Global enhancements

.dockerignore

@@ -0,0 +1 @@
+/dist

.github/SUPPORT.md

@@ -0,0 +1,35 @@
+# Support [![](https://isitmaintained.com/badge/resolution/tianon/gosu.svg)](https://isitmaintained.com/project/tianon/gosu)
+
+First, [be a good guy](https://github.com/kossnocorp/etiquette/blob/master/README.md).
+
+## Reporting an issue
+
+Please do a search in [open issues](https://github.com/tianon/gosu/issues?utf8=%E2%9C%93&q=) to see if the issue
+or feature request has already been filed.
+
+If you find your issue already exists, make relevant comments and add your
+[reaction](https://github.com/blog/2119-add-reactions-to-pull-requests-issues-and-comments). Use a reaction in
+place of a "+1" comment.
+
+:+1: - upvote
+
+:-1: - downvote
+
+If you cannot find an existing issue that describes your bug or feature, submit an issue using the guidelines below.
+
+## Writing good bug reports and feature requests
+
+File a single issue per problem and feature request.
+
+* Do not enumerate multiple bugs or feature requests in the same issue.
+* Do not add your issue as a comment to an existing issue unless it's for the identical input. Many issues look similar, but have different causes.
+
+The more information you can provide, the more likely someone will be successful reproducing the issue and finding
+a fix.
+
+You are now ready to [create a new issue](https://github.com/tianon/gosu/issues/new/choose)!
+
+## Closure policy
+
+* Issues that don't have the information requested above (when applicable) will be closed immediately and the poster directed to the support guidelines.
+* Issues that go a week without a response from original poster are subject to closure at my discretion.

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    open-pull-requests-limit: 10
+    directory: "/"
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "github-actions"
+    open-pull-requests-limit: 10
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/build.yml

@@ -0,0 +1,119 @@
+name: build
+
+on:
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*'
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    branches:
+      - 'master'
+    paths-ignore:
+      - '**.md'
+
+env:
+  DOCKERHUB_SLUG: tianon/gosu
+  GHCR_SLUG: ghcr.io/tianon/gosu
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Docker meta
+        id: docker_meta
+        uses: crazy-max/ghaction-docker-meta@v1
+        with:
+          images: |
+            ${{ env.DOCKERHUB_SLUG }}
+            ${{ env.GHCR_SLUG }}
+          tag-semver: |
+            {{version}}
+          tag-edge: true
+          label-custom: |
+            org.opencontainers.image.title=gosu
+            org.opencontainers.image.description=Simple Go-based setuid+setgid+setgroups+exec
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Test
+        uses: docker/bake-action@v1
+        with:
+          targets: test
+      -
+        name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      -
+        name: Login to GHCR
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
+      -
+        name: Build artifacts
+        uses: docker/bake-action@v1
+        with:
+          targets: artifact-all
+      -
+        name: Move artifacts
+        run: |
+          mv ./dist/**/* ./dist/
+      -
+        name: Upload artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: gosu
+          path: ./dist/*
+          if-no-files-found: error
+      -
+        name: Build
+        uses: docker/bake-action@v1
+        with:
+          files: |
+            ./docker-bake.hcl
+            ${{ steps.docker_meta.outputs.bake-file }}
+          targets: image-all
+          push: ${{ github.event_name != 'pull_request' }}
+      -
+        name: GitHub Release
+        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          draft: true
+          files: |
+            dist/*.tar.gz
+            dist/*.zip
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Check manifest
+        if: github.event_name != 'pull_request'
+        run: |
+          docker buildx imagetools inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.docker_meta.outputs.version }}
+          docker buildx imagetools inspect ${{ env.GHCR_SLUG }}:${{ steps.docker_meta.outputs.version }}
+      -
+        name: Inspect image
+        if: github.event_name != 'pull_request'
+        run: |
+          docker pull ${{ env.DOCKERHUB_SLUG }}:${{ steps.docker_meta.outputs.version }}
+          docker image inspect ${{ env.DOCKERHUB_SLUG }}:${{ steps.docker_meta.outputs.version }}
+          docker pull ${{ env.GHCR_SLUG }}:${{ steps.docker_meta.outputs.version }}
+          docker image inspect ${{ env.GHCR_SLUG }}:${{ steps.docker_meta.outputs.version }}

.github/workflows/codeql.yml

@@ -0,0 +1,33 @@
+name: codeql
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 12 * * 6'
+
+jobs:
+  codeql:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 2
+      -
+        name: Checkout HEAD on PR
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          git checkout HEAD^2
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: go
+      -
+        name: Autobuild
+        uses: github/codeql-action/autobuild@v1
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1

.github/workflows/validate.yml

@@ -0,0 +1,28 @@
+name: validate
+
+on:
+  push:
+    branches:
+      - 'master'
+    tags:
+      - 'v*'
+      - 'dockerfile/*'
+  pull_request:
+    branches:
+      - 'master'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      -
+        name: Validate
+        uses: docker/bake-action@v1
+        with:
+          targets: validate

