add a dockerfile and all the stuff to publish

Closes #131

Author: mattrobenolt

.dockerignore

@@ -0,0 +1,2 @@
+.venv
+dist/

.github/workflows/ci.yml

@@ -2,7 +2,8 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches:
+      - main
   pull_request:
 
 jobs:
@@ -23,11 +24,14 @@ jobs:
           cache-python: true
       - name: Install bats
         uses: bats-core/[email protected]
+        id: setup-bats
       - name: Install dependencies
         run: just sync
       - name: Run tests
         run: just test
       - name: Run bats
         run: just bats
+        env:
+          BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
       - name: Lint
         run: just lint

.github/workflows/docker.yml

@@ -0,0 +1,59 @@
+name: Docker
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: '0 0 * * 0' # Weekly on Sunday at midnight UTC
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Checkout latest tag on schedule
+        if: github.event_name == 'schedule'
+        run: |
+          git checkout $(git describe --tags --abbrev=0)
+
+      - uses: astral-sh/setup-uv@v7
+
+      - name: Get version
+        id: version
+        run: |
+          VERSION=$(uv version --short)
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/bake-action@v6
+        with:
+          push: ${{ github.event_name != 'pull_request' }}
+          set: |
+            *.cache-from=type=gha
+            *.cache-to=type=gha,mode=max
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+          LATEST_TAG: ${{ github.ref == 'refs/heads/main' && 'main' || 'latest' }}

Dockerfile

@@ -0,0 +1,29 @@
+FROM cgr.dev/chainguard/wolfi-base:latest AS build
+COPY --from=ghcr.io/astral-sh/uv:0.9 /uv /bin
+
+USER nonroot
+
+WORKDIR /app
+
+COPY . /app
+RUN uv sync \
+    --verbose --no-dev --all-extras --locked \
+    --no-cache-dir --no-editable --compile-bytecode \
+    && rm -rf /home/nonroot/.local/share/uv/python/cpython-*-gnu/share \
+    && rm -rf /home/nonroot/.local/share/uv/python/cpython-*-gnu/lib/tcl8* \
+    && rm -rf /home/nonroot/.local/share/uv/python/cpython-*-gnu/lib/libtcl8* \
+    && rm -rf /home/nonroot/.local/share/uv/python/cpython-*-gnu/lib/tk8* \
+    && rm -rf /home/nonroot/.local/share/uv/python/cpython-*-gnu/lib/libtk8*
+
+RUN /app/.venv/bin/jinja2 --version
+
+FROM cgr.dev/chainguard/wolfi-base:latest
+COPY --from=build --chown=nonroot:nonroot \
+    /home/nonroot/.local/share/uv/ /home/nonroot/.local/share/uv/
+COPY --from=build --chown=nonroot:nonroot \
+    /app/.venv/ /app/.venv/
+
+USER nonroot
+
+ENTRYPOINT ["/app/.venv/bin/jinja2"]
+CMD ["--help"]

Justfile

@@ -1,33 +1,76 @@
+[default]
+[private]
 default:
     @just --list
 
+[doc('Install all dependencies')]
+[group('dev')]
 sync:
     uv sync --all-groups --all-extras
 
+[doc('Format code')]
+[group('dev')]
+fmt:
+    uv run ruff check --select I --fix
+    uv run ruff format
+
+[doc('Remove build artifacts')]
+[group('dev')]
+clean:
+    rm -rf dist .pytest_cache .ruff_cache
+
+[doc('Run pytest tests')]
+[group('test')]
 test:
     uv run pytest -v
 
+[doc('Run bats integration tests')]
+[group('test')]
 bats:
     bats -T tests/bats
 
+[doc('Run all tests')]
+[group('test')]
 test-all: test bats
 
+[doc('Run linters')]
+[group('test')]
 lint:
     uv run ruff check
     uv run ty check
 
+[doc('Benchmark startup time')]
+[group('bench')]
 bench-startup:
     hyperfine --warmup 3 --min-runs 10 ".venv/bin/jinja2 --version"
 
-fmt:
-    uv run ruff check --select I --fix
-    uv run ruff format
+[doc('Build docker image')]
+[group('docker')]
+docker:
+    docker build --rm -t jinja2-cli .
 
+[doc('Print docker bake configuration')]
+[group('docker')]
+bake:
+    VERSION=$(uv version --short) LATEST_TAG=dev \
+        docker buildx bake --print
+
+[doc('Build distribution packages')]
+[group('release')]
 build: clean
     uv build
 
+[doc('Publish to PyPI')]
+[group('release')]
 publish: build
     uv publish
 
-clean:
-    rm -rf dist .pytest_cache .ruff_cache
+[doc('Bump version, commit, tag, and push')]
+[group('release')]
+bump kind:
+    git diff --quiet --exit-code
+    uv version --bump {{ kind }}
+    git commit -am "bump $(uv version --short)"
+    git tag -a "v$(uv version --short)" -a "v$(uv version --short)"
+    git push
+    git push origin "v$(uv version --short)"

