Merge branch 'main' of https://git.pi-farm.de/pi-farm/docker-baseimage-alpine

.gitea/workflows/docker-builder.yml

@@ -3,7 +3,9 @@ name: Docker Build Smart Logic
 on:
   push:
     branches:
-      - '**'
+      - main
+    tags:
+      - 'v*'
   workflow_dispatch:
 
 env:
@@ -20,13 +22,13 @@ jobs:
         uses: http://git.pi-farm.de/pi-farm/checkout@v4
         with:
           fetch-depth: 0
+          fetch-tags: true
 
       - name: Dynamic Template Fix
         id: template_fix
         run: |
           if grep -q "{{.RepoName}}" README.md 2>/dev/null; then
-            echo "Ersetze Platzhalter in README, docker-compose und LICENSE..."
+            echo "Ersetze Platzhalter..."
-            
             REPO_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f2)
             OWNER_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f1)
             BRANCH_NAME="${{ gitea.ref_name }}"
@@ -38,90 +40,123 @@ jobs:
             git config user.name "Gitea Bot"
             git config user.email "bot@gitea.local"
             git add README.md docker-compose.yml LICENSE
-            
+            if ! git diff --staged --quiet; then
-            if git diff --staged --quiet; then
-              echo "Keine Änderungen zum Committen."
-            else
               git commit -m "docs: fix template placeholders [skip ci]"
               git push origin HEAD:${{ gitea.ref_name }}
             fi
-          else
-            echo "Platzhalter bereits ersetzt."
           fi
 
-      - name: Set dynamic variables and check Dockerfiles
+      - name: Detect version and Prepare Files
-        id: check_files
+        id: prepare
         run: |
-          if [ -s "Dockerfile" ]; then
+          # Versionierung
-            echo "Dockerfile gefunden und nicht leer. Build wird vorbereitet."
+          if [ "$GITHUB_REF_TYPE" = "tag" ]; then
-            echo "should_build=true" >> $GITEA_OUTPUT
+            VERSION="$GITHUB_REF_NAME"
+            IS_TAG=true
           else
-            echo "Dockerfile ist leer oder fehlt. Build wird übersprungen."
+            VERSION="main"
+            IS_TAG=false
+          fi
+          
+          # Dockerfile Auswahl
+          if [ ! -s "Dockerfile" ]; then
             echo "should_build=false" >> $GITEA_OUTPUT
             exit 0
           fi
+          echo "should_build=true" >> $GITEA_OUTPUT
 
-          AMD64_FILE="Dockerfile"
+          # Multiarch Files
-          if [ -s "Dockerfile.aarch64" ]; then
+          echo "AMD64_DOCKERFILE=Dockerfile" >> $GITEA_ENV
-            echo "Spezielles Dockerfile.aarch64 erkannt."
+          echo "ARM64_DOCKERFILE=$([ -s Dockerfile.aarch64 ] && echo Dockerfile.aarch64 || echo Dockerfile)" >> $GITEA_ENV
-            ARM64_FILE="Dockerfile.aarch64"
-          else
-            ARM64_FILE="Dockerfile"
-          fi
           
-          echo "VERSION=${{ gitea.ref_name }}" >> $GITEA_ENV
+          # Global Env
-          echo "IMAGE_NAME=${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}" >> $GITEA_ENV
+          echo "VERSION=$VERSION" >> $GITEA_ENV
-          echo "CACHE_IMAGE_NAME=${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}-cache" >> $GITEA_ENV
+          echo "IS_TAG=$IS_TAG" >> $GITEA_ENV
-          echo "AMD64_DOCKERFILE=$AMD64_FILE" >> $GITEA_ENV
+          echo "IMAGE_NAME=${REGISTRY_HOST}/${IMAGE_BASE}" >> $GITEA_ENV
-          echo "ARM64_DOCKERFILE=$ARM64_FILE" >> $GITEA_ENV
+          echo "CACHE_IMAGE_NAME=${REGISTRY_HOST}/${IMAGE_BASE}-cache" >> $GITEA_ENV
           echo "BUILD_DATE=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITEA_ENV
 
       - name: Login to registry
-        if: steps.check_files.outputs.should_build == 'true'
+        if: steps.prepare.outputs.should_build == 'true'
         run: |
           echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login \
             ${{ env.REGISTRY_HOST }} -u ${{ secrets.REGISTRY_USER }} --password-stdin
 
