temporalio · chaptersix · Nov 20, 2025 · Nov 20, 2025 · Nov 20, 2025 · Nov 20, 2025
@@ -0,0 +1 @@
+build/
@@ -0,0 +1,34 @@
+# syntax=docker/dockerfile:1
+
+ARG ALPINE_IMAGE
+ARG BUILDARCH
+
+# Build stage - copy binaries from goreleaser output
+FROM --platform=$BUILDARCH scratch AS dist
+COPY dist/nix_linux_amd64_v1/temporal /dist/amd64/temporal
+COPY dist/nix_linux_arm64_v8.0/temporal /dist/arm64/temporal
+
+# Stage to extract CA certificates and create user files
+FROM ${ALPINE_IMAGE} AS certs
+RUN apk add --no-cache ca-certificates && \
+    adduser -u 1000 -D temporal
+
+# Final stage - minimal scratch-based image
+FROM scratch
+
+ARG TARGETARCH
+
+# Copy CA certificates from certs stage
+COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+# Copy passwd and group files for non-root user
+COPY --from=certs /etc/passwd /etc/passwd
+COPY --from=certs /etc/group /etc/group
+
+# Copy the appropriate binary for target architecture
+COPY --from=dist /dist/$TARGETARCH/temporal /temporal
+
+# Run as non-root user temporal (uid 1000)
+USER 1000:1000
+
+ENTRYPOINT ["/temporal"]
@@ -0,0 +1,55 @@
+variable "IMAGE_REPO" {
+  default = "ghcr.io"
+}
+
+variable "IMAGE_NAMESPACE" {
+  default = ""
+}
+
+variable "IMAGE_NAME" {
+  default = "temporal"
+}
+
+variable "IMAGE_SHA_TAG" {}
+
+variable "IMAGE_BRANCH_TAG" {}
+
+variable "CLI_SHA" {
+  default = ""
+}
+
+variable "VERSION" {
+  default = "dev"
+}
+
+variable "TAG_LATEST" {
+  default = false
+}
+
+# Alpine base image with digest for reproducible builds
+variable "ALPINE_IMAGE" {
+  default = "alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412"
+}
+
+target "cli" {
+  dockerfile = ".github/docker/cli.Dockerfile"
+  context = "."
+  tags = compact([
+    IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:${IMAGE_SHA_TAG}" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${IMAGE_SHA_TAG}",
+    IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${VERSION}",
+    TAG_LATEST ? (IMAGE_REPO == "" ? "${IMAGE_NAMESPACE}/${IMAGE_NAME}:latest" : "${IMAGE_REPO}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:latest") : "",
+  ])
+  platforms = ["linux/amd64", "linux/arm64"]
+  args = {
+    ALPINE_IMAGE = "${ALPINE_IMAGE}"
+  }
+  labels = {
+    "org.opencontainers.image.title" = "temporal"
+    "org.opencontainers.image.description" = "Temporal CLI"
+    "org.opencontainers.image.url" = "https://github.com/temporalio/cli"
+    "org.opencontainers.image.source" = "https://github.com/temporalio/cli"
+    "org.opencontainers.image.licenses" = "MIT"
+    "org.opencontainers.image.revision" = "${CLI_SHA}"
+    "org.opencontainers.image.created" = timestamp()
+  }
+}
@@ -0,0 +1,235 @@
+name: Build and Publish (Reusable)
+
+on:
+  workflow_call:
+    inputs:
+      publish:
+        description: "Whether to publish the release and Docker image"
+        required: true
+        type: boolean
+      version:
+        description: "Version tag for the release (required if publish is true)"
+        required: false
+        type: string
+      registry:
+        description: "Container registry (docker.io, ghcr.io, etc.)"
+        required: false
+        type: string
+        default: ""
+      registry_namespace:
+        description: "Registry namespace/organization"
+        required: false
+        type: string
+        default: ""
+      image_name:
+        description: "Image name"
+        required: false
+        type: string
+        default: "temporal"
+    secrets:
+      DOCKER_USERNAME:
+        required: false
+      DOCKER_PASSWORD:
+        required: false
+
+jobs:
+  build:
+    name: Build and Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+        with:
+          go-version-file: "go.mod"
+          check-latest: true
+          cache: true
+
+      - name: Get build date
+        id: date
+        run: echo "date=$(date '+%F-%T')" >> $GITHUB_OUTPUT
+
+      - name: Get build unix timestamp
+        id: timestamp
+        run: echo "timestamp=$(date '+%s')" >> $GITHUB_OUTPUT
+
+      - name: Get git branch
+        id: branch
+        run: echo "branch=$(git rev-parse --abbrev-ref HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Get build platform
+        id: platform
+        run: echo "platform=$(go version | cut -d ' ' -f 4)" >> $GITHUB_OUTPUT
+
+      - name: Get Go version
+        id: go
+        run: echo "go=$(go version | cut -d ' ' -f 3)" >> $GITHUB_OUTPUT
+
+      - name: Run GoReleaser (release)
+        if: inputs.publish
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: v2.12.7
+          args: release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BUILD_DATE: ${{ steps.date.outputs.date }}
+          BUILD_TS_UNIX: ${{ steps.timestamp.outputs.timestamp }}
+          GIT_BRANCH: ${{ steps.branch.outputs.branch }}
+          BUILD_PLATFORM: ${{ steps.platform.outputs.platform }}
+          GO_VERSION: ${{ steps.go.outputs.go }}
+
+      - name: Run GoReleaser (snapshot)
+        if: ${{ !inputs.publish }}
+        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+        with:
+          version: v2.12.7
+          args: release --snapshot --clean
+        env:
+          BUILD_DATE: ${{ steps.date.outputs.date }}
+          BUILD_TS_UNIX: ${{ steps.timestamp.outputs.timestamp }}
