.github/workflows: add containers.yaml (#46)

mostlygeek · web-flow · commit 21038be6e4b0 · 2025-09-18T10:04:12.000-07:00
Add a GH action to build and publish a docker container when a new tag is pushed.

Signed-off-by: Benson Wong &lt;benson@tailscale.com&gt;
diff --git a/.github/workflows/containers.yaml b/.github/workflows/containers.yaml
@@ -0,0 +1,72 @@
+name: Publish Containers
+
+permissions:
+  contents: read
+  packages: write
+
+on:
+  push:
+    tags:
+      - '*'
+
+  # Allows manual triggering of the workflow
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag release (e.g. v1.2.3)'
+        required: true
+
+  # allow for testing of PR updating this file
+  pull_request:
+    paths:
+      - ".github/workflows/containers.yaml"
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # 4.3.0
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.inputs.tag || github.ref }}
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Determine docker image tags
+        id: image_tags
+        run: |
+          # For PRs to this file tag the container "pull_request_test"
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            echo "tags=ghcr.io/tailscale/tsidp:pull_request_test" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # For tag push: use the tag name and also push "latest"
+          if [ "${{ github.event_name }}" = "push" ]; then
+            REF="${{ github.ref }}"
+            TAG="${REF#refs/tags/}"
+            echo "tags=ghcr.io/tailscale/tsidp:${TAG},ghcr.io/tailscale/tsidp:latest" >> $GITHUB_OUTPUT
+            exit 0
+          fi
+
+          # For workflow_dispatch: use the provided tag
+          TAG="${{ github.event.inputs.tag }}"
+          echo "tags=ghcr.io/tailscale/tsidp:${TAG}" >> $GITHUB_OUTPUT
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # 3.11.1
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.image_tags.outputs.tags }}
+          platforms: linux/amd64,linux/arm64
diff --git a/Dockerfile b/Dockerfile
@@ -1,22 +1,31 @@
-# Build stage
-FROM golang:1.24-alpine AS builder
+#
+# local testing build:
+# > docker build -t tsidp-server:local .
+#
+# To build for a container for linux/amd64:
+# docker buildx build --platform linux/amd64 -t tsidp-server:amd64 --load .
 
+# Build stage
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS builder
 WORKDIR /app
 
+# BuildKit will set these automatically when using buildx
+ARG TARGETOS
+ARG TARGETARCH
+
 # Copy go mod files from root
 COPY go.mod go.sum ./
-
 # Download dependencies
 RUN go mod download
-
 # Copy the entire project
 COPY . ./
 
-# Build the binary from the server directory
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o tsidp-server .
+# Build the binary for the target platform
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
+    go build -a -installsuffix cgo -o tsidp-server .
 
 # Final stage
-FROM alpine:latest
+FROM --platform=$TARGETPLATFORM alpine:latest
 RUN apk --no-cache add ca-certificates
 WORKDIR /app
 
