update rocket.chat

[sampaiodiego]

No description provided.

[github-actions]

Diff for e58b973:

diff --git a/_bashbrew-cat b/_bashbrew-cat
index 6660df3..cd97e34 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,5 +1,6 @@
 Maintainers: Rocket.Chat Image Team <buildmaster@rocket.chat> (@RocketChat)
 GitRepo: https://github.com/RocketChat/Docker.Official.Image.git
+GitFetch: refs/heads/main
 
 Tags: 6.8.7, 6.8
 GitCommit: 3a4113f1de4aa921dfe26c53f88b4d1f59fac3f5
@@ -26,5 +27,5 @@ GitCommit: 3a4113f1de4aa921dfe26c53f88b4d1f59fac3f5
 Directory: 6.13
 
 Tags: 7.0.0, 7.0, 7, latest
-GitCommit: 3a4113f1de4aa921dfe26c53f88b4d1f59fac3f5
+GitCommit: de2e3d91dcd18296cb0edbe37620c23e809376d5
 Directory: 7.0
diff --git a/rocket.chat_latest/Dockerfile b/rocket.chat_latest/Dockerfile
index 5674a5b..b7e47f3 100644
--- a/rocket.chat_latest/Dockerfile
+++ b/rocket.chat_latest/Dockerfile
@@ -57,6 +57,9 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
   | xargs -r apt-mark manual \
   && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false
 
+# Deno installation based on https://github.com/denoland/deno_docker?tab=readme-ov-file#using-your-own-base-image
+COPY --from=denoland/deno:bin-1.37.1 /deno /usr/local/bin/deno
+
 RUN groupadd -r rocketchat \
   && useradd -r -g rocketchat rocketchat \
   && mkdir -p /app/uploads \

Relevant Maintainers:

• rocket.chat: @RocketChat

[sampaiodiego]

need help on how to proceed with the following error https://github.com/docker-library/official-images/actions/runs/12054469860/job/33612565432?pr=17982#step:4:11

is this something we can't do? or I just need to specify an architecture? if we can't do that, I can do what they do on their Dockerfile..

for context, this is the new code that triggered the error:

COPY --from=denoland/deno:bin-1.37.1 /deno /usr/local/bin/deno

[tianon]

Yep, unfortunately that's not something we can allow 😅; https://github.com/docker-library/official-images#repeatability

No official images can be derived from, or depend on, non-official images

The code in their Dockerfile is also not acceptable 🙈 Instead of relying on TARGETARCH, it should be doing userspace architecture detection (dpkg --print-architecture / apk --print-arch), and ought to include some kind of validation of the downloaded binary (checksum, signature, etc).

---

However, given it's for an otherwise optional plugin, is it really something you want installed by default for all users? See https://github.com/docker-library/docs/blob/388c9515404a569d8eea75ae9a3c2e6b3b7a3dee/wordpress/README.md#adding-additional-libraries--extensions for an example of how we handle this in images like WordPress (that have a similar problem, where it's unreasonable for us to include everything users might need for every plugin they might install 😅).

Ultimately it's up to you, but I want to make sure you're aware it's a tradeoff (it's ~easy for users to add more things to an image they consume, but it's somewhere between hard and impossible for them to remove things due to the immutable nature of container images). ❤️

[sampaiodiego]

thx @tianon for the very detailed explanation.. for some reason I thought that rule would apply only to FROM command but not for a COPY 🤦 but it makes sense..

for this case I'll need to come up with a solution to install Deno, since it is a mandatory dependency for something crucial to Rocket.Chat.. I'll probably open a PR on our repo and ask for help there if that's ok.. tia

[sampaiodiego]

closing in favor of #17984 created by the new automation