feat(docker): add multi-stage Dockerfile for server using xgo, and enabled to targets (scratch and alpine) from the containerfile

MartinSchmidt · MartinSchmidt · commit dc8742f6e4e8 · 2025-12-12T11:28:45.000Z
diff --git a/docker/Dockerfile.server b/docker/Dockerfile.server
@@ -0,0 +1,84 @@
+# -------------- Build frontend --------------
+FROM --platform=$BUILDPLATFORM docker.io/node:24-alpine AS web-build
+
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+WORKDIR /src
+
+COPY web/package.json web/pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+
+COPY web/ ./
+RUN pnpm build
+
+# -------------- Prepare user --------------
+
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.25 AS prepare
+
+RUN groupadd -g 1000 woodpecker && \
+    useradd -u 1000 -g 1000 woodpecker && \
+    mkdir -p /var/lib/woodpecker && \
+    chown -R woodpecker:woodpecker /var/lib/woodpecker
+
+# -------------- Build backend --------------
+
+FROM --platform=$BUILDPLATFORM docker.io/techknowlogick/xgo:go-1.25.x AS build
+
+ARG TARGETOS TARGETARCH CI_COMMIT_SHA CI_COMMIT_TAG CI_COMMIT_BRANCH
+ARG TAGS="sqlite sqlite_unlock_notify"
+ARG VERSION="next"
+
+WORKDIR /src
+COPY . .
+COPY --from=web-build /src/dist ./web/dist
+
+RUN xgo -go go-1.25.x \
+    -dest /build \
+    -tags "netgo osusergo grpcnotrace ${TAGS}" \
+    -ldflags '-linkmode external -X go.woodpecker-ci.org/woodpecker/v3/version.Version=${VERSION} -s -w -extldflags "-static"' \
+    -targets "${TARGETOS}/${TARGETARCH}" \
+    -out woodpecker-server \
+    -pkg cmd/server . && \
+    ls -la /build/
+
+# -------------- Alpine final image --------------
+FROM docker.io/alpine:3.22 AS alpine-final
+ARG TARGETOS TARGETARCH
+
+RUN apk add -U --no-cache ca-certificates && \
+    adduser -u 1000 -g 1000 woodpecker -D && \
+    mkdir -p /var/lib/woodpecker && \
+    chown -R woodpecker:woodpecker /var/lib/woodpecker
+
+# from here both final images are identical
+ENV GODEBUG=netdns=go \
+    WOODPECKER_IN_CONTAINER=true \
+    XDG_CACHE_HOME=/var/lib/woodpecker \
+    XDG_DATA_HOME=/var/lib/woodpecker
+
+EXPOSE 8000 9000 80 443
+COPY --from=build /build/woodpecker-server-* /bin/woodpecker-server
+USER woodpecker
+HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
+ENTRYPOINT ["/bin/woodpecker-server"]
+
+# -------------- Scratch final image --------------
+FROM scratch AS final
+ARG TARGETOS TARGETARCH
+
+COPY --from=prepare /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=prepare /etc/passwd /etc/passwd
+COPY --from=prepare /etc/group /etc/group
+COPY --from=prepare --chown=woodpecker:woodpecker /var/lib/woodpecker /var/lib/woodpecker
+
+# from here both final images are identical
+ENV GODEBUG=netdns=go \
+    WOODPECKER_IN_CONTAINER=true \
+    XDG_CACHE_HOME=/var/lib/woodpecker \
+    XDG_DATA_HOME=/var/lib/woodpecker
+
+EXPOSE 8000 9000 80 443
+COPY --from=build /build/woodpecker-server-* /bin/woodpecker-server
+USER woodpecker
+HEALTHCHECK CMD ["/bin/woodpecker-server", "ping"]
+ENTRYPOINT ["/bin/woodpecker-server"]
diff --git a/docs/docs/92-development/07-guides.md b/docs/docs/92-development/07-guides.md
@@ -27,35 +27,17 @@ All official default images, are saved in [shared/constant/constant.go](https://
 ### Server
 
 ```sh
-### build web component
-make vendor
-cd web/
-pnpm install --frozen-lockfile
-pnpm build
-cd ..
-
-### define the platforms to build for (e.g. linux/amd64)
-# (the | is not a typo here)
-export PLATFORMS='linux|amd64'
-make cross-compile-server
-
-### build the image
-docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.server.multiarch.rootless --push .
+export PLATFORMS='linux/amd64' # supported 'linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/riscv64'
+export TAG='username/repo:tag' # Your image name
+docker buildx build . --platform $PLATFORMS -t $TAG -f docker/Dockerfile.server --push # This will push the image to the registry, use --load to load it only locally (only single arch allowed)
 ```
 
-:::info
-The `cross-compile-server` rule makes use of `xgo`, a go cross-compiler. You need to be on a `amd64` host to do this, as `xgo` is only available for `amd64` (see [xgo#213](https://github.com/techknowlogick/xgo/issues/213)).
-You can try to use the `build-server` rule instead, however this one fails for some OS (e.g. macOS).
-:::
-
 ### Agent
 
 ```sh
-### build the agent
-make build-agent
-
-### build the image
-docker buildx build --platform linux/amd64 -t username/repo:tag -f docker/Dockerfile.agent.multiarch --push .
+export PLATFORMS='linux/amd64' # supported 'linux/386,linux/amd64,freebsd/amd64,openbsd/amd64,linux/arm/v6,linux/arm/v7,linux/arm64,openbsd/arm64,freebsd/arm64,linux/ppc64le,linux/riscv64,linux/s390x'
+export TAG='username/repo:tag' # Your image name
+docker buildx build . --platform $PLATFORMS -t $TAG -f docker/Dockerfile.agent.multiarch --load # This will push the image to the registry, use --load to load it only locally (only single arch allowed)
 ```
 
 ### CLI
