Merge remote-tracking branch 'origin/master' into pr/3143

.docker/Dockerfile-alpine

@@ -1,4 +1,4 @@
-FROM alpine:3.16
+FROM alpine:3.18.3
 
 # Because this image supports SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
 # and declare /home/ory/sqlite a volume.

.docker/Dockerfile-build

@@ -1,53 +1,43 @@
 # syntax = docker/dockerfile:1-experimental
-FROM golang:1.19-alpine3.16 AS base
+# Workaround for https://github.com/GoogleContainerTools/distroless/issues/1342
+FROM golang:1.21 AS builder
 
-RUN apk --update upgrade && apk --no-cache --update-cache --upgrade --latest add ca-certificates build-base gcc
+RUN apt-get update && apt-get upgrade -y &&\
+  mkdir -p /var/lib/sqlite
 
 WORKDIR /go/src/github.com/ory/kratos
 
-ADD go.mod go.mod
-ADD go.sum go.sum
-ADD internal/httpclient/go.* internal/httpclient/
-ADD internal/client-go/go.* internal/client-go/
+COPY go.mod go.mod
+COPY go.sum go.sum
+COPY internal/httpclient/go.* internal/httpclient/
+COPY internal/client-go/go.* internal/client-go/
 
 ENV GO111MODULE on
 ENV CGO_ENABLED 1
 ENV CGO_CPPFLAGS -DSQLITE_DEFAULT_FILE_PERMISSIONS=0600
 
 RUN go mod download
 
-ADD . .
+COPY . .
 
 ARG VERSION
 ARG COMMIT
 ARG BUILD_DATE
 
 RUN --mount=type=cache,target=/root/.cache/go-build go build -tags sqlite \
-    -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${VERSION}' -X 'github.com/ory/kratos/driver/config.Date=${BUILD_DATE}' -X 'github.com/ory/kratos/driver/config.Commit=${COMMIT}'" \
-    -o /usr/bin/kratos
+  -ldflags="-X 'github.com/ory/kratos/driver/config.Version=${VERSION}' -X 'github.com/ory/kratos/driver/config.Date=${BUILD_DATE}' -X 'github.com/ory/kratos/driver/config.Commit=${COMMIT}'" \
+  -o /usr/bin/kratos
 
-FROM alpine:3.16
+#########################
+FROM gcr.io/distroless/base-nossl-debian12:nonroot AS runner
 
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -u 10000 -h /home/ory -s /bin/nologin; \
-    chown -R ory:ory /home/ory
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
+COPY --from=builder --chown=nonroot:nonroot /usr/bin/kratos /usr/bin/kratos
 
-COPY --from=base /usr/bin/kratos /usr/bin/kratos
-
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite
-RUN chown ory:ory /var/lib/sqlite
 VOLUME /var/lib/sqlite
 
-# Exposing the ory home directory to simplify passing in Kratos configuration (e.g. if the file $HOME/.kratos.yaml
-# exists, it will be automatically used as the configuration file).
-VOLUME /home/ory
-
 # Declare the standard ports used by Kratos (4433 for public service endpoint, 4434 for admin service endpoint)
 EXPOSE 4433 4434
 
-USER 10000
-
 ENTRYPOINT ["kratos"]
 CMD ["serve"]

.docker/Dockerfile-debug

@@ -1,4 +1,4 @@
-FROM golang:1.19-buster
+FROM golang:1.21
 ENV CGO_ENABLED 1
 
 RUN apt-get update && apt-get install -y --no-install-recommends inotify-tools psmisc

.docker/Dockerfile-distroless-static

@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian12:nonroot
+
+COPY kratos /usr/bin/kratos
+EXPOSE 4433 4434
+
+ENTRYPOINT ["kratos"]
+CMD ["serve"]

.github/CODEOWNERS

@@ -1,3 +1,3 @@
-*            @aeneasr @zepatrik
+*            @aeneasr @zepatrik @hperl
 
