chore: set up docker buildx bake

.dockerignore

@@ -0,0 +1,25 @@
+.env
+*.deb
+*.rpm
+
+# Additional package locks
+pnpm-lock.yaml
+yarn.lock
+
+# Go binaries and test artifacts
+main
+*.test
+
+node_modules
+
+# MacOS
+.DS_store
+
+# Intellij
+.idea
+
+# how does this get here
+doc/VERSION
+
+web/static/js/*
+!web/static/js/.gitignore

.github/actions/spelling/expect.txt

@@ -6,6 +6,7 @@ amazonbot
 anthro
 anubis
 anubistest
+apk
 Applebot
 archlinux
 asnc
@@ -113,6 +114,7 @@ fsys
 fullchain
 gaissmai
 Galvus
+gcflags
 geoip
 geoipchecker
 gha
@@ -268,6 +270,7 @@ runtimedirectory
 Ryzen
 sas
 sasl
+sbom
 screenshots
 searchbot
 searx

.github/workflows/docker-pr.yml

@@ -2,7 +2,7 @@ name: Docker image builds (pull requests)
 
 on:
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
 
 env:
   DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@@ -11,7 +11,7 @@ permissions:
   contents: read
 
 jobs:
-  build:
+  buildx-bake:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
@@ -21,48 +21,17 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
-
-      - name: Install Brew dependencies
-        run: |
-          brew bundle
-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ghcr.io/${{ github.repository }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Build and push
         id: build
-        run: |
-          npm ci
-          npm run container
-        env:
-          PULL_REQUEST_ID: ${{ github.event.number }}
-          DOCKER_REPO: ghcr.io/${{ github.repository }}
-          SLOG_LEVEL: debug
-
-      - run: |
-          echo "Test this with:"
-          echo "docker pull ${DOCKER_IMAGE}"
-        env:
-          DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }}
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
+        with:
+          source: .
+          push: true
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          set: |
+            anubis.tags=ttl.sh/techaro/pr-${{ github.event.number }}/anubis:24h

.github/workflows/docker.yml

@@ -17,7 +17,7 @@ permissions:
   pull-requests: write
 
 jobs:
-  build:
+  buildx-bake:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
@@ -27,33 +27,8 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: Set lowercase image name
-        run: |
-          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
-
-      - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
-
-      - name: Setup Homebrew cellar cache
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
-        with:
-          path: |
-            /home/linuxbrew/.linuxbrew/Cellar
-            /home/linuxbrew/.linuxbrew/bin
-            /home/linuxbrew/.linuxbrew/etc
-            /home/linuxbrew/.linuxbrew/include
-            /home/linuxbrew/.linuxbrew/lib
-            /home/linuxbrew/.linuxbrew/opt
-            /home/linuxbrew/.linuxbrew/sbin
-            /home/linuxbrew/.linuxbrew/share
-            /home/linuxbrew/.linuxbrew/var
-          key: ${{ runner.os }}-go-homebrew-cellar-${{ hashFiles('go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-homebrew-cellar-
-
-      - name: Install Brew dependencies
-        run: |
-          brew bundle
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Log into registry
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
@@ -62,24 +37,16 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
-        with:
-          images: ${{ env.IMAGE }}
+      - name: Set version
+        run: |
+          echo "VERSION=$(git describe --tags --always --dirty) >> $GITHUB_ENV
 
       - name: Build and push
         id: build
-        run: |
-          npm ci
-          npm run container
-        env:
-          DOCKER_REPO: ${{ env.IMAGE }}
-          SLOG_LEVEL: debug
-
-      - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        uses: docker/bake-action@76f9fa3a758507623da19f6092dc4089a7e61592 # v6.6.0
         with:
-          subject-name: ${{ env.IMAGE }}
-          subject-digest: ${{ steps.build.outputs.digest }}
-          push-to-registry: true
+          source: .
+          push: true
+          sbom: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

docker-bake.hcl

@@ -0,0 +1,33 @@
+variable "ALPINE_VERSION" { default = "3.22" }
+variable "GITHUB_SHA" { default = "devel" }
+variable "VERSION" { default = "devel-docker" }
+
+group "default" {
+  targets = [
+    "anubis",
+  ]
+}
+
+target "anubis" {
+  args = {
+    ALPINE_VERSION = "3.22"
+    VERSION        = "${VERSION}"
+  }
+  context    = "."
+  dockerfile = "./docker/anubis.Dockerfile"
+  platforms = [
+    "linux/386",
+    "linux/amd64",
+    "linux/arm64",
+    "linux/arm/v7",
+    "linux/ppc64le",
+    "linux/riscv64",
+  ]
+  pull       = true
+  sbom       = true
+  provenance = true
+  tags = [
+    "ghcr.io/techarohq/anubis:${VERSION}",
+    "ghcr.io/techarohq/anubis:main"
+  ]
+}