docker-bake.hcl

@@ -0,0 +1,44 @@
+variable "VERSION" {
+  default = ""
+}
+
+variable "LATEST_TAG" {
+  default = "latest"
+}
+
+variable "REGISTRY" {
+  default = "ghcr.io/mattrobenolt/jinja2-cli"
+}
+
+function "major" {
+  params = [version]
+  result = split(".", version)[0]
+}
+
+function "minor" {
+  params = [version]
+  result = "${split(".", version)[0]}.${split(".", version)[1]}"
+}
+
+function "tags" {
+  params = [registry, version, latest_tag]
+  result = latest_tag != "latest" ? [
+    "${registry}:${latest_tag}"
+  ] : notequal("", version) ? [
+    "${registry}:${version}",
+    "${registry}:${minor(version)}",
+    "${registry}:${major(version)}",
+    "${registry}:${latest_tag}"
+  ] : ["${registry}:${latest_tag}"]
+}
+
+group "default" {
+  targets = ["jinja2-cli"]
+}
+
+target "jinja2-cli" {
+  context = "."
+  dockerfile = "Dockerfile"
+  platforms = ["linux/amd64", "linux/arm64"]
+  tags = tags(REGISTRY, VERSION, LATEST_TAG)
+}

docs/README.md

@@ -5,6 +5,8 @@ Start here, then drill down as needed.
 - Quickstart: [quickstart.md](quickstart.md)
 - Formats: [formats.md](formats.md)
 - Extensions: [extensions.md](extensions.md)
+- Filters: [filters.md](filters.md)
 - Examples: [examples.md](examples.md)
+- Docker: [docker.md](docker.md)
 - CLI reference: [cli.md](cli.md)
 - Development: [development.md](development.md)

docs/docker.md

@@ -0,0 +1,145 @@
+# Docker
+
+The official jinja2-cli Docker image is available at `ghcr.io/mattrobenolt/jinja2-cli`.
+
+## Installation
+
+Pull the latest image:
+
+```bash
+docker pull ghcr.io/mattrobenolt/jinja2-cli:latest
+```
+
+Or use a specific version:
+
+```bash
+docker pull ghcr.io/mattrobenolt/jinja2-cli:1.0.0
+```
+
+## Usage
+
+### Basic Example
+
+Mount your template and data files, then pass them as arguments:
+
+```bash
+docker run --rm \
+  -v $PWD:/workspace \
+  ghcr.io/mattrobenolt/jinja2-cli:latest \
+  /workspace/template.j2 /workspace/data.json
+```
+
+### Using stdin
+
+Pipe a template via stdin using stream mode:
+
+```bash
+echo 'Hello {{ name }}!' | docker run --rm -i \
+  ghcr.io/mattrobenolt/jinja2-cli:latest \
+  -S -D name=World
+```
+
+### With environment variables
+
+Pass environment variables and access them in templates:
+
+```bash
+docker run --rm \
+  -v $PWD:/workspace \
+  -e DATABASE=mysql \
+  -e VERSION=1.0 \
+  ghcr.io/mattrobenolt/jinja2-cli:latest \
+  /workspace/config.j2
+```
+
+Template:
+```jinja2
+database: {{ environ('DATABASE') }}
+version: {{ environ('VERSION') }}
+```
+
+### Output to file
+
+Redirect output to a file on the host:
+
+```bash
+docker run --rm \
+  -v $PWD:/workspace \
+  ghcr.io/mattrobenolt/jinja2-cli:latest \
+  /workspace/template.j2 /workspace/data.yaml --format yaml \
+  > output.txt
+```
+
+Or use the `-o` flag to write inside the container's filesystem:
+
+```bash
+docker run --rm \
+  -v $PWD:/workspace \
+  ghcr.io/mattrobenolt/jinja2-cli:latest \
+  /workspace/template.j2 /workspace/data.json \
+  -o /workspace/output.txt
+```
+
+### Multiple data files
+
+Mount multiple data files and they'll be deep merged:
+
+```bash
+docker run --rm \
+  -v $PWD:/workspace \
+  ghcr.io/mattrobenolt/jinja2-cli:latest \
+  /workspace/template.j2 \
+  /workspace/base.json \
+  /workspace/override.yaml \
+  /workspace/production.json
+```
+
+## Image Details
+
+- **Base**: Chainguard Wolfi (minimal, secure)
+- **Architectures**: `linux/amd64`, `linux/arm64`
+- **User**: Runs as non-root user
+- **Size**: ~90MB
+- **Includes**: All optional dependencies (yaml, toml, xml, hjson, json5)
+
+## Available Tags
+
+- `latest` - Latest stable release
+- `main` - Latest commit on main branch (development)
+- `1`, `1.0`, `1.0.0` - Semantic versioning tags
+
+## CI/CD Usage
+
+The image is useful in CI/CD pipelines for generating configuration files:
+
+### GitHub Actions
+
+```yaml
+- name: Generate config
+  run: |
+    docker run --rm \
+      -v ${{ github.workspace }}:/workspace \
+      ghcr.io/mattrobenolt/jinja2-cli:latest \
+      /workspace/config.j2 /workspace/vars.json \
+      -o /workspace/config.yml
+```
+
+### GitLab CI
+
+```yaml
+generate-config:
+  image: ghcr.io/mattrobenolt/jinja2-cli:latest
+  script:
+    - jinja2 template.j2 data.json -o config.yml
+  artifacts:
+    paths:
+      - config.yml
+```
+
+## Tips
+
+1. **Mount volumes** at `/workspace` or any path you prefer
+2. **Use absolute paths** for template and data files (e.g., `/workspace/file.j2`)
+3. **Stream mode** (`-S`) works great for piping templates via stdin
+4. **Environment variables** are accessible via `environ()` function in templates
+5. The image includes all optional format dependencies pre-installed