From 5fbcb0ebb51a54e6d72209e22f54dc56bcc0ba6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?T=C3=A9rence=20Chateign=C3=A9?=
Date: Fri, 3 Nov 2023 17:26:09 +0100
Subject: [PATCH] feat: add dockerfile and build ci

---
 .github/workflows/ci.yaml | 49 +++++++++++++++++++++++++++
 Dockerfile | 71 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 .github/workflows/ci.yaml
 create mode 100644 Dockerfile

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 00000000..4ae3f25d
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,49 @@
+name: Continuous Integration
+
+on:
+ push:
+ branches:
+ - main
+ tags:
+ - v*
+ pull_request:
+ branches:
+ - main
+
+env:
+ GO_VERSION: "1.20"
+
+jobs:
+ build-and-push:
+ name: Build & Push
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Login to GHCR
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Get Build timestamp and branch name
+ run: |
+ echo "BUILD_TIMESTAMP=$(date +'%s')" >> $GITHUB_ENV
+ echo "VERSION=$( echo ${{ github.head_ref || github.ref_name }} | tr '/' '-' )" >> $GITHUB_ENV
+
+ - name: Build and push
+ uses: docker/build-push-action@v4
+ with:
+ push: true
+ build-args: |
+ VERSION=${{ env.VERSION }}
+ BUILD_TIMESTAMP=${{ env.BUILD_TIMESTAMP }}
+ COMMIT_HASH=${{ github.sha }}
+ tags: |
+ ghcr.io/${{ github.repository }}:${{ env.VERSION }}
+ ghcr.io/${{ github.repository }}:${{ github.sha }}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 00000000..f9b47924
--- /dev/null
+++ b/Dockerfile
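Review bot: The "Get Build timestamp and branch name" step interpolates `${{ github.head_ref || github.ref_name }}` directly into the `run:` shell, so a branch name containing shell metacharacters is executed as part of the command; `github.head_ref` is chosen by the pull-request author and the workflow does trigger on `pull_request`. Pass the value through the environment and quote it instead: add `env: REF: ${{ github.head_ref || github.ref_name }}` to the step and use `echo "VERSION=$(echo "$REF" | tr '/' '-')" >> "$GITHUB_ENV"`. The workflow also declares no `permissions:` block while logging in to GHCR and pushing with `GITHUB_TOKEN`; adding `permissions: { contents: read, packages: write }` scopes the token to exactly what the push needs, and `push: ${{ github.event_name != 'pull_request' }}` would let pull requests build without publishing an image per PR branch. Pinning `actions/checkout`, `docker/setup-buildx-action`, `docker/login-action` and `docker/build-push-action` to full commit SHAs rather than the `@v3`/`@v2`/`@v4` tags makes the build reproducible against tag moves.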
@@ -0,0 +1,71 @@
+# Build the guacamole binary
+FROM docker.io/library/golang:1.20.7@sha256:bc5f0b5e43282627279fe5262ae275fecb3d2eae3b33977a7fd200c7a760d6f1 as builder
+ARG TARGETOS
+ARG TARGETARCH
+ARG PACKAGE=github.com/padok-team/guacamole
+ARG VERSION
+ARG COMMIT_HASH
+ARG BUILD_TIMESTAMP
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+RUN go mod download
+
+# Copy the go source
+COPY checks/ checks/
+COPY cmd/ cmd/
+COPY data/ data/
+COPY helpers/ helpers/
+COPY internal/ internal/
+COPY main.go main.go
+
+# Build
+# the GOARCH has not a default value to allow the binary be built according to the host where the command
+# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
+# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
+# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a \
+ -ldflags="\
+ -X ${PACKAGE}/internal/version.Version=${VERSION} \
+ -X ${PACKAGE}/internal/version.CommitHash=${COMMIT_HASH} \
+ -X ${PACKAGE}/internal/version.BuildTimestamp=${BUILD_TIMESTAMP}" \
+ -o bin/guacamole main.go
+
+FROM docker.io/library/alpine:3.18.2@sha256:82d1e9d7ed48a7523bdebc18cf6290bdb97b82302a8a9c27d4fe885949ea94d1
+
+WORKDIR /home/guacamole
+
+# Install required packages
+# RUN apk add --update --no-cache git bash openssh
+
+ENV UID=65532
+ENV GID=65532
+ENV USER=guacamole
+ENV GROUP=guacamole
+
+# Create a non-root user to run the app
+RUN addgroup \
+ -g $GID \
+ $GROUP && \
+ adduser \
+ --disabled-password \
+ --no-create-home \
+ --home $(pwd) \
+ --uid $UID \
+ --ingroup $GROUP \
+ $USER
+
+# Copy the binary to the production image from the builder stage
+COPY --from=builder /workspace/bin/guacamole /usr/local/bin/guacamole
+
+RUN chmod +x /usr/local/bin/guacamole
+
+# Use an unprivileged user
+USER 65532:65532
+
+# Run guacamole on container startup
+ENTRYPOINT ["guacamole"]
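Review bot: The four `ENV UID=65532` / `ENV GID=65532` / `ENV USER=guacamole` / `ENV GROUP=guacamole` lines in the alpine stage are consumed only by the `addgroup`/`adduser` step, yet `ENV` bakes them into the runtime environment of every container started from this image, and `USER=guacamole` overrides the conventional `$USER` variable for any shell run inside it; declaring them as `ARG UID=65532` and so on keeps them build-time only. The separate `RUN chmod +x /usr/local/bin/guacamole` creates a layer that duplicates the binary, and since `go build` output is presumably already executable it is likely a no-op; `COPY --from=builder --chmod=0755 /workspace/bin/guacamole /usr/local/bin/guacamole` sets the mode in the copy itself. The digest-pinned base images and the numeric `USER 65532:65532` are good; note that `WORKDIR /home/guacamole` is created root-owned before the user switch, so if the tool writes to its working directory at runtime it would need a `--chown`, which this hunk does not show.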