docker/anubis.Dockerfile

@@ -0,0 +1,54 @@
+ARG ALPINE_VERSION=edge
+FROM --platform=${BUILDPLATFORM} alpine:${ALPINE_VERSION} AS build
+
+RUN apk -U add go nodejs git build-base git npm bash zstd brotli gzip
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/root/go \
+  go mod download
+
+COPY package.json package-lock.json ./
+RUN \
+  --mount=type=cache,target=/app/node_modules \
+  npm ci
+
+COPY . .
+RUN \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/root/go \
+  --mount=type=cache,target=/app/node_modules \
+  npm run assets
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG VERSION=devel-docker
+
+RUN \
+  --mount=type=cache,target=/root/.cache \
+  --mount=type=cache,target=/root/go \
+  --mount=type=cache,target=/app/node_modules \
+  GOOS=${TARGETOS} \
+  GOARCH=${TARGETARCH} \
+  CGO_ENABLED=0 \
+  GOARM=7 \
+  go build \
+  -gcflags "all=-N -l" \
+  -o /app/bin/anubis \
+  -ldflags "-s -w -extldflags -static -X github.com/TecharoHQ/anubis.Version=${VERSION}" \
+  ./cmd/anubis
+
+FROM alpine:${ALPINE_VERSION} AS run
+WORKDIR /app
+
+RUN apk -U add ca-certificates mailcap
+
+COPY --from=build /app/bin/anubis /app/bin/anubis
+
+CMD ["/app/bin/anubis"]
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "/app/bin/anubis", "--healthcheck" ]
+
+LABEL org.opencontainers.image.source="https://github.com/TecharoHQ/anubis"

docs/docs/CHANGELOG.md

@@ -68,8 +68,14 @@ Thanks to [@taviso](https://github.com/taviso) for reporting this issue.
 
 ### Breaking changes
 
+We try to introduce breaking changes as much as possible, but these are the changes that may be relevant for you as an administrator:
+
 - The "slow" frontend solver has been removed in order to reduce maintenance burden. Any existing uses of it will still work, but issue a warning upon startup asking administrators to upgrade to the "fast" frontend solver.
 
+#### Docker image build process has been changed
+
+Previously Docker images were built with [ko](https://ko.build/), which put the Anubis binary at `/ko-app/anubis`. [#862](https://github.com/TecharoHQ/anubis/pull/862) changes this to build with [docker buildx bake](https://docs.docker.com/reference/cli/docker/buildx/bake/) instead. If this causes you problems, please [file an issue](https://github.com/TecharoHQ/anubis/issues/new).
+
 ### New Locales
 
 - [Lithuanian](https://github.com/TecharoHQ/anubis/pull/972)

test/git-clone/docker-compose.yaml

@@ -10,7 +10,7 @@ services:
       - ./var/repos:/srv/git
 
   anubis:
-    image: ko.local/anubis
+    image: ghcr.io/techarohq/anubis:devel-docker
     environment:
       BIND: ":8005"
       TARGET: http://cgit:80

test/git-clone/test.sh

@@ -9,9 +9,7 @@ set -u
 
 (
   cd ../.. && \
-  npm ci && \
-  npm run assets \
-  ko build --platform=all --base-import-paths --tags="latest" --image-user=1000 --image-annotation="" --image-label="" ./cmd/anubis -L
+  docker buildx bake
 )
 
 rm -rf ./var/repos ./var/clones

test/git-push/test.sh

@@ -9,11 +9,10 @@ set -u
 
 (
   cd ../.. && \
-  npm ci && \
-  npm run assets \
-  ko build --platform=all --base-import-paths --tags="latest" --image-user=1000 --image-annotation="" --image-label="" ./cmd/anubis -L
+  docker buildx bake
 )
 
+
 rm -rf ./var/repos ./var/foo
 mkdir -p ./var/repos
 

test/healthcheck/test.sh

@@ -9,11 +9,10 @@ set -u
 
 (
   cd ../.. && \
-  npm ci && \
-  npm run assets \
-  ko build --platform=all --base-import-paths --tags="latest" --image-user=1000 --image-annotation="" --image-label="" ./cmd/anubis -L
+  docker buildx bake
 )
 
+
 docker compose up -d
 
 attempt=1

test/lib/lib.sh

@@ -17,16 +17,7 @@ function build_anubis_ko() {
     cd $REPO_ROOT && npm ci && npm run assets
   )
   (
-    cd $REPO_ROOT &&
-      VERSION=devel ko build \
-        --platform=all \
-        --base-import-paths \
-        --tags="latest" \
-        --image-user=1000 \
-        --image-annotation="" \
-        --image-label="" \
-        ./cmd/anubis \
-        --local
+    cd $REPO_ROOT && docker buildx bake
   )
 }