       - name: Setup buildx
-        if: steps.check_files.outputs.should_build == 'true'
+        if: steps.prepare.outputs.should_build == 'true'
         run: |
           docker buildx rm multiarch || true
           docker buildx create --name multiarch --driver docker-container --use
           docker buildx inspect --bootstrap
 
-      - name: Build & push amd64 (Cache)
+      - name: Build & push multiarch
-        if: steps.check_files.outputs.should_build == 'true'
+        if: steps.prepare.outputs.should_build == 'true'
+        shell: bash
         run: |
-          docker buildx build --platform linux/amd64 -f ${AMD64_DOCKERFILE} \
+          echo "== Universeller Multiarch Build Start =="
-            --build-arg BUILD_DATE=${BUILD_DATE} --build-arg VERSION=${VERSION} \
-            -t ${CACHE_IMAGE_NAME}:${VERSION}-amd64 --push .
 
-      - name: Build & push arm64 (Cache)
+          # 1. Dynamisches Laden aller Variablen aus versions.env als Build-Args
-        if: steps.check_files.outputs.should_build == 'true'
+          BUILD_ARGS=""
-        run: |
+          while IFS='=' read -r key value || [ -n "$key" ]; do
-          docker buildx build --platform linux/arm64 -f ${ARM64_DOCKERFILE} \
+            [[ "$key" =~ ^#.*$ || -z "$key" ]] && continue
-            --build-arg BUILD_DATE=${BUILD_DATE} --build-arg VERSION=${VERSION} \
+            clean_value=$(echo "$value" | xargs)
-            -t ${CACHE_IMAGE_NAME}:${VERSION}-arm64 --push .
+            # Exportiere für Script-Nutzung UND baue Build-Args String
+            export "$key=$clean_value"
+            BUILD_ARGS="$BUILD_ARGS --build-arg $key=$clean_value"
+          done < versions.env
 
-      - name: Create and push manifest to Prod
+          # 2. Zusätzliche System-Args hinzufügen
-        if: steps.check_files.outputs.should_build == 'true'
+          BUILD_ARGS="$BUILD_ARGS --build-arg VERSION=$VERSION --build-arg BUILD_DATE=$BUILD_DATE"
-        run: |
-          docker buildx imagetools create -t ${IMAGE_NAME}:${VERSION} \
-            ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
-            ${CACHE_IMAGE_NAME}:${VERSION}-arm64
 
-      - name: Cleanup Cache Images
+          # 3. Tags berechnen
-        if: steps.check_files.outputs.should_build == 'true'
+          if [[ "$IS_TAG" == "true" ]]; then
-        run: |
+            DOCKER_TAGS="${IMAGE_NAME}:${VERSION} ${IMAGE_NAME}:latest"
-          # Wir nutzen die Gitea API, um die temporären Cache-Tags zu löschen
+          else
-          REPO_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f2)
+            DOCKER_TAGS="${IMAGE_NAME}:main"
-          OWNER_NAME=$(echo "${{ gitea.repository }}" | cut -d'/' -f1)
+          fi
 
-          echo "Bereinige Cache-Images für ${REPO_NAME}-cache..."
+          # 4. Builds ausführen
+          CACHE_REF="${CACHE_IMAGE_NAME}"
 
