Merge pull request 'fix(deps): pin dependencies' (#7) from renovate/pin-dependencies into main

Reviewed-on: #7

.gitea/workflows/build-and-publish.yml

@@ -3,51 +3,130 @@ name: Build and publish container
 on:
   push:
     branches: [main]
-    tags: ["v*"]
   pull_request:
     branches: [main]
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
+      contents: write
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          # Full history and tags are required to derive the next version
+          # from the conventional-commit messages since the last release.
+          fetch-depth: 0
 
       - name: Determine registry host
         run: echo "REGISTRY=${GITHUB_SERVER_URL#*://}" >> "$GITHUB_ENV"
 
+      # Derive the release version from conventional commits since the last
+      # v* tag: feat -> minor, fix/perf -> patch, ! or BREAKING CHANGE -> major.
+      # Anything else (chore, ci, docs, build) produces no release; those builds
+      # are published under a sha-<short> tag only.
+      - name: Compute version and image tags
+        id: version
+        run: |
+          set -euo pipefail
+          image="${REGISTRY}/${GITHUB_REPOSITORY,,}"
+
+          last_tag="$(git tag --list 'v*' --sort=-v:refname | head -n1 || true)"
+          if [ -n "$last_tag" ]; then
+            range="${last_tag}..HEAD"
+            base="${last_tag#v}"
+          else
+            range=""
+            base="0.0.0"
+          fi
+
+          subjects="$(git log ${range} --format='%s')"
+          bodies="$(git log ${range} --format='%B')"
+
+          bump="none"
+          if printf '%s\n' "$bodies" | grep -qiE 'BREAKING[ -]CHANGE' \
+             || printf '%s\n' "$subjects" | grep -qE '^[a-z]+([(][^)]*[)])?!:'; then
+            bump="major"
+          elif printf '%s\n' "$subjects" | grep -qE '^feat([(][^)]*[)])?:'; then
+            bump="minor"
+          elif printf '%s\n' "$subjects" | grep -qE '^(fix|perf)([(][^)]*[)])?:'; then
+            bump="patch"
+          fi
+
+          major="${base%%.*}"
+          rest="${base#*.}"
+          minor="${rest%%.*}"
+          patch="${rest##*.}"
+
+          release="false"
+          if [ "${GITHUB_EVENT_NAME}" = "push" ] && [ "$bump" != "none" ]; then
+            release="true"
+            case "$bump" in
+              major) major=$((major + 1)); minor=0; patch=0 ;;
+              minor) minor=$((minor + 1)); patch=0 ;;
+              patch) patch=$((patch + 1)) ;;
+            esac
+            version="${major}.${minor}.${patch}"
+            {
+              echo "tags<<__EOT__"
+              echo "${image}:${version}"
+              echo "${image}:${major}.${minor}"
+              echo "${image}:${major}"
+              echo "${image}:latest"
+              echo "__EOT__"
+            } >> "$GITHUB_OUTPUT"
+            echo "version=${version}" >> "$GITHUB_OUTPUT"
+          else
+            short="$(git rev-parse --short HEAD)"
+            {
+              echo "tags<<__EOT__"
+              echo "${image}:sha-${short}"
+              echo "__EOT__"
+            } >> "$GITHUB_OUTPUT"
+          fi
+          echo "release=${release}" >> "$GITHUB_OUTPUT"
+          echo "Computed bump=${bump}, release=${release}, base=${base}"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
+
       - name: Set up Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Log in to the Gitea container registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
+          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITEA_TOKEN }}
+          password: ${{ secrets.PACKAGES_TOKEN }}
-
-      - name: Extract image metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ github.repository }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=sha
-            type=raw,value=latest,enable={{is_default_branch}}
 
       - name: Build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          tags: ${{ steps.version.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: |
+            org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+
+      # Record the release as an annotated git tag so the next run computes the
+      # following version from it. This push does not re-trigger the workflow,
+      # which only listens on the main branch and pull requests.
+      - name: Tag the release
+        if: steps.version.outputs.release == 'true'
+        run: |
+          set -euo pipefail
+          v="v${{ steps.version.outputs.version }}"
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor }}@users.noreply.${REGISTRY}"
+          git tag -a "$v" -m "$v"
+          git push origin "$v"

