From 6b92e965824924ea7f78399758cb4c4a1057e2fb Mon Sep 17 00:00:00 2001
From: Jade Ellis <jade@ellis.link>
Date: Wed, 16 Apr 2025 18:54:36 +0100
Subject: [PATCH] feat: Docker images built with Forgejo Actions

---
 .dockerignore                        |   4 +-
 .forgejo/workflows/release-image.yml | 223 +++++++++++++++++++++++++++
 docker/Dockerfile                    | 216 ++++++++++++++++++++++++++
 3 files changed, 441 insertions(+), 2 deletions(-)
 create mode 100644 .forgejo/workflows/release-image.yml
 create mode 100644 docker/Dockerfile

diff --git a/.dockerignore b/.dockerignore
index 35d35e1b..453634df 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,9 +1,9 @@
 # Local build and dev artifacts
-target
-tests
+target/
 
 # Docker files
 Dockerfile*
+docker/
 
 # IDE files
 .vscode
diff --git a/.forgejo/workflows/release-image.yml b/.forgejo/workflows/release-image.yml
new file mode 100644
index 00000000..3a6c93eb
--- /dev/null
+++ b/.forgejo/workflows/release-image.yml
@@ -0,0 +1,223 @@
+name: Release Docker Image
+
+on:
+  pull_request:
+  push:
+    paths-ignore:
+      - '.gitlab-ci.yml'
+      - '.gitignore'
+      - 'renovate.json'
+      - 'debian/**'
+      - 'docker/**'
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+    BUILTIN_REGISTRY: forgejo.ellis.link
+    BUILTIN_REGISTRY_ENABLED: "${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false) && 'true' || 'false' }}"
+
+jobs:
+  define-variables:
+    runs-on: ubuntu-latest
+
+    outputs:
+      images: ${{ steps.var.outputs.images }}
+      images_list: ${{ steps.var.outputs.images_list }}
+      build_matrix: ${{ steps.var.outputs.build_matrix }}
+
+    steps:
+      - name: Setting variables
+        uses: https://github.com/actions/github-script@v7
+        id: var
+        with:
+          script: |
+            const githubRepo = '${{ github.repository }}'.toLowerCase()
+            const repoId = githubRepo.split('/')[1]
+            
+            core.setOutput('github_repository', githubRepo)
+            const builtinImage = '${{ env.BUILTIN_REGISTRY }}/' + githubRepo
+            let images = []
+            if (process.env.BUILTIN_REGISTRY_ENABLED === "true") {
+              images.push(builtinImage)
+            }
+            core.setOutput('images', images.join("\n"))
+            core.setOutput('images_list', images.join(","))
+            const platforms = ['linux/amd64', 'linux/arm64']
+            core.setOutput('build_matrix', JSON.stringify({
+              platform: platforms, 
+              include: platforms.map(platform => { return {
+                platform,
+                slug: platform.replace('/', '-')
+              }})
+            }))
+
+  build-image:
+    runs-on: not-nexy
+    container: ghcr.io/catthehacker/ubuntu:act-latest
+    needs: define-variables
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    strategy:
+      matrix: ${{ fromJSON(needs.define-variables.outputs.build_matrix) }}
+    steps:
+      - name: Echo strategy
+        run: echo '${{ toJSON(fromJSON(needs.define-variables.outputs.build_matrix)) }}'
+      - name: Echo matrix
+        run: echo '${{ toJSON(matrix) }}'
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Login to builtin registry
+        uses: docker/login-action@v3
+        with:
+            registry: ${{ env.BUILTIN_REGISTRY }}
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+      - name: Extract metadata (labels, annotations) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{needs.define-variables.outputs.images}}
+          # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
+
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      # It will not push images generated from a pull request
+      - name: Get short git commit SHA
+        id: sha
+        run: |
+          calculatedSha=$(git rev-parse --short ${{ github.sha }})
