From 7fe4c5a9fa5da23b0030b9940d9fa40503f1422c Mon Sep 17 00:00:00 2001
From: Sascha
Date: Thu, 27 Nov 2025 09:08:36 +0100
Subject: [PATCH 1/4] feat: add dex Docker image
---
 .github/dependabot.yml | 1 +
 .github/workflows/dex.yml | 71 +++++++++++++++++++++++++++++++++++++++
 dex/Dockerfile | 4 +++
 3 files changed, 76 insertions(+)
 create mode 100644 .github/workflows/dex.yml
 create mode 100644 dex/Dockerfile
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1d8e0ef8..718a28f7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -13,6 +13,7 @@ updates:
 directories:
 - '/cfssl'
 - '/chromium'
+ - '/dex'
 - '/elasticsearch'
 - '/httpd'
 - '/imgproxy'
diff --git a/.github/workflows/dex.yml b/.github/workflows/dex.yml
new file mode 100644
index 00000000..8aaf91c8
--- /dev/null
+++ b/.github/workflows/dex.yml
@@ -0,0 +1,71 @@
+name: 'Build dex docker image'
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+on:
+ schedule:
+ - cron: 0 7 * * THU
+ push:
+ branches:
+ - main
+ paths:
+ - dex/**
+ pull_request:
+ branches:
+ - main
+ paths:
+ - dex/**
+ workflow_dispatch:
+ inputs: { }
+
+jobs:
+ build-docker-image:
+ name: 'Build dex-${{ matrix.image.version }} docker image'
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ max-parallel: 10
+ matrix:
+ image:
+ - version: 2
+ latest: true
+ dockerfile: Dockerfile
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Setup Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Read version from Dockerfile
+ id: docker
+ run: echo "version=$(../extract-version.sh ./dex/Dockerfile)" >> $GITHUB_OUTPUT
+
+ - name: Login to GHCR
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push (dex)
+ uses: docker/build-push-action@v6
+ with:
+ builder: ${{ steps.buildx.outputs.name }}
+ context: ./dex
+ target: dex
+ file: ./dex/${{matrix.image.dockerfile}}
+ build-args: ${{ matrix.image.build-args }}
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ghcr.io/netlogix/docker/dex:${{ matrix.image.version }},ghcr.io/netlogix/docker/dex:${{ steps.docker.outputs.version }}
+ platforms: linux/amd64,linux/arm64
+ cache-from: type=gha, scope=${{ github.workflow }}-dex
+ cache-to: type=gha, scope=${{ github.workflow }}-dex, mode=max
diff --git a/dex/Dockerfile b/dex/Dockerfile
new file mode 100644
index 00000000..81c841b4
--- /dev/null
+++ b/dex/Dockerfile
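Review bot: `builder: ${{ steps.buildx.outputs.name }}` in the "Build and push (dex)" step references a step id that is never declared — the "Setup Docker Buildx" step has no `id:`, so the expression evaluates to an empty string and build-push-action silently falls back to whatever builder is current; add `id: buildx` to that step (or drop the `builder:` line) so the value is what the workflow claims. The matrix entry also declares `latest: true`, but `tags:` never pushes a `:latest` tag, so the flag is a misleading knob that should either be wired into `tags:` or removed. On the supply-chain side, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/login-action@v3` and `docker/build-push-action@v6` are third-party actions resolved through mutable major tags and executed with the same `GITHUB_TOKEN` that pushes to GHCR; pinning each `uses:` to a full-length commit SHA with a trailing `# vX.Y.Z` comment keeps a moved tag from changing what runs with that registry credential while still letting Dependabot propose bumps. The `if: github.event_name != 'pull_request'` guard on the login step and `push:` is the right shape; note that `schedule` and `workflow_dispatch` runs do push.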
@@ -0,0 +1,4 @@
+FROM ghcr.io/dexidp/dex:v2.43.1 AS dex
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s \
+ CMD wget --no-verbose --tries=1 --spider http://localhost:5556/dex/.well-known/openid-configuration || exit 1
From 6e243a3c198014a091bb4a7fc520f105d20dad70 Mon Sep 17 00:00:00 2001
From: Sascha Heilmeier
Date: Thu, 27 Nov 2025 09:32:48 +0100
Subject: [PATCH 2/4] Potential fix for code scanning alert no. 215: Workflow does not contain permissions
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/dex.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/dex.yml b/.github/workflows/dex.yml
index 8aaf91c8..b3fc627a 100644
--- a/.github/workflows/dex.yml
+++ b/.github/workflows/dex.yml
@@ -20,6 +20,10 @@ on:
 workflow_dispatch:
 inputs: { }

+permissions:
+ contents: read
+ packages: write
+
 jobs:
 build-docker-image:
 name: 'Build dex-${{ matrix.image.version }} docker image'
From a4e6fa8d078df97b1c6410bb6f556c4b7eacc267 Mon Sep 17 00:00:00 2001
From: Sascha
Date: Thu, 27 Nov 2025 09:37:17 +0100
Subject: [PATCH 3/4] fix: set correct script path
---
 .github/workflows/dex.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/dex.yml b/.github/workflows/dex.yml
index b3fc627a..0b990eca 100644
--- a/.github/workflows/dex.yml
+++ b/.github/workflows/dex.yml
@@ -50,7 +50,7 @@ jobs:

 - name: Read version from Dockerfile
 id: docker
-run: echo "version=$(../extract-version.sh ./dex/Dockerfile)" >> $GITHUB_OUTPUT
+run: echo "version=$(./extract-version.sh ./dex/Dockerfile)" >> $GITHUB_OUTPUT

 - name: Login to GHCR
 if: github.event_name != 'pull_request'
From fd234e3ccef448a36d1109fdd59453a214ff4cb9 Mon Sep 17 00:00:00 2001
From: Sascha
Date: Thu, 27 Nov 2025 09:37:45 +0100
Subject: [PATCH 4/4] fix: remove build args
---
 .github/workflows/dex.yml | 1 -
 1 file changed, 1 deletion(-)
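Review bot: `FROM ghcr.io/dexidp/dex:v2.43.1 AS dex` pins the upstream image by a mutable tag only, so the weekly scheduled rebuild will happily consume a re-pushed `v2.43.1` without any change in this repository; now that Dependabot covers `/dex`, pin the digest as well (`FROM ghcr.io/dexidp/dex:v2.43.1@sha256:<digest> AS dex`) and let Dependabot bump tag and digest together. The `HEALTHCHECK` depends on two unstated assumptions — that the base image ships a `wget` binary, and that dex listens on plain HTTP at `:5556` with issuer path `/dex` (which appears to follow dex's example config) — a TLS-only `web.https` listener, a different issuer path, or a swap to a shell-less distroless variant would leave the container permanently unhealthy, so document them above the instruction: `# Assumes the alpine-based upstream image (busybox wget) and the default http listener on :5556 with issuer path /dex`. The trailing `|| exit 1` is redundant because a non-zero exit from `wget` already fails the check, but it is harmless.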
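Review bot: The corrected `run:` line still cannot fail on its own: `echo "version=$(./extract-version.sh ./dex/Dockerfile)" >> $GITHUB_OUTPUT` reports `echo`'s exit status, so a missing or failing script silently writes `version=` and `steps.docker.outputs.version` reaches `tags:` as the malformed `ghcr.io/netlogix/docker/dex:`, leaving it to build-push-action's reference validation to notice. Assign first so the default `bash -e` aborts on the script's own status, and quote the output file: `version="$(./extract-version.sh ./dex/Dockerfile)"` followed by `echo "version=${version}" >> "$GITHUB_OUTPUT"` in a `run: |` block. The enclosing `steps:` list continues outside the hunk.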
diff --git a/.github/workflows/dex.yml b/.github/workflows/dex.yml
index 0b990eca..9ee1c825 100644
--- a/.github/workflows/dex.yml
+++ b/.github/workflows/dex.yml
@@ -67,7 +67,6 @@ jobs:
 context: ./dex
 target: dex
 file: ./dex/${{matrix.image.dockerfile}}
- build-args: ${{ matrix.image.build-args }}
 push: ${{ github.event_name != 'pull_request' }}
 tags: ghcr.io/netlogix/docker/dex:${{ matrix.image.version }},ghcr.io/netlogix/docker/dex:${{ steps.docker.outputs.version }}
 platforms: linux/amd64,linux/arm64