.*,!0.*-rootless,!main,!main-rootless,!vnext,!vnext-rootless,!0,!0-rootless" # optional
+          # Do not actually delete images. Print output showing what would have been deleted.
+          dry-run: true # optional, default is false
+
+  delete-old-images-devcache:
+    name: Delete Cache Old Images
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: snok/container-retention-policy@v3.0.0
+        with:
+          # The type of account. Can be either 'org' or 'personal'.
+          account: sysadminsmedia 
+          image-names: devcache
+          # The cut-off for which to delete images older than. For example '2 days ago UTC'. Timezone is required.
+          cut-off: 90d
+          # Personal access token with read and delete scopes.
+          token: ${{ secrets.CLEANUP_PAT }}
+          # Do not actually delete images. Print output showing what would have been deleted.
+          dry-run: true # optional, default is false

.github/workflows/docker-publish-rootless.yaml

@@ -101,7 +101,10 @@ jobs:
           build-args: |
             VERSION=${{ github.ref_name }}
             COMMIT=${{ github.sha }}
-
+          provenance: true
+          sbom: true
+          annotations: ${{ steps.meta.outputs.annotations }}
+          
       - name: Export digest
         run: |
           mkdir -p /tmp/digests

.github/workflows/docker-publish.yaml

@@ -97,6 +97,9 @@ jobs:
           build-args: |
             VERSION=${{ github.ref_name }}
             COMMIT=${{ github.sha	}}
+          provenance: true
+          sbom: true
+          annotations: ${{ steps.meta.outputs.annotations }}
 
       - name: Export digest
         run: |

Dockerfile.rootless

@@ -67,7 +67,8 @@ ENV HBOX_STORAGE_SQLITE_URL=/data/homebox.db?_pragma=busy_timeout=2000&_pragma=j
 
 # Install necessary runtime dependencies
 RUN apk --no-cache add ca-certificates wget
-RUN addgroup -S nonroot && adduser -S nonroot -G nonroot
+# Create a nonroot user with UID/GID 65532
+RUN addgroup -g 65532 nonroot && adduser -u 65532 -G nonroot -S nonroot
 
 # Create application directory and copy over built Go binary
 RUN mkdir /app