earthly · janishorsts · Jun 22, 2025 · Jun 25, 2025 · Jul 2, 2025 · Jul 3, 2025
@@ -1,3 +1,4 @@
-DOCKERHUB_USER=earthly
+CR_HOST=ghcr.io
+CR_ORG=earthbuild
 IMAGE_NAME=dind
-EARTHLY_REPO_VERSION=0b28ef80785fd88df1ec7e674475b02e046d5b36
+EARTHLY_REPO_VERSION=d70bd9ab5ebf3eb29728deb1f8c46976c01f2757
@@ -1,2 +1,2 @@
-# PRs require approval from the earthly core team
-* @earthly/core
+# PRs require approval from the EarthBuild admin team
+* @EarthBuild/fork-admins
@@ -1,51 +1,48 @@
 {
-  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
   extends: [
-    "config:recommended"
+    'config:recommended',
+    'security:openssf-scorecard'
   ],
+  forkProcessing: 'enabled',
   configMigration: true,
   prHourlyLimit: 1,
-  schedule: [ // utc timezone
-    'after 6am on monday',
-  ],
+  schedule: [],
   enabledManagers: [
     'dockerfile',
     'custom.regex',
     'github-actions',
   ],
   dockerfile: {
-    fileMatch: [
-      'Earthfile',
+    managerFilePatterns: [
+      '/Earthfile/',
     ],
   },
   customManagers: [
     {
-      // Earthly Version in GH Actions
       customType: 'regex',
-      fileMatch: [
-        '.*?\\.yml', 
+      managerFilePatterns: [
+        '/.*?\\.yml/',
       ],
       matchStrings: [
-        '- uses: earthly/actions/setup-earthly@.*?[\\s\\n]+.*?[\\s\\n]+with:[\\s\\n]*version: (?<currentValue>.*?)[\\s\\n/]+',
+        '- uses: earthbuild/actions-setup@.*?[\\s\\n]+.*?[\\s\\n]+with:[\\s\\n]*version: (?<currentValue>.*?)[\\s\\n/]+',
       ],
-      depNameTemplate: 'earthly/earthly',
+      depNameTemplate: 'earthbuild/earthbuild',
       datasourceTemplate: 'github-releases',
     },
     {
-      // ARG/LET in Earthfile that have a Renovate comment
       customType: 'regex',
-      fileMatch: [
-        'Earthfile',
+      managerFilePatterns: [
+        '/Earthfile/',
       ],
       matchStrings: [
         '\\s*#\\s*renovate:\\s*datasource=(?<datasource>.*?)\\s+depName=(?<depName>.*?)[\\s\\n]+(versioning=(?<versioning>.*?)\\s+)?(ARG|LET)\\s+.*?(_VERSION|_VER|version)=(?<currentValue>.*?)($|\\s|\\n)',
       ],
     },
     {
-      // Updating the Repology alpine version
       customType: 'regex',
-      fileMatch: [
-        'Earthfile',
+      managerFilePatterns: [
+        '/Earthfile/',
       ],
       matchStrings: [
         '# renovate: datasource=repology depName=alpine_(?<currentValue>\\d+_\\d+)',
@@ -57,41 +54,36 @@
       autoReplaceStringTemplate: '# renovate: datasource=repology depName=alpine_{{{newMajor}}}_{{{newMinor}}}',
     },
     {
-      // Updating the commit hash of earthly/earthly
       customType: 'regex',
-      fileMatch: ['^\\.arg$'],
+      managerFilePatterns: [
+        '/^\\.arg$/',
+      ],
       matchStrings: [
         'EARTHLY_REPO_VERSION=(?<currentDigest>.*?)($|\\s|\\n)',
       ],
       currentValueTemplate: 'main',
-      depNameTemplate: 'earthly/earthly',
-      packageNameTemplate: 'https://github.com/earthly/earthly',
+      depNameTemplate: 'earthbuild/earthbuild',
+      packageNameTemplate: 'https://github.com/earthbuild/earthbuild',
       datasourceTemplate: 'git-refs',
     },
     {
       customType: 'regex',
-      fileMatch: [
-        'docs/dockerhub.md$',
+      managerFilePatterns: [
+        '/^README.md$/',
       ],
       matchStrings: [
         '\\*\\s+\\`(?<currentValue>.+?)\\`\\n',
       ],
-      depNameTemplate: 'earthly/dind',
+      depNameTemplate: 'earthbuild/dind',
       datasourceTemplate: 'docker',
     },
   ],
   labels: [
     'renovate',
   ],
   packageRules: [
-    // set the group name for alpine dind dependencies
     {
       groupName: "{{{ replace 'os\\/(.*?)$' '$1' packageFileDir}}}-dind-image",
-      matchPackagePatterns: [
-        'alpine',
-        'alpine.*?/docker',
-        'docker/docker',
-      ],
       matchManagers: [
         'custom.regex',
       ],
@@ -103,46 +95,75 @@
       matchFileNames: [
         'os/**/Earthfile',
       ],
+      matchPackageNames: [
+        '/alpine/',
+        '/alpine.*?/docker/',
+        '/docker/docker/',
+      ],
+    },
+    {
+      // Lock docker to v28.1.1 for Ubuntu 20.04.