Dockerfile

@@ -1,7 +1,7 @@
 # Lightweight, non-root nginx serving the static site.
 # Runs as user "nginx" and listens on 8080, ready to sit behind an
 # external reverse proxy that terminates TLS and forwards requests.
-FROM nginxinc/nginx-unprivileged:1.27-alpine-slim
+FROM nginxinc/nginx-unprivileged:1.31-alpine-slim@sha256:6616de6eaa82bc2ee3541fa287a8fca7dc7271e6374e9402014dbd13f4a980ae
 
 COPY default.conf /etc/nginx/conf.d/default.conf
 COPY --chown=nginx:nginx index.html styles.css script.js messages.js /usr/share/nginx/html/

README.md

@@ -45,13 +45,38 @@ docker run --rm -p 8080:8080 dlr
 ## CI
 
 `.gitea/workflows/build-and-publish.yml` builds the container with Gitea Actions
-and publishes it to this Gitea instance's container registry on pushes to `main`
+on every push to `main` and on pull requests. Pull requests build the image but
-and on `v*` tags. Pull requests build the image but do not push. Authentication
+do not push. The registry host is derived from the Gitea server URL. Images are
-uses the automatically provided `GITEA_TOKEN`; the registry host is derived from
+built for `linux/amd64` and `linux/arm64` (armv8) and published as a single
-the Gitea server URL.
+multi-arch manifest; the arm64 build runs under QEMU emulation.
 
-The published image is `<gitea-host>/<owner>/<repo>`, tagged by branch, semver
+Authentication requires a Personal Access Token with package read/write scope,
-(for `v*` tags), commit SHA, and `latest` on the default branch.
+because the automatically provided `GITEA_TOKEN` does not carry container
+registry write permission on most Gitea instances. Create the token under an
+account with write access to the target package namespace, then store it as a
+repository Actions secret named `PACKAGES_TOKEN`.
+
+### Automatic releases
+
+The published image is `<gitea-host>/<owner>/<repo>`. Releases are derived from
+[Conventional Commits](https://www.conventionalcommits.org/). On each push to
+`main`, the workflow inspects the commits since the last `v*` tag and computes
+the next version:
+
+- `feat:` → minor bump,
+- `fix:` / `perf:` → patch bump,
+- `!` or `BREAKING CHANGE` → major bump,
+- anything else (`chore`, `ci`, `docs`, `build`) → no release.
+
+When a release is warranted, the image is published with `X.Y.Z`, `X.Y`, `X` and
+`latest` tags, and the workflow records an annotated `vX.Y.Z` git tag so the next
+release is computed from it. Pushes to `main` that warrant no release are
+published under a `sha-<short>` tag only, so `latest` always points at the most
+recent release rather than the newest commit.
+
+Recording the release tag requires the workflow's `contents: write` permission;
+if the instance forbids the automatic token from pushing, supply a PAT with
+repository write scope and push the tag with it instead.
 
 ## Dependency updates
 
@@ -72,6 +97,10 @@ CDN, Renovate will track it if it is either annotated with a comment, e.g.
 or referenced through a versioned jsDelivr / unpkg npm URL, which is detected
 automatically.
 
+Renovate is configured to commit updates as `fix(deps): …`. Each merged Renovate
+PR therefore registers as a patch-level change, so the release workflow above
+cuts a new patch release and tags the image automatically.
+
 ## Files
 
 | File                                  | Purpose                                          |

messages.js

@@ -11,8 +11,13 @@
  */
 
 const MESSAGES = [
-  "PLACEHOLDER: write your first reason here",
+  "Maggie came back, she was unimpressed",
-  "PLACEHOLDER: write another reason here",
+  "They mixed up the B23s and the 2024 tube stock",
-  // Add as many entries as you like, one per line:
+  "The computer went on strike",
-  // "Your reason here",
+	"Leaves on the track",
+	"Escalators broke at Cutty Sark",
+	"EHRC decided it was woke",
+	"JK Rowling",
+	"Kaiju",
+	"28 Days Later happened",
 ];

