fix: rename index in down migration

.docker/Dockerfile-alpine

@@ -1,8 +1,9 @@
-FROM alpine:3.16
+FROM alpine:3.20
 
 RUN addgroup -S ory; \
-    adduser -S ory -G ory -D -H -s /bin/nologin
-RUN apk --no-cache --upgrade --latest add ca-certificates
+    adduser -S ory -G ory -D -H -s /bin/nologin && \
+    apk upgrade --no-cache && \
+    apk add --no-cache --upgrade ca-certificates
 
 COPY hydra /usr/bin/hydra
 

.docker/Dockerfile-build

@@ -1,46 +1,32 @@
-FROM golang:1.19-alpine3.16 AS builder
-
-RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash
+FROM golang:1.22 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
-RUN mkdir -p ./internal/httpclient
+
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
+    mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
-COPY internal/httpclient/go.* ./internal/httpclient
+COPY internal/httpclient/go.* ./internal/httpclient/
 
-ENV GO111MODULE on
-ENV CGO_ENABLED 1
+ENV CGO_ENABLED=1
 
 RUN go mod download
 
 COPY . .
+RUN go build -ldflags="-extldflags=-static" -tags sqlite,sqlite_omit_load_extension -o /usr/bin/hydra
 
-RUN go build -tags sqlite,json1 -o /usr/bin/hydra
+#########################
 
-FROM alpine:3.15
-
-RUN addgroup -S ory; \
-    adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
-    chown -R ory:ory /home/ory
+FROM gcr.io/distroless/static-debian12:nonroot AS runner
 
+COPY --from=builder --chown=nonroot:nonroot /var/lib/sqlite /var/lib/sqlite
 COPY --from=builder /usr/bin/hydra /usr/bin/hydra
 
-# By creating the sqlite folder as the ory user, the mounted volume will be owned by ory:ory, which
-# is required for read/write of SQLite.
-RUN mkdir -p /var/lib/sqlite && \
-    chown ory:ory /var/lib/sqlite
-
 VOLUME /var/lib/sqlite
 
-# Exposing the ory home directory
-VOLUME /home/ory
-
 # Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
 EXPOSE 4444 4445
 
-USER ory
-
 ENTRYPOINT ["hydra"]
-CMD ["serve"]
-
-
+CMD ["serve", "all"]

.docker/Dockerfile-distroless-static

@@ -0,0 +1,8 @@
+FROM gcr.io/distroless/static-debian12:nonroot
+
+COPY hydra /usr/bin/hydra
+# Declare the standard ports used by hydra (4444 for public service endpoint, 4445 for admin service endpoint)
+EXPOSE 4444 4445
+
+ENTRYPOINT ["hydra"]
+CMD ["serve", "all"]

.docker/Dockerfile-hsm

@@ -1,9 +1,10 @@
-FROM golang:1.19-alpine3.16 AS builder
-
-RUN apk -U --no-cache --upgrade --latest add build-base git gcc bash
+FROM golang:1.22 AS builder
 
 WORKDIR /go/src/github.com/ory/hydra
-RUN mkdir -p ./internal/httpclient
+
+RUN apt-get update && apt-get upgrade -y &&\
+    mkdir -p /var/lib/sqlite &&\
+    mkdir -p ./internal/httpclient
 
 COPY go.mod go.sum ./
 COPY internal/httpclient/go.* ./internal/httpclient
@@ -12,26 +13,36 @@ ENV GO111MODULE on
 ENV CGO_ENABLED 1
 
 RUN go mod download
-
 COPY . .
 
+###############################
+
 FROM builder as build-hydra
-RUN go build -tags sqlite,json1,hsm -o /usr/bin/hydra
+RUN go build -tags sqlite,hsm -o /usr/bin/hydra
+
+###############################
 
 FROM builder as test-hsm
 ENV HSM_ENABLED=true
 ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
 ENV HSM_TOKEN_LABEL=hydra
 ENV HSM_PIN=1234
 
-RUN apk --no-cache --upgrade --latest add softhsm opensc; \
-    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra; \
+RUN apt-get -y install softhsm opensc &&\
+    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL" &&\
     go test -p 1 -v -failfast -short -tags=sqlite,hsm ./...
 
