Merge branch 'master' into patch-3

.github/workflows/docs-preview-deploy.yml

@@ -16,14 +16,20 @@ jobs:
   preview:
     name: 'Deploy Preview'
     runs-on: ubuntu-22.04
-    if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
+    # Requires a PR event triggered `docs-preview-prepare.yml` workflow run that was successful + ensure the head SHA belongs to an associated PR:
+    # NOTE: A multi-line `if` GHA expression must avoid wrapping with `${{ }}`, otherwise it is unintentionally parsed as a string:
+    # https://github.com/nikitastupin/pwnhub/blob/main/writings/if-condition.md
+    if: |
+      github.event.workflow_run.conclusion == 'success'
+      && github.event.workflow_run.event == 'pull_request'
+      && contains(github.event.workflow_run.pull_requests.*.head.sha, github.event.workflow_run.head_sha)
     steps:
 
       # ======================== #
       # Restore workflow context #
       # ======================== #
 
-      # Retrieve the artifact uploaded from `docs-preview-prepare.yml` workflow run that triggered this deployment
+      # Retrieve the build artifact uploaded from the `docs-preview-prepare.yml` workflow run (that triggered this deployment workflow):
       - name: 'Download build artifact'
         uses: actions/download-artifact@v4
         with:
@@ -34,8 +40,20 @@ jobs:
       - name: 'Extract build artifact'
         run: tar -xf artifact.tar.zst
 
-      - name: 'Restore preserved ENV'
-        run: cat pr.env >> "${GITHUB_ENV}"
+      # The `workflow_run` metadata contains an array of `pull_requests`, get the `workflow_run` equivalent of `github.event.pull_request.number`.
+      # There should only be one PR item in the array, verify that it shares the same `head_sha` (latest commit of PR).
+      # NOTE: Careful when using GHA context expressions that may have untrusted input here. The expressions are evaluated before the script content itself is run:
+      # https://github.com/docker-mailserver/docker-mailserver/pull/4247#discussion_r1827067475
+      - name: 'Get PR number'
+        env:
+          head_sha: ${{ github.event.workflow_run.head_sha }}
+          pull_requests: ${{ tojson(github.event.workflow_run.pull_requests) }}
+        run: |
+          PR_NUMBER=$(jq -r '[.[] | select(.head.sha == "${{ env.head_sha }}")][0].number' <<< "${pull_requests}")
+          {
+            echo "PR_NUMBER=${PR_NUMBER}"
+            echo 'PR_HEADSHA=${{ env.head_sha }}'
+          } >> "${GITHUB_ENV}"
 
       # ==================== #
       # Deploy preview build #
@@ -61,6 +79,9 @@ jobs:
         env:
           NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
           NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
+          # Keep these two ENV in sync with the `docs-preview-prepare.yml` workflow:
+          BUILD_DIR: docs/site
+          NETLIFY_SITE_PREFIX: pullrequest-${{ env.PR_NUMBER }}
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           # Fail the job early if credentials are missing / invalid:
@@ -71,7 +92,7 @@ jobs:
           # Only publish the contents of the build output:
           publish-dir: ${{ env.BUILD_DIR }}
           # Custom message for the deploy log on Netlify:
-          deploy-message: '${{ env.PR_TITLE }} (PR #${{ env.PR_NUMBER }} @ commit: ${{ env.PR_HEADSHA }})'
+          deploy-message: 'Preview Build (PR #${{ env.PR_NUMBER }} @ commit: ${{ env.PR_HEADSHA }})'
 
           # Note: Split workflow incorrectly references latest primary branch commit for deployment.
           # Assign to non-default Deployment Environment for better management:

.github/workflows/docs-preview-prepare.yml

@@ -54,23 +54,8 @@ jobs:
       # ============================== #
 
       # Minimize risk of upload failure by bundling files to a single compressed archive (tar + zstd).
-      # Bundles build dir and env file into a compressed archive, nested file paths will be preserved.
       - name: 'Prepare artifact for transfer'
-        env:
-          # As a precaution, reference this value by an interpolated ENV var;
-          # instead of interpolating user controllable input directly in the shell script..
-          # https://github.com/docker-mailserver/docker-mailserver/issues/2332#issuecomment-998326798
-          PR_TITLE: ${{ github.event.pull_request.title }}
-        run: |
-          # Save ENV for transfer
-          {
-            echo "PR_HEADSHA=${{ github.event.pull_request.head.sha }}"
-            echo "PR_NUMBER=${{ github.event.pull_request.number }}"
-            echo "PR_TITLE=${PR_TITLE}"
-            echo "NETLIFY_SITE_PREFIX=${{ env.NETLIFY_SITE_PREFIX }}"
-            echo "BUILD_DIR=${{ env.BUILD_DIR }}"
-          } >> pr.env
-          tar --zstd -cf artifact.tar.zst pr.env ${{ env.BUILD_DIR }}
+        run: tar --zstd -cf artifact.tar.zst ${{ env.BUILD_DIR }}
 
       - name: 'Upload artifact for workflow transfer'
         uses: actions/upload-artifact@v4

.github/workflows/generic_vulnerability-scan.yml

@@ -55,7 +55,7 @@ jobs:
           provenance: false
 
       - name: 'Run the Anchore Grype scan action'
-        uses: anchore/scan-action@v5.1.0
+        uses: anchore/scan-action@v5.2.0
         id: scan
         with:
           image: mailserver-testing:ci

target/bin/rspamd-dkim

@@ -55,6 +55,10 @@ ${ORANGE}EXAMPLES${RESET}
     ${LWHITE}setup config dkim domain example.com${RESET}
         Generate the DKIM key for a different domain (example.com).
 
+    ${LWHITE}setup config dkim keytype ed25519 domain edward.com selector elliptic-test${RESET}
+        Generate the DKIM key using the ED25519 elliptic curve for the domain
+        edward.com and the selector elliptic-test.
+
 ${ORANGE}EXIT STATUS${RESET}
     Exit status is 0 if command was successful. If wrong arguments are provided or arguments contain
     errors, the script will exit early with a non-zero exit status.