+          GIT_BRANCH: ${{ steps.branch.outputs.branch }}
+          BUILD_PLATFORM: ${{ steps.platform.outputs.platform }}
+          GO_VERSION: ${{ steps.go.outputs.go }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Get build metadata
+        id: meta
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
+          INPUT_PUBLISH: ${{ inputs.publish }}
+          INPUT_REGISTRY: ${{ inputs.registry }}
+          INPUT_REGISTRY_NAMESPACE: ${{ inputs.registry_namespace }}
+          INPUT_IMAGE_NAME: ${{ inputs.image_name }}
+          REPO_OWNER: ${{ github.repository_owner }}
+        run: |
+          echo "cli_sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+          echo "image_sha_tag=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+          echo "image_branch_tag=$(git rev-parse --abbrev-ref HEAD)" >> $GITHUB_OUTPUT
+
+          if [[ "$INPUT_PUBLISH" == "true" ]]; then
+            # Get version from input, strip 'v' prefix
+            VERSION="$INPUT_VERSION"
+            VERSION="${VERSION#v}"
+            echo "version=$VERSION" >> $GITHUB_OUTPUT
+          else
+            echo "version=snapshot" >> $GITHUB_OUTPUT
+          fi
+
+          # Determine registry (with auto-detection for temporalio vs forks)
+          REGISTRY="$INPUT_REGISTRY"
+          if [[ -z "$REGISTRY" ]]; then
+            if [[ "$REPO_OWNER" == "temporalio" ]]; then
+              REGISTRY="docker.io"
+            else
+              REGISTRY="ghcr.io"
+            fi
+          fi
+
+          # Determine registry type for authentication
+          if [[ "$REGISTRY" == "ghcr.io" ]]; then
+            echo "registry_type=ghcr" >> $GITHUB_OUTPUT
+          elif [[ "$REGISTRY" == "docker.io" ]]; then
+            echo "registry_type=dockerhub" >> $GITHUB_OUTPUT
+          else
+            echo "registry_type=other" >> $GITHUB_OUTPUT
+          fi
+
+          # Set namespace (defaults to repository owner)
+          NAMESPACE="$INPUT_REGISTRY_NAMESPACE"
+          if [[ -z "$NAMESPACE" ]]; then
+            NAMESPACE="$REPO_OWNER"
+          fi
+
+          # Set image name (defaults to 'temporal')
+          IMAGE_NAME="$INPUT_IMAGE_NAME"
+          if [[ -z "$IMAGE_NAME" ]]; then
+            IMAGE_NAME="temporal"
+          fi
+
+          # For Docker Hub, use empty string as registry (special case)
+          if [[ "$REGISTRY" == "docker.io" ]]; then
+            echo "image_repo=" >> $GITHUB_OUTPUT
+          else
+            echo "image_repo=${REGISTRY}" >> $GITHUB_OUTPUT
+          fi
+
+          echo "image_namespace=${NAMESPACE}" >> $GITHUB_OUTPUT
+          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
+
+      - name: Log in to GitHub Container Registry
+        if: inputs.publish && steps.meta.outputs.registry_type == 'ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        if: inputs.publish && steps.meta.outputs.registry_type == 'dockerhub'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Check if release is latest
+        if: inputs.publish
+        id: check_latest
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const { data: release } = await github.rest.repos.getReleaseByTag({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              tag: context.ref.replace('refs/tags/', '')
+            });
+            // Tag as latest only if release is marked as latest (not pre-release)
+            core.setOutput('tag_latest', release.prerelease ? 'false' : 'true');
+            console.log(`Release prerelease: ${release.prerelease}, tag_latest: ${!release.prerelease}`)
+
+      - name: Build and push Docker image
+        if: inputs.publish
+        run: |
+          docker buildx bake \
+            --file .github/docker/docker-bake.hcl \
+            --push \
+            cli
+        env:
+          CLI_SHA: ${{ steps.meta.outputs.cli_sha }}
+          IMAGE_SHA_TAG: ${{ steps.meta.outputs.image_sha_tag }}
+          IMAGE_BRANCH_TAG: ${{ steps.meta.outputs.image_branch_tag }}
+          VERSION: ${{ steps.meta.outputs.version }}
+          TAG_LATEST: ${{ steps.check_latest.outputs.tag_latest }}
+          IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}
+          IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }}
+          IMAGE_NAME: ${{ steps.meta.outputs.image_name }}
+
+      - name: Build Docker image
+        if: ${{ !inputs.publish }}
+        run: |
+          docker buildx bake \
+            --file .github/docker/docker-bake.hcl \
+            cli
+        env:
+          CLI_SHA: ${{ steps.meta.outputs.cli_sha }}
+          IMAGE_SHA_TAG: ${{ steps.meta.outputs.image_sha_tag }}
+          IMAGE_BRANCH_TAG: ${{ steps.meta.outputs.image_branch_tag }}
+          VERSION: ${{ steps.meta.outputs.version }}
+          TAG_LATEST: false
+          IMAGE_REPO: ${{ steps.meta.outputs.image_repo }}
+          IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }}
+          IMAGE_NAME: ${{ steps.meta.outputs.image_name }}
+
+      - name: Upload build artifacts
+        if: ${{ !inputs.publish }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: temporal-cli-dist
+          path: dist/
+          retention-days: 7
@@ -0,0 +1,15 @@
+name: Build Docker Image
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/build-and-publish.yml
+    with:
+      publish: false