From 40350b3e2b5c34068fcbaf3785e18a5c1041425a Mon Sep 17 00:00:00 2001 From: Ronni Skansing Date: Tue, 14 Oct 2025 22:04:37 +0200 Subject: [PATCH] Testing ghcr build --- .github/workflows/release.yml | 26 +++++++++++++++ .github/workflows/test-build.yml | 27 +++++++++++++++ Dockerfile.release | 57 ++++++++++++++++++++++++++++++++ config.docker.json | 30 +++++++++++++++++ docker-compose.production.yml | 26 +++++++++++++++ 5 files changed, 166 insertions(+) create mode 100644 Dockerfile.release create mode 100644 config.docker.json create mode 100644 docker-compose.production.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 67ddc77..2e56ee7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + packages: write steps: - name: Checkout code uses: actions/checkout@v4 @@ -19,6 +20,13 @@ jobs: - name: Set up Docker uses: docker/setup-buildx-action@v3 + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract version from tag id: get_version run: | 
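Review bot: `docker/login-action@v3` is referenced by a mutable tag and is handed `secrets.GITHUB_TOKEN` in what appears to be the job whose permissions the previous hunk extends to `contents: write` plus `packages: write`. If that tag is ever moved, the new code runs with rights to publish releases and images. Pin the action to a full commit SHA and keep the version as a comment, e.g. `uses: docker/login-action@<full-commit-sha> # v3` (placeholder; take the SHA from the action's release page). The same applies to `docker/build-push-action@v5` in the later hunk of this file and to both actions in `.github/workflows/test-build.yml`.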
@@ -129,6 +137,24 @@ jobs: --title "PhishingClub ${{ steps.get_version.outputs.TAG }}" \ --notes "${{ steps.get_release_notes.outputs.NOTES }}" + - name: Build and push Docker image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.release + push: true + tags: | + ghcr.io/${{ github.repository }}:latest + ghcr.io/${{ github.repository }}:${{ steps.get_version.outputs.VERSION }} + ghcr.io/${{ github.repository }}:${{ steps.get_version.outputs.TAG }} + labels: | + org.opencontainers.image.title=PhishingClub + org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} + org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} + org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }} + org.opencontainers.image.created=${{ github.event.head_commit.timestamp }} + org.opencontainers.image.revision=${{ github.sha }} + - name: Notify about release run: | curl -d "phishingclub version ${{ steps.get_version.outputs.VERSION }} has been released on GitHub" https://ntfy.sh/phishing_club_released diff --git a/.github/workflows/test-build.yml b/.github/workflows/test-build.yml index 00777ec..9551c8b 100644 --- a/.github/workflows/test-build.yml +++ b/.github/workflows/test-build.yml @@ -9,6 +9,9 @@ on: jobs: test-build: runs-on: ubuntu-latest + permissions: + contents: read + packages: write steps: - name: Checkout code uses: actions/checkout@v4 @@ -18,6 +21,13 @@ jobs: - name: Set up Docker uses: docker/setup-buildx-action@v3 + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract version info id: get_version run: | 
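Review bot: In `.github/workflows/release.yml` the `Build and push Docker image` step sits after what appears to be the release-creation command (the context lines above it end with `--title` and `--notes`). A failed build or registry push therefore leaves a published release with no matching `ghcr.io` image. Moving this step ahead of the release creation, or keeping the release a draft until the push succeeds, keeps the two in step. The `:latest` tag is also moved on every tag this workflow handles; if pre-release tags can trigger it (the trigger is outside the hunk), consider adding `latest` only for final versions.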
@@ -100,6 +110,23 @@ jobs: echo "✅ Package created without signature" fi + - name: Build and push test Docker image + uses: docker/build-push-action@v5 + with: + context: . + file: ./Dockerfile.release + push: true + tags: | + ghcr.io/${{ github.repository }}:test-${{ steps.get_version.outputs.HASH }} + ghcr.io/${{ github.repository }}:test-latest + labels: | + org.opencontainers.image.title=PhishingClub-Test + org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }} + org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }} + org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }} + org.opencontainers.image.created=${{ github.event.head_commit.timestamp }} + org.opencontainers.image.revision=${{ github.sha }} + - name: Verify build artifacts run: | echo "=== Build Summary ===" diff --git a/Dockerfile.release b/Dockerfile.release new file mode 100644 index 0000000..5bdf9dd --- /dev/null +++ b/Dockerfile.release 
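Review bot: `push: true` in `Build and push test Docker image` is unconditional, so every run of the test workflow publishes a `test-<hash>` tag and moves `test-latest` in the same `ghcr.io/${{ github.repository }}` package that holds the release images. The workflow's `on:` triggers are outside the hunk; if it runs for pull requests, unreviewed code is published under the project's name, and runs from forks, whose token is read-only, would fail at the login step. Gate publishing on the event, e.g. `push: ${{ github.event_name != 'pull_request' }}`, and put the matching `if:` on the login step. The job-level `packages: write` added earlier in this file is then only exercised when an image is really meant to be published.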
@@ -0,0 +1,57 @@
+# production dockerfile for release builds
+FROM debian:12-slim
+
+# install ca-certificates for https requests
+RUN apt-get update && \
+ apt-get install -y ca-certificates tzdata && \
+ rm -rf /var/lib/apt/lists/*
+
+# create non-root user
+RUN groupadd -g 1000 appuser && \
+ useradd -r -u 1000 -g appuser appuser
+
+# create app and data directories
+WORKDIR /app
+RUN mkdir -p /app/data && \
+ mkdir -p /app/config
+
+# copy the binary from build context
+COPY build/phishingclub /app/phishingclub
+
+# copy docker-friendly config
+COPY config.docker.json /app/config.docker.json
+
+# create entrypoint script
+RUN cat > /app/entrypoint.sh << 'EOF'
+#!/bin/sh
+
+# check if config exists, if not use docker-friendly default
+if [ ! -f /app/config/config.json ]; then
+ echo "🔧 No config found, using Docker-friendly default (non-privileged ports)..."
+ cp /app/config.docker.json /app/config/config.json
+ echo "✅ Docker config copied to /app/config/config.json"
+ echo "💡 You can mount your own config at /app/config/config.json to override"
+fi
+
+# start the application
+exec /app/phishingclub --config /app/config/config.json --files /app/data "$@"
+EOF
+
+# make scripts executable
+RUN chmod +x /app/phishingclub && \
+ chmod +x /app/entrypoint.sh
+
+# change ownership to appuser
+RUN chown -R appuser:appuser /app
+
+# switch to non-root user
+USER appuser
+
+# expose ports (using non-privileged ports by default)
+EXPOSE 8080 8443 8000
+
+# create volumes for config and data
+VOLUME ["/app/config", "/app/data"]
+
+# use entrypoint script
+ENTRYPOINT ["/app/entrypoint.sh"]
diff --git a/config.docker.json b/config.docker.json
new file mode 100644
index 0000000..b407c82
--- /dev/null
+++ b/config.docker.json
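Review bot: `RUN chown -R appuser:appuser /app` hands the runtime user ownership of `/app/phishingclub` and `/app/entrypoint.sh`, so a process compromised at runtime can overwrite the code the container will be restarted with. As far as the visible flags show, only the two writable directories need to belong to `appuser`: `RUN chown -R appuser:appuser /app/config /app/data`. The generated entrypoint also has no `set -e`, so if the `cp` into `/app/config` fails (for example a bind-mounted directory not writable by uid 1000) the script still reaches `exec` with a missing config; adding `set -e` after `#!/bin/sh` makes that failure visible. `FROM debian:12-slim` could additionally be pinned by digest so release images are rebuilt from a known base.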
@@ -0,0 +1,30 @@
+{
+ "acme": {
+ "email": ""
+ },
+ "administration": {
+ "tls_host": "localhost",
+ "tls_auto": false,
+ "tls_cert_path": "/app/data/certs/admin/public.pem",
+ "tls_key_path": "/app/data/certs/admin/private.pem",
+ "address": "0.0.0.0:8000",
+ "ip_allow_list": []
+ },
+ "phishing": {
+ "http": "0.0.0.0:8080",
+ "https": "0.0.0.0:8443"
+ },
+ "database": {
+ "engine": "sqlite3",
+ "dsn": "file:/app/data/db.sqlite3"
+ },
+ "log": {
+ "path": "",
+ "errorPath": ""
+ },
+ "ip_security": {
+ "admin_allowed": [],
+ "trusted_proxies": [],
+ "trusted_ip_header": ""
+ }
+}
diff --git a/docker-compose.production.yml b/docker-compose.production.yml
new file mode 100644
index 0000000..6da179c
--- /dev/null
+++ b/docker-compose.production.yml
@@ -0,0 +1,26 @@
+# PhishingClub Production Docker Compose
+version: "3.8"
+
+services:
+ phishingclub:
+ image: ghcr.io/phishingclub/phishingclub:latest
+
+ container_name: phishingclub
+ restart: unless-stopped
+
+ # Mount config and data directories
+ volumes:
+ - ./config:/app/config
+ - ./data:/app/data
+
+ ports:
+ - "80:8080" # HTTP phishing server
+ - "443:8443" # HTTPS phishing server
+ - "8000:8000" # Admin interface
+
+ networks:
+ - phishingclub
+
+networks:
+ phishingclub:
+ driver: bridge
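Review bot: In `docker-compose.production.yml`, `- "8000:8000"` publishes the admin interface on every host interface. Meanwhile `config.docker.json` above ships `administration.address` as `0.0.0.0:8000` with `ip_allow_list` and `ip_security.admin_allowed` both empty, which presumably means no source restriction. Binding the published port to loopback by default, `- "127.0.0.1:8000:8000" # Admin interface`, leaves operators to open it deliberately or reach it through a tunnel or reverse proxy. `image: ghcr.io/phishingclub/phishingclub:latest` also makes a production deployment follow whatever the tag points to at pull time; pinning a release version or digest keeps upgrades explicit.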