From 7d54dd0ee6e3f5bab0b4d2ed7b5d8a48e754db65 Mon Sep 17 00:00:00 2001
From: Houmgaor
Date: Tue, 17 Feb 2026 00:28:37 +0100
Subject: [PATCH] ci: add Docker CD workflow to push images to GHCR

Multi-stage Dockerfile for smaller runtime image, CD workflow triggers on main branch pushes and version tags, docker-compose defaults to the prebuilt GHCR image.
---
.github/workflows/docker.yml | 42 ++++++++++++++++++++++--------------
Dockerfile | 31 +++++++++++++++++++-------
docker/docker-compose.yml | 8 ++++---
3 files changed, 54 insertions(+), 27 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f49ec5d7c..8b0d9e323 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,48 +1,58 @@ -name: Create and publish a Docker image +name: Docker -# Configures this workflow to run every time a tag is created. on: push: + branches: + - main tags: - - '*' + - 'v*' -# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds. env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} -# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu. jobs: build-and-push-image: runs-on: ubuntu-latest - # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job. permissions: contents: read packages: write - # + attestations: write + id-token: write + steps: - name: Checkout repository uses: actions/checkout@v4 - # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here. + - name: Log in to the Container registry - uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels. + - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. 
If the build succeeds, it pushes the image to GitHub Packages. - # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository. - # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step. + tags: | + type=ref,event=branch + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + - name: Build and push Docker image - uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + id: push + uses: docker/build-push-action@v6 with: context: . push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file + labels: ${{ steps.meta.outputs.labels }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v2 + with: + subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + subject-digest: ${{ steps.push.outputs.digest }} + push-to-registry: true diff --git a/Dockerfile b/Dockerfile index 459aead11..c5c8c4209 100644 --- a/Dockerfile +++ b/Dockerfile 
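Review bot: The three docker actions on the new side are now referenced by mutable tags (`docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v6`), whereas the removed lines pinned them to full commit SHAs; since this job holds `packages: write` and `id-token: write`, a moved tag would let a compromised action publish or attest images under the repository's identity. Pin each action to the full commit SHA of the release you intend and keep the version as a trailing comment, e.g. `uses: docker/build-push-action@<full-commit-sha>  # v6` (placeholder, look up the release SHA), and apply the same to `actions/checkout@v4` and `actions/attest-build-provenance@v2`. Dependabot's github-actions ecosystem can keep SHA pins current without giving up the readable version. The `tags:` block also has no `type=sha` entry, so an image from a push to main is only addressable by the mutable `main` tag; adding `type=sha` gives consumers an immutable tag to pin alongside the provenance attestation the last step now publishes.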
@@ -1,14 +1,29 @@ -FROM golang:1.25-alpine3.21 +# Build stage +FROM golang:1.25-alpine3.21 AS builder -ENV GO111MODULE=on - -WORKDIR /app/erupe - -COPY go.mod . -COPY go.sum . +WORKDIR /build +COPY go.mod go.sum ./ RUN go mod download COPY . . +RUN CGO_ENABLED=0 go build -o erupe-ce . -CMD [ "go", "run", "." ] \ No newline at end of file +# Runtime stage +FROM alpine:3.21 + +RUN adduser -D -h /app erupe +WORKDIR /app + +COPY --from=builder /build/erupe-ce . +COPY --from=builder /build/www/ ./www/ +COPY --from=builder /build/schemas/ ./schemas/ +# bundled-schema/ is optional demo data, copy if present +RUN mkdir -p bundled-schema + +# bin/ and savedata/ are mounted at runtime via docker-compose +# config.json is also mounted at runtime + +USER erupe + +ENTRYPOINT ["./erupe-ce"] diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index c961a3ce4..6f01a9d10 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -38,9 +38,11 @@ services: depends_on: db: condition: service_healthy - # If using prebuilt container change paths and config - build: - context: ../ + image: ghcr.io/mezeporta/erupe:main + # To build locally instead of using the prebuilt image, comment out + # the 'image' line above and uncomment the 'build' section below: + # build: + # context: ../ volumes: - ../config.json:/app/erupe/config.json - ../bin:/app/erupe/bin
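Review bot: The runtime stage sets `WORKDIR /app` and runs `./erupe-ce` from there, but the comment near the end of the hunk says bin/, savedata/ and config.json are mounted by docker-compose, and the docker-compose hunk in this same patch still mounts them at `/app/erupe/config.json` and `/app/erupe/bin` (unchanged context lines left over from the removed `WORKDIR /app/erupe`). Unless the binary resolves those paths independently of its working directory, the container will start without its config and bin/; either keep `WORKDIR /app/erupe` here (with `adduser -D -h /app/erupe erupe`) or retarget the compose volumes to `/app/config.json` and `/app/bin`. The comment `# bundled-schema/ is optional demo data, copy if present` also does not match the instruction under it, which only runs `RUN mkdir -p bundled-schema` and copies nothing; reword it to `# bundled-schema/ is optional demo data; an empty dir is created here, mount real data at runtime` or add the copy it describes. Everything placed by `COPY --from=builder` is root-owned while the process runs as `USER erupe`, so if the service ever writes under `www/`, `schemas/` or `bundled-schema/` it will fail; `COPY --chown=erupe:erupe ...` and `RUN mkdir -p bundled-schema && chown erupe:erupe bundled-schema` would avoid that if write access is needed.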
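Review bot: `image: ghcr.io/mezeporta/erupe:main` pins the default deployment to a mutable branch tag, so every `docker compose pull` silently replaces the running build with whatever the latest push to main produced, and there is no digest for an operator to check against the provenance attestation the workflow in this patch now emits. For deployments that need reproducibility prefer one of the `v*` release tags the same workflow builds, or a digest reference such as `image: ghcr.io/mezeporta/erupe@sha256:<image-digest>` (placeholder), and say in the comment that `:main` is a moving target. The hardcoded `mezeporta/erupe` also diverges from the workflow's `${{ github.repository }}`, so a fork's compose file pulls the upstream image rather than the one its own workflow pushes; a short comment pointing that out, or a `${IMAGE:-ghcr.io/mezeporta/erupe:main}` default, would make the substitution obvious.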