+          echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV
+      - name: Get Git commit timestamps
+        run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV
+      - uses: https://github.com/Swatinem/rust-cache@v2
+        with:
+          prefix-key: v0-rust-linux/${{ matrix.slug }}
+        id: rust-cache
+      - name: Inject cache into Docker
+        uses: https://github.com/reproducible-containers/buildkit-cache-dance@v3.1.2
+        with:
+          cache-map: |
+            {
+              "/home/runner/.cargo/registry": "/usr/local/cargo/registry",
+              "/home/runner/.cargo/git/db": "/usr/local/cargo/git/db",
+              "./target": "/app/target",
+              "./timelord": "/timelord"
+            }
+      - name: Cache timelord state
+        uses: actions/cache@v4
+        with:
+            path: "./timelord"
+            key: ${{ runner.os }}-${{ matrix.slug }}
+      - name: Build and push Docker image by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: "docker/Dockerfile"
+          build-args: |
+            CONDUWUIT_VERSION_EXTRA=${{ env.COMMIT_SHORT_SHA }}
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          sbom: true
+          outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
+
+      # For publishing multi-platform manifests
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"          
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.slug }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  
+  merge:
+    runs-on: not-nexy
+    container: ghcr.io/catthehacker/ubuntu:act-latest
+    needs: [define-variables, build-image]
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Login to builtin registry
+        uses: docker/login-action@v3
+        with:
+            registry: ${{ env.BUILTIN_REGISTRY }}
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract metadata (tags) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          tags: |
+            type=semver,pattern=v{{version}}
+            type=semver,pattern=v{{major}}.{{minor}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.0.') }}
+            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha,format=long
+          images: ${{needs.define-variables.outputs.images}}
+          # default labels & annotations: https://github.com/docker/metadata-action/blob/master/src/meta.ts#L509
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: index         
+
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        env:
+          IMAGES: ${{needs.define-variables.outputs.images}}
+        shell: bash
+        run: |
+          IFS=$'\n'
+          IMAGES_LIST=($IMAGES)
+          ANNOTATIONS_LIST=($DOCKER_METADATA_OUTPUT_ANNOTATIONS)
+          TAGS_LIST=($DOCKER_METADATA_OUTPUT_TAGS)
+          for REPO in "${IMAGES_LIST[@]}"; do
+              docker buildx imagetools create \
+                $(for tag in "${TAGS_LIST[@]}"; do echo "--tag"; echo "$tag"; done) \
+                $(for annotation in "${ANNOTATIONS_LIST[@]}"; do echo "--annotation"; echo "$annotation"; done) \
+                $(for reference in *; do printf "$REPO@sha256:%s\n" $reference; done)
+          done
+
+      - name: Inspect image
+        env:
+          IMAGES: ${{needs.define-variables.outputs.images}}
+        shell: bash
+        run: |
+          IMAGES_LIST=($IMAGES)
+          for REPO in "${IMAGES_LIST[@]}"; do
+            docker buildx imagetools inspect $REPO:${{ steps.meta.outputs.version }}
+          done
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 00000000..10f54d94
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,216 @@
+ARG RUST_VERSION=1
+
+FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS base
+FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS toolchain
+
+# Prevent deletion of apt cache
+RUN rm -f /etc/apt/apt.conf.d/docker-clean
+
+# Match Rustc version as close as possible
+# rustc -vV
+ARG LLVM_VERSION=19
+# ENV RUSTUP_TOOLCHAIN=${RUST_VERSION}
+
+# Install repo tools
+# Line one: compiler tools
+# Line two: curl, for downloading binaries
+# Line three: for xx-verify
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+apt-get update && apt-get install -y \
+    clang-${LLVM_VERSION} lld-${LLVM_VERSION} pkg-config make jq \
+    curl git \
+    file
+
+# Create symlinks for LLVM tools
+RUN <<EOF
+    # clang
+    ln -s /usr/bin/clang-${LLVM_VERSION} /usr/bin/clang
+    ln -s "/usr/bin/clang++-${LLVM_VERSION}" "/usr/bin/clang++"
+    # lld
+    ln -s /usr/bin/ld64.lld-${LLVM_VERSION} /usr/bin/ld64.lld
+    ln -s /usr/bin/ld.lld-${LLVM_VERSION} /usr/bin/ld.lld
+    ln -s /usr/bin/lld-${LLVM_VERSION} /usr/bin/lld
+    ln -s /usr/bin/lld-link-${LLVM_VERSION} /usr/bin/lld-link
+    ln -s /usr/bin/wasm-ld-${LLVM_VERSION} /usr/bin/wasm-ld
+EOF
+
+# Developer tool versions
+# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
+ENV BINSTALL_VERSION=1.12.3
+# renovate: datasource=github-releases depName=psastras/sbom-rs
+ENV CARGO_SBOM_VERSION=0.9.1
+# renovate: datasource=crate depName=lddtree
+ENV LDDTREE_VERSION=0.3.7
+
+# renovate: datasource=crate depName=timelord-cli
+ENV TIMELORD_VERSION=3.0.1
+
+# Install unpackaged tools
+RUN <<EOF
+    curl --retry 5 -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | bash
+    cargo binstall --no-confirm cargo-sbom --version $CARGO_SBOM_VERSION
+    cargo binstall --no-confirm lddtree --version $LDDTREE_VERSION
+    cargo binstall --no-confirm timelord-cli --version $TIMELORD_VERSION
+EOF
+
+# Set up xx (cross-compilation scripts)
+COPY --from=xx / /
+ARG TARGETPLATFORM
+
+# Install libraries linked by the binary
+# xx-* are xx-specific meta-packages
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+xx-apt-get install -y \
+    xx-c-essentials xx-cxx-essentials pkg-config \
+    liburing-dev
+
+# Set up Rust toolchain
+WORKDIR /app
+COPY ./rust-toolchain.toml .
+RUN rustc --version \
+    && rustup target add $(xx-cargo --print-target-triple)
+
+# Build binary
+# We disable incremental compilation to save disk space, as it only produces a minimal speedup for this case.
+RUN echo "CARGO_INCREMENTAL=0" >> /etc/environment
+
+# Configure pkg-config
+RUN <<EOF
+    echo "PKG_CONFIG_LIBDIR=/usr/lib/$(xx-info)/pkgconfig" >> /etc/environment
+    echo "PKG_CONFIG=/usr/bin/$(xx-info)-pkg-config" >> /etc/environment
+    echo "PKG_CONFIG_ALLOW_CROSS=true" >> /etc/environment
+EOF
+
+# Configure cc to use clang version
+RUN <<EOF
+    echo "CC=clang" >> /etc/environment
+    echo "CXX=clang++" >> /etc/environment
+EOF
+
+# Cross-language LTO
+RUN <<EOF
+    echo "CFLAGS=-flto" >> /etc/environment
+    echo "CXXFLAGS=-flto" >> /etc/environment
+    # Linker is set to target-compatible clang by xx
+    echo "RUSTFLAGS='-Clinker-plugin-lto -Clink-arg=-fuse-ld=lld'" >> /etc/environment
+EOF
+
+# Apply CPU-specific optimizations if TARGET_CPU is provided
+ARG TARGET_CPU=
+RUN <<EOF
+  set -o allexport
+  . /etc/environment
+  if [ -n "${TARGET_CPU}" ]; then
+    echo "CFLAGS='${CFLAGS} -march=${TARGET_CPU}'" >> /etc/environment
+    echo "CXXFLAGS='${CXXFLAGS} -march=${TARGET_CPU}'" >> /etc/environment
+    echo "RUSTFLAGS='${RUSTFLAGS} -C target-cpu=${TARGET_CPU}'" >> /etc/environment
+  fi
+EOF
+
+# Prepare output directories
+RUN mkdir /out
+
+FROM toolchain AS builder
+
+# Conduwuit version info
+ARG COMMIT_SHA=
+ARG CONDUWUIT_VERSION_EXTRA=
+ENV CONDUWUIT_VERSION_EXTRA=$CONDUWUIT_VERSION_EXTRA
+RUN <<EOF
+if [ -z "${CONDUWUIT_VERSION_EXTRA}" ]; then
+    echo "CONDUWUIT_VERSION_EXTRA='$(set -e; git rev-parse --short ${COMMIT_SHA:-HEAD} || echo unknown revision)'" >> /etc/environment
+fi
+EOF
+
+ARG TARGETPLATFORM
+
+# Verify environment configuration
+RUN cat /etc/environment
+RUN xx-cargo --print-target-triple
+
+# Get source
+COPY . .
