feat: Docker build with amd64 and arm64 support (#290)

frrist · web-flow · commit bcaffd667ebc · 2026-03-11T12:38:43.000-07:00
Dockerfile with arm64 and amd64 targets Follows RFC https://github.com/storacha/RFC/blob/main/rfc/container-release-process.md
diff --git a/.dockerignore b/.dockerignore
@@ -1,9 +1,13 @@
+.git
+.env*
+*.md
+LICENSE
+LICENSE-*
+docker-compose*.yml
 .github
 deploy
 .tfworkspace
 build
 docs
 .goreleaser.yaml
 codecov.yml
-*.md
-LICENSE-*
diff --git a/.github/workflows/publish-ghcr.yml b/.github/workflows/publish-ghcr.yml
@@ -3,64 +3,154 @@ name: Container
 on:
   push:
     branches:
-      - 'main'
+      - main
     tags:
       - 'v*'
   workflow_run:
-    workflows: [ Releaser ]
+    workflows: [Releaser]
     types:
       - completed
   pull_request:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
+  # PR Build Check - validate Dockerfile compiles, single platform, no push
+  build-check:
+    if: github.event_name == 'pull_request'
+    name: Build Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build (amd64 only, no push)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: false
+          platforms: linux/amd64
+          cache-from: type=gha
+
+  # Prepare ref for Releaser workflow integration
   prepare-checkout:
-    if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
+    if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'
     name: Prepare ref
     runs-on: ubuntu-latest
     outputs:
-      ref: ${{ github.event_name != 'workflow_run' && github.ref || steps.releaser.outputs.version }}
+      ref: ${{ steps.releaser.outputs.version }}
     steps:
-      - name: Get Ref from releaser
+      - name: Get ref from Releaser
         id: releaser
-        if: github.event_name == 'workflow_run'
         uses: ipdxco/unified-github-workflows/.github/actions/inspect-releaser@v1.0
         with:
           artifacts-url: ${{ github.event.workflow_run.artifacts_url }}
-  publish:
-    name: Publish
-    needs: [ prepare-checkout ]
+
+  # Publish on push to main branch
+  publish-main:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    name: Publish (main)
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          ref: ${{ needs.prepare-checkout.outputs.ref }}
+        uses: actions/checkout@v4
+
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      - name: Log in to the Container registry
-        uses: docker/login-action@v2
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container registry
+        uses: docker/login-action@v3
         with:
-          registry: ghcr.io
+          registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
-          password: ${{ github.token }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
-          images: ghcr.io/${{ github.repository }}
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
-            type=semver,pattern={{raw}}
-            type=ref,event=branch
-            type=raw,value=${{ needs.prepare-checkout.outputs.ref }}
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v4
+            type=raw,value=main
+            type=sha,prefix=sha-,format=short
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
         with:
           context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-          push: ${{ github.event_name != 'pull_request' }}
+
+  # Publish on release tag (v*) - direct push or via Releaser
+  publish-release:
+    name: Publish (release)
+    needs: [prepare-checkout]
+    # Run if: direct tag push OR workflow_run completed successfully
+    # always() allows running even when prepare-checkout was skipped (direct tag push)
+    if: |
+      always() && !cancelled() && !failure() &&
+      ((github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) ||
+       (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success'))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Determine ref
+        id: ref
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_run" ]; then
+            echo "ref=${{ needs.prepare-checkout.outputs.ref }}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ steps.ref.outputs.ref }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=semver,pattern={{version}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,25 @@
-FROM golang:1.25-bookworm AS build
+# Build stage - use native platform for faster cross-compilation
+FROM --platform=$BUILDPLATFORM golang:1.25-bookworm AS build
 
-WORKDIR /indexing-service
+ARG TARGETARCH
+ARG TARGETOS=linux
 
-COPY go.* .
+WORKDIR /src
+
+# Copy dependency files first for better layer caching
+COPY go.mod go.sum ./
 RUN go mod download
+
+# Copy source code
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags="-w -s" -o indexer ./cmd
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -ldflags="-s -w" -o /app ./cmd
+
+FROM alpine:latest AS prod
+
+USER nobody
 
-FROM scratch
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=build /indexing-service/indexer /usr/bin/
+COPY --from=build /app /usr/bin/indexer
 
 EXPOSE 8080
 
