added container - resolves #94

robled · robled · commit 9fd3577dba56 · 2025-12-30T10:05:54.000-05:00
* Dockerfile for image build

* GitHub actions pushes to GitHub container registry

* Example docker-compose.yml with integrated Discord client for headless
  operation

* Updated README with info about it
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -0,0 +1,85 @@
+# https://docs.github.com/en/actions/tutorials/publish-packages/publish-docker-images#publishing-images-to-github-packages
+name: Create and publish a Docker image
+
+# Configures this workflow to run every time a change is pushed to the branch called `main`.
+on:
+  push:
+    branches: ['main']
+
+# Defines two custom environment variables for the workflow. These are used for the Container
+# registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of
+# Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+      #
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the
+      # account and password that will publish the packages. Once published, the packages are scoped
+      # to the account defined here.
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to
+      # extract tags and labels that will be applied to the specified image. The `id` "meta" allows
+      # the output of this step to be referenced in a subsequent step. The `images` value provides
+      # the base name for the tags and labels.
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # Tag as 'latest' only on default branch
+            type=raw,value=latest,enable={{is_default_branch}}
+            # Tag with branch name
+            type=ref,event=branch
+            # Tag with git SHA
+            type=sha,prefix={{branch}}-
+            # Tag with the git tag that triggered the workflow
+            type=ref,event=tag
+      # This step uses the `docker/build-push-action` action to build the image, based on your
+      # repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in
+      # the specified path. For more information, see
+      # [Usage](https://github.com/docker/build-push-action#usage) in the README of the
+      # `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from
+      # the "meta" step.
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # This step generates an artifact attestation for the image, which is an unforgeable statement
+      # about where and how it was built. It increases supply chain security for people who consume
+      # the image. For more information, see [Using artifact attestations to establish provenance
+      # for
+      # builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,25 @@
+FROM python:3.14-slim
+
+# Create a non-root user
+RUN groupadd -r app -g 1000 && \
+    useradd -r -u 1000 -g app app
+
+WORKDIR /app
+
+# Copy requirements first (better layer caching)
+COPY requirements.txt .
+
+# Install dependencies as root
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application code and set ownership
+COPY --chown=app:app . .
+
+# Make /app writable by appuser (for runtime file creation)
+RUN chown -R app:app /app
+
+# Switch to non-root user
+USER app
+
+# Run the application
+CMD ["python", "-u", "main.py"]
diff --git a/README.md b/README.md
@@ -90,6 +90,8 @@ follow the **setup** guide
 
 and for linux users, run the [Installer](#automatic-installer)
 
+for Docker users, see the [Docker](#docker) section at the bottom.
+
 for Nix/NixOS users, see the [Nix/NixOS](#nixnixos) section at the bottom.
 
 ## Setup
@@ -476,6 +478,14 @@ then run `crontab -e` and add `@reboot  /home/USER/startup.sh` to the end of the
 
 if you've done these steps the script should launch itself after your computer turns on.
 
+## Docker
+
+A Compose file example is available [here](docker-compose.yml).  The example includes the desktop
+Discord client provided by [kasmweb](https://hub.docker.com/r/kasmweb/discord) which will allow you
+to run a headless stack on a server without requiring a traditional desktop Discord client.
+
+The [config.json](#minimal) file is bind-mounted from the host filesystem to the necessary path in the `steam-presence` container.
+
 ## Nix/NixOS
 
 If you use Nix flakes, this repository provides a package and a NixOS module.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,37 @@
+services:
+  steam-presence:
+    image: ghcr.io/JustTemmie/steam-presence:latest
+    container_name: steam-presence
+    restart: unless-stopped
+    depends_on:
+      discord:
+        condition: service_healthy    # wait until discord passes its health‑check
+    volumes:
+      - tmp:/tmp
+      - ./config.json:/app/config.json
+
+  # https://hub.docker.com/r/kasmweb/discord
+  discord:
+    image: kasmweb/discord:1.16.0
+    container_name: discord
+    restart: unless-stopped
+    ports:
+      - 6901:6901/tcp
+    environment:
+      # username is 'kasm_user'
+      VNC_PW: changeme
+    shm_size: 512m
+    # check if the discord desktop app is running
+    healthcheck:
+      test: ["CMD", "curl", "127.0.0.1:6463"]
+      interval: 5s
+      timeout: 2s
+      retries: 6
+      start_period: 10s
+    volumes:
+      - tmp:/tmp
+      - kasm-user:/home/kasm-user
+
+volumes:
+  tmp:  # discord IPC socket is located in /tmp, so we share that dir to both containers
+  kasm-user:  # persist home directory of kasm user
