docker/bake-action v6.6.0

Use bake-action instead of build-and-push action.

.gitea/workflows/ci.yaml

@@ -20,16 +20,16 @@ jobs:
       contents: write
     steps:
       - name: Login to Docker
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           username: ${{ vars.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Ruby Setup
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@dffc446db9ba5a0c4446edb5bca1c5c473a806c5 # v1.235.0
         with:
           ruby-version: '3.4'
           bundler-cache: true
@@ -45,10 +45,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Test
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@dffc446db9ba5a0c4446edb5bca1c5c473a806c5 # v1.235.0
         with:
           ruby-version: '3.4'
           bundler-cache: true
@@ -66,9 +66,11 @@ jobs:
     defaults:
       run:
         shell: bash
+    outputs:
+      metadata: ${{ steps.output.outputs.metadata }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # all history for all branches and tags
 
@@ -83,12 +85,25 @@ jobs:
           printf "GITHUB_SHA=%s\n" "$GITHUB_SHA"
           printf "VERSION=%s\n" "$VERSION" | tee -a "$GITHUB_OUTPUT"
 
-      - name: Docker meta
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Login to Gitea registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: git.kill0.net
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Docker meta (debian)
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: |
             git.kill0.net/ryanc/kubernaut
+          flavor: |
+            latest=auto
+          bake-target: docker-metadata-action
           tags: |
             type=schedule
             type=ref,event=branch
@@ -98,25 +113,36 @@ jobs:
             type=semver,pattern={{major}}
             type=sha
 
-      - name: Set up Docker Buildx
+      - name: Docker meta (alpine)
-        uses: docker/setup-buildx-action@v3
+        id: meta-alpine
-
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-      - name: Login to Gitea registry
-        uses: docker/login-action@v3
         with:
-          registry: git.kill0.net
+          images: |
-          username: ${{ secrets.DOCKER_USERNAME }}
+            git.kill0.net/ryanc/kubernaut
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          bake-target: docker-metadata-action-alpine
+          flavor: |
+            latest=auto
+            suffix=-alpine,onlatest=true
+          tags: |
+            type=schedule
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
 
       - name: Docker build and push
-        uses: docker/build-push-action@v5
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
         with:
           push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
+          files: |
-          labels: ${{ steps.meta.outputs.labels }}
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+            cwd://${{ steps.meta-alpine.outputs.bake-file }}
 
       - name: Setup Helm
-        uses: azure/setup-helm@v4.3.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
 
       - name: Publish Helm chart
         if: ${{ contains(github.ref, 'refs/tags/') }}

Dockerfile

@@ -1,19 +1,19 @@
-FROM ruby:alpine AS base
+ARG RUBY_VERSION="3.4.3"
+FROM ruby:${RUBY_VERSION} AS base
 
 WORKDIR /app
 
 RUN <<EOT
+  apt-get update
   gem update --system --no-document
   gem install -N bundler
-  apk update
-  apk upgrade --no-cache
 EOT
 
 
 FROM base AS build
 
 RUN <<EOT
-  apk add gcc musl-dev ruby-dev make
+  apt-get install --yes gcc make
 EOT
 
 COPY Gemfile* .
@@ -26,15 +26,17 @@ EOT
 
 FROM base
 
-# RUN useradd ruby --home /app --shell /bin/sh
+ENV PORT=4567
-RUN adduser ruby -h /app -D
 
-USER ruby:ruby
+# RUN useradd ruby --home /app --shell /bin/sh
+RUN useradd --home /app --create-home app
+
+USER app:app
 
 COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=ruby:ruby /app /app
+COPY --from=build --chown=app:app /app /app
 
-COPY --chown=ruby:ruby . .
+COPY --chown=app:app . .
 
 EXPOSE 4567
-CMD [ "bundle", "exec", "rackup", "--host", "0.0.0.0", "--port", "4567" ]
+CMD [ "puma", "--bind", "0.0.0.0", "--port", "$PORT" ]

