refactor: Optimize dockerfiles for production images (#4302)

Co-authored-by: Romain Beauxis <[email protected]>

Author: vitoyucepi

.github/docker/Dockerfile.production

@@ -0,0 +1,20 @@
+FROM alpine:edge AS downloader
+
+ARG APK_FILE
+
+COPY $APK_FILE /downloads/liquidsoap.apk
+
+FROM alpine:edge
+
+RUN --mount=type=bind,from=downloader,source=/downloads,target=/downloads \
+    set -eux; \
+      echo 'https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories; \
+      apk add --allow-untrusted --no-cache \
+        /downloads/liquidsoap.apk \
+      ;
+
+USER liquidsoap
+
+RUN liquidsoap --cache-stdlib
+
+ENTRYPOINT ["/usr/bin/liquidsoap"]

.github/docker/Dockerfile.production-alpine

@@ -0,0 +1,55 @@
+FROM debian:12-slim AS downloader
+
+ARG DEB_FILE
+ARG DEB_DEBUG_FILE
+COPY $DEB_FILE /downloads/liquidsoap.deb
+COPY $DEB_DEBUG_FILE /downloads/liquidsoap-debug.deb
+
+ARG DEB_MULTIMEDIA_KEYRING="https://www.deb-multimedia.org/pool/main/d/deb-multimedia-keyring/deb-multimedia-keyring_2024.9.1_all.deb"
+ARG DEB_MULTIMEDIA_KEYRING_SHA256SUM="8dc6cbb266c701cfe58bd1d2eb9fe2245a1d6341c7110cfbfe3a5a975dcf97ca"
+
+RUN set -eux; \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        ca-certificates \
+        wget \
+      ; \
+      wget "$DEB_MULTIMEDIA_KEYRING" -O /downloads/deb-multimedia-keyring.deb; \
+      echo "$DEB_MULTIMEDIA_KEYRING_SHA256SUM  /downloads/deb-multimedia-keyring.deb" | sha256sum -c -;
+
+FROM debian:12-slim
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+# For ffmpeg with libfdk-aac
+RUN --mount=type=bind,from=downloader,source=/downloads,target=/downloads \
+    set -eux; \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        /downloads/deb-multimedia-keyring.deb \
+        ca-certificates \
+      ; \
+      echo 'deb https://www.deb-multimedia.org bookworm main non-free' > \
+        /etc/apt/sources.list.d/deb-multimedia.list; \
+      rm -rf \
+        /var/lib/apt/lists \
+        /var/lib/dpkg/status-old \
+      ;
+
+RUN --mount=type=bind,from=downloader,source=/downloads,target=/downloads \
+    set -eux; \
+      apt-get update; \
+      apt-get install -y --no-install-recommends \
+        /downloads/liquidsoap.deb \
+        /downloads/liquidsoap-debug.deb \
+      ; \
+      rm -rf \
+        /var/lib/apt/lists \
+        /var/lib/dpkg/status-old \
+      ;
+
+USER liquidsoap
+
+RUN liquidsoap --cache-stdlib
+
+ENTRYPOINT ["/usr/bin/liquidsoap"]

.github/docker/alpine.dockerfile

@@ -7,7 +7,7 @@ BASE_DIR=$(cd "${PWD}/../.." && pwd)
 
 DOCKER_IMAGE=savonet/liquidsoap-github-actions-website
 
-docker build --no-cache --tag "${DOCKER_IMAGE}" --file "${BASE_DIR}/.github/docker/Dockerfile.website" .
+docker build --no-cache --tag "${DOCKER_IMAGE}" --file "${BASE_DIR}/.github/docker/website.dockerfile" .
 
 id="$(docker create "${DOCKER_IMAGE}")"
 docker cp "$id:/tmp/liquidsoap-full/website/html" html/

