Create multiplatform image, add curl to image for healthcheck (#45)

hailey.at / cocoon

fork atom

An atproto PDS written in Go

fork atom

authored by

Aadi Desai and committed by

GitHub 3 months ago 113ced56 3bff74e0

+57 -9

2 changed files

expand all

unified split

.github

workflows

docker-image.yml

Dockerfile

+56 -8

.github/workflows/docker-image.yml

··· 14 15 jobs: 16 build-and-push-image: 17 - runs-on: ubuntu-latest 18 # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. 19 permissions: 20 contents: read 21 packages: write 22 attestations: write 23 id-token: write 24 - # 25 steps: 26 - name: Checkout repository 27 uses: actions/checkout@v4 ··· 41 with: 42 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 43 tags: | 44 - type=raw,value=latest,enable={{is_default_branch}} 45 - type=sha 46 - type=sha,format=long 47 - type=semver,pattern={{version}} 48 - type=semver,pattern={{major}}.{{minor}} 49 50 # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. 51 # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. ··· 59 tags: ${{ steps.meta.outputs.tags }} 60 labels: ${{ steps.meta.outputs.labels }} 61 62 # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." 63 - name: Generate artifact attestation 64 uses: actions/attest-build-provenance@v1 65 with: 66 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} 67 - subject-digest: ${{ steps.push.outputs.digest }} 68 push-to-registry: true

··· 14 15 jobs: 16 build-and-push-image: 17 + strategy: 18 + matrix: 19 + include: 20 + - arch: amd64 21 + runner: ubuntu-latest 22 + - arch: arm64 23 + runner: ubuntu-24.04-arm 24 + runs-on: ${{ matrix.runner }} 25 # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. 26 permissions: 27 contents: read 28 packages: write 29 attestations: write 30 id-token: write 31 + outputs: 32 + digest-amd64: ${{ matrix.arch == 'amd64' && steps.push.outputs.digest || '' }} 33 + digest-arm64: ${{ matrix.arch == 'arm64' && steps.push.outputs.digest || '' }} 34 steps: 35 - name: Checkout repository 36 uses: actions/checkout@v4 ··· 50 with: 51 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 52 tags: | 53 + type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.arch }} 54 + type=sha,suffix=-${{ matrix.arch }} 55 + type=sha,format=long,suffix=-${{ matrix.arch }} 56 + type=semver,pattern={{version}},suffix=-${{ matrix.arch }} 57 + type=semver,pattern={{major}}.{{minor}},suffix=-${{ matrix.arch }} 58 59 # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages. 60 # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. ··· 68 tags: ${{ steps.meta.outputs.tags }} 69 labels: ${{ steps.meta.outputs.labels }} 70 71 + publish-manifest: 72 + needs: build-and-push-image 73 + runs-on: ubuntu-latest 74 + permissions: 75 + packages: write 76 + attestations: write 77 + id-token: write 78 + steps: 79 + - name: Log in to the Container registry 80 + uses: docker/login-action@v3 81 + with: 82 + registry: ${{ env.REGISTRY }} 83 + username: ${{ github.actor }} 84 + password: ${{ secrets.GITHUB_TOKEN }} 85 + 86 + - name: Extract metadata (tags, labels) for Docker 87 + id: meta 88 + uses: docker/metadata-action@v5 89 + with: 90 + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 91 + tags: | 92 + type=raw,value=latest,enable={{is_default_branch}} 93 + type=sha 94 + type=sha,format=long 95 + type=semver,pattern={{version}} 96 + type=semver,pattern={{major}}.{{minor}} 97 + 98 + - name: Create and push manifest 99 + run: | 100 + # Split tags into an array 101 + readarray -t tags <<< "${{ steps.meta.outputs.tags }}" 102 + 103 + # Create and push manifest for each tag 104 + for tag in "${tags[@]}"; do 105 + docker buildx imagetools create -t "$tag" \ 106 + "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-image.outputs.digest-amd64 }}" \ 107 + "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-image.outputs.digest-arm64 }}" 108 + done 109 + 110 # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)." 111 - name: Generate artifact attestation 112 uses: actions/attest-build-provenance@v1 113 with: 114 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} 115 + subject-digest: ${{ needs.build-and-push-image.outputs.digest-amd64 }} 116 push-to-registry: true

+1 -1

Dockerfile

··· 11 ### Run stage 12 FROM debian:bookworm-slim AS run 13 14 - RUN apt-get update && apt-get install -y dumb-init runit ca-certificates && rm -rf /var/lib/apt/lists/* 15 ENTRYPOINT ["dumb-init", "--"] 16 17 WORKDIR /

··· 11 ### Run stage 12 FROM debian:bookworm-slim AS run 13 14 + RUN apt-get update && apt-get install -y dumb-init runit ca-certificates curl && rm -rf /var/lib/apt/lists/* 15 ENTRYPOINT ["dumb-init", "--"] 16 17 WORKDIR /