chore: set up docker buildx bake

Closes #417 Closes #584 Closes #658 Closes #630 Signed-off-by: Xe Iaso <me@xeiaso.net>
2025-09-15 07:36:31 -04:00 · 2025-07-19 04:57:42 +00:00 · 2025-07-19 04:57:42 +00:00 · 05bc02f6f6
commit 05bc02f6f6
parent 6b639cd911
5 changed files with 135 additions and 90 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,25 @@
+.env
+*.deb
+*.rpm
+
+# Additional package locks
+pnpm-lock.yaml
+yarn.lock
+
+# Go binaries and test artifacts
+main
+*.test
+
+node_modules
+
+# MacOS
+.DS_store
+
+# Intellij
+.idea
+
+# how does this get here
+doc/VERSION
+
+web/static/js/*
+!web/static/js/.gitignore
--- a/.github/workflows/docker-pr.yml
+++ b/.github/workflows/docker-pr.yml
@ -2,7 +2,7 @@ name: Docker image builds (pull requests)

 on:
  pull_request:
-    branches: [ "main" ]
+    branches: ["main"]

 env:
  DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@ -11,7 +11,7 @@ permissions:
  contents: read

 jobs:
-  build:
+  buildx-bake:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
@ -21,48 +21,17 @@ jobs:
          fetch-depth: 0
          persist-credentials: false

-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
-
-      - name: Install Brew dependencies
-        run: |
-          brew bundle
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ghcr.io/${{ github.repository }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Build and push
        id: build
-        run: |
-          npm ci
-          npm run container
-        env:
-          PULL_REQUEST_ID: ${{ github.event.number }}
-          DOCKER_REPO: ghcr.io/${{ github.repository }}
-          SLOG_LEVEL: debug
-
-      - run: |
-          echo "Test this with:"
-          echo "docker pull ${DOCKER_IMAGE}"
-        env:
-          DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }}
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
+        with:
+          source: .
+          push: true
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          set: |
+            anubis.tags=ttl.sh/techaro/pr-${{ github.event.number }}/anubis:24h
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -17,7 +17,7 @@ permissions:
  pull-requests: write

 jobs:
-  build:
+  buildx-bake:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout code
@ -27,33 +27,8 @@ jobs:
          fetch-depth: 0
          persist-credentials: false

-      - name: Set lowercase image name
-        run: |
-          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
-
-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
-
-      - name: Install Brew dependencies
-        run: |
-          brew bundle
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Log into registry
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@ -62,24 +37,13 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ${{ env.IMAGE }}
-
      - name: Build and push
        id: build
-        run: |
-          npm ci
-          npm run container
-        env:
-          DOCKER_REPO: ${{ env.IMAGE }}
-          SLOG_LEVEL: debug
-
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
        with:
-          subject-name: ${{ env.IMAGE }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
+          source: .
+          push: true
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          set: ""
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@ -0,0 +1,33 @@
+variable "ALPINE_VERSION" { default = "3.22" }
+variable "GITHUB_SHA" { default = "devel" }
+variable "VERSION" { default = "devel-docker" }
+
+group "default" {
+  targets = [
+    "anubis",
+  ]
+}
+
+target "anubis" {
+  args = {
+    ALPINE_VERSION = "3.22"
+    VERSION        = "${VERSION}"
+  }
+  context    = "."
+  dockerfile = "./docker/anubis.Dockerfile"
+  platforms = [
+    "linux/386",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/arm/v7",
+    "linux/ppc64le",
+    "linux/riscv64",
+  ]
+  pull       = true
+  sbom       = true
+  provenance = true
+  tags = [
+    "ghcr.io/techarohq/anubis:${VERSION}",
+    "ghcr.io/techarohq/anubis:main"
+  ]
+}
--- a/docker/anubis.Dockerfile
+++ b/docker/anubis.Dockerfile
@ -0,0 +1,54 @@
+ARG ALPINE_VERSION=edge
+FROM --platform=${BUILDPLATFORM} alpine:${ALPINE_VERSION} AS build
+
+RUN apk -U add go nodejs git build-base git npm bash zstd brotli gzip
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/root/go \
+  go mod download
+
+COPY package.json package-lock.json ./
+RUN \
+  --mount=type=cache,target=/app/node_modules \
+  npm ci
+
+COPY . .
+RUN \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/root/go \
+  --mount=type=cache,target=/app/node_modules \
+  npm run assets
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG VERSION=devel-docker
+
+RUN \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/root/go \
+  --mount=type=cache,target=/app/node_modules \
+  GOOS=${TARGETOS} \
+  GOARCH=${TARGETARCH} \
+  CGO_ENABLED=0 \
+  GOARM=7 \
+  go build \
+  -gcflags "all=-N -l" \
+  -o /app/bin/anubis \
+  -ldflags "-s -w -extldflags -static -X github.com/TecharoHQ/anubis.Version=${VERSION}" \
+  ./cmd/anubis
+
+FROM alpine:${ALPINE_VERSION} AS run
+WORKDIR /app
+
+RUN apk -U add ca-certificates mailcap
+
+COPY --from=build /app/bin/anubis /app/bin/anubis
+
+CMD ["/app/bin/anubis"]
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "/app/bin/anubis", "--healthcheck" ]
+
+LABEL org.opencontainers.image.source="https://github.com/TecharoHQ/anubis"