.github/docker/debian.dockerfile

@@ -31,6 +31,7 @@ jobs:
       is_release: ${{ steps.build_details.outputs.is_release }}
       is_rolling_release: ${{ steps.build_details.outputs.is_rolling_release }}
       is_fork: ${{ steps.build_details.outputs.is_fork }}
+      publish_docker_image: ${{ steps.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group' }}
       build_os: ${{ steps.build_details.outputs.build_os }}
       build_platform: ${{ steps.build_details.outputs.build_platform }}
       build_include: ${{ steps.build_details.outputs.build_include }}
@@ -615,7 +616,6 @@ jobs:
   build_docker:
     runs-on: ${{ matrix.runs-on }}
     needs: [build_details, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
     strategy:
       fail-fast: false
       matrix:
@@ -638,15 +638,36 @@ jobs:
         run: |
           echo "deb-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep ${{ matrix.docker-debian-os }} | grep -v minimal | grep '${{ matrix.platform }}\.deb$' | grep dbgsym | grep deb)" >> "${GITHUB_OUTPUT}"
         id: debian_debug_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker.sh ${{ steps.debian_package.outputs.deb-file }} ${{ steps.debian_debug_package.outputs.deb-file }} ${{ needs.build_details.outputs.branch }} ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "DEB_FILE=${{ steps.debian_package.outputs.deb-file }}"
+            "DEB_DEBUG_FILE=${{ steps.debian_debug_package.outputs.deb-file }}"
+          context: .
+          file: .github/docker/debian.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_alpine:
     runs-on: ${{ matrix.runs-on }}
-    needs: [build_details, run_tests, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
+    needs: [build_details, build_posix, fetch_s3_artifacts]
+    if: needs.build_details.outputs.is_fork != 'true'
     strategy:
       fail-fast: false
       matrix:
@@ -665,15 +686,34 @@ jobs:
         run: |
           echo "apk-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep -v minimal | grep 'apk$' | grep -v dbg | grep ${{ matrix.alpine-arch }})" >> "${GITHUB_OUTPUT}"
         id: alpine_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker-alpine.sh ${{ steps.alpine_package.outputs.apk-file }} ${{ needs.build_details.outputs.branch }} ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "APK_FILE=${{ steps.alpine_package.outputs.apk-file }}"
+          context: .
+          file: .github/docker/alpine.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_alpine_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}_alpine_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_minimal:
     runs-on: ${{ matrix.runs-on }}
-    needs: [build_details, run_tests, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
+    needs: [build_details, build_posix, fetch_s3_artifacts]
     strategy:
       fail-fast: false
       matrix:
@@ -696,15 +736,36 @@ jobs:
         run: |
           echo "deb-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep ${{ matrix.docker-debian-os }} | grep minimal | grep '${{ matrix.platform }}\.deb$' | grep dbgsym | grep deb)" >> "${GITHUB_OUTPUT}"
         id: debian_debug_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker.sh ${{ steps.debian_package.outputs.deb-file }} ${{ steps.debian_debug_package.outputs.deb-file }} ${{ needs.build_details.outputs.branch }}-minimal ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "DEB_FILE=${{ steps.debian_package.outputs.deb-file }}"
+            "DEB_DEBUG_FILE=${{ steps.debian_debug_package.outputs.deb-file }}"
+          context: .
+          file: .github/docker/debian.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_alpine_minimal:
     runs-on: ${{ matrix.runs-on }}
-    needs: [build_details, run_tests, build_posix, fetch_s3_artifacts]
-    if: needs.build_details.outputs.is_fork != 'true' && github.event_name != 'merge_group'
+    needs: [build_details, build_posix, fetch_s3_artifacts]
+    if: needs.build_details.outputs.is_fork != 'true'
     strategy:
       fail-fast: false
       matrix:
@@ -723,14 +784,30 @@ jobs:
         run: |
           echo "apk-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep minimal | grep 'apk$' | grep -v dbg | grep ${{ matrix.alpine-arch }})" >> "${GITHUB_OUTPUT}"
         id: alpine_package
-      - name: Get alpine debug package
-        run: |
-          echo "apk-file=$(find artifacts/${{ needs.build_details.outputs.sha }} -type f | grep minimal | grep 'apk$' | grep dbg | grep ${{ matrix.alpine-arch }})" >> "${GITHUB_OUTPUT}"
-        id: alpine_dbg_package
-      - name: Log in to the github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Build docker image
-        run: .github/scripts/build-docker-alpine.sh ${{ steps.alpine_package.outputs.apk-file }} ${{ steps.alpine_dbg_package.outputs.apk-file }} ${{ needs.build_details.outputs.branch }}-minimal ${{ secrets.DOCKERHUB_USER }} ${{ secrets.DOCKERHUB_PASSWORD }} ${{ matrix.platform }}
+      - name: Login to Docker Hub
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Login to GitHub Container Registry
+        if: needs.build_details.outputs.publish_docker_image == 'true'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v6
+        with:
+          build-args: |
+            "APK_FILE=${{ steps.alpine_package.outputs.apk-file }}"
+          context: .
+          file: .github/docker/alpine.dockerfile
+          tags: |
+            "savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_alpine_${{ matrix.platform }}"
+            "ghcr.io/savonet/liquidsoap-ci-build:${{ needs.build_details.outputs.branch }}-minimal_alpine_${{ matrix.platform }}"
+          push: ${{ needs.build_details.outputs.publish_docker_image }}
 
   build_docker_release:
     runs-on: ubuntu-latest