.gitignore

@@ -1,3 +1,2 @@
-.git
-SHA256SUMS*
-gosu*
+/dist
+/.goreleaser.yml

Dockerfile

@@ -1,63 +1,57 @@
-FROM golang:1.14-alpine3.12
-
-RUN apk add --no-cache file
-
-# disable CGO for ALL THE THINGS (to help ensure no libc)
-ENV CGO_ENABLED 0
-
-WORKDIR /go/src/github.com/tianon/gosu
-
-COPY go.mod go.sum ./
-RUN set -eux; \
-	go mod download; \
-	go mod verify
-
-ENV BUILD_FLAGS="-v -ldflags '-d -s -w'"
-
-COPY *.go ./
-
-# gosu-$(dpkg --print-architecture)
-RUN set -eux; \
-	eval "GOARCH=amd64 go build $BUILD_FLAGS -o /go/bin/gosu-amd64"; \
-	file /go/bin/gosu-amd64; \
-	/go/bin/gosu-amd64 --version; \
-	/go/bin/gosu-amd64 nobody id; \
-	/go/bin/gosu-amd64 nobody ls -l /proc/self/fd
-
-RUN set -eux; \
-	eval "GOARCH=386 go build $BUILD_FLAGS -o /go/bin/gosu-i386"; \
-	file /go/bin/gosu-i386; \
-	/go/bin/gosu-i386 --version; \
-	/go/bin/gosu-i386 nobody id; \
-	/go/bin/gosu-i386 nobody ls -l /proc/self/fd
-
-RUN set -eux; \
-	eval "GOARCH=arm GOARM=5 go build $BUILD_FLAGS -o /go/bin/gosu-armel"; \
-	file /go/bin/gosu-armel
-
-RUN set -eux; \
-	eval "GOARCH=arm GOARM=6 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \
-	file /go/bin/gosu-armhf
-
-# boo Raspberry Pi, making life hard (armhf-is-v7 vs armhf-is-v6 ...)
-#RUN set -eux; \
-#	eval "GOARCH=arm GOARM=7 go build $BUILD_FLAGS -o /go/bin/gosu-armhf"; \
-#	file /go/bin/gosu-armhf
-
-RUN set -eux; \
-	eval "GOARCH=arm64 go build $BUILD_FLAGS -o /go/bin/gosu-arm64"; \
-	file /go/bin/gosu-arm64
-
-RUN set -eux; \
-	eval "GOARCH=mips64le go build $BUILD_FLAGS -o /go/bin/gosu-mips64el"; \
-	file /go/bin/gosu-mips64el
-
-RUN set -eux; \
-	eval "GOARCH=ppc64le go build $BUILD_FLAGS -o /go/bin/gosu-ppc64el"; \
-	file /go/bin/gosu-ppc64el
-
-RUN set -eux; \
-	eval "GOARCH=s390x go build $BUILD_FLAGS -o /go/bin/gosu-s390x"; \
-	file /go/bin/gosu-s390x
-
-RUN set -eux; ls -lAFh /go/bin/gosu-*; file /go/bin/gosu-*
+# syntax=docker/dockerfile:1.2
+ARG GO_VERSION=1.14
+ARG GORELEASER_VERSION=0.157.0
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base
+ARG GORELEASER_VERSION
+RUN apk add --no-cache ca-certificates curl gcc file git linux-headers musl-dev tar
+RUN wget -qO- https://github.com/goreleaser/goreleaser/releases/download/v${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz | tar -zxvf - goreleaser \
+  && mv goreleaser /usr/local/bin/goreleaser
+WORKDIR /src
+
+FROM base AS gomod
+RUN --mount=type=bind,target=.,rw \
+  --mount=type=cache,target=/go/pkg/mod \
+  go mod tidy && go mod download
+
+FROM gomod AS build
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG GIT_REF
+RUN --mount=type=bind,target=/src,rw \
+  --mount=type=cache,target=/root/.cache/go-build \
+  --mount=target=/go/pkg/mod,type=cache \
+  ./hack/goreleaser.sh "gosu" "/out"
+
+FROM scratch AS artifacts
+COPY --from=build /out/*.tar.gz /
+COPY --from=build /out/*.zip /
+
+FROM alpine AS test-alpine
+COPY --from=build /usr/local/bin/gosu /usr/local/bin/gosu
+RUN cut -d: -f1 /etc/group | xargs -n1 addgroup nobody
+RUN chgrp nobody /usr/local/bin/gosu && chmod +s /usr/local/bin/gosu
+USER nobody
+ENV HOME /omg/really/gosu/nowhere
+# now we should be nobody, ALL groups, and have a bogus useless HOME value
+WORKDIR /src
+RUN --mount=type=bind,target=/src \
+  ./hack/test.sh
+
+FROM debian:buster-slim AS test-debian
+COPY --from=build /usr/local/bin/gosu /usr/local/bin/gosu
+RUN cut -d: -f1 /etc/group | xargs -n1 -I'{}' usermod -aG '{}' nobody
+# emulate Alpine's "games" user (which is part of the "users" group)
+RUN usermod -aG users games
+RUN chgrp nogroup /usr/local/bin/gosu && chmod +s /usr/local/bin/gosu
+USER nobody
+ENV HOME /omg/really/gosu/nowhere
+# now we should be nobody, ALL groups, and have a bogus useless HOME value
+WORKDIR /src
+RUN --mount=type=bind,target=/src \
+  ./hack/test.sh
+
+FROM scratch
+COPY --from=build /usr/local/bin/gosu /usr/local/bin/gosu