feat(Docker): add Docker support with multi-arch builds and automated publishing workflow

chris2k20 · chris2k20 · commit 6c67b4d3808b · 2025-10-10T11:56:25.000+02:00
7m ago add a awesome Dockerfile and github action that will build the image and publish it to dockerhub only use the imapbackup38.py I'll scan the repository to understand imapbackup38.py's dependencies and runtime requirements so the Dockerfile can be correct, and then add a Dockerfile, a .dockerignore, and a GitHub Actions workflow that builds and publishes to Docker Hub. I'll create three files: Dockerfile to containerize imapbackup38.py with sane defaults and optional GPG/AWS CLI support. .dockerignore to keep the image small. GitHub Actions workflow to build multi-arch images and push to Docker Hub using repo secrets. I'll also set up a small TODO list to track progress. 1 Create Dockerfile that runs imapbackup38.py as entrypoint (non-root, tini, optional GPG and AWS CLI) Add .dockerignore to reduce build context (ignore backups, __pycache__, VCS) Add GitHub Actions workflow to build multi-arch image and publish to Docker Hub I'll create three new files: Dockerfile at the repository root that only includes and runs imapbackup38.py , with optional GPG and AWS CLI support. .dockerignore to restrict build context to imapbackup38.py and docker files. A GitHub Actions workflow to build multi-arch images and push to Docker Hub using repository secrets. I'll now generate these files. Dockerfile new +51 .dockerignore new +10 docker-publish.yml new +61 Added Docker support and CI publish I created: Dockerfile .dockerignore .github/workflows/docker-publish.yml The image only includes and runs imapbackup38.py . Optional tools for features used by the script are preinstalled: gnupg (GPG encryption) and awscli (S3 upload). Files imapbackup/Dockerfile Base: python:3.12-slim Installs: tini, gnupg, ca-certificates, awscli Copies only imapbackup38.py Runs as non-root user app Default workdir: /data (mount your backup volume here) Entry: tini -- /app/imapbackup38.py Labels include repo and revision when passed via build-args imapbackup/.dockerignore Excludes everything by default, allows: imapbackup38.py , Dockerfile , .dockerignore , LICENSE , README.md imapbackup/.github/workflows/docker-publish.yml Builds multi-arch images (linux/amd64, linux/arm64) with Buildx Pushes to Docker Hub on pushes to main /master and on tags Uses metadata-action for sensible tags (branch, tag, SHA) Reads Docker Hub credentials from repo secrets How to use Build locally bash docker build \ --build-arg GIT_SHA=$(git rev-parse --short HEAD) \ --build-arg GITHUB_REPOSITORY=$(git config --get remote.origin.url | sed 's|.*github.com[:/]$.*$\.git|\1|') \ -t youruser/imapbackup:dev . Run bash # Backup mboxes into ./backup on host docker run --rm -it \ -v "$PWD/backup:/data" \ youruser/imapbackup:dev \ --ssl \ --server imap.example.com:993 \ --user you@example.com \ --pass '@/run/secrets/imap_pass' \ --mbox-dir /data \ --nospinner GPG encryption (optional) bash # mount your GPG keyring so the recipient key is available inside docker run --rm -it \ -v "$PWD/backup:/data" \ -v "$HOME/.gnupg:/home/app/.gnupg:ro" \ youruser/imapbackup:dev \ --gpg-encrypt --gpg-recipient you@example.com \ ... usual flags ... S3 upload (optional) bash docker run --rm -it \ -v "$PWD/backup:/data" \ youruser/imapbackup:dev \ --s3-upload \ --s3-endpoint https://s3.example.com \ --s3-bucket my-bucket \ --s3-access-key AKIA... \ --s3-secret-key SECRET... \ --s3-prefix backups/imap \ ... usual flags ... GitHub Actions setup Create repo secrets: DOCKERHUB_USERNAME: your Docker Hub username DOCKERHUB_TOKEN: a Docker Hub access token with write permissions Default image name: docker.io/${DOCKERHUB_USERNAME}/imapbackup Pushes to main /master or tags will build and publish. PRs build but do not push. Notes The image writes mboxes to /data by default. Mount a host directory there with -v $PWD/backup:/data or another path of your choice. Only imapbackup38.py is copied into the image as requested. Summary Implemented Dockerfile, .dockerignore, and GitHub Actions workflow for multi-arch build and automatic publish to Docker Hub. Image runs only imapbackup38.py , includes optional tools needed by the script. Provide run/build instructions and required repository secrets.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,9 @@
+# Exclude everything by default
+*
+
+# Allow only what the image actually needs
+!imapbackup38.py
+!Dockerfile
+!.dockerignore
+!LICENSE
+!README.md
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,60 @@
+name: Build and Publish Docker image
+
+on:
+  push:
+    branches: [ "main", "master" ]
+    tags: [ "v*", "release-*" ]
+  workflow_dispatch: {}
+
+env:
+  IMAGE_NAME: docker.io/${{ secrets.DOCKERHUB_USERNAME }}/imapbackup
+
+jobs:
+  docker:
+    name: Build and Publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU (multi-arch)
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=ref,event=tag
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            GIT_SHA=${{ github.sha }}
+            GITHUB_REPOSITORY=${{ github.repository }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,50 @@
+# syntax=docker/dockerfile:1
+
+FROM python:3.12-slim
+
+# Build-time args for labeling
+ARG GIT_SHA=unknown
+ARG GITHUB_REPOSITORY=unknown
+
+# Environment for reliable Python behavior
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_NO_CACHE_DIR=1
+
+# Install minimal runtime deps
+# - tini: proper signal handling (PID 1)
+# - gnupg: optional GPG encryption used by the script
+# - ca-certificates: sane TLS defaults
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+       tini gnupg ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Optional S3 support via AWS CLI (pure Python, multi-arch friendly)
+RUN pip install --no-cache-dir awscli
+
+# Create non-root user and working dirs
+RUN useradd -r -u 10001 -m app \
+    && mkdir -p /app /data \
+    && chown -R app:app /app /data
+
+# Copy ONLY the requested script
+WORKDIR /app
+COPY imapbackup38.py /app/imapbackup38.py
+RUN chmod +x /app/imapbackup38.py
+
+USER app
+
+# Default data directory where mboxes will be written (mount a volume here)
+WORKDIR /data
+VOLUME ["/data"]
+
+# OCI labels
+LABEL org.opencontainers.image.title="imapbackup" \
+      org.opencontainers.image.description="IMAP incremental backup tool packaged as a container. Runs imapbackup38.py only." \
+      org.opencontainers.image.licenses="MIT" \
+      org.opencontainers.image.source="https://github.com/${GITHUB_REPOSITORY}" \
+      org.opencontainers.image.revision="${GIT_SHA}"
+
+# Use tini as entrypoint and forward args to the script
+ENTRYPOINT ["tini","--","/app/imapbackup38.py"]
