fix: use scoped caches for each image

fix: remove quotes from release action ldflags
chore(deps): bump alpine from 3.23 to 3.24 (#931 )
2026-06-16 16:30:23 +00:00 · 2026-06-16 15:41:44 +03:00 · 2026-06-16 15:16:44 +03:00 · 2026-06-16 15:08:27 +03:00 · 2026-06-16 15:06:15 +03:00 · 2026-06-16 15:05:54 +03:00
6 changed files with 102 additions and 27 deletions
@@ -16,7 +16,7 @@ jobs:
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
        with:
          package_json_file: ./frontend/package.json

@@ -60,7 +60,7 @@ jobs:
          ref: nightly

      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
        with:
          package_json_file: ./frontend/package.json

@@ -105,7 +105,7 @@ jobs:
          ref: nightly

      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
        with:
          package_json_file: ./frontend/package.json

@@ -173,8 +173,8 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-amd64
+          cache-to: type=gha,mode=max,scope=buildkit-amd64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -232,8 +232,8 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-distroless-amd64
+          cache-to: type=gha,mode=max,scope=buildkit-distroless-amd64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -289,8 +289,8 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-arm64
+          cache-to: type=gha,mode=max,scope=buildkit-arm64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -348,8 +348,8 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-distroless-arm64
+          cache-to: type=gha,mode=max,scope=buildkit-distroless-arm64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
@@ -36,7 +36,7 @@ jobs:
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
        with:
          package_json_file: ./frontend/package.json

@@ -78,7 +78,7 @@ jobs:
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Setup pnpm
-        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
+        uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
        with:
          package_json_file: ./frontend/package.json

@@ -143,14 +143,14 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-amd64
+          cache-to: type=gha,mode=max,scope=buildkit-amd64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"
+            LDFLAGS=-s -w

      - name: Export digest
        run: |
@@ -200,14 +200,14 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-distroless-amd64
+          cache-to: type=gha,mode=max,scope=buildkit-distroless-amd64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"
+            LDFLAGS=-s -w

      - name: Export digest
        run: |
@@ -255,14 +255,14 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-arm64
+          cache-to: type=gha,mode=max,scope=buildkit-arm64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"
+            LDFLAGS=-s -w

      - name: Export digest
        run: |
@@ -312,14 +312,14 @@ jobs:
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          cache-from: type=gha,scope=buildkit-distroless-arm64
+          cache-to: type=gha,mode=max,scope=buildkit-distroless-arm64
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
-            LDFLAGS="-s -w"
+            LDFLAGS=-s -w

      - name: Export digest
        run: |
@@ -38,6 +38,6 @@ jobs:
          retention-days: 5

      - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4
+        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
        with:
          sarif_file: results.sarif
@@ -46,7 +46,7 @@ RUN CGO_ENABLED=0 go build -ldflags "${LDFLAGS} \
    -X github.com/tinyauthapp/tinyauth/internal/model.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth

 # Runner
-FROM alpine:3.23 AS runner
+FROM alpine:3.24 AS runner

 WORKDIR /tinyauth

@@ -3,12 +3,27 @@ package controller
 import (
 	"fmt"
 	"net/http"
+	"net/url"
+	"slices"
+	"strings"

 	"github.com/gin-gonic/gin"
 	"github.com/tinyauthapp/tinyauth/internal/service"
 	"go.uber.org/dig"
 )

+const OpenIDConnectRel = "http://openid.net/specs/connect/1.0/issuer"
+
+type WebfingerResponseLink struct {
+	Rel  string `json:"rel,omitempty"`
+	Href string `json:"href"`
+}
+
+type WebfingerResponse struct {
+	Subject string                  `json:"subject"`
+	Links   []WebfingerResponseLink `json:"links"`
+}
+
 type OpenIDConnectConfiguration struct {
 	Issuer                                 string   `json:"issuer"`
 	AuthorizationEndpoint                  string   `json:"authorization_endpoint"`
@@ -45,6 +60,7 @@ func NewWellKnownController(i WellKnownControllerInput) *WellKnownController {

 	i.RouterGroup.GET("/.well-known/openid-configuration", controller.OpenIDConnectConfiguration)
 	i.RouterGroup.GET("/.well-known/jwks.json", controller.JWKS)
+	i.RouterGroup.GET("/.well-known/webfinger", controller.WebFinger)

 	return controller
 }
@@ -105,3 +121,62 @@ func (controller *WellKnownController) JWKS(c *gin.Context) {

 	c.Status(http.StatusOK)
 }
+
+func (controller *WellKnownController) WebFinger(c *gin.Context) {
+	c.Header("Content-Type", "application/jrd+json")
+	c.Header("Access-Control-Allow-Origin", "*")
+
+	resource := c.Query("resource")
+
+	if !controller.validateWebFingerResource(resource) {
+		c.JSON(400, gin.H{
+			"status":  400,
+			"message": "invalid resource",
+		})
+		return
+	}
+
+	res := WebfingerResponse{
+		Subject: resource,
+		Links:   []WebfingerResponseLink{},
+	}
+
+	rel := c.Request.URL.Query()["rel"]
+
+	if controller.oidc != nil && (len(rel) == 0 || slices.Contains(rel, OpenIDConnectRel)) {
+		res.Links = append(res.Links, WebfingerResponseLink{Rel: OpenIDConnectRel, Href: controller.oidc.GetIssuer()})
+	}
+
+	c.JSON(200, res)
+}
+
+func (controller *WellKnownController) validateWebFingerResource(resource string) bool {
+	prefix, suffix, found := strings.Cut(resource, ":")
+
+	if !found {
+		return false
+	}
+
+	switch prefix {
+	case "acct":
+		if strings.Count(suffix, "@") != 1 {
+			return false
+		}
+		username, domain, found := strings.Cut(suffix, "@")
+		if !found || username == "" || domain == "" {
+			return false
+		}
+	case "https", "http":
+		u, err := url.Parse(resource)
+		if err != nil {
+			return false
+		}
+		if u.Host == "" {
+			return false
+		}
+	default:
+		return false
+	}
+
+	return true
+}
Author	SHA1	Message	Date
Stavros	905f67292c	fix: use scoped caches for each image	2026-06-16 15:41:44 +03:00
Stavros	6ed5c2d0a0	fix: remove quotes from release action ldflags	2026-06-16 15:16:44 +03:00
dependabot[bot]	9dd4515464	chore(deps): bump alpine from 3.23 to 3.24 (#931 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-16 15:08:27 +03:00
dependabot[bot]	40bcc7d9d8	chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (#926 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-16 15:06:15 +03:00
dependabot[bot]	556096cdb8	chore(deps): bump pnpm/action-setup from 6.0.8 to 6.0.9 (#942 ) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-06-16 15:05:54 +03:00
Stavros	c825d81b2d	feat: add support for webfinger (#941 )	2026-06-16 15:05:11 +03:00