Fix failing multi-arch builds and pick up upstream reliability fixes

claude · claude · commit f6c0d2632638 · 2026-04-15T05:25:57.000Z
build.yaml: drop tags from the per-platform push step (they conflict with push-by-digest=true,push=true and cause all master-branch matrix jobs to fail on GHCR). The merge job already creates the :build and :<version>-build tags via buildx imagetools create. Also drop linux/arm/v7 from the matrix: proton-bridge's CGO deps (libfido2/cbor) don't cross-compile cleanly on 32-bit ARM and upstream doesn't target it. build/Dockerfile: add runtime libfido2-1 and libcbor0.10 (dynamically linked by the built binaries, previously missing), add pkg-config to the build stage (CGO needs it to find .pc files), add procps for the healthcheck, and add a HEALTHCHECK so orchestrators detect a crashed bridge. Pulled from shenxn#149, shenxn#134, shenxn#128. build/entrypoint.sh, deb/entrypoint.sh: remove stale /root/.gnupg/ S.gpg-agent* sockets on startup (fixes bridge failing to start after a container restart) and harden socat with fork,reuseaddr and nodelay for more reliable port forwarding. Pulled from shenxn#134. README.md: drop arm/v7 from the supported platforms list.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -14,7 +14,7 @@ on:
 
 env:
   GHCR_REPO: ghcr.io/illusorykitsune/protonmail-bridge-docker
-  PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64
+  PLATFORMS: linux/amd64,linux/arm64/v8,linux/riscv64
 
 jobs:
   test:
@@ -89,7 +89,6 @@ jobs:
         platform:
           - linux/amd64
           - linux/arm64/v8
-          - linux/arm/v7
           - linux/riscv64
     steps:
       - name: Checkout
@@ -133,9 +132,6 @@ jobs:
           outputs: type=image,"name=${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=true
           context: ./build
           file: ./build/Dockerfile
-          tags: |
-            "${{ env.GHCR_REPO }}:build"
-            "${{ env.GHCR_REPO }}:${{ env.version }}-build"
           provenance: false
           sbom: false
           build-args: |
diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@ ghcr.io/illusorykitsune/protonmail-bridge-docker
 Two image types are produced:
 
 - `deb` — based on the official [.deb release](https://proton.me/mail/bridge). `amd64` only.
-- `build` — built from [Proton Bridge source](https://github.com/ProtonMail/proton-bridge). Supports `amd64`, `arm64`, `arm/v7`, and `riscv64`.
+- `build` — built from [Proton Bridge source](https://github.com/ProtonMail/proton-bridge). Supports `amd64`, `arm64`, and `riscv64`.
 
 | tag                | description                         |
 | ------------------ | ----------------------------------- |
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -4,7 +4,7 @@ FROM debian:sid-slim AS build
 ARG version
 
 # Install dependencies
-RUN apt-get update && apt-get install -y golang build-essential libsecret-1-dev libfido2-dev libcbor-dev libssl-dev
+RUN apt-get update && apt-get install -y golang build-essential pkg-config libsecret-1-dev libfido2-dev libcbor-dev libssl-dev
 
 # Build
 ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
@@ -17,9 +17,12 @@ LABEL maintainer="Simon Felding <sife@adm.ku.dk>"
 EXPOSE 25/tcp
 EXPOSE 143/tcp
 
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=60s \
+    CMD pgrep -f proton-bridge >/dev/null || exit 1
+
 # Install dependencies and protonmail bridge
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 ca-certificates \
+    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 libcbor0.10 ca-certificates procps \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy bash scripts
diff --git a/build/entrypoint.sh b/build/entrypoint.sh
@@ -20,11 +20,17 @@ if [[ $1 == init ]]; then
 
 else
 
+    # Remove stale gpg-agent sockets left over from an unclean shutdown,
+    # otherwise the bridge fails to start after a container restart.
+    if [ -d /root/.gnupg ]; then
+        rm -f /root/.gnupg/S.gpg-agent*
+    fi
+
     # socat will make the conn appear to come from 127.0.0.1
     # ProtonMail Bridge currently expects that.
     # It also allows us to bind to the real ports :)
-    socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
-    socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+    socat TCP-LISTEN:25,fork,reuseaddr  TCP:127.0.0.1:1025,nodelay &
+    socat TCP-LISTEN:143,fork,reuseaddr TCP:127.0.0.1:1143,nodelay &
 
     # Start protonmail
     # Fake a terminal, so it does not quit because of EOF...
diff --git a/deb/entrypoint.sh b/deb/entrypoint.sh
@@ -34,11 +34,17 @@ if [[ $1 == init ]]; then
 
 else
 
+    # Remove stale gpg-agent sockets left over from an unclean shutdown,
+    # otherwise the bridge fails to start after a container restart.
+    if [ -d /root/.gnupg ]; then
+        rm -f /root/.gnupg/S.gpg-agent*
+    fi
+
     # socat will make the conn appear to come from 127.0.0.1
     # ProtonMail Bridge currently expects that.
     # It also allows us to bind to the real ports :)
-    socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
-    socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
+    socat TCP-LISTEN:25,fork,reuseaddr  TCP:127.0.0.1:1025,nodelay &
+    socat TCP-LISTEN:143,fork,reuseaddr TCP:127.0.0.1:1143,nodelay &
 
     # Start protonmail
     # Fake a terminal, so it does not quit because of EOF...