Gemfile.lock

@@ -5,7 +5,7 @@ GEM
     ast (2.4.3)
     base64 (0.2.0)
     bigdecimal (3.1.9)
-    csv (3.3.3)
+    csv (3.3.4)
     diff-lcs (1.6.1)
     httparty (0.23.1)
       csv
@@ -27,15 +27,15 @@ GEM
       ruby2_keywords (~> 0.0.1)
     nanoid (2.0.0)
     nio4r (2.7.4)
-    parallel (1.26.3)
+    parallel (1.27.0)
-    parser (3.3.7.4)
+    parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
     prism (1.4.0)
     puma (6.6.0)
       nio4r (~> 2.0)
     racc (1.8.1)
-    rack (3.1.12)
+    rack (3.1.13)
     rack-protection (4.1.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
@@ -65,7 +65,7 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.2)
-    rubocop (1.73.2)
+    rubocop (1.75.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -73,17 +73,17 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.43.0)
+    rubocop-ast (1.44.1)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
-    rubocop-performance (1.24.0)
+    rubocop-performance (1.25.0)
       lint_roller (~> 1.1)
-      rubocop (>= 1.72.1, < 2.0)
+      rubocop (>= 1.75.0, < 2.0)
       rubocop-ast (>= 1.38.0, < 2.0)
-    ruby-lsp (0.23.13)
+    ruby-lsp (0.23.14)
       language_server-protocol (~> 3.17.0)
       prism (>= 1.2, < 2.0)
       rbs (>= 3, < 4)
@@ -103,19 +103,19 @@ GEM
       rack-protection (= 4.1.1)
       sinatra (= 4.1.1)
       tilt (~> 2.0)
-    sorbet-runtime (0.5.11971)
+    sorbet-runtime (0.5.12026)
-    standard (1.47.0)
+    standard (1.49.0)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.0)
-      rubocop (~> 1.73.0)
+      rubocop (~> 1.75.2)
       standard-custom (~> 1.0.0)
-      standard-performance (~> 1.7)
+      standard-performance (~> 1.8)
     standard-custom (1.0.2)
       lint_roller (~> 1.0)
       rubocop (~> 1.50)
-    standard-performance (1.7.0)
+    standard-performance (1.8.0)
       lint_roller (~> 1.1)
-      rubocop-performance (~> 1.24.0)
+      rubocop-performance (~> 1.25.0)
     tilt (2.6.0)
     ulid (1.4.0)
     unicode-display_width (3.1.4)
@@ -149,4 +149,4 @@ DEPENDENCIES
   uuid7
 
 BUNDLED WITH
-   2.6.6
+   2.6.8

docker-bake.hcl

@@ -0,0 +1,22 @@
+group "default" {
+    targets = [ "bookworm", "alpine" ]
+}
+
+target "docker-metadata-action" {}
+target "docker-metadata-action-alpine" {}
+
+target "_common" {
+    args = {
+        RUBY_VERSION = "3.4.3"
+    }
+}
+
+target "bookworm" {
+    dockerfile = "./dockerfiles/bookworm.Dockerfile"
+    inherits = [ "_common", "docker-metadata-action" ]
+}
+
+target "alpine" {
+    dockerfile = "./dockerfiles/alpine.Dockerfile"
+    inherits = [ "_common", "docker-metadata-action-alpine" ]
+}

dockerfiles/alpine.Dockerfile

@@ -0,0 +1,41 @@
+ARG RUBY_VERSION="3.4.3"
+FROM ruby:${RUBY_VERSION}-alpine AS base
+
+WORKDIR /app
+
+RUN <<EOT
+  apk update
+  gem update --system --no-document
+  gem install -N bundler
+EOT
+
+
+FROM base AS build
+
+RUN <<EOT
+  apk add musl-dev gcc make
+EOT
+
+COPY Gemfile* .
+
+RUN <<EOT
+  bundle config set --local without development
+  bundle install
+EOT
+
+
+FROM base
+
+ENV PORT=4567
+
+RUN adduser --home /app --disabled-password app
+
+USER app:app
+
+COPY --from=build /usr/local/bundle /usr/local/bundle
+COPY --from=build --chown=app:app /app /app
+
+COPY --chown=app:app . .
+
+EXPOSE 4567
+CMD [ "puma", "--bind", "0.0.0.0", "--port", "$PORT" ]

dockerfiles/bookworm.Dockerfile

@@ -0,0 +1,42 @@
+ARG RUBY_VERSION="3.4.3"
+FROM ruby:${RUBY_VERSION}-slim-bookworm AS base
+
+WORKDIR /app
+
+RUN <<EOT
+  apt-get update
+  gem update --system --no-document
+  gem install -N bundler
+EOT
+
+
+FROM base AS build
+
+RUN <<EOT
+  apt-get install --yes gcc make
+EOT
+
+COPY Gemfile* .
+
+RUN <<EOT
+  bundle config set --local without development
+  bundle install
+EOT
+
+
+FROM base
+
+ENV PORT=4567
+
+# RUN useradd ruby --home /app --shell /bin/sh
+RUN useradd --home /app --create-home app
+
+USER app:app
+
+COPY --from=build /usr/local/bundle /usr/local/bundle
+COPY --from=build --chown=app:app /app /app
+
+COPY --chown=app:app . .
+
+EXPOSE 4567
+CMD [ "puma", "--bind", "0.0.0.0", "--port", "$PORT" ]