Initial commit

.dockerignore

@@ -0,0 +1,3 @@
+.git
+.gitignore
+buildkitd.toml

.env

@@ -0,0 +1,4 @@
+# target
+REG=zima1.abutili.net:3002
+NS=devops
+IMG=container-build-publish

.gitea/workflows/build-publish.yml

@@ -0,0 +1,88 @@
+name: build-publish
+on:
+  push:
+    branches: ["main"]
+    tags: ["*"]
+  pull_request:
+
+# Envrionment required: REG
+# Secrets required: REGISTRY_USER, REGISTRY_PASSWORD
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Load .env
+        run: |
+          set -a
+          source .env
+          set +a
+          echo "REG=$REG" >> $GITHUB_ENV
+          echo "NS=$NS" >> $GITHUB_ENV
+          echo "IMG=$IMG" >> $GITHUB_ENV
+
+      - name: Compute repo and tag
+        id: meta
+        shell: bash
+        run: |
+          REPO="${REG}/${NS}/${IMG}"
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            TAG="${{ github.ref_name }}"
+          else
+            BR="${{ github.ref_name }}"
+            SHA="$(git rev-parse --short HEAD)"
+            TAG="${BR}-${SHA}"
+          fi
+          echo "repo=${REPO}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}"  >> "$GITHUB_OUTPUT"
+          echo "build_date=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$GITHUB_OUTPUT"
+
+      # Explicitly tell BuildKit the registry is HTTP/insecure
+      - name: Write BuildKit config
+        run: |
+          cat > buildkitd.toml <<EOF
+          [registry."${REG}"]
+            http = true
+            insecure = true
+          EOF
+          echo "BUILDKIT_CONFIG=$PWD/buildkitd.toml" >> "$GITHUB_ENV"
+
+      # qemu is only required for multi-arch builds
+      #- uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+        with:
+          driver-opts: |
+            image=moby/buildkit:latest
+            network=host
+          config: ${{ env.BUILDKIT_CONFIG }}
+
+      - name: Log in
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REG }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Build & Push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.repo }}:${{ steps.meta.outputs.tag }}
+          labels: |
+            org.opencontainers.image.revision=${{ github.sha }}
+            org.opencontainers.image.created=${{ steps.meta.outputs.build_date }}
+          build-args: |
+            VERSION=${{ steps.meta.outputs.tag }}
+            VCS_REF=${{ github.sha }}
+            BUILD_DATE=${{ steps.meta.outputs.build_date }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Also tag :latest (main only)
+        if: ${{ github.ref_name == 'main' && github.event_name != 'pull_request' }}
+        run: |
+          docker build -t "${{ steps.meta.outputs.repo }}:latest" .
+          docker push "${{ steps.meta.outputs.repo }}:latest"

.justfile

@@ -0,0 +1,33 @@
+set shell := ["bash","-eu","-o","pipefail","-c"]
+set dotenv-load := true
+
+repo := `echo "${IMG_REPO:-${REG}/${NS}/${IMG}}"`
+
+# tag = git tag if exact; else branch-shortsha
+tag := `git describe --tags --exact-match 2>/dev/null || echo "$(git rev-parse --abbrev-ref HEAD)-$(git rev-parse --short HEAD)"`
+vcs_ref := `git rev-parse --short HEAD`
+build_date := `date -u +%Y-%m-%dT%H:%M:%SZ`
+
+default: build
+
+print-env:
+	@echo REPO={{repo}}
+	@echo TAG={{tag}}
+
+build:
+	docker build -t "{{repo}}:{{tag}}" \
+	  --build-arg VERSION="{{tag}}" \
+	  --build-arg VCS_REF="{{vcs_ref}}" \
+	  --build-arg BUILD_DATE="{{build_date}}" .
+
+build-latest:
+	docker build -t "{{repo}}:latest" \
+	  --build-arg VERSION="latest" \
+	  --build-arg VCS_REF="{{vcs_ref}}" \
+	  --build-arg BUILD_DATE="{{build_date}}" .
+
+run:
+	docker run --rm "{{repo}}:{{tag}}"
+
+clean:
+	docker images "{{repo}}" --format '{{"{{.Repository}}:{{.Tag}}"}}' | xargs -r -n1 docker rmi

.tool-versions

@@ -0,0 +1 @@
+just 1.40.0

Dockerfile

@@ -0,0 +1,28 @@
+# Small, glibc-based; great compat
+FROM debian:trixie-slim
+
+ARG VERSION=dev
+ARG VCS_REF=unknown
+ARG BUILD_DATE=unknown
+
+LABEL org.opencontainers.image.title="container-build-publish" \
+      org.opencontainers.image.version="${VERSION}" \
+      org.opencontainers.image.revision="${VCS_REF}" \
+      org.opencontainers.image.created="${BUILD_DATE}" \
+      org.opencontainers.image.source="https://git.abutili.net/templates/container-build-publish"
+
+# install system deps
+#RUN apt-get update && apt-get install -y --no-install-recommends \
+#      ca-certificates curl bash jq xz-utils git \
+#    && rm -rf /var/lib/apt/lists/*
+
+# install app
+
+# Non-root user (safer)
+RUN useradd -ms /bin/bash runner
+USER runner
+WORKDIR /workspace
+
+# Default shell
+SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
+# ENTRYPOINT

README.md

@@ -0,0 +1,52 @@
+# Container Build and Publish Template
+
+This repository provides a basic template for building and publishing container images using Gitea Actions.
+
+## Environment Variables
+
+The following environment variables are expected to be set in the `.env` file for local development, and as Gitea repository or organization variables for CI/CD:
+
+*   `REG`: The container registry hostname (e.g., `zima1.abutili.net:3002`)
+*   `NS`: The namespace/project within the registry (e.g., `devops`)
+*   `IMG`: The image name (e.g., `container-build-publish`)
+
+Example `.env` file:
+
+```
+REG=zima1.abutili.net:3002
+NS=devops
+IMG=container-build-publish
+```
+
+## Gitea Secrets
+
+The Gitea workflow requires the following secrets to be configured in your Gitea repository or organization:
+
+*   `REGISTRY_USER`: Username for logging into the container registry.
+*   `REGISTRY_PASSWORD`: Password for logging into the container registry.
+
+## Local Development with `just`
+
+This project uses `just` for local task automation.
+
+### Installation
+
+If you don't have `just` installed, you can find installation instructions [here](https://github.com/casey/just#installation).
+
+### Available Commands
+
+*   `just build`: Builds the Docker image with a tag based on the current Git tag or branch/short SHA.
+*   `just build-latest`: Builds the Docker image with the `:latest` tag.
+*   `just run`: Runs the locally built Docker image.
+*   `just clean`: Removes locally built Docker images for this project.
+*   `just print-env`: Displays the computed `REPO` and `TAG` variables.
+
+## Gitea Workflow (`.gitea/workflows/build-publish.yml`)
+
+This workflow is triggered on pushes to the `main` branch, tags, and pull requests.
+
+*   It logs into the specified container registry using `REGISTRY_USER` and `REGISTRY_PASSWORD` secrets.
+*   It builds the Docker image and pushes it to the registry.
+*   For pushes to `main` and tags, it pushes the image with a tag derived from the Git ref.
+*   For pushes to `main`, it also tags and pushes the image with `:latest`.
+*   Pull requests will build the image but not push it.