 /docs/       @ory/documenters

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -12,27 +12,26 @@ body:
   - attributes:
       label: "Preflight checklist"
       options:
-        - label:
-            "I could not find a solution in the existing issues, docs, nor
+        - label: "I could not find a solution in the existing issues, docs, nor
             discussions."
           required: true
-        - label:
-            "I agree to follow this project's [Code of
+        - label: "I agree to follow this project's [Code of
             Conduct](https://github.com/ory/kratos/blob/master/CODE_OF_CONDUCT.md)."
           required: true
-        - label:
-            "I have read and am following this repository's [Contribution
+        - label: "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/kratos/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
-        - label:
-            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
-        - label:
-            "I am signed up to the [Ory Security Patch
+        - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)."
+        - label: "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description: "Enter the slug or API URL of the affected Ory Network project. Leave empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: "A clear and concise description of what the bug is."
       label: "Describe the bug"
@@ -56,8 +55,7 @@ body:
     validations:
       required: true
   - attributes:
-      description:
-        "Please copy and paste any relevant log output. This will be
+      description: "Please copy and paste any relevant log output. This will be
         automatically formatted into code, so no need for backticks. Please
         redact any sensitive information"
       label: "Relevant log output"

.github/ISSUE_TEMPLATE/DESIGN-DOC.yml

@@ -1,8 +1,7 @@
 # AUTO-GENERATED, DO NOT EDIT!
 # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml
 
-description:
-  "A design document is needed for non-trivial changes to the code base."
+description: "A design document is needed for non-trivial changes to the code base."
 labels:
   - rfc
 name: "Design Document"
@@ -23,27 +22,26 @@ body:
   - attributes:
       label: "Preflight checklist"
       options:
-        - label:
-            "I could not find a solution in the existing issues, docs, nor
+        - label: "I could not find a solution in the existing issues, docs, nor
             discussions."
           required: true
-        - label:
-            "I agree to follow this project's [Code of
+        - label: "I agree to follow this project's [Code of
             Conduct](https://github.com/ory/kratos/blob/master/CODE_OF_CONDUCT.md)."
           required: true
-        - label:
-            "I have read and am following this repository's [Contribution
+        - label: "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/kratos/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
-        - label:
-            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
-        - label:
-            "I am signed up to the [Ory Security Patch
+        - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)."
+        - label: "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description: "Enter the slug or API URL of the affected Ory Network project. Leave empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: |
         This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts.

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -1,8 +1,7 @@
 # AUTO-GENERATED, DO NOT EDIT!
 # Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml
 
-description:
-  "Suggest an idea for this project without a plan for implementation"
+description: "Suggest an idea for this project without a plan for implementation"
 labels:
   - feat
 name: "Feature Request"
@@ -16,30 +15,28 @@ body:
   - attributes:
       label: "Preflight checklist"
       options:
-        - label:
-            "I could not find a solution in the existing issues, docs, nor
+        - label: "I could not find a solution in the existing issues, docs, nor
             discussions."
           required: true
-        - label:
-            "I agree to follow this project's [Code of
+        - label: "I agree to follow this project's [Code of
             Conduct](https://github.com/ory/kratos/blob/master/CODE_OF_CONDUCT.md)."
           required: true
-        - label:
-            "I have read and am following this repository's [Contribution
+        - label: "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/kratos/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
-        - label:
-            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
-        - label:
-            "I am signed up to the [Ory Security Patch
+        - label: "I have joined the [Ory Community Slack](https://slack.ory.sh)."
+        - label: "I am signed up to the [Ory Security Patch
             Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
   - attributes:
-      description:
-        "Is your feature request related to a problem? Please describe."
+      description: "Enter the slug or API URL of the affected Ory Network project. Leave empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
+  - attributes:
+      description: "Is your feature request related to a problem? Please describe."
       label: "Describe your problem"
       placeholder:
         "A clear and concise description of what the problem is. Ex. I'm always
@@ -73,8 +70,7 @@ body:
     validations:
       required: true
   - attributes:
-      description:
-        "Add any other context or screenshots about the feature request here."
+      description: "Add any other context or screenshots about the feature request here."
       label: Additional Context
     id: additional
     type: textarea

.github/ISSUE_TEMPLATE/config.yml

@@ -5,10 +5,8 @@ blank_issues_enabled: false
 contact_links:
   - name: Ory Kratos Forum
     url: https://github.com/ory/kratos/discussions
-    about:
-      Please ask and answer questions here, show your implementations and
+    about: Please ask and answer questions here, show your implementations and
       discuss ideas.
   - name: Ory Chat
     url: https://www.ory.sh/chat
-    about:
-      Hang out with other Ory community members to ask and answer questions.
+    about: Hang out with other Ory community members to ask and answer questions.