new file: .gitea/workflows/deploy.yml

new file:   mariadb.yml
	new file:   nginx.yml

.gitea/workflows/deploy.yml

@@ -0,0 +1,79 @@
+name: Dynamic Build and Deploy Hardened Images
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '**.yml'
+      - '**.yaml'
+  schedule:
+    - cron: '0 0 * * 5'
+  workflow_dispatch:
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to DHI Registry
+        uses: docker/login-action@v3
+        with:
+          registry: dhi.io
+          username: ${{ secrets.DHI_USERNAME }}
+          password: ${{ secrets.DHI_PASSWORD }}
+
+      - name: Log in to Private Registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.chillcog.com
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Detect and Build Images
+        run: |
+          FILES_TO_BUILD=""
+
+          # 1. Determine the trigger type
+          if [ "${{ github.event_name }}" = "schedule" ] || [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            echo "Scheduled or manual run triggered. Processing all YAML files..."
+            # Find all .yml and .yaml files, excluding the workflow file itself
+            FILES_TO_BUILD=$(find . -maxdepth 1 -name "*.yml" -o -name "*.yaml")
+          else
+            echo "Push triggered. Detecting changed files..."
+            # Get list of added/modified files in this push commit
+            FILES_TO_BUILD=$(git diff-tree --no-commit-id --name-only -r ${{ github.sha }} | grep -E '\.(yml|yaml)$' || true)
+          fi
+
+          # 2. Process each detected file
+          for file in $FILES_TO_BUILD; do
+            # Clean path string and ensure file still exists (handles deleted files safely)
+            file=$(echo "$file" | sed 's|^\./||')
+            if [ ! -f "$file" ]; then continue; fi
+            
+            # Skip the workflow directory completely
+            if [[ "$file" == .gitea/* ]]; then continue; fi
+
+            # Extract the filename without path and without extension
+            filename=$(basename -- "$file")
+            image_name="${filename%.*}"
+
+            echo "---------------------------------------------------"
+            echo "Processing: $file -> Image target: $image_name:latest"
+            echo "---------------------------------------------------"
+
+            # Execute the DHI BuildKit build and push natively via CLI
+            docker buildx build \
+              --push \
+              --no-cache \
+              -f "$file" \
+              -t "registry.chillcog.com/${image_name}:latest" \
+              .
+          done

mariadb.yml

@@ -0,0 +1,33 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+  packages:
+    - mariadb
+    - mariadb-client
+    - ca-certificates
+
+accounts:
+  groups:
+    - gid: 65532
+      name: mysql
+  users:
+    - uid: 65532
+      gid: 65532
+      name: mysql
+  run-as: mysql
+
+environment:
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+  DATADIR: /var/lib/mysql
+
+entrypoint:
+  - /usr/bin/mariadbd
+  - --user=mysql
+  - --datadir=/var/lib/mysql
+
+annotations:
+  org.opencontainers.image.title: "hardened-mariadb"
+  org.opencontainers.image.description: "A secure, minimal MariaDB container image built with DHI"

nginx.yml

@@ -0,0 +1,44 @@
+# syntax=dhi.io/build:2-alpine3.23
+
+contents:
+  repositories:
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/main
+    - https://dl-cdn.alpinelinux.org/alpine/v3.23/community
+  packages:
+    - nginx
+    - ca-certificates
+
+accounts:
+  groups:
+    - gid: 65532
+      name: nginx
+  users:
+    - uid: 65532
+      gid: 65532
+      name: nginx
+  run-as: nginx
+
+environment:
+  PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Custom directory assignments to handle permission drops safely
+paths:
+  - path: /var/lib/nginx
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0755
+  - path: /var/log/nginx
+    type: directory
+    uid: 65532
+    gid: 65532
+    permissions: 0755
+
+entrypoint:
+  - /usr/sbin/nginx
+  - -g
+  - "daemon off;"
+
+annotations:
+  org.opencontainers.image.title: "hardened-nginx"
+  org.opencontainers.image.description: "Minimal enterprise-hardened Nginx image built with DHI"