Add GitHub Actions for Docker image publishing to ghcr.io/sirosfoundation

leifj · leifj · commit c731d41a49a4 · 2026-01-06T13:36:25.000+01:00
- Add docker-publish.yml workflow for building and pushing images
- Add multi-stage Dockerfile for containerized builds
- Update release.yml with packages permission and ghcr.io login
- Update goreleaser config to use sirosfoundation org
- Remove Dockerfile from .gitignore
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,66 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: sirosfoundation/go-trust
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,prefix=
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,25 +7,33 @@ on:
 
 permissions:
   contents: write
+  packages: write
 
 jobs:
   release:
     name: Create Release
     runs-on: ubuntu-latest
     
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
-        go-version: '1.20'
+        go-version: '1.23'
         cache: true
     
+    - name: Log in to Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v4
+      uses: goreleaser/goreleaser-action@v6
       with:
         distribution: goreleaser
         version: latest
@@ -34,7 +42,7 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     
     - name: Upload artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: binaries
         path: dist/*
diff --git a/.gitignore b/.gitignore
@@ -40,7 +40,6 @@ testdata/postgres
 bin/
 dist/
 build/
-Dockerfile
 
 # Temporary files
 tmp/
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -50,8 +50,8 @@ changelog:
 
 dockers:
   - image_templates:
-      - "ghcr.io/sunet/{{ .ProjectName }}:{{ .Version }}"
-      - "ghcr.io/sunet/{{ .ProjectName }}:latest"
+      - "ghcr.io/sirosfoundation/{{ .ProjectName }}:{{ .Version }}"
+      - "ghcr.io/sirosfoundation/{{ .ProjectName }}:latest"
     dockerfile: Dockerfile.goreleaser
     build_flag_templates:
       - "--label=org.opencontainers.image.created={{.Date}}"
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,41 @@
+# Build stage
+FROM golang:1.23-alpine AS builder
+
+WORKDIR /app
+
+# Install git for fetching dependencies with replace directives
+RUN apk add --no-cache git ca-certificates
+
+# Copy go mod files
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build with version information
+ARG VERSION=dev
+ARG COMMIT=unknown
+ARG BUILD_DATE=unknown
+
+RUN CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags="-s -w -X github.com/sirosfoundation/go-trust/pkg/version.Version=${VERSION} -X github.com/sirosfoundation/go-trust/pkg/version.Commit=${COMMIT} -X github.com/sirosfoundation/go-trust/pkg/version.Date=${BUILD_DATE}" \
+    -o gt ./main.go
+
+# Runtime stage - using distroless for minimal attack surface
+FROM gcr.io/distroless/static-debian12
+
+WORKDIR /app
+
+# Copy binary from builder
+COPY --from=builder /app/gt /app/gt
+
+# Copy example configuration (optional, can be overridden at runtime)
+COPY --from=builder /app/example /app/example
+
+USER nonroot:nonroot
+
+EXPOSE 8080
+
+ENTRYPOINT ["/app/gt"]
+CMD ["serve"]
