4d3cff6a16
* add compose.yaml
* add Dockerfile
* update README
* Dockerfile: uncomment CMD instruction
* add .dockerignore
* Dockerfile: use scratch image for second stage
* Dockerfile: use newer OpenSSL version (3.0.9)
* Dockerfile: use Alpine-based Rust image to skip building OpenSSL
* Dockerfile: expose to localhost only by default
* Dockerfile: allow building for different architectures (AMD64 and ARM64)
  Dockerfile now detects the architecture being used during the build process and templates in the correct Rust target architecture
* compose.yaml: include command line
* compose.yaml: listen on 127.0.0.1 only
* compose.yaml: remove healthcheck due to using scratch image
* README.md: restore old table format
* rename compose.yaml to docker-compose.yml
* docker-compose.yml: include version line
* update .dockerignore
* README.md: update Docker instructions to expose only on localhost
* add workflow to build and push container images to quay.io
* docker-compose.yml: harden configuration
* docker workflow: add paths-ignore section
* Dockerfile: let Rustup handle architecture detection
  More flexible as the build process will now automatically adapt to whatever architecture the container is being built on, without needing to explicitly list out each supported architecture
* Docker: further security hardening
  - Run as a non-privileged user within the scratch container
  - Add security_opt: - no-new-privileges:true to docker-compose.yml
* Dockerfile: Switch to Debian-based images and simplify build command
  - rust:1.80-alpine replaced with rust:1.80 for the builder stage
  - alpine:3.20 replaced with debian:12.6-slim for the user-stage
  - Build command simplified to use default target architecture
* Cargo.toml: correct note on optimisations
* docker-compose.yml: use quay.io image by default
* rename docker-compose.yml to docker-compose.yaml
* compose: build image from local repo by default
* Revert "Dockerfile: Switch to Debian-based images and simplify build command"
  This reverts commit ff9a37856463062f31af2d1aa00a87dc23bedb6c.
  Reasons for reverting:
  1. Compiling via musl is necessary to statically link dependencies and create a truly standalone Rust binary. [1]
  2. Alpine-based Rust images are required for the build stage because such systems support dynamic linking, which is also needed for statically-linked binaries. [2]
  3. Determining the target architecture and templating the correct value for the --target flag is necessary for the statically-linked binary to be built correctly. [2]

  [1]: https://doc.rust-lang.org/1.13.0/book/advanced-linking.html#linux
  [2]: https://github.com/rust-lang/rust/issues/40174#issuecomment-538791091
72 lines
2.2 KiB
YAML
name: Build and Push Docker Image

# Define when this workflow will run
on:
  push:
    branches:
      - master # Trigger on pushes to master branch
    tags:
      - '[0-9]+.[0-9]+.[0-9]+' # Trigger on semantic version tags
    paths-ignore:
      - 'Cargo.lock'
      - 'LICENSE'
      - 'README.md'
      - 'docker-compose.yml'
  workflow_dispatch: # Allow manual triggering of the workflow

# Define environment variables used throughout the workflow
env:
  REGISTRY: quay.io
  IMAGE_NAME: invidious/inv-sig-helper

jobs:
  build-and-push:
    runs-on: ubuntu-latest

    steps:
      # Step 1: Check out the repository code
      - name: Checkout code
        uses: actions/checkout@v3

      # Step 2: Set up QEMU for multi-architecture builds
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      # Step 3: Set up Docker Buildx for enhanced build capabilities
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      # Step 4: Authenticate with Quay.io registry
      - name: Log in to Quay.io
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

      # Step 5: Extract metadata for Docker image tagging and labeling
      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # Define tagging strategy
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}
            type=sha,prefix={{branch}}-
          # Define labels
          labels: |
            quay.expires-after=12w

      # Step 6: Build and push the Docker image
      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64 # Build for multiple architectures
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
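A review check for the workflow above, added here as an example and not part of the repository: every `uses:` line references a mutable version tag (`@v2`, `@v3`, `@v4`), which the action's publisher can repoint, while a full 40-character commit SHA cannot be moved. The script lists each action step, whether its ref is a commit SHA, and which `secrets.*` values the step receives. The `WORKFLOW` excerpt is a constructed subset of the file, and `audit` is a hypothetical helper using a line-based heuristic rather than a YAML parser.

```python
import re

# Constructed excerpt: three of the `uses:` steps from the workflow on this page.
WORKFLOW = """\
steps:
  # Step 1: Check out the repository code
  - name: Checkout code
    uses: actions/checkout@v3
  - name: Log in to Quay.io
    uses: docker/login-action@v2
    with:
      registry: ${{ env.REGISTRY }}
      username: ${{ secrets.QUAY_USERNAME }}
      password: ${{ secrets.QUAY_PASSWORD }}
  - name: Build and push Docker image
    uses: docker/build-push-action@v4
    with:
      push: true
"""

STEP_RE = re.compile(r"^\s*-\s+\S")                      # a list item opens a new step
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")  # action reference, minus any comment
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                   # full-length commit SHA
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)")

def audit(text):
    """Return one finding per action step: its ref, pin status, and secrets passed."""
    steps, cur = [], None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue                                     # skip whole-line comments
        if STEP_RE.match(line):
            cur = {"action": None, "ref": None, "secrets": []}
            steps.append(cur)
        if cur is None:
            continue
        m = USES_RE.match(line)
        if m:
            cur["action"], _, cur["ref"] = m.group(1).partition("@")
        cur["secrets"] += SECRET_RE.findall(line)
    findings = []
    for s in steps:
        if s["action"] is None or s["action"].startswith("./"):
            continue                                     # `run:` steps and local actions
        pinned = bool(SHA_RE.match(s["ref"]))
        # Highest priority: a movable ref that is handed a secret.
        findings.append({**s, "pinned": pinned,
                         "secret_to_mutable_ref": not pinned and bool(s["secrets"])})
    return findings

if __name__ == "__main__":
    for f in audit(WORKFLOW):
        print(f)
```

Run against the full workflow file, the step to pin first is the one flagged `secret_to_mutable_ref`, since it receives the registry credentials directly.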