+      matchFileNames: [
+        'os/ubuntu-20.04/Earthfile',
+      ],
+      matchPackageNames: [
+        'docker/docker',
+      ],
+      allowedVersions: '28.1.1',
+    },
+    {
+      // Lock docker to v25.0.2 for Ubuntu 23.04.
+      matchFileNames: [
+        'os/ubuntu-23.04/Earthfile',
+      ],
+      matchPackageNames: [
+        'docker/docker',
+      ],
+      allowedVersions: '25.0.2',
     },
     {
-      // let all package updates auto merge
-      matchPackagePatterns: [ '*' ],
       automerge: true,
+      matchPackageNames: [
+        '*',
+      ],
     },
     {
-      // rule to update earthly/dind:alpine-* images
       groupName: 'docs-dind-images',
-      matchPackageNames: ['earthly/dind'],
-      matchCurrentVersion: "/^alpine-.*/",
-      allowedVersions: "/^alpine-.*/",
-      versioning: "regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-r(?<revision>\\d+)$",
+      matchPackageNames: [
+        'earthbuild/dind',
+      ],
+      matchCurrentVersion: '/^alpine-.*/',
+      allowedVersions: '/^alpine-.*/',
+      versioning: 'regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-r(?<revision>\\d+)$',
     },
     {
-      // rule to update earthly/dind:ubuntu:20.04-* images
       groupName: 'docs-dind-images',
-      matchPackageNames: ['earthly/dind'],
-      matchCurrentVersion: "/^ubuntu-20\\.04-.*/",
-      allowedVersions: "/^ubuntu-20\\.04-.*/",
-      versioning: "regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>\\d+)$",
+      matchPackageNames: [
+        'earthbuild/dind',
+      ],
+      matchCurrentVersion: '/^ubuntu-20\\.04-.*/',
+      allowedVersions: '/^ubuntu-20\\.04-.*/',
+      versioning: 'regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>\\d+)$',
     },
     {
-      // rule to update earthly/dind:ubuntu:23.04-* images
       groupName: 'docs-dind-images',
-      matchPackageNames: ['earthly/dind'],
-      matchCurrentVersion: "/^ubuntu-23\\.04-.*/",
-      allowedVersions: "/^ubuntu-23\\.04-.*/",
-      versioning: "regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>\\d+)$",
+      matchPackageNames: [
+        'earthbuild/dind',
+      ],
+      matchCurrentVersion: '/^ubuntu-23\\.04-.*/',
+      allowedVersions: '/^ubuntu-23\\.04-.*/',
+      versioning: 'regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>\\d+)$',
     },
     {
-      // rule to update earthly/dind:ubuntu:24.04-* images
       groupName: 'docs-dind-images',
-      matchPackageNames: ['earthly/dind'],
-      matchCurrentVersion: "/^ubuntu-24\\.04-.*/",
-      allowedVersions: "/^ubuntu-24\\.04-.*/",
-      versioning: "regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>\\d+)$",
+      matchPackageNames: [
+        'earthbuild/dind',
+      ],
+      matchCurrentVersion: '/^ubuntu-24\\.04-.*/',
+      allowedVersions: '/^ubuntu-24\\.04-.*/',
+      versioning: 'regex:^(?<compatibility>.*)-(?<major>\\d+\\.\\d+)-docker-(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>\\d+)$',
     },
     {
-      // create PRs for multiple docker versions in case we're more than one major version behind
       matchPackageNames: [
         'docker/docker',
       ],

@@ -5,35 +5,51 @@ on:
   # push:
   #   branches: [ "main" ]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
-  
+
 jobs:
   test:
-    name: test
+    name: test (${{ matrix.os }})
+    strategy:
+
+      matrix:
+        os: [alpine, ubuntu-20.04, ubuntu-23.04, ubuntu-24.04]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     env:
       FORCE_COLOR: 1
       EARTHLY_CONVERSION_PARALLELISM: "5"
-      EARTHLY_TOKEN: "${{ secrets.EARTHLY_TOKEN }}"
-      EARTHLY_INSTALL_ID: "earthly-dind-githubactions"
+      EARTHLY_INSTALL_ID: "earthbuild-dind-githubactions"
     steps:
-      - uses: earthly/actions/setup-earthly@v1
+      - uses: actions/checkout@v5
+      # The dind (common+alpine-kind-test and common+ubuntu-kind-test) detects
+      # the host's IPv6 capability and then requires IPv6 NAT to create networks
+      # for kind. So we load it here.
