Build and publish container images

.github/workflows/build-and-push-stable-image.yml

@@ -0,0 +1,79 @@
+name: Build and Push Release Image
+
+# Configures this workflow to run for every new version tag
+on:
+  push:
+    tags: ["v*.*.*"]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Log into GHCR
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Extract version from tag name
+      # example: tag name `v1.0.0` sets env.VERSION=1.0.0
+      - name: Extract build args
+        run: |
+          echo "VERSION=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
+
+      # Set up QEMU for cross-compiling
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      # Set up docker-buildx for cross-compiling
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            balzack/databag
+            ghcr.io/balzack/databag
+          tags: |
+            type=semver,pattern={{version}},value=${{ env.VERSION }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ env.VERSION }}
+            type=raw,value=stable
+          flavor: |
+            latest=false
+          labels: |
+            org.opencontainers.image.version=${{ env.VERSION }}
+
+      # Build and push container image with associated labels and tags.
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # Generate attestation
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.github/workflows/build-and-push-test-image.yml

@@ -0,0 +1,69 @@
+name: Build and Push Test Image
+
+# Configures this workflow to run for every PR
+on:
+  pull_request:
+    branches: ["main"]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Log into GHCR
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Set up QEMU for cross-compiling
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      # Set up docker-buildx for cross-compiling
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            balzack/databag
+            ghcr.io/balzack/databag
+          tags: |
+            type=raw,value=test
+          flavor: |
+            latest=false
+
+      # Build and push container image with associated labels and tags.
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # Generate attestation
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

Dockerfile

@@ -2,12 +2,16 @@ FROM node:22-alpine AS node
 WORKDIR /app
 
 # Download the node dependencies first before adding the rest for caching
+# target=/usr/local/share/.cache/yarn/v6 is the default cache directory for yarn.
+# This can be obtained via `docker run -it node:22-alpine yarn cache dir`
+# sharing=locked: this will force docker to wait for each parallel build in sequence.
+# This prevents multi-architecture builds from running over each otther.
 COPY ./net/web/package.json ./net/web/yarn.lock ./
-RUN --mount=type=cache,target=/root/.yarn YARN_CACHE_FOLDER=/root/.yarn \
+RUN --mount=type=cache,target=/usr/local/share/.cache/yarn/v6,sharing=locked \
   yarn --frozen-lockfile
 
 COPY ./net/web/ ./
-RUN --mount=type=cache,target=/root/.yarn YARN_CACHE_FOLDER=/root/.yarn \
+RUN --mount=type=cache,target=/usr/local/share/.cache/yarn/v6,sharing=locked \
   yarn run build
 
 FROM golang:alpine AS go
@@ -24,22 +28,16 @@ COPY ./net/server /app/databag/net/server
 COPY ./net/transform /opt/databag/transform
 
 WORKDIR /app/databag/net/server
-RUN --mount=type=cache,target=/go/pkg/mod \
-  if [ -n "${DATABAG_GOARCH}" ]; then GOARCH=${DATABAG_GOARCH}; fi; \
-  if [ -n "${DATABAG_GOOS}" ]; then GOOS=${DATABAG_GOOS}; fi; \
-  go mod download
+RUN --mount=type=cache,target=/go/pkg/mod go mod download
 
 ARG DATABAG_GOARCH
 ARG DATABAG_GOOS
 
-RUN --mount=type=cache,target=/go/pkg/mod \
-  if [ -n "${DATABAG_GOARCH}" ]; then GOARCH=${DATABAG_GOARCH}; fi; \
-  if [ -n "${DATABAG_GOOS}" ]; then GOOS=${DATABAG_GOOS}; fi; \
-  CGO_ENABLED=1 go build -o databag .
+RUN --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=1 go build -o databag .
 
 COPY --from=node /app/build /app/databag/net/web/build
 
 ENV DEV=0
 ENV ADMIN=password
 
-ENTRYPOINT /app/databag/net/server/entrypoint.sh
+ENTRYPOINT ["/app/databag/net/server/entrypoint.sh"]

README.md

@@ -56,11 +56,31 @@ Read the [Design Guidelines](https://github.com/balzack/databag/blob/main/.desig
 
 ## Installation
 
-To use databag, you will need a DNS name pointing to your node with a certificate. You can deploy a node manually, but you will have a much easier time using a container service. Containers for arm64 and amd64 are available [here](https://hub.docker.com/r/balzack/databag/tags). 
+To use databag, you will need a DNS name pointing to your node with a certificate. You can deploy a node manually, but you will have a much easier time using a container service. Containers for arm64 and amd64 are available [here](https://github.com/balzack/databag/pkgs/container/databag). 
 
 ### Docker Compose 
 
-Launch with dockerhub container using docker compose:
+#### Example Compose File
+```shell
+services:
+  databag:
+    container_name: databag
+    image: ghcr.io/balzack/databag:main
+    ports:
+      - "7000:7000"
+    volumes:
+      - ./data:/var/lib/databag
+    restart: unless-stopped
+```
+
+#### Example Docker Run Command
+```shell
+docker run -d \
+  -v "$(pwd)/data:/var/lib/databag" \
+  -p "7000:7000" \
+  ghcr.io/balzack/databag:main
+```
+
 
 #### Standard launch
 ```shell

docker-compose.yml

@@ -3,14 +3,6 @@ name: databag
 services:
   app:
     build: .
-
-    # # For building cross environment containers
-    # build:
-    #   context: .
-    #   args:
-    #     DATABAG_GOARCH: arm64
-    #     DATABAG_GOOS: linux
-    # platform: "linux/arm64"
     ports:
       - 127.0.0.1:7000:7000
     volumes:

net/repeater/Dockerfile

@@ -6,4 +6,4 @@ RUN go mod download
 COPY . .
 RUN go build -o repeater .
 EXPOSE 7878
-ENTRYPOINT ./repeater
+ENTRYPOINT ["./repeater"]