Merge pull request #83 from InjectiveLabs/f/docker

F/docker

.github/workflows/docker.yml

@@ -1,40 +1,65 @@
-name: docker
-
+name: Docker Release
+defaults:
+  run:
+    shell: bash -leo pipefail {0}
 on:
   push:
-    branches:
-      - 'master'
     tags:
-      - 'v*'
+      - v**
+env:
+  ECR_ENABLED: true
+  ECR_REPO: public.ecr.aws/l9h3g6c6/peggo
+  GHCR_ENABLED: false
+  GHCR_REPO: ghcr.io/InjectiveLabs/peggo
 
 jobs:
-  docker:
+  docker-release:
     runs-on: ubuntu-latest
+    timeout-minutes: 120
     steps:
+      - name: Checkout peggo
+        uses: actions/checkout@master
+        with:
+          repository: InjectiveLabs/peggo
+          fetch-depth: 0
+          ref: ${{ github.ref_name }}
+          token: ${{ secrets.GH_TOKEN }}
+          path: ./peggo
 
-      - name: Checkout
-        uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          platforms: linux/amd64,linux/arm64
 
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=raw,value=latest
-            type=semver,pattern=v{{version}}
+      - name: Log-in to ghcr.io
+        if: env.GHCR_ENABLED == 'true'
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin
 
-      - name: Build and push
-        uses: docker/build-push-action@v3
+      - name: Login to Public ECR
+        if: env.ECR_ENABLED == 'true'
+        uses: docker/login-action@v2
         with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          registry: public.ecr.aws
+          username: ${{ secrets.AWS_KEY }}
+          password: ${{ secrets.AWS_SECRET }}
+        env:
+          AWS_REGION: us-east-1
+
+      - name: Build image and push
+        run: |
+          cd peggo/
+          TAG=$(echo ${GITHUB_REF#refs/heads/} | cut -d '/' -f 2)
+          echo $TAG
+          [[ $ECR_ENABLED == "false" ]] || docker buildx build --tag $ECR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .
+          [[ $GHCR_ENABLED == "false" ]] || docker buildx build --tag $GHCR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .
+
+      - name: NONROOT Build image and push
+        run: |
+          cd peggo/
+          TAG=$(echo ${GITHUB_REF#refs/heads/} | cut -d '/' -f 2)-nonroot
+          echo $TAG
+          [[ $ECR_ENABLED == "false" ]] || docker buildx build -f Dockerfile.nonroot --tag $ECR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .
+          [[ $GHCR_ENABLED == "false" ]] || docker buildx build -f Dockerfile.nonroot --tag $GHCR_REPO:$TAG --platform linux/amd64,linux/arm64 --push .

Dockerfile.nonroot

@@ -0,0 +1,35 @@
+#install packages for build layer
+FROM golang:1.19-alpine as builder
+RUN apk add --no-cache git gcc make perl jq libc-dev linux-headers
+
+#build binary
+WORKDIR /src
+COPY . .
+RUN go mod download
+
+#install binary
+RUN make install
+
+#build main container
+FROM alpine:latest
+
+# Add the "injective" non-root user and group
+RUN addgroup -S injective && adduser -S -G injective injective
+
+# Install dependencies
+RUN apk add --update --no-cache ca-certificates curl
+
+# Copy the peggo binary
+COPY --from=builder /go/bin/* /usr/local/bin/
+
+# Set ownership and permissions
+RUN chown -R injective:injective /usr/local/bin
+
+# Configure container
+USER injective
+VOLUME /apps/data
+WORKDIR /home/injective/.injectived/peggo
+
+# Default command
+CMD peggo orchestrator
+