-FROM alpine:3.15
+###############################
+
+FROM gcr.io/distroless/base-nossl-debian12:debug-nonroot AS runner
+
+ENV HSM_ENABLED=true
+ENV HSM_LIBRARY=/usr/lib/softhsm/libsofthsm2.so
+ENV HSM_TOKEN_LABEL=hydra
+ENV HSM_PIN=1234
 
-RUN apk --no-cache --upgrade --latest add softhsm opensc; \
-    pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --slot 0 --init-token --so-pin 0000 --init-pin --pin 1234 --label hydra
+RUN apt-get -y install softhsm opensc &&\
+    pkcs11-tool --module "$HSM_LIBRARY" --slot 0 --init-token --so-pin 0000 --init-pin --pin "$HSM_PIN" --label "$HSM_TOKEN_LABEL"
 
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \

.docker/Dockerfile-scratch

@@ -1,6 +1,7 @@
-FROM alpine:3.16
+FROM alpine:3.20
 
-RUN apk --no-cache --upgrade --latest add ca-certificates
+RUN apk upgrade --no-cache && \
+    apk add --no-cache --upgrade ca-certificates
 
 # set up nsswitch.conf for Go's "netgo" implementation
 # - https://github.com/golang/go/blob/go1.9.1/src/net/conf.go#L194-L275

.docker/Dockerfile-sqlite

@@ -1,4 +1,4 @@
-FROM alpine:3.16
+FROM alpine:3.20
 
 # Because this image is built for SQLite, we create /home/ory and /home/ory/sqlite which is owned by the ory user
 # and declare /home/ory/sqlite a volume.
@@ -10,7 +10,8 @@ FROM alpine:3.16
 RUN addgroup -S ory; \
     adduser -S ory -G ory -D  -h /home/ory -s /bin/nologin; \
     chown -R ory:ory /home/ory && \
-    apk --no-cache --upgrade --latest add ca-certificates sqlite
+    apk upgrade --no-cache && \
+    apk add --no-cache --upgrade --latest ca-certificates sqlite
 
 WORKDIR /home/ory
 

.dockerignore

@@ -3,7 +3,6 @@
 docs
 node_modules
 .circleci
-.docker-home
 .github
 scripts
 sdk/js

.github/CODEOWNERS

@@ -1,3 +1,3 @@
-*            @aeneasr
+*            @aeneasr @hperl @alnr
 
 /docs/       @ory/documenters

.github/ISSUE_TEMPLATE/BUG-REPORT.yml

@@ -24,15 +24,21 @@ body:
             "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/hydra/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
         - label:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
+            Newsletter](https://www.ory.sh/l/sign-up-newsletter)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description:
+        "Enter the slug or API URL of the affected Ory Network project. Leave
+        empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: "A clear and concise description of what the bug is."
       label: "Describe the bug"

.github/ISSUE_TEMPLATE/DESIGN-DOC.yml

@@ -35,15 +35,21 @@ body:
             "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/hydra/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
         - label:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
+            Newsletter](https://www.ory.sh/l/sign-up-newsletter)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description:
+        "Enter the slug or API URL of the affected Ory Network project. Leave
+        empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description: |
         This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts.

.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml

@@ -28,15 +28,21 @@ body:
             "I have read and am following this repository's [Contribution
             Guidelines](https://github.com/ory/hydra/blob/master/CONTRIBUTING.md)."
           required: true
-        - label:
-            "This issue affects my [Ory Network](https://www.ory.sh/) project."
         - label:
             "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
             "I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
+            Newsletter](https://www.ory.sh/l/sign-up-newsletter)."
     id: checklist
     type: checkboxes
+  - attributes:
+      description:
+        "Enter the slug or API URL of the affected Ory Network project. Leave
+        empty when you are self-hosting."
+      label: "Ory Network Project"
+      placeholder: "https://<your-project-slug>.projects.oryapis.com"
+    id: ory-network-project
+    type: input
   - attributes:
       description:
         "Is your feature request related to a problem? Please describe."