+
+# Timelord sync
+RUN --mount=type=cache,target=/timelord/ \
+    timelord sync --source-dir . --cache-dir /timelord/
+
+# Build the binary
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git/db \
+    --mount=type=cache,target=/app/target \
+    bash <<'EOF'
+    set -o allexport
+    . /etc/environment
+    TARGET_DIR=($(cargo metadata --no-deps --format-version 1 | \
+            jq -r ".target_directory"))
+    mkdir /out/sbin
+    PACKAGE=conduwuit
+    xx-cargo build --locked --release \
+        -p $PACKAGE;
+    BINARIES=($(cargo metadata --no-deps --format-version 1 | \
+        jq -r ".packages[] | select(.name == \"$PACKAGE\") | .targets[] | select( .kind | map(. == \"bin\") | any ) | .name"))
+    for BINARY in "${BINARIES[@]}"; do
+        echo $BINARY
+        xx-verify $TARGET_DIR/$(xx-cargo   --print-target-triple)/release/$BINARY
+        cp $TARGET_DIR/$(xx-cargo --print-target-triple)/release/$BINARY /out/sbin/$BINARY
+    done
+EOF
+
+# Generate Software Bill of Materials (SBOM)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/local/cargo/git/db \
+    bash <<'EOF'
+    mkdir /out/sbom
+    typeset -A PACKAGES
+    for BINARY in /out/sbin/*; do
+        BINARY_BASE=$(basename ${BINARY})
+        package=$(cargo metadata --no-deps --format-version 1 | jq -r ".packages[] | select(.targets[] | select( .kind | map(. == \"bin\") | any ) | .name == \"$BINARY_BASE\") | .name")
+        if [ -z "$package" ]; then
+            continue
+        fi
+        PACKAGES[$package]=1
+    done
+    for PACKAGE in $(echo ${!PACKAGES[@]}); do
+        echo $PACKAGE
+        cargo sbom --cargo-package $PACKAGE > /out/sbom/$PACKAGE.spdx.json
+    done
+EOF
+
+# Extract dynamically linked dependencies
+RUN <<EOF
+    mkdir /out/libs
+    mkdir /out/libs-root
+    for BINARY in /out/sbin/*; do
+        lddtree "$BINARY" | awk '{print $(NF-0) " " $1}' | sort -u -k 1,1 | awk '{print "install", "-D", $1, (($2 ~ /^\//) ? "/out/libs-root" $2 : "/out/libs/" $2)}' | xargs -I {} sh -c {}
+    done
+EOF
+
+FROM scratch
+
+WORKDIR /
+
+# Copy root certs for tls into image
+# You can also mount the certs from the host
+# --volume /etc/ssl/certs:/etc/ssl/certs:ro
+COPY --from=base /etc/ssl/certs /etc/ssl/certs
+
+# Copy our build
+COPY --from=builder /out/sbin/ /sbin/
+# Copy SBOM
+COPY --from=builder /out/sbom/ /sbom/
+
+# Copy dynamic libraries to root
+COPY --from=builder /out/libs-root/ /
+COPY --from=builder /out/libs/ /usr/lib/
+
+# Inform linker where to find libraries
+ENV LD_LIBRARY_PATH=/usr/lib
+
+# Continuwuity default port
+EXPOSE 8008
+
+CMD ["/sbin/conduwuit"]