+      # Ref: https://github.com/moby/moby/pull/47062
+      - name: Load kernel module IPv6 NAT
+        run: sudo modprobe ip6table_nat
+      - name: Set up Docker Hub mirrors
+        run: |
+          sudo mkdir -p /etc/docker
+          echo '{"registry-mirrors": ["https://mirror.gcr.io", "https://public.ecr.aws"]}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+      - name: Set up QEMU
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y qemu-user-static binfmt-support
+          sudo update-binfmts --display
+      - uses: earthbuild/actions-setup@main
         with:
           version: v0.8.15
-      - uses: actions/checkout@v4
-      - name: Docker login (non fork only)
-        run: |-
-          docker login --username "${{ secrets.DOCKERHUB_USERNAME }}" --password "${{ secrets.DOCKERHUB_TOKEN }}"
-          docker login registry-1.docker.io.mirror.corp.earthly.dev --username "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" --password "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}"
-        if: github.event.pull_request.head.repo.full_name == github.repository
-      - name: Configure Earthly to use mirror (non fork only)
-        run: |-
-          earthly config global.buildkit_additional_config "'[registry.\"docker.io\"]
-          mirrors = [\"registry-1.docker.io.mirror.corp.earthly.dev\"]'"
+      - name: Log in to GitHub Container Registry (non fork only)
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
         if: github.event.pull_request.head.repo.full_name == github.repository
       - name: Run tests
-        run: earthly --ci -P --push --org earthly-technologies --satellite dind +test
+        run: earthly --ci -P --push +test --OS=${{ matrix.os }}
+
@@ -0,0 +1,21 @@
+name: Update Docker Hub description
+
+on:
+  push:
+    branches: [ main ]
+    paths: [ README.md ]
+
+jobs:
+  docker-hub-description:
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Update DockerHub description
+        uses: peter-evans/dockerhub-description@v4.0.2
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          repository: earthbuild/dind
+          short-description: The `dind` image is designed for EarthBuild targets
@@ -9,25 +9,40 @@ jobs:
     name: release after merging ${{ github.head_ref }}
     if: github.event.pull_request.merged == true && startsWith(github.head_ref, 'renovate/') && endsWith(github.head_ref, '-dind-image')
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     env:
       FORCE_COLOR: 1
       EARTHLY_CONVERSION_PARALLELISM: "5"
-      EARTHLY_TOKEN: "${{ secrets.EARTHLY_TOKEN }}"
-      EARTHLY_INSTALL_ID: "earthly-dind-githubactions"
+      EARTHLY_INSTALL_ID: "earthbuild-dind-githubactions"
     steps:
-      - uses: earthly/actions/setup-earthly@v1
+      - uses: actions/checkout@v5
+      # The dind (common+alpine-kind-test and common+ubuntu-kind-test) detects
+      # the host's IPv6 capability and then requires IPv6 NAT to create networks
+      # for kind. So we load it here.
+      # Ref: https://github.com/moby/moby/pull/47062
+      - name: Load kernel module IPv6 NAT
+        run: sudo modprobe ip6table_nat
+      - name: Set up Docker Hub mirrors
+        run: |
+          sudo mkdir -p /etc/docker
+          echo '{"registry-mirrors": ["https://mirror.gcr.io", "https://public.ecr.aws"]}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+      - name: Set up QEMU
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y qemu-user-static binfmt-support
+          sudo update-binfmts --display
+      - uses: earthbuild/actions-setup@main
         with:
           version: v0.8.15
-      - uses: actions/checkout@v4
-      - name: Docker login (non fork only)
+      - name: Log in to container registries (non fork only)
         run: |-
-          docker login --username "${{ secrets.DOCKERHUB_USERNAME }}" --password "${{ secrets.DOCKERHUB_TOKEN }}"
-          docker login registry-1.docker.io.mirror.corp.earthly.dev --username "${{ secrets.DOCKERHUB_MIRROR_USERNAME }}" --password "${{ secrets.DOCKERHUB_MIRROR_PASSWORD }}"
-        if: github.event.pull_request.head.repo.full_name == github.repository
-      - name: Configure Earthly to use mirror (non fork only)
-        run: |-
-          earthly config global.buildkit_additional_config "'[registry.\"docker.io\"]
-          mirrors = [\"registry-1.docker.io.mirror.corp.earthly.dev\"]'"
+          docker login --username "${{ vars.DOCKERHUB_USERNAME }}" --password "${{ secrets.DOCKERHUB_TOKEN }}"
+          docker login ghcr.io --username ${{ github.actor }} --password "${{ secrets.GITHUB_TOKEN }}"
         if: github.event.pull_request.head.repo.full_name == github.repository
       - name: Build & Push image
-        run: earthly --ci -P --push --org earthly-technologies --satellite dind +release --RENOVATE_BRANCH=${{github.head_ref}}
+        run: |
+          earthly --ci -P --push +release --RENOVATE_BRANCH=${{github.head_ref}} # default:ghcr.io
+          earthly --ci -P --push +release --RENOVATE_BRANCH=${{github.head_ref}} --CR_HOST=docker.io