Replace binary release with Docker image build and push
authorAlpha Chen <alpha@kejadlen.dev>
Fri, 24 Apr 2026 00:01:59 +0000 (00:01 +0000)
committerAlpha Chen <alpha@kejadlen.dev>
Fri, 24 Apr 2026 14:30:31 +0000 (07:30 -0700)
Multi-stage Dockerfile builds the Rust binary then copies it into a
slim runtime image with git and ca-certificates. CI workflow follows
the ketchup pattern: single ci.yml with test, zizmor, and build jobs.
Build pushes to GHCR on green main, tags with YYYYMMDD-<short-sha>,
and creates a GitHub release. Removes the old release workflow and
dotslash config.

Assisted-by: GLM-5.1 via pi
.github/dotslash-config.json [deleted file]
.github/workflows/ci.yml
.github/workflows/release.yml [deleted file]
Dockerfile

diff --git a/.github/dotslash-config.json b/.github/dotslash-config.json
deleted file mode 100644 (file)
index 6e8b89d..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-{
-  "outputs": {
-    "quire": {
-      "platforms": {
-        "macos-aarch64": {
-          "regex": "^quire-aarch64-apple-darwin\\.tar\\.gz$",
-          "path": "quire"
-        }
-      }
-    }
-  }
-}
index a524560e5f56b2d927e991d4b62951916959ac03..401dac3eb94bed3157e267f25fbb69952572dbf9 100644 (file)
@@ -5,16 +5,78 @@ on:
     branches: [main]
   pull_request:
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 jobs:
-  ci:
+  test:
+    name: Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - run: rustup component add clippy rustfmt llvm-tools
       - run: cargo install grcov cargo-mutants just
-      - uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
+      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       - run: cargo fmt --check
       - run: just clippy coverage
       - run: just mutants
+
+  zizmor:
+    name: Audit workflows
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+
+  build:
+    name: Build
+    needs: test
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    outputs:
+      version: ${{ steps.meta.outputs.version }}
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7398ccc52663121 # v4.1.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - id: short-sha
+        run: echo "sha=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+      - uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        id: meta
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=raw,value={{date 'YYYYMMDD'}}-${{ steps.short-sha.outputs.sha }}
+      - uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      - env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          STEPS_META_OUTPUTS_VERSION: ${{ steps.meta.outputs.version }}
+        run: gh release create "${STEPS_META_OUTPUTS_VERSION}" --generate-notes
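Review bot: The `gh release create` call on the last line of the build job creates its tag at the default branch head rather than at the commit the image was built from, because the `--target "${GITHUB_SHA}"` that the deleted release.yml passed is gone; if main receives another push while this job runs, the release tag and the `YYYYMMDD-<short-sha>` image tag can name different commits. Passing the SHA explicitly keeps them aligned: `run: gh release create "${STEPS_META_OUTPUTS_VERSION}" --generate-notes --target "${GITHUB_SHA}"`. The build job also gates only on `needs: test`, so a failing zizmor audit does not block the push to GHCR; `needs: [test, zizmor]` would make the audit a real gate, assuming the zizmor action fails the job on findings rather than only uploading SARIF, which is worth confirming. The `on:` block this hunk opens in begins outside the hunk.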
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644 (file)
index 696ea43..0000000
+++ /dev/null
@@ -1,69 +0,0 @@
-name: Release
-
-on:
-  workflow_dispatch:
-  workflow_run:
-    workflows: [CI]
-    types: [completed]
-    branches: [main]
-
-permissions: {}
-
-jobs:
-  build:
-    if: >-
-      github.event_name == 'workflow_dispatch'
-      || github.event.workflow_run.conclusion == 'success'
-    runs-on: macos-latest
-    permissions:
-      contents: write
-    outputs:
-      version: ${{ steps.version.outputs.version }}
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          persist-credentials: false
-
-      - name: Calculate version
-        id: version
-        run: |
-          CALVER=$(date -u +"%Y-%m-%d")
-          SHORT_SHA="${GITHUB_SHA::7}"
-          echo "version=${CALVER}+${SHORT_SHA}" >> $GITHUB_OUTPUT
-
-      - name: Build
-        run: |
-          QUIRE_VERSION="${STEPS_VERSION_OUTPUTS_VERSION}" cargo build --release
-          tar -czf quire-aarch64-apple-darwin.tar.gz -C target/release quire
-        env:
-          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
-
-      - name: Publish
-        run: |
-          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
-          gh release create "v${VERSION}" \
-            --title "v${VERSION}" \
-            --generate-notes \
-            --target "${GITHUB_SHA}" \
-            quire-aarch64-apple-darwin.tar.gz
-        env:
-          GH_TOKEN: ${{ github.token }}
-          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
-
-  dotslash:
-    needs: build
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-        with:
-          persist-credentials: false
-
-      - name: Generate DotSlash file
-        uses: facebook/dotslash-publish-release@2539c4d8ae00a42773306c8731d2dd3724d979d2 # v1
-        with:
-          config: .github/dotslash-config.json
-          tag: v${{ needs.build.outputs.version }}
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
index 18c6bbe586b70616e3ef8e0b9397eba85ae1b5ca..cd2a3935f97323c42391a056196bcc21d2078b0f 100644 (file)
@@ -1,3 +1,13 @@
+# Build stage.
+FROM rust:1.88-bookworm AS builder
+
+WORKDIR /usr/src/quire
+COPY . .
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/usr/src/quire/target \
+    cargo install --path .
+
+# Runtime stage.
 FROM debian:bookworm-slim
 
 RUN apt-get update \
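Review bot: `cargo install --path .` at the end of the builder stage does not honor Cargo.lock unless `--locked` is given, so the published image can be built against newer dependency versions than the ones the `test` job exercised; `cargo install --locked --path .` pins the build to the lockfile (assuming a Cargo.lock is committed, which is not visible here). The builder base `FROM rust:1.88-bookworm AS builder`, and the runtime `FROM debian:bookworm-slim` below it, are pinned by mutable tag while every action in ci.yml is pinned to a commit SHA; a digest pin such as `FROM rust:1.88-bookworm@sha256:<digest-placeholder> AS builder` gives the image the same reproducibility property. `COPY . .` also sends the entire checkout into the build context; whether a .dockerignore excludes `.git` and a local `target/` cannot be determined from this diff.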
@@ -6,6 +16,8 @@ RUN apt-get update \
         ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
+COPY --from=builder /usr/local/cargo/bin/quire /usr/local/bin/quire
+
 RUN groupadd --system quire \
     && useradd --system --gid quire --create-home quire
 
@@ -13,20 +25,8 @@ RUN groupadd --system quire \
 RUN mkdir -p /var/quire/repos /var/quire/runs \
     && chown -R quire:quire /var/quire
 
-# Pre-create a test repo for step 1 verification.
-RUN git init --bare /var/quire/repos/foo.git \
-    && chown -R quire:quire /var/quire/repos/foo.git
-
-COPY <<'EOF' /usr/local/bin/entrypoint
-#!/usr/bin/env bash
-set -euo pipefail
-
-exec "$@"
-EOF
-RUN chmod +x /usr/local/bin/entrypoint
-
 USER quire
 WORKDIR /var/quire
 
-ENTRYPOINT ["/usr/local/bin/entrypoint"]
-CMD ["sleep", "infinity"]
+ENTRYPOINT ["quire"]
+CMD ["serve"]