Fix failing multi-arch runs; sync reliability fixes from upstream #2

Merged
IllusoryKitsune merged 1 commit into master from claude/fix-runs-sync-upstream-LZave
Apr 15, 2026

@IllusoryKitsune
Owner

Summary

Post-merge of #1, the build from source workflow failed on master (run #9) for every architecture:

  • amd64, arm64/v8, riscv64: failed to push ghcr.io/illusorykitsune/protonmail-bridge-docker:build by digest
  • arm/v7: make build-nogui vault-editor compile failure

This PR unbreaks the master-branch build and brings in the non-controversial upstream reliability fixes that were missing.

Root causes

  1. Push step is wrong. The build job specifies tags: alongside outputs: ...push-by-digest=true,...,push=true. The canonical multi-arch recipe has matrix jobs push only by digest — the merge job derives tags via docker/metadata-action and publishes them with buildx imagetools create. Four parallel jobs racing on the :build tag was being rejected by GHCR.
  2. arm/v7 cross-compile breaks. Proton Bridge's CGO deps (libfido2/cbor) don't cross-compile cleanly for 32-bit ARM with the current toolchain. Upstream proton-bridge doesn't officially target armv7 either.

Changes

.github/workflows/build.yaml

  • Drop linux/arm/v7 from the matrix and from the PLATFORMS env.
  • Remove the tags: block from the per-platform "Build and push by digest" step (merge job still produces :build and :<version>-build).

build/Dockerfile

  • Build stage: add pkg-config (CGO needs it to locate libfido2/cbor .pc files; not part of build-essential).

  • Runtime stage: add libfido2-1, libcbor0.10, procps. The bridge binaries are dynamically linked against libfido2/cbor — without these in the runtime image the built binary won't launch. procps is needed for pgrep below.

  • Add HEALTHCHECK so Docker/K8s can detect a crashed bridge.

    Pulled from upstream shenxn/protonmail-bridge-docker#149, #134, #128.

build/entrypoint.sh, deb/entrypoint.sh

  • Clean up stale /root/.gnupg/S.gpg-agent* sockets on startup (bridge refuses to start after unclean shutdowns otherwise).

  • Harden socat with fork,reuseaddr + nodelay for more reliable SMTP/IMAP forwarding.

    Pulled from upstream shenxn/protonmail-bridge-docker#134.

README.md

  • Drop arm/v7 from the supported-platform list.

Upstream items intentionally not included

  • #146 full build rewrite — experimental, invasive, still open upstream.
  • #110 rootless support — changes defaults and volume paths; belongs in its own PR.
  • #122 IPv6-only listener — dual-stack on Linux already works via default TCP-LISTEN; switching to TCP6-LISTEN breaks with net.ipv6.bindv6only=1.

Test plan

  • This PR runs the test job (single-arch amd64 build + Trivy scan) and deb job — both should stay green. The Dockerfile/entrypoint changes are exercised by those builds.
  • After merge, the build from source run on master should succeed on all three remaining arches (amd64, arm64/v8, riscv64) and the merge job should publish ghcr.io/illusorykitsune/protonmail-bridge-docker:build and :v3.23.1-build manifest lists.
  • Smoke-test the resulting image: docker run --rm ghcr.io/illusorykitsune/protonmail-bridge-docker:build /protonmail/proton-bridge --version should print a version string (proves libfido2-1/libcbor0.10 are present at runtime).
  • docker inspect --format '{{json .Config.Healthcheck}}' <image> shows the new healthcheck.

https://claude.ai/code/session_01GReisMWDRKaVU49RuzvnrL

build.yaml: drop tags from the per-platform push step (they conflict
with push-by-digest=true,push=true and cause all master-branch matrix
jobs to fail on GHCR). The merge job already creates the :build and
:<version>-build tags via buildx imagetools create. Also drop linux/arm/v7
from the matrix: proton-bridge's CGO deps (libfido2/cbor) don't
cross-compile cleanly on 32-bit ARM and upstream doesn't target it.

build/Dockerfile: add runtime libfido2-1 and libcbor0.10 (dynamically
linked by the built binaries, previously missing), add pkg-config to
the build stage (CGO needs it to find .pc files), add procps for the
healthcheck, and add a HEALTHCHECK so orchestrators detect a crashed
bridge. Pulled from shenxn#149, shenxn#134, shenxn#128.

build/entrypoint.sh, deb/entrypoint.sh: remove stale /root/.gnupg/
S.gpg-agent* sockets on startup (fixes bridge failing to start after
a container restart) and harden socat with fork,reuseaddr and nodelay
for more reliable port forwarding. Pulled from
shenxn#134.

README.md: drop arm/v7 from the supported platforms list.
@IllusoryKitsune IllusoryKitsune marked this pull request as ready for review April 15, 2026 05:31
@IllusoryKitsune IllusoryKitsune merged commit 3c1141b into master Apr 15, 2026
10 checks passed
@IllusoryKitsune IllusoryKitsune deleted the claude/fix-runs-sync-upstream-LZave branch April 15, 2026 05:31
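
The push conflict named under "Root causes" can be caught before a run with a small lint, shown here as an added example that is not part of this PR or the repository. It is a line-based scan rather than a YAML parser, and the function names, the ghcr.io/example/app image and the sample workflow are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): line-based scan, not a full YAML parser.
# Prints the name of each step that sets `tags:` and push-by-digest=true.
find_tagged_digest_pushes() {   # reads a workflow file, or stdin if none given
  awk '
    function flush() {
      if (in_step && has_tags && has_digest) print name
      in_step = 0; has_tags = 0; has_digest = 0; name = "(unnamed step)"
    }
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                  # drop trailing comment
      if (line ~ /^[ \t]*(#.*)?$/) next            # blank or comment-only
      if (line ~ /^[ \t]*-[ \t]+(name|id|if|uses|run):/) {
        flush(); in_step = 1                       # a new step begins
        match(line, /^[ \t]*-[ \t]+/); key_col = RLENGTH
      } else {
        match(line, /^[ \t]*/)
        if (in_step && RLENGTH < key_col) flush()  # dedent: step ended
      }
      indent = RLENGTH; line = substr(line, indent + 1)
      if (!in_step) next
      if (indent == key_col && line ~ /^name:/) {
        sub(/^name:[ \t]*/, "", line); name = line
      } else if (line ~ /^tags:/) has_tags = 1
      if (line ~ /push-by-digest=true/) has_digest = 1
    }
    END { flush() }
  ' "${1:--}"
}

sample_workflow() {   # constructed input, not the repository build.yaml
  cat <<'EOF'
  build:
    steps:
      - name: Build and push by digest
        uses: docker/build-push-action@v6
        with:
          tags: ghcr.io/example/app:build   # conflicts with push-by-digest
          outputs: type=image,name=ghcr.io/example/app,push-by-digest=true,push=true
  merge:
    steps:
      - name: Docker meta
        uses: docker/metadata-action@v5
        with:
          tags: type=raw,value=build
EOF
}
sample_workflow | find_tagged_digest_pushes   # prints: Build and push by digest
```

The `tags:` input of the metadata step in the merge job is not flagged, because that step does not push by digest.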