Add Mjolnir module and update workflow

Signed-off-by: Tommy <contact@tommytran.io>

.github/workflows/Build.yml

@@ -1,17 +1,17 @@
-name: build
+name: Build
 
 on:
   workflow_dispatch:
   push:
     branches: [ main ]
   schedule:
-    # Build the image regularly (each Friday)
-    - cron: '13 21 * * 5'
+    # Build the image regularly (each Saturday)
+    - cron: '0 22 * * 6'
 
 jobs:
   build:
     name: Build, scan & push
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-latest"
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
@@ -19,15 +19,15 @@ jobs:
       - name: Build an image from Dockerfile
         run: |
           docker build \
-              -t ghcr.io/wonderfall/synapse \
-              -t ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6) \
-              -t ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4) \
+              -t ghcr.io/tommytran732/synapse \
+              -t ghcr.io/tommytran732/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6) \
+              -t ghcr.io/tommytran732/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4) \
               .
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'ghcr.io/wonderfall/synapse'
+          image-ref: 'ghcr.io/tommytran732/synapse'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
@@ -46,6 +46,6 @@ jobs:
           
       - name: Push image to GitHub
         run: |
-          docker push ghcr.io/wonderfall/synapse
-          docker push ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6)
-          docker push ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4)
+          docker push ghcr.io/tommytran732/synapse
+          docker push ghcr.io/tommytran732/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6)
+          docker push ghcr.io/tommytran732/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4)

.github/workflows/Scan.yml

@@ -1,14 +1,14 @@
-name: scan
+name: Scan
 
 on:
   schedule:
     # Scan the image regularly (once a day)
-    - cron: '45 03 * * *'
+    - cron: '0 23 * * *'
 
 jobs:
-  build:
+  scan:
     name: Scan current image & report results
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-latest"
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
@@ -16,7 +16,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: 'ghcr.io/wonderfall/synapse'
+          image-ref: 'ghcr.io/tommytran732/synapse'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'

Dockerfile

@@ -1,17 +1,15 @@
 ARG SYNAPSE_VERSION=1.66.0
-ARG PYTHON_VERSION=3.10
-ARG ALPINE_VERSION=3.16
 ARG HARDENED_MALLOC_VERSION=11
 ARG UID=991
 ARG GID=991
 
 
 ### Build Hardened Malloc
-FROM alpine:${ALPINE_VERSION} as build-malloc
+FROM alpine:latest as build-malloc
 
 ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
-ARG VARIANT=light
+ARG VARIANT=default
 
 RUN apk --no-cache add build-base git gnupg && cd /tmp \
  && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \
@@ -21,8 +19,7 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
 
 
 ### Build Synapse
-ARG ALPINE_VERSION
-FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION} as builder
+FROM python:alpine as builder
 
 ARG SYNAPSE_VERSION
 
@@ -38,15 +35,14 @@ RUN apk -U upgrade \
         rustup \
         zlib-dev \
  && rustup-init -y && source $HOME/.cargo/env \
+ && pip install --upgrade pip \
  && pip install --prefix="/install" --no-warn-script-location \
         matrix-synapse[all]==${SYNAPSE_VERSION}
 
 
 ### Build Production
-ARG ALPINE_VERSION
-ARG PYTHON_VERSION
 
-FROM python:${PYTHON_VERSION}-alpine${ALPINE_VERSION}
+FROM python:alpine
 
 ARG UID
 ARG GID
@@ -63,15 +59,18 @@ RUN apk -U upgrade \
         zlib \
         tzdata \
         xmlsec \
+        git \
  && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" synapse \
  && rm -rf /var/cache/apk/*
 
+RUN pip install --upgrade pip \
+ && pip install -e "git+https://github.com/matrix-org/mjolnir.git#egg=mjolnir&subdirectory=synapse_antispam"
 
-COPY --from=build-malloc /tmp/hardened_malloc/out-light/libhardened_malloc-light.so /usr/local/lib/
+COPY --from=build-malloc /tmp/hardened_malloc/out/libhardened_malloc.so /usr/local/lib/
 COPY --from=builder /install /usr/local
 COPY --chown=synapse:synapse rootfs /
 
-ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc-light.so"
+ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
 
 USER synapse
 

README.md

@@ -1,17 +1,20 @@
-# wonderfall/synapse
+# tommytran732/synapse
+
+![Build, scan & push](https://github.com/tommytran732/Synapse-Docker/actions/workflows/Build.yml/badge.svg)
 
 ![Build, scan & push](https://github.com/wonderfall/docker-synapse/actions/workflows/build.yml/badge.svg)
 
 [Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python.
 
 ### Notes
-- Prebuilt images are available at `ghcr.io/wonderfall/synapse`.
+- Prebuilt images are available at `ghcr.io/tommytran732/synapse`.
 - Don't trust random images: build yourself if you can.
-- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/Wonderfall/docker-synapse/blob/main/Dockerfile#L1-L6).
-- Images from `ghcr.io` are built every week, and scanned every day for critical vulnerabilities.
+- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4).
+- Images from `ghcr.io` are built every week, and scanned every day for critical vulnerabilities with Trivy.
 
 ### Features & usage
 - Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker).
 - Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991.
 - Based on [Alpine](https://alpinelinux.org/), which provides more recent packages while having less attack surface.
 - Comes with a [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc), protecting against some heap-based buffer overflows.
+- [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.