From 277749a70e98f668a177593a860545c606b17301 Mon Sep 17 00:00:00 2001 From: Nando Vieira Date: Wed, 11 Mar 2026 10:21:36 -0700 Subject: [PATCH 1/6] Publish docker image. --- .github/workflows/docker.yml | 63 +++++++++++++++++++++++++++++++++++- Dockerfile | 2 +- 2 files changed, 63 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 50071ee46..c7185481f 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -3,6 +3,14 @@ name: Docker on: workflow_dispatch: + inputs: + ref: + description: "The git ref to build from (branch, tag, or commit SHA)." + type: string + required: true + default: main + release: + types: [published] defaults: run: 
@@ -13,4 +21,57 @@ jobs: runs-on: ubuntu-latest permissions: {} steps: - - run: echo "Building and pushing Docker image..." + # Check out the repository at the specified ref so that git ls-remote can + # resolve branch names and git refs correctly. For workflow_dispatch, this + # uses the user-provided ref; for release events, this uses the published + # tag. + - uses: actions/checkout@v6 + with: + ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@v4 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + # Use the published tag as the ref; set both the versioned and `latest` tags. + - name: Setup vars (release) + if: github.event_name == 'release' + run: | + ref="${{ github.ref_name }}" + version="${ref#v}" + echo "STELLAR_CLI_REF=${ref}" >> $GITHUB_ENV + echo "DOCKER_TAGS=stellar/cli:${version},stellar/cli:latest" >> $GITHUB_ENV + + # If the ref looks like a version tag (e.g. v1.2.3), treat it like a + # release and include the `latest` tag. Otherwise, resolve the ref to a + # commit SHA via git rev-parse, which handles branch names, tags, full + # SHAs, and partial SHAs. + - name: Setup vars (workflow_dispatch) + if: github.event_name == 'workflow_dispatch' + run: | + ref="${{ inputs.ref }}" + + if [[ "$ref" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "STELLAR_CLI_REF=${ref}" >> $GITHUB_ENV + echo "DOCKER_TAGS=stellar/cli:${ref#v},stellar/cli:latest" >> $GITHUB_ENV + elif commit="$(git rev-parse --verify "$ref^{commit}" 2>/dev/null)"; then + echo "STELLAR_CLI_REF=${commit}" >> $GITHUB_ENV + echo "DOCKER_TAGS=stellar/cli:${commit}" >> $GITHUB_ENV + else + echo "::error::Could not resolve ref '${ref}' to a commit." + exit 1 + fi + + - name: Build and push + uses: docker/build-push-action@v7 + with: + context: . 
+ platforms: linux/amd64,linux/arm64 + push: true + build-args: STELLAR_CLI_REF=${{ env.STELLAR_CLI_REF }} + tags: ${{ env.DOCKER_TAGS }} diff --git a/Dockerfile b/Dockerfile index 83552048e..017a29bec 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ RUN apt-get update && \ RUN git clone https://github.com/stellar/stellar-cli.git /tmp/stellar-cli && \ cd /tmp/stellar-cli && \ - git fetch origin "${STELLAR_CLI_REF}" && \ + git fetch origin && \ git checkout "${STELLAR_CLI_REF}" && \ cargo install --locked --path cmd/stellar-cli && \ rm -rf /tmp/stellar-cli From 0d3a782c5d7575eccfea231df688eab359a7ee2f Mon Sep 17 00:00:00 2001 From: Nando Vieira Date: Wed, 11 Mar 2026 11:16:42 -0700 Subject: [PATCH 2/6] Address pr feedback. --- .github/workflows/docker.yml | 22 ++++++++++++++-------- Dockerfile | 1 - 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index c7185481f..350e859ff 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -21,13 +21,14 @@ jobs: runs-on: ubuntu-latest permissions: {} steps: - # Check out the repository at the specified ref so that git ls-remote can - # resolve branch names and git refs correctly. For workflow_dispatch, this - # uses the user-provided ref; for release events, this uses the published - # tag. + # Check out the repository at a