Update Dockerfile location and use tar dist as an arg

Consensys · Feb 23, 2025 · 6c0c5e5 · 6c0c5e5
1 parent 97e0fbb
commit 6c0c5e5
Show file tree

Hide file tree

Showing 3 changed files with 104 additions and 93 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,6 @@
+# Ignore everything
+**
+
+# Whitelist specific directories
+!build/distributions/
+!docker/
diff --git a/.github/workflows/ci_main.yml b/.github/workflows/ci_main.yml
@@ -28,115 +28,60 @@ jobs:
         run: ./gradlew distTar distZip
 
       # TODO: Attach distTar as artifact (lowest retention) so that it is available for docker and release jobs
+      - name: Upload distribution artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: distribution
+          path: build/distributions/
+          retention-days: 1
+          if-no-files-found: error
+
 
        # TODO: Test docker image
 
        # TODO: Publish Docker image - develop for merges to master, tags/latest for tags
 
-       # Create release notes
-      - name: Create Release Notes
-        if: startsWith(github.ref, 'refs/tags/')
-        run: |
-          prevTag=$(git tag --sort=-creatordate | sed -n '2p')
-          echo "# Release ${{ github.ref_name }}" > output.md
-          echo "### Downloads" >> output.md
-          echo "| Module | SHA-256 |" >> output.md
-          echo "|--------|--------------|" >> output.md
-          echo "| web3signer.tar.gz | $(sha256sum build/distributions/web3signer-${{ github.ref_name }}.tar.gz | awk '{ print $1 }' ) |" >> output.md
-          echo "| web3signer.zip | $(sha256sum build/distributions/web3signer-${{ github.ref_name }}.zip | awk '{ print $1 }' ) |" >> output.md 
-          echo "" >> output.md
-
-          ### Full Changelog: https://github.com/$REPOSITORY/compare/${prevTag}...${{ github.ref_name }}
-          echo "" >> output.md
-
-      - name: Create Release
-        id: release_publish
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v2
-        with:
-          name: Release ${{ github.ref_name }}
-          body_path: output.md
-          generate_release_notes: true
-          fail_on_unmatched_files: true
-          files: |
-            build/distributions/web3signer-${{ github.ref_name }}.tar.gz
-            build/distributions/web3signer-${{ github.ref_name }}.zip  
-
-  publishDocker:
-    if: false
+  docker:
     runs-on: ubuntu-24.04
+    strategy:
+      matrix:
+        platform: [linux/amd64, linux/arm64]
+    needs: build
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: 'recursive'
+          fetch-depth: 0
+          fetch-tags: true
 
-      - name: Prepare
-        id: prepare
-        uses: ./.github/actions/prepare         
-
-      - name: Download workspace build
-        uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v4
         with:
-          name: workspace
+          name: distribution
+          path: build/distributions/
+
+      - name: Display build distributions
+        run: ls -l build/distributions/
 
-      - name: get workflow_details
-        id: details
-        shell: bash
+      - name: Prepair Docker Platfor Pair
         run: |
-          echo "id=${{ github.run_id }}" >> $GITHUB_OUTPUT
-          echo "build_date=$(date --rfc-3339=date)" >> $GITHUB_OUTPUT
-
-          # on a release tag also add `latest` and `maj.min` version tags if it's not an `rc`
-          if [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref_type }}" == "tag" ]; then
-            echo "buildVersion=${{ github.ref_name }}" >> $GITHUB_OUTPUT
-            dockertags="consensys/web3signer:${{ github.ref_name }},consensys/web3signer:${{ github.ref_name }}-jdk21"
-            
-            semver=${{ github.ref_name }}
-            if [[ ${semver,,} != *"-rc"* ]]; then
-              echo "It's not an rc version, proceeding with extra tags..."
-              # Extract major.minor 
-              if [[ $semver =~ ^([0-9]+)\.([0-9]+)\.[0-9]+(-rc)?$ ]]; then
-                major_minor="${BASH_REMATCH[1]}.${BASH_REMATCH[2]}"
-                echo "major.minor: $major_minor"
-              else
-                echo "Invalid semver string"
-              fi              
-              dockertags="${dockertags},consensys/web3signer:${major_minor},consensys/web3signer:${major_minor}-jdk21"
-              dockertags="${dockertags},consensys/web3signer:latest,consensys/web3signer:latest-jdk21"
-            fi
-            echo "dockertags=${dockertags}" >> $GITHUB_OUTPUT
-
-          else
-            echo "buildVersion=develop" >> $GITHUB_OUTPUT
-            dockertags="consensys/web3signer:develop,consensys/web3signer:develop-jdk21"
-            echo "dockertags=${dockertags}" >> $GITHUB_OUTPUT
-          fi
-          
-      - name: Get the artifacts in one place
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+      - name: Build and test docker image
         run: |
-          mkdir -p build/docker-web3signer/
-          ./gradlew dockerDistUntar
-          cp docker/jdk21/Dockerfile build/docker-web3signer/
-
-          echo "Creating buildVersion: ${{ steps.details.outputs.buildVersion }}"
-          echo "Creating dockertags: ${{ steps.details.outputs.dockertags }}"
-          
-      - name: build and push the combined manifest
-        uses: docker/build-push-action@v6
-        env:
-          DOCKER_BUILD_SUMMARY: false
+          ./gradlew "-Pbranch=${GITHUB_REF##*/}" testDocker
+
+      - name: Upload Docker image
+        uses: docker/login-action@v2
         with:
-          context: build/docker-web3signer/.
-          platforms: linux/arm64,linux/amd64
-          provenance: false
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache          
-          build-args: |
-            VERSION=${{ steps.details.outputs.buildVersion }}
-            VCS_REF=${{ github.sha }}
-            BUILD_DATE=${{ steps.details.outputs.build_date }}
-          push: true
-          tags: ${{ steps.details.outputs.dockertags }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image
+        run: |
+          docker build . -t ghcr.io/consensys/web3signer:${GITHUB_REF##*/}
+          docker push ghcr.io/consensys/web3signer:${GITHUB_REF##*/}
 
