ci: add docker build & push to GHCR (#397)

Author: MickaelCa

.github/workflows/docker_image.yml

@@ -1,24 +1,81 @@
-name: Build Docker Image
-
+name: Build & Push Container
 on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - '*'
+  merge_group:
   pull_request:
-    branches: [ main ]
-  workflow_dispatch:
+    types: [assigned, opened, synchronize, reopened]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  docker:
+  docker-build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+
+      - name: Set current timestamp
+        id: vars
+        run: |
+          echo "timestamp=$(date +%s)" >> $GITHUB_OUTPUT
+          echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker Meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=branch,branch=main,suffix=-${{ steps.vars.outputs.sha_short }}-${{ steps.vars.outputs.timestamp }}
+            type=pep440,pattern={{raw}}
+            type=ref,event=pr
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build
+      - name: Build and push
         uses: docker/build-push-action@v6
+        id: push
         with:
-          push: false
           context: .
-          file: Dockerfile
-          tags: "${{ github.sha }}"
+          platforms: linux/amd64, linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

Dockerfile

@@ -1,42 +1,45 @@
 # Stage 1: Install Python dependencies
 FROM python:3.13-slim AS python-builder
+
 WORKDIR /build
 
-# System build tools
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends gcc python3-dev \
-    && rm -rf /var/lib/apt/lists/*
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends gcc python3-dev; \
+    rm -rf /var/lib/apt/lists/*
 
-# Metadata and code that setuptools needs
 COPY pyproject.toml .
 COPY src/ ./src/
 
-# Install runtime dependencies defined in pyproject.toml
-RUN pip install --no-cache-dir --upgrade pip \
-    && pip install --no-cache-dir --timeout 1000 .
-
+RUN set -eux; \
+    pip install --no-cache-dir --upgrade pip; \
+    pip install --no-cache-dir --timeout 1000 .
 
 # Stage 2: Runtime image
 FROM python:3.13-slim
-LABEL org.opencontainers.image.source="https://github.com/coderamp-labs/gitingest"
 
-# Minimal runtime utilities
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends git curl \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+ARG UID=1000
+ARG GID=1000
+
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONDONTWRITEBYTECODE=1
+
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends git curl; \
+    apt-get clean; \
+    rm -rf /var/lib/apt/lists/*
 
-ENV PYTHONUNBUFFERED=1 PYTHONDONTWRITEBYTECODE=1
 WORKDIR /app
-RUN useradd -m -u 1000 appuser
+RUN set -eux; \
+    groupadd -g "$GID" appuser; \
+    useradd -m -u "$UID" -g "$GID" appuser
 
-# Copy Python site-packages and code
-COPY --from=python-builder /usr/local/lib/python3.13/site-packages/ \
-                           /usr/local/lib/python3.13/site-packages/
-COPY src/ ./
+COPY --from=python-builder --chown=$UID:$GID /usr/local/lib/python3.13/site-packages/ /usr/local/lib/python3.13/site-packages/
+COPY --chown=$UID:$GID src/ ./
 
-# Set permissions
-RUN chown -R appuser:appuser /app
+RUN set -eux; \
+    chown -R appuser:appuser /app
 USER appuser
 
 EXPOSE 8000