-          for TAG in "${VERSION}-amd64" "${VERSION}-arm64"; do
+          echo "Starte AMD64 Build..."
-            echo "Lösche Tag: ${TAG}"
+          docker buildx build \
-            curl -X DELETE \
+            --platform linux/amd64 \
-              -H "Authorization: token ${{ secrets.REGISTRY_TOKEN }}" \
+            -f ${AMD64_DOCKERFILE} \
-              "https://${{ env.REGISTRY_HOST }}/api/v1/packages/${OWNER_NAME}/container/${REPO_NAME}-cache/${TAG}" || echo "Tag ${TAG} konnte nicht gelöscht werden oder existierte nicht."
+            ${BUILD_ARGS} \
+            --cache-from type=registry,ref=${CACHE_REF}:amd64 \
+            --cache-to type=registry,ref=${CACHE_REF}:amd64,mode=min \
+            -t ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
+            --push .
+
+          echo "Starte ARM64 Build..."
+          docker buildx build \
+            --platform linux/arm64 \
+            -f ${ARM64_DOCKERFILE} \
+            ${BUILD_ARGS} \
+            --cache-from type=registry,ref=${CACHE_REF}:arm64 \
+            --cache-to type=registry,ref=${CACHE_REF}:arm64,mode=min \
+            -t ${CACHE_IMAGE_NAME}:${VERSION}-arm64 \
+            --push .
+
+          # 5. Manifest Erstellung
+          for TAG in $DOCKER_TAGS; do
+            echo "Creating manifest for: $TAG"
+            docker buildx imagetools create -t $TAG \
+              ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
+              ${CACHE_IMAGE_NAME}:${VERSION}-arm64
           done
+
+      - name: Generate SBOM
+        if: steps.prepare.outputs.should_build == 'true'
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+          TARGET_IMAGE="${IMAGE_NAME}:${VERSION}"
+          echo "Generating SBOM for $TARGET_IMAGE"
+          syft $TARGET_IMAGE -o spdx-json > sbom.spdx.json || true
+      
+      - name: Upload SBOM
+        if: steps.prepare.outputs.should_build == 'true'
+        uses: actions/upload-artifact@v3
+        with:
+          name: sbom
+          path: sbom.spdx.json

Dockerfile

@@ -1,11 +1,14 @@
 # syntax=docker/dockerfile:1
+ARG BASE_IMAGE=alpine:latest #Fallback alpine:latest
+ARG S6_OVERLAY_VERSION=3.2.0.2 
+ARG APP_VERSION=3.22
 
-FROM alpine:3.23 AS rootfs-stage
+FROM ${BASE_IMAGE} AS rootfs-stage
 
-ARG S6_OVERLAY_VERSION="3.2.2.0"
+ARG S6_OVERLAY_VERSION=${S6_OVERLAY_VERSION}
 ARG ROOTFS=/root-out
-ARG REL=v3.23
+ARG REL=${APP_VERSION}
-ARG ARCH=x86_64
+ARG ARCH=${TARGET_PLATFORMS}
 ARG MIRROR=http://dl-cdn.alpinelinux.org/alpine
 ARG PACKAGES=alpine-baselayout,\
 alpine-keys,\
@@ -50,8 +53,8 @@ ARG MODS_VERSION="v3"
 ARG PKG_INST_VERSION="v1"
 ARG LSIOWN_VERSION="v1"
 ARG WITHCONTENV_VERSION="v1"
-LABEL build_version="Pi-Farm version:- ${VERSION} Build-date:- ${BUILD_DATE}"
+LABEL build_version="${MAINTAINER} version:- ${APP_VERSION} Build-date:- ${BUILD_DATE}"
-LABEL maintainer="Pi-Farm"
+LABEL maintainer="${MAINTAINER}"
 
 ADD --chmod=755 "https://raw.githubusercontent.com/linuxserver/docker-mods/mod-scripts/docker-mods.${MODS_VERSION}" "/docker-mods"
 ADD --chmod=755 "https://raw.githubusercontent.com/linuxserver/docker-mods/mod-scripts/package-install.${PKG_INST_VERSION}" "/etc/s6-overlay/s6-rc.d/init-mods-package-install/run"
@@ -84,9 +87,9 @@ RUN \
     shadow \
     tzdata && \
   echo "**** create abc user and make our folders ****" && \
-  groupmod -g 1000 users && \
+  groupmod -g ${APP_GID} users && \
-  useradd -u 911 -U -d /config -s /bin/false abc && \
+  useradd -u 911 -U -d /config -s /bin/false ${APP_USER} && \
-  usermod -G users abc && \
+  usermod -G users ${APP_USER} && \
   mkdir -p \
     /app \
     /config \

versions.env

@@ -0,0 +1,19 @@
+APP_NAME=docker-baseimage-alpine
+APP_VERSION=3.22
+APP_DESCRIPTION=Alpine Baseimage with S6-Overlay
+
+BASE_IMAGE=alpine:3.22
+S6_OVERLAY_VERSION=3.2.0.2
+
+MAINTAINER=pi-farm
+OCI_VENDOR=pi-farm
+OCI_LICENSE=Apache
+
+TARGET_PLATFORMS=x86_64,aarch64
+
+APP_PORT=8080
+APP_USER=app
+APP_UID=1000
+APP_GID=1000
+
+GENERATE_SBOM=true