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -0,0 +1,60 @@
+# syntax=docker/dockerfile:1
+FROM eclipse-temurin:21 AS jre-build
+
+# Create a custom Java runtime
+RUN JAVA_TOOL_OPTIONS="-Djdk.lang.Process.launchMechanism=vfork" $JAVA_HOME/bin/jlink \
+         --add-modules ALL-MODULE-PATH \
+         --strip-debug \
+         --no-man-pages \
+         --no-header-files \
+         --compress=2 \
+         --output /javaruntime
+
+FROM ubuntu:latest
+# Build-time metadata as defined at http://label-schema.org
+ARG BUILD_DATE
+ARG VCS_REF
+ARG VERSION
+LABEL org.label-schema.build-date=$BUILD_DATE \
+      org.label-schema.name="Web3Signer" \
+      org.label-schema.description="Ethereum 2.0 Signing Service" \
+      org.label-schema.url="https://docs.web3signer.consensys.net" \
+      org.label-schema.vcs-ref=$VCS_REF \
+      org.label-schema.vcs-url="https://github.com/ConsenSys/web3signer.git" \
+      org.label-schema.vendor="Consensys" \
+      org.label-schema.version=$VERSION \
+      org.label-schema.schema-version="1.0"
+
+# Web3Signer tar.gz file (from gradlew distTar)
+ARG TAR_FILE
+# Validate that the TAR_FILE argument is provided
+RUN if [ -z "$TAR_FILE" ]; then echo "TAR_FILE build argument is required" && exit 1; fi
+
+ENV JAVA_HOME=/opt/java/openjdk
+ENV PATH="${JAVA_HOME}/bin:${PATH}"
+COPY --from=jre-build /javaruntime $JAVA_HOME
+
+RUN apt-get -y update && apt-get -y install adduser libc-bin libc6 curl iputils-ping net-tools && rm -rf /var/lib/api/lists/*
+RUN adduser --disabled-password --gecos "" --home /opt/web3signer web3signer && \
+    chown web3signer:web3signer /opt/web3signer && chmod 755 /opt/web3signer
+
+COPY --chown=web3signer:web3signer ${TAR_FILE} /tmp/web3signer.tar.gz
+
+# Extract the tar.gz file and rename the directory
+RUN mkdir -p /opt/web3signer && \
+    tar -xzf /tmp/web3signer.tar.gz -C /opt/web3signer --strip-components=1 && \
+    rm /tmp/web3signer.tar.gz
+
+USER web3signer
+WORKDIR /opt/web3signer
+
+ENV WEB3SIGNER_HTTP_LISTEN_HOST="0.0.0.0"
+ENV WEB3SIGNER_METRICS_HOST="0.0.0.0"
+
+# List Exposed Ports
+# Metrics, Rest API
+EXPOSE 9001 9000 9000/udp
+
+# specify default command
+ENTRYPOINT ["/opt/web3signer/bin/web3signer"]
+