From 7ee796ce4b4e59f6f64ebbdda4456106acdbcf8a Mon Sep 17 00:00:00 2001
From: titanz <titanz@pm.me>
Date: Sat, 8 Feb 2025 22:37:31 +0100
Subject: [PATCH] Initial commit

---
 .gitea/workflows/build.yml | 109 +++++++++++++++++++++++++++++++++++++
 Dockerfile                 |  22 ++++++++
 README.md                  |  15 +++++
 3 files changed, 146 insertions(+)
 create mode 100644 .gitea/workflows/build.yml
 create mode 100644 Dockerfile
 create mode 100644 README.md

diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
new file mode 100644
index 0000000..378f23d
--- /dev/null
+++ b/.gitea/workflows/build.yml
@@ -0,0 +1,109 @@
+name: Build
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - development
+    # Ignore Markdown files
+    paths-ignore:
+      - '**.md'
+  schedule:
+    # Build the image daily
+    - cron: '15 0 * * *'
+
+env:
+  REGISTRY: git.conorz.at
+  IMAGE_NAME: titanz-containers/ghost
+  TAG: latest
+
+jobs:
+  build:
+    name: Build & push new image
+    permissions:
+      contents: read
+      packages: write
+    timeout-minutes: 10
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # Add support for more platforms with QEMU
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.ACTIONS_TOKEN }}
+
+      - name: Set Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            ${{ env.TAG }}
+
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+#  trivy:
+#    name: Scan current image with Trivy
+#    needs: build
+#    permissions:
+#      security-events: write
+#    timeout-minutes: 10
+#    runs-on: ubuntu-24.04
+#    steps:
+#      - name: Run Trivy vulnerability scanner
+#        uses: aquasecurity/trivy-action@master
+#        with:
+#          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+#          format: template
+#          template: '@/contrib/sarif.tpl'
+#          output: trivy-results.sarif
+#          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+#          vuln-type: os,library
+
+#      - name: Upload Trivy scan results to GitHub Security tab
+#        uses: github/codeql-action/upload-sarif@v3
+#        with:
+#          sarif_file: trivy-results.sarif
+#          category: trivy
+
+#  grype:
+#    name: Scan current image with Grype
+#    needs: build
+#    permissions:
+#      security-events: write
+#    timeout-minutes: 10
+#    runs-on: ubuntu-24.04
+#    steps:
+#      - name: Run Grype vulnerability scanner
+#        uses: anchore/scan-action@v6
+#        id: grype
+#        with:
+#          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }}
+#          fail-build: false
+
+#      - name: Upload Grype scan results to GitHub Security tab
+#        uses: github/codeql-action/upload-sarif@v3
+#        with:
+#          sarif_file: ${{ steps.grype.outputs.sarif }}
+#          category: grype
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7658c28
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+ARG VERSION=5.109.2
+ARG UID=200003
+ARG GID=200003
+
+FROM ghost:${VERSION}-alpine
+
+LABEL maintainer="Lukas Raub titanz@pm.me"
+
+ARG UID
+ARG GID
+
+RUN apk -U upgrade \
+    && apk add libstdc++ shadow
+
+RUN --network=none \
+    addgroup -g ${GID} ghost \
+    && adduser -g ${GID} --ingroup ghost --disabled-password --system ghost
+
+USER ghost
+
+COPY --from=git.conorz.at/titanz-containers/hardened_malloc:latest /install /usr/local/lib/
+ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so"
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e2951e0
--- /dev/null
+++ b/README.md
@@ -0,0 +1,15 @@
+# ghost
+
+![Build, scan & push](https://git.conorz.at/titanz-containers/ghost/actions/workflows/build.yml/badge.svg)
+
+### Features & usage
+- Built on the [official Alpine-based image](https://github.com/docker-library/ghost/tree/master/5/alpine), to be used as a drop-in replacement.
+- Unprivileged image: you should check your volumes' permissions (eg `/var/lib/ghost/content`), default UID/GID is 200003. Default port is 2368/tcp.
+
+### Sample Docker Compose config
+
+See this [link](https://git.conorz.at/titanz/Docker-Compose-Files/src/branch/development/ghost).
+
+### Licensing
+- ghost is under the MIT license. Copyright to ghost belongs to Ghost Foundation.
+- Any image built by titanz containers is provided under the combination of license terms resulting from the use of individual packages.