feat: add distroless Docker image and GHCR publish (#271)

retr0h · claude · web-flow · commit e5c0fc4e0b4b · 2026-03-15T16:55:13.000-07:00
* feat: add distroless Docker image and GHCR publish workflow Update Dockerfile to use distroless base image with multi-stage build. Add docker-publish.yml workflow that builds and pushes to ghcr.io on every push to main. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: simplify Go builder image tag 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: wire docker module and document container image Add docker module to justfile with fetch lines. Update docker-publish workflow to use just docker::build and push. Add Docker install section to intro docs. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: multi-arch Docker image via GoReleaser + buildx GoReleaser builds snapshot binaries with version ldflags, then buildx builds and pushes a multi-arch image (amd64 + arm64) to ghcr.io on every push to main. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * feat: add Dockerfile.local for local multi-stage builds 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -0,0 +1,51 @@
+---
+name: Docker Publish
+
+on:
+  push:
+    branches: ["main"]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: stable
+
+      - name: Build binaries with GoReleaser
+        uses: goreleaser/goreleaser-action@v7
+        with:
+          distribution: goreleaser
+          version: latest
+          args: build --snapshot --clean
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          tags: ghcr.io/${{ github.repository }}:latest
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -12,6 +12,9 @@ builds:
       - linux
       - darwin
       - windows
+    goarch:
+      - amd64
+      - arm64
     ldflags:
       - -s -w -X {{ .ModulePath }}/cmd.date={{ .CommitDate }}
       - -X {{ .ModulePath }}/cmd.commit={{ .Commit }}
diff --git a/Dockerfile b/Dockerfile
@@ -1,30 +1,7 @@
-FROM golang:1.22-bookworm AS builder
+FROM gcr.io/distroless/static-debian12:nonroot
 
-ENV CGO_ENABLED=0 GOOS=linux GOARCH=amd64
+ARG TARGETARCH
 
-WORKDIR /build
+COPY dist/osapi_linux_${TARGETARCH}*/osapi /usr/local/bin/osapi
 
-# Copy only the go.mod and go.sum files to cache dependencies
-COPY go.mod go.sum ./
-
-# Download dependencies; this layer will be cached if go.mod and go.sum haven't changed
-RUN go mod download
-
-# Copy the rest of the application source code
-COPY . .
-
-RUN go build -o osapi .
-
-FROM ubuntu:22.04
-
-WORKDIR /app
-
-COPY --from=builder /build/osapi .
-COPY --from=builder /build/osapi.yaml .
-
-# Non root
-RUN useradd -m -d /home/nonroot -s /bin/bash nonroot
-RUN chown -R nonroot:nonroot /app
-USER nonroot
-
-CMD ["./osapi", "server", "start"]
+ENTRYPOINT ["osapi"]
diff --git a/Dockerfile.local b/Dockerfile.local
@@ -0,0 +1,18 @@
+FROM golang:1.25 AS builder
+
+ENV CGO_ENABLED=0
+
+WORKDIR /build
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+RUN go build -o osapi .
+
+FROM gcr.io/distroless/static-debian12:nonroot
+
+COPY --from=builder /build/osapi /usr/local/bin/osapi
+
+ENTRYPOINT ["osapi"]
diff --git a/docs/docs/sidebar/intro.md b/docs/docs/sidebar/intro.md
@@ -23,6 +23,16 @@ go install github.com/retr0h/osapi@latest
 
 Or download a prebuilt binary from the [releases][] page.
 
+### Docker
+
+A distroless image is published to GitHub Container Registry on every commit to
+main:
+
+```bash
+docker pull ghcr.io/osapi-io/osapi:latest
+docker run ghcr.io/osapi-io/osapi:latest --help
+```
+
 ## Quickstart
 
 Install OSAPI and start all three components in a single process:
diff --git a/justfile b/justfile
@@ -5,6 +5,7 @@
 mod? go '.just/remote/go.mod.just'
 mod? docs '.just/remote/docs.mod.just'
 mod? just '.just/remote/just.mod.just'
+mod? docker '.just/remote/docker.mod.just'
 
 # --- Fetch ---
 
@@ -17,6 +18,8 @@ fetch:
     curl -sSfL https://raw.githubusercontent.com/osapi-io/osapi-justfiles/refs/heads/main/docs.just -o .just/remote/docs.just
     curl -sSfL https://raw.githubusercontent.com/osapi-io/osapi-justfiles/refs/heads/main/just.mod.just -o .just/remote/just.mod.just
     curl -sSfL https://raw.githubusercontent.com/osapi-io/osapi-justfiles/refs/heads/main/just.just -o .just/remote/just.just
+    curl -sSfL https://raw.githubusercontent.com/osapi-io/osapi-justfiles/refs/heads/main/docker.mod.just -o .just/remote/docker.mod.just
+    curl -sSfL https://raw.githubusercontent.com/osapi-io/osapi-justfiles/refs/heads/main/docker.just -o .just/remote/docker.just
 
 # --- Top-level orchestration ---
 
