
fix(Dockerfile): production harden with global Bun/Foundry setup and … #79



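---
# Builds the devcontainer image for linux/amd64 (hosted runner) and linux/arm64
# (self-hosted runner), pushes each as a single-arch temp tag, then stitches the
# two into one multi-arch manifest published as :${VERSION} and :latest.
name: Build and Push Devcontainer Image (Production)

on:
  push:
    branches:
      - main

# Serialise runs on the same ref: both builds write the shared temp-amd64 /
# temp-arm64 tags, so two overlapping runs could combine mismatched images.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# Least privilege for GITHUB_TOKEN. id-token is not granted: nothing below uses
# OIDC while `provenance: false`; re-add `id-token: write` if attestations or
# OIDC-based signing are enabled later.
permissions:
  contents: read
  packages: write
  actions: read

env:
  IMAGE_NAME: ghcr.io/beaniezombie/zombiekit-devcontainer
  VERSION: dev

jobs:
  build-amd64:
    if: github.repository == 'BeanieZombie/zombiekit-devcontainer'
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Must run BEFORE login: `docker login` stores its auth entry in this
      # file, so overwriting it afterwards would discard the credentials.
      - name: Configure Docker to skip credential helpers
        run: |
          mkdir -p ~/.docker
          echo '{"credsStore":""}' > ~/.docker/config.json

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          install: true
          driver-opts: image=moby/buildkit:latest
          buildkitd-flags: --debug  # verbose daemon logs; drop once the build is stable
          name: build-amd64-builder

      - name: Prune Buildx Builder
        run: docker buildx prune --force

      - name: Build & Push Docker Image (AMD64)
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          platforms: linux/amd64
          tags: ${{ env.IMAGE_NAME }}:temp-amd64
          provenance: false
          cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:cache-amd64
          cache-to: type=registry,ref=${{ env.IMAGE_NAME }}:cache-amd64,mode=max

      - name: Verify Image Push to GHCR (AMD64)
        run: |
          # A `for ... done || ...` guard cannot detect exhaustion here: the loop's
          # exit status is that of its last command (`sleep`), so track success
          # explicitly in a flag.
          found=0
          for i in {1..5}; do
            if docker manifest inspect "${{ env.IMAGE_NAME }}:temp-amd64"; then
              found=1
              break
            fi
            sleep 5
          done
          if [ "$found" -ne 1 ]; then
            echo "::error::temp-amd64 not found in GHCR after retries. Check push step."
            exit 1
          fi

      # Scan the image that was actually built and pushed (its base layers
      # included), not only the upstream base image. The action is pinned to a
      # release tag instead of the mutable `master` branch; a full commit SHA
      # pin is stronger still.
      - name: Trivy Scan (built image, AMD64)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE_NAME }}:temp-amd64
          severity: 'CRITICAL,HIGH'
          exit-code: '0'  # advisory only; set to '1' to block publication on findings
          scanners: 'vuln'

  build-arm64:
    if: github.repository == 'BeanieZombie/zombiekit-devcontainer'
    runs-on: [self-hosted, linux, ARM64]
    timeout-minutes: 60
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Must run BEFORE login (see build-amd64): overwriting config.json after
      # `docker login` drops the stored auth entry.
      - name: Configure Docker to skip credential helpers
        run: |
          mkdir -p ~/.docker
          echo '{"credsStore":""}' > ~/.docker/config.json

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Check Docker + Buildx
        run: |
          docker info
          docker system info
          df -h
          free -h
          docker buildx version
          docker buildx inspect

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          install: true
          driver-opts: image=moby/buildkit:latest
          buildkitd-flags: --debug  # verbose daemon logs; drop once the build is stable
          name: build-arm64-builder

      - name: Prune Buildx Builder
        run: docker buildx prune --force

      # Best-effort: the arm64 build is native on this runner, so a failed
      # binfmt install only warns. The container runs --privileged on a
      # self-hosted host; pin `tonistiigi/binfmt` to a digest rather than
      # `latest` to control what gets that privilege.
      - name: Set up QEMU with Retry
        run: |
          installed=0
          for i in {1..3}; do
            if docker run --rm --privileged tonistiigi/binfmt:latest --install all; then
              installed=1
              break
            fi
            sleep 5
          done
          if [ "$installed" -ne 1 ]; then
            echo "::warning::binfmt install failed after retries; continuing with native arm64 build."
          fi

      - name: Build & Push Docker Image (ARM64)
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          platforms: linux/arm64
          tags: ${{ env.IMAGE_NAME }}:temp-arm64
          provenance: false
          cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:cache-arm64
          cache-to: type=registry,ref=${{ env.IMAGE_NAME }}:cache-arm64,mode=max

      - name: Verify Image Push to GHCR (ARM64)
        run: |
          # Flag-based retry: the loop's own exit status is that of `sleep`
          # and cannot signal exhaustion.
          found=0
          for i in {1..5}; do
            if docker manifest inspect "${{ env.IMAGE_NAME }}:temp-arm64"; then
              found=1
              break
            fi
            sleep 5
          done
          if [ "$found" -ne 1 ]; then
            echo "::error::temp-arm64 not found in GHCR after retries. Check push step."
            exit 1
          fi

      # Scan the pushed arm64 image (see the amd64 job for the pinning note).
      - name: Trivy Scan (built image, ARM64)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE_NAME }}:temp-arm64
          severity: 'CRITICAL,HIGH'
          exit-code: '0'  # advisory only; set to '1' to block publication on findings
          scanners: 'vuln'

  combine-images:
    needs: [build-amd64, build-arm64]
    if: github.repository == 'BeanieZombie/zombiekit-devcontainer'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install jq
        run: sudo apt-get update && sudo apt-get install -y jq

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          install: true
          driver-opts: image=moby/buildkit:latest
          buildkitd-flags: --debug  # verbose daemon logs; drop once the build is stable
          name: combine-images-builder

      # Best-effort on the hosted runner; only the manifest is assembled here.
      - name: Set up QEMU with Retry
        run: |
          installed=0
          for i in {1..3}; do
            if docker run --rm --privileged tonistiigi/binfmt:latest --install all; then
              installed=1
              break
            fi
            sleep 5
          done
          if [ "$installed" -ne 1 ]; then
            echo "::warning::binfmt install failed after retries; continuing."
          fi

      # Must run BEFORE login (see build-amd64).
      - name: Configure Docker to skip credential helpers
        run: |
          mkdir -p ~/.docker
          echo '{"credsStore":""}' > ~/.docker/config.json

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Check GHCR Availability
        run: curl -sI https://ghcr.io || exit 1

      - name: Pre-Check Architecture Manifests
        run: |
          docker manifest inspect "${{ env.IMAGE_NAME }}:temp-amd64" || exit 1
          docker manifest inspect "${{ env.IMAGE_NAME }}:temp-arm64" || exit 1

      - name: Pull Images with Retry
        run: |
          # pull_with_retry IMAGE: up to 5 attempts, 10 s apart; fails the step
          # on exhaustion instead of silently continuing.
          pull_with_retry() {
            for i in {1..5}; do
              if docker pull "$1"; then
                return 0
              fi
              sleep 10
            done
            echo "::error::failed to pull $1 after retries."
            return 1
          }
          pull_with_retry "${{ env.IMAGE_NAME }}:temp-amd64"
          pull_with_retry "${{ env.IMAGE_NAME }}:temp-arm64"

      - name: Combine & Push Multi-Arch Manifest (:${{ env.VERSION }})
        run: |
          docker buildx imagetools create \
            --provenance=false \
            -t "${{ env.IMAGE_NAME }}:${{ env.VERSION }}" \
            "${{ env.IMAGE_NAME }}:temp-amd64" \
            "${{ env.IMAGE_NAME }}:temp-arm64"

      - name: Combine & Push Multi-Arch Manifest (:latest)
        run: |
          docker buildx imagetools create \
            --provenance=false \
            -t "${{ env.IMAGE_NAME }}:latest" \
            "${{ env.IMAGE_NAME }}:temp-amd64" \
            "${{ env.IMAGE_NAME }}:temp-arm64"

      - name: Log Dev Visibility
        run: echo "::notice::Container published as :dev and :latest — multi-arch, production ready."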