renovate.json

@@ -6,21 +6,35 @@
     ":semanticCommits"
   ],
   "labels": ["renovate"],
+  "semanticCommits": "enabled",
+  "semanticCommitType": "fix",
+  "semanticCommitScope": "deps",
   "github-actions": {
-    "fileMatch": ["^\\.gitea/workflows/[^/]+\\.ya?ml$"]
+    "managerFilePatterns": ["/^\\.gitea/workflows/[^/]+\\.ya?ml$/"]
   },
   "packageRules": [
     {
       "description": "Group nginx base image updates",
       "matchManagers": ["dockerfile"],
       "groupName": "docker base image"
+    },
+    {
+      "description": "Commit every update as fix(deps) so each merged Renovate PR triggers a patch release. config:recommended pulls in :semanticPrefixFixDepsChoreOthers, which forces non-npm updates (Docker, Actions) to chore and would otherwise produce no release.",
+      "matchPackageNames": ["*"],
+      "semanticCommitType": "fix"
+    },
+    {
+      "description": "Auto-merge patch and minor updates once checks pass.",
+      "matchUpdateTypes": ["patch", "minor"],
+      "automerge": true
     }
   ],
+  "platformAutomerge": true,
   "customManagers": [
     {
       "customType": "regex",
       "description": "Update HTML dependencies annotated with a renovate comment, e.g. <!-- renovate: datasource=npm depName=bootstrap --> before the versioned URL",
-      "fileMatch": ["\\.html$"],
+      "managerFilePatterns": ["/\\.html$/"],
       "matchStrings": [
         "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( versioning=(?<versioning>\\S+))?[\\s\\S]*?(?<currentValue>v?\\d+\\.\\d+\\.\\d+[\\w.-]*)"
       ]
@@ -28,7 +42,7 @@
     {
       "customType": "regex",
       "description": "Auto-detect versioned jsDelivr / unpkg npm assets in HTML",
-      "fileMatch": ["\\.html$"],
+      "managerFilePatterns": ["/\\.html$/"],
       "matchStrings": [
         "https://cdn\\.jsdelivr\\.net/npm/(?<depName>@?[^@/]+(?:/[^@/]+)?)@(?<currentValue>\\d[^/\"']+)",
         "https://unpkg\\.com/(?<depName>@?[^@/]+(?:/[^@/]+)?)@(?<currentValue>\\d[^/\"']+)"

styles.css

@@ -10,7 +10,6 @@
 /* Modern DLR — turquoise/teal */
 [data-theme="modern"] {
   --bg: #00afaa;
-  --bg-accent: #007e7a;
   --surface: #ffffff;
   --text: #ffffff;
   --message: #ffffff;
@@ -20,14 +19,13 @@
   --button-active-text: #ffffff;
 }
 
-/* Original DLR — 1987 red and blue */
+/* Original DLR — 1987 red, white and blue */
 [data-theme="original"] {
-  --bg: #002b5c;
+  --bg: #c8102e;
-  --bg-accent: #c8102e;
+  --surface: #002b5c;
-  --surface: #f5f0e1;
   --text: #f5f0e1;
   --message: #f5f0e1;
-  --button-bg: #c8102e;
+  --button-bg: #002b5c;
   --button-text: #f5f0e1;
   --button-active-bg: #f5f0e1;
   --button-active-text: #002b5c;
@@ -44,7 +42,7 @@ body {
   flex-direction: column;
   font-family: var(--font-stack);
   color: var(--text);
-  background: linear-gradient(135deg, var(--bg) 0%, var(--bg-accent) 100%);
+  background: var(--bg);
   transition: background 0.4s ease, color 0.4s ease;
 }
 
@@ -65,10 +63,13 @@ body {
   padding: 1.5rem;
 }
 
+/* Segmented control: both options joined in one rounded container,
+   with the active segment filled. */
 .theme-toggle {
-  display: flex;
+  display: inline-flex;
-  gap: 0.5rem;
+  border: 2px solid var(--button-bg);
-  border: none;
+  border-radius: 999px;
+  overflow: hidden;
   margin: 0;
   padding: 0;
 }
@@ -77,19 +78,22 @@ body {
   font-family: inherit;
   font-size: 0.9rem;
   font-weight: 600;
-  padding: 0.5rem 1rem;
+  padding: 0.5rem 1.1rem;
-  border: 2px solid var(--button-bg);
+  border: none;
-  border-radius: 999px;
   background: transparent;
   color: var(--text);
   cursor: pointer;
   transition: background 0.2s ease, color 0.2s ease;
 }
 
+/* Divider between the two segments. */
+.theme-button + .theme-button {
+  border-left: 2px solid var(--button-bg);
+}
+
 .theme-button[aria-pressed="true"] {
   background: var(--button-active-bg);
   color: var(--button-active-text);
-  border-color: var(--button-active-bg);
 }
 
 .stage {