Add GitHub Actions for GHCR.io image publishing and SOCKS5 outgoing proxy support

[Copilot]

Implements automated Docker image builds to GHCR.io and adds SOCKS5 outgoing proxy configuration for routing traffic through upstream proxies.

GitHub Actions Workflow

• Publishes to ghcr.io/xrh0905/mtprotoproxy on push to edge branch
• Multi-tag strategy: branch names, semver, SHA, and latest for edge
• Build caching via GitHub Actions cache
• PR builds without publishing

SOCKS5 Proxy Support

Added environment variable configuration for outgoing SOCKS5 proxy in config.py:

SOCKS5_HOST = os.environ.get("SOCKS5_HOST", None)
SOCKS5_PORT = int(os.environ.get("SOCKS5_PORT", 0)) if os.environ.get("SOCKS5_PORT", "").isdigit() else None
SOCKS5_USER = os.environ.get("SOCKS5_USER", None)
SOCKS5_PASS = os.environ.get("SOCKS5_PASS", None)

Docker Compose example:

environment:
  - SOCKS5_HOST=proxy.example.com
  - SOCKS5_PORT=1080
  - SOCKS5_USER=username
  - SOCKS5_PASS=password

Note: SOCKS5 mode disables middle proxy and uvloop (incompatible).

Documentation Updates

• Pre-built image usage instructions with GHCR pull commands
• Docker Compose examples updated to v3.8
• Repository references updated from alexbers to xrh0905, branch from stable to edge
• SOCKS5 configuration examples for config.py, environment variables, and Docker Compose

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add GHCR.io image Actions</issue_title>
<issue_description>Add github actions for automated image pack
Update README
</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Add GHCR.io image Actions #3

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

This PR adds automated Docker image packaging via GitHub Actions and introduces SOCKS5 outgoing proxy support to the MTProto proxy. The workflow builds and publishes images to GitHub Container Registry (GHCR.io) on pushes to the edge branch and version tags. The PR also updates documentation to guide users on using pre-built images and configuring SOCKS5 proxies.

Key Changes:

• GitHub Actions workflow for automated Docker image building and publishing to GHCR.io
• SOCKS5 proxy configuration support via environment variables in config.py
• Comprehensive documentation updates for Docker usage and SOCKS5 configuration

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.

File	Description
.github/workflows/docker-publish.yml	Adds CI/CD pipeline for building and publishing Docker images to GHCR with multi-tag strategy
config.py	Introduces SOCKS5 proxy configuration variables with environment variable support
README.md	Updates documentation with GHCR image usage instructions, Docker Compose examples, and SOCKS5 configuration guide

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The tagging strategy includes type=sha,prefix={{branch}}- which will attempt to use {{branch}} as a literal prefix. The docker/metadata-action doesn't support {{branch}} as a template variable in the prefix. This will result in tags like {{branch}}-abc1234 instead of edge-abc1234.

Consider using one of these approaches:

• Remove the SHA tagging: delete line 51
• Use a fixed prefix: type=sha,prefix=edge- (but this only works for the edge branch)
• Use type=sha without a prefix for simpler SHA-based tags

Suggested change

	type=sha,prefix={{branch}}-
	type=sha,prefix=edge-

[Copilot]

Spelling error: "automaticaly" should be "automatically".

Suggested change

	- several times, clients will be automaticaly balanced between instances
	- several times, clients will be automatically balanced between instances

[Copilot]

The volumes section is indented with 8 spaces instead of 4 spaces, which is inconsistent with the rest of the YAML structure and violates YAML best practices. All keys at the same level should have the same indentation.

Change:

    volumes:
        - ./config.py:/home/tgproxy/config.py

To:

    volumes:
      - ./config.py:/home/tgproxy/config.py

Suggested change

	- ./config.py:/home/tgproxy/config.py
	- ./config.py:/home/tgproxy/config.py

[Copilot]

The volumes section is indented with 8 spaces instead of 4 spaces, which is inconsistent with the rest of the YAML structure and violates YAML best practices. All keys at the same level should have the same indentation.

Change:

    volumes:
        - ./config.py:/home/tgproxy/config.py

To:

    volumes:
      - ./config.py:/home/tgproxy/config.py

Suggested change

	- ./config.py:/home/tgproxy/config.py
	- ./config.py:/home/tgproxy/config.py

[Copilot]

[nitpick] The documentation shows example credentials (TG_KEY, SOCKS5_USER, SOCKS5_PASS) but doesn't emphasize strongly enough that these are placeholder values that MUST be changed. While there is a comment on line 44 about replacing values, sensitive credentials like SOCKS5_USER and SOCKS5_PASS in the SOCKS5 example (lines 128-129) lack this warning.

Consider adding a similar comment in the SOCKS5 Docker Compose example to make it clear these are placeholder values:

    environment: 
      # Replace these values with your own configuration
      - TG_KEY=00000000000000000000000000000001
      - SECURE_ONLY=true
      - TLS_ONLY=true
      - TLS_DOMAIN=www.drive.google.com
      # SOCKS5 proxy configuration - replace with your actual SOCKS5 proxy details
      - SOCKS5_HOST=your.socks5.server.com

Suggested change

	# SOCKS5 proxy configuration
	- SOCKS5_HOST=your.socks5.server.com
	- SOCKS5_PORT=1080
	# SOCKS5 proxy configuration - replace with your actual SOCKS5 proxy details
	- SOCKS5_HOST=your.socks5.server.com
	- SOCKS5_PORT=1080
	# Replace these placeholder credentials with your actual SOCKS5 username and password

[Copilot]

[nitpick] The workflow doesn't include any security scanning or vulnerability checking for the built Docker images. Consider adding a security scanning step using tools like Trivy or Snyk to detect vulnerabilities before pushing images to the registry.

Example addition after the build step:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
          format: 'sarif'
          output: 'trivy-results.sarif'

Suggested change

	cache-to: type=gha,mode=max
	cache-to: type=gha,mode=max
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
	format: 'sarif'
	output: 'trivy-results.sarif'

[Copilot]

The SOCKS5_PORT handling has a logical issue. If SOCKS5_PORT is set to "0" (a valid string that is all digits), isdigit() returns True and int(0) is 0, which is a falsy value. This means the condition if config.SOCKS5_HOST and config.SOCKS5_PORT: in mtprotoproxy.py (line 325) won't activate SOCKS5 mode even though port 0 was specified. While port 0 is unusual, if specified, it should either be rejected with an error or properly handled.

Consider validating the port range explicitly:

SOCKS5_PORT = int(os.environ.get("SOCKS5_PORT", 0)) if os.environ.get("SOCKS5_PORT", "").isdigit() and int(os.environ.get("SOCKS5_PORT", 0)) > 0 else None

Suggested change

	SOCKS5_PORT = int(os.environ.get("SOCKS5_PORT", 0)) if os.environ.get("SOCKS5_PORT", "").isdigit() else None
	SOCKS5_PORT = (
	int(os.environ.get("SOCKS5_PORT", 0))
	if os.environ.get("SOCKS5_PORT", "").isdigit()
	and 1 <= int(os.environ.get("SOCKS5_PORT", 0)) <= 65535
	else None
	)