.github/workflows/ci.yaml

@@ -23,9 +23,9 @@ jobs:
           # We must fetch at least the immediate parents so that if this is
           # a pull request then we can checkout the head.
           fetch-depth: 2
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
         with:
-          go-version: "1.19"
+          go-version: "1.22"
       - name: Start service
         run: ./test/conformance/start.sh
       - name: Run tests
@@ -49,15 +49,15 @@ jobs:
       - sdk-generate
     services:
       postgres:
-        image: postgres:11.8
+        image: postgres:16
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:8.0.26
+        image: mysql:8.0
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:
@@ -69,7 +69,7 @@ jobs:
     steps:
       - run: |
           docker create --name cockroach -p 26257:26257 \
-            cockroachdb/cockroach:v22.1.10 start-single-node --insecure
+            cockroachdb/cockroach:latest-v24.1 start-single-node --insecure
           docker start cockroach
         name: Start CockroachDB
       - uses: ory/ci/checkout@master
@@ -80,25 +80,26 @@ jobs:
           path: |
             internal/httpclient
           key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v4
         with:
-          go-version: "1.19"
+          go-version: "1.22"
       - run: go list -json > go.list
       - name: Run nancy
         uses: sonatype-nexus-community/[email protected]
+        with:
+          nancyVersion: v1.0.42
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
         env:
           GOGC: 100
         with:
           args: --timeout 10m0s
-          version: v1.47.3
-          skip-go-installation: true
+          version: v1.61.0
           skip-pkg-cache: true
       - name: Run go-acc (tests)
         run: |
           make .bin/go-acc
-          .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,json1
+          .bin/go-acc -o coverage.out ./... -- -failfast -timeout=20m -tags sqlite,sqlite_omit_load_extension
       - name: Submit to Codecov
         run: |
           bash <(curl -s https://codecov.io/bash)
@@ -122,9 +123,9 @@ jobs:
           path: |
             internal/httpclient
           key: ${{ needs.sdk-generate.outputs.sdk-cache-key }}
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
         with:
-          go-version: "1.19"
+          go-version: "1.22"
       - name: Setup HSM libs and packages
         run: |
           sudo apt install -y softhsm opensc
@@ -149,15 +150,15 @@ jobs:
         args: ["", "--jwt"]
     services:
       postgres:
-        image: postgres:11.8
+        image: postgres:16
         env:
           POSTGRES_DB: postgres
           POSTGRES_PASSWORD: test
           POSTGRES_USER: test
         ports:
           - 5432:5432
       mysql:
-        image: mysql:8.0.26
+        image: mysql:8.0
         env:
           MYSQL_ROOT_PASSWORD: test
         ports:
@@ -169,13 +170,13 @@ jobs:
     steps:
       - run: |
           docker create --name cockroach -p 26257:26257 \
-            cockroachdb/cockroach:v22.1.10 start-single-node --insecure
+            cockroachdb/cockroach:latest-v24.1 start-single-node --insecure
           docker start cockroach
         name: Start CockroachDB
       - uses: ory/ci/checkout@master
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
         with:
-          go-version: "1.19"
+          go-version: "1.22"
       - uses: actions/cache@v2
         with:
           path: ./test/e2e/hydra
@@ -254,7 +255,7 @@ jobs:
     steps:
       - uses: ory/ci/releaser/render-version-schema@master
         with:
-          schema-path: spec/config.json
+          schema-path: .schema/config.schema.json
           token: ${{ secrets.ORY_BOT_PAT }}
 
   newsletter-draft: