diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..0bc58da
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,72 @@
+name: Build image
+
+on:
+ workflow_dispatch:
+ push:
+ branches: main
+ pull_request:
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ strategy:
+ matrix:
+ platform:
+ - linux/arm64
+ - linux/amd64
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Extract container metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=schedule
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ type=sha
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+
+ # login to ghcr only when tagged with "v*"
+ # - name: Login to image registry ${{ env.REGISTRY }}
+ # uses: docker/login-action@v3
+ # with:
+ # registry: ${{ env.REGISTRY }}
+ # username: ${{ github.actor }}
+ # password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Build image with Buildx (don't push)
+ - name: Build image
+ id: build-and-push
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: ${{ matrix.platform }}
+ push: false
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ provenance: mode=max
+ sbom: true
+ outputs: |
+ type=image,name=target
\ No newline at end of file
diff --git a/.github/workflows/docker-publish..yml b/.github/workflows/docker-publish..yml
deleted file mode 100644
index 1635ae8..0000000
--- a/.github/workflows/docker-publish..yml
+++ /dev/null
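Review bot: The `build` job requests `packages: write` although the login step is commented out and the build step runs with `push: false`, so the token is over-scoped for a workflow that also runs on `pull_request`; drop the `packages: write` line (or reduce it to `packages: read`) and grant write only in the workflow that actually pushes. The deleted docker-publish workflow pinned `setup-buildx-action`, `login-action` and `metadata-action` to full commit SHAs, while this file references every action by a floating major tag (`actions/checkout@v4`, `docker/build-push-action@v5`, …); consider keeping SHA pins with a `# vN` comment so a moved tag cannot change what runs in CI. The `# login to ghcr only when tagged with "v*"` comment describes a conditional that no longer exists here; either remove the commented block or state that this workflow never logs in.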
@@ -1,96 +0,0 @@
-name: Publish Docker Image to GHCR
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-on:
- workflow_dispatch:
- release:
- types:
- - created
- pull_request:
-
-env:
- # Use docker.io for Docker Hub if empty
- REGISTRY: ghcr.io
- # github.repository as /
- IMAGE_NAME: ${{ github.repository }}
-
-jobs:
- build-n-publish:
-
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- # This is used to complete the identity challenge
- # with sigstore/fulcio when running outside of PRs.
- id-token: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Setup Docker buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
-
- # Login against a Docker registry only when tag "vM.M.P"
- # https://github.com/docker/login-action
- - name: Login to image registry ${{ env.REGISTRY }}
- if: startsWith(github.ref, 'refs/tags/v')
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- # Extract metadata (tags, labels) for Docker
- # https://github.com/docker/metadata-action
- - name: Extract Docker metadata
- id: meta
- uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- flavor: |
- latest=auto
- tags: |
- type=ref,event=branch
- type=ref,event=pr
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
-
- # Build and push Docker image with Buildx (don't push on PR)
- # https://github.com/docker/build-push-action
- - name: Build and push Docker image
- id: build-and-push
- uses: docker/build-push-action@v5
- with:
- context: .
- push: ${{ startsWith(github.ref, 'refs/tags/v') }}
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
-
- # Install the cosign tool except on PR
- # https://github.com/sigstore/cosign-installer
- - name: Install cosign
- if: startsWith(github.ref, 'refs/tags/v')
- uses: sigstore/cosign-installer@main
- with:
- cosign-release: 'v1.13.1'
-
- # Sign the resulting Docker image digest except on PRs.
- # This will only write to the public Rekor transparency log when the Docker
- # repository is public to avoid leaking data. If you would like to publish
- # transparency data even for private images, pass --force to cosign below.
- # https://github.com/sigstore/cosign
- - name: Sign the published Docker image
- if: startsWith(github.ref, 'refs/tags/v')
- env:
- COSIGN_EXPERIMENTAL: "true"
- # This step uses the identity token to provision an ephemeral certificate
- # against the sigstore community Fulcio instance.
- run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml
new file mode 100644
index 0000000..7edd7dc
--- /dev/null
+++ b/.github/workflows/publish-containers.yml
@@ -0,0 +1,138 @@
+name: Publish container image to GHCR
+
+on:
+ release:
+ types:
+ - created
+
+env:
+ REGISTRY: ghcr.io
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build-n-push-digest:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ strategy:
+ fail-fast: false
+ matrix:
+ platform:
+ - linux/arm64
+ - linux/amd64
+
+ steps:
+ - name: Prepare
+ run: |
+ platform=${{ matrix.platform }}
+ echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Extract container metadata
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=schedule
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ # env:
+ # DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Setup Docker buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to image registry ${{ env.REGISTRY }}
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Build and push by digest
+ id: build
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ platforms: ${{ matrix.platform }}
+ labels: ${{ steps.meta.outputs.labels }}
+ annotations: ${{ steps.meta.outputs.annotations }}
+ provenance: mode=max
+ sbom: true
+ outputs: |
+ type=image,
+ name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},
+ push-by-digest=true,
+ name-canonical=true
+ #annotation-index.org.opencontainers.image.description=Container image that contains unoserver and LibreOffice including large set of fonts for file format conversions
+ env:
+ DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+ - name: Export digest
+ run: |
+ mkdir -p /tmp/digests
+ digest="${{ steps.build.outputs.digest }}"
+ touch "/tmp/digests/${digest#sha256:}"
+
+ - name: Upload digest
+ uses: actions/upload-artifact@v4
+ with:
+ name: digests-${{ env.PLATFORM_PAIR }}
+ path: /tmp/digests/*
+ if-no-files-found: error
+ retention-days: 1
+
+ merge:
+ runs-on: ubuntu-latest
+ needs:
+ - build-n-push-digest
+ steps:
+ - name: Download digests
+ uses: actions/download-artifact@v4
+ with:
+ path: /tmp/digests
+ pattern: digests-*
+ merge-multiple: true
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+ tags: |
+ type=schedule
+ type=ref,event=branch
+ type=ref,event=pr
+ type=semver,pattern={{version}}
+ # env:
+ # DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+
+ - name: Login to image registry ${{ env.REGISTRY }}
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Create manifest list and push
+ working-directory: /tmp/digests
+ run: |
+ docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) 
| join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+ $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
+ - name: Inspect image
+ run: |
+ docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 496d27d..c646104 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM eclipse-temurin:21.0.2_13-jdk-alpine
+FROM --platform=$BUILDPLATFORM eclipse-temurin:21.0.2_13-jdk-alpine
 ARG BUILD_CONTEXT="build-context"
 ARG UID=worker
@@ -6,9 +6,9 @@ ARG GID=worker
 ARG VERSION_UNOSERVER=2.0.1
 LABEL org.opencontainers.image.title="unoserver-docker"
-LABEL org.opencontainers.image.description="Custom Docker Image that contains unoserver, LibreOffice and major set of fonts for file format conversions"
+LABEL org.opencontainers.image.description="Container image that contains unoserver and LibreOffice including large set of fonts for file format conversions"
 LABEL org.opencontainers.image.licenses="MIT"
-LABEL org.opencontainers.image.documentation="https://github.com/unoconv/unoserver-docker/blob/master/README.adoc"
+LABEL org.opencontainers.image.documentation="https://github.com/unoconv/unoserver-docker/blob/main/README.adoc"
 LABEL org.opencontainers.image.source="https://github.com/unoconv/unoserver-docker"
 LABEL org.opencontainers.image.url="https://github.com/unoconv/unoserver-docker"
diff --git a/README.adoc b/README.adoc
index 582a67e..7e255ac 100644
--- a/README.adoc
+++ b/README.adoc
@@ -1,10 +1,10 @@
-= Unoserver Docker Image
+= Unoserver Container Image
-Docker image for unoserver
+Container image for unoserver
 == The environment
-This Docker image uses Alpine Linux as a base image and provides:
+This Container image uses Alpine Linux as a base image and provides:
 * link:https://www.libreoffice.org/[LibreOffice]
 * link:https://github.com/unoconv/unoserver[unoserver]
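Review bot: The `merge` job declares no `permissions:` block, so its `GITHUB_TOKEN` falls back to the repository default — either read-only, in which case the `docker buildx imagetools create` push in "Create manifest list and push" fails, or the permissive default, which over-privileges a job that only needs to push a manifest; add `permissions:` with `contents: read` and `packages: write` under `merge:`, mirroring `build-n-push-digest`. In "Build and push by digest" the `outputs` value carries no `push=true` and the step sets no `push:` input, so unless pushing is arranged somewhere outside this hunk the per-platform images may never reach the registry for the merge job to reference by digest. The `#annotation-index.org.opencontainers.image.description=…` line sits inside the `outputs: |` block scalar, so it is part of the input string rather than a YAML comment; move it above the key or delete it. `DOCKER_METADATA_ANNOTATIONS_LEVELS` is set as `env` on the build step but left commented out on both `docker/metadata-action` steps, which are what read it, so as written the `annotations` output is most likely produced at the default level only.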
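Review bot: `FROM --platform=$BUILDPLATFORM` pins this stage to the runner's architecture, so when the workflow builds `linux/arm64` on an amd64 runner the stage pulls the amd64 JDK image; if this is the only or final stage — the rest of the Dockerfile is outside the hunk — the arm64 entry in the manifest list will contain amd64 binaries and fail to run on arm64 hosts. `--platform=$BUILDPLATFORM` belongs on a cross-compiling builder stage whose artifacts are copied into a final stage that uses the plain `FROM eclipse-temurin:21.0.2_13-jdk-alpine`; for a single-stage image, revert this line. While touching it, consider also pinning the base image by digest (`eclipse-temurin:21.0.2_13-jdk-alpine@sha256:<digest>`) so the multi-arch build is reproducible against registry-side retagging.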
@@ -25,6 +25,8 @@ This Docker image uses Alpine Linux as a base image and provides:
 == How to use it
+NOTE: The `docker` can normally be replaced with `podman` as well.
+
 === In interactive mode
 Just run:
@@ -80,6 +82,7 @@ You need the following tools:
 === How to build
+[source,bash]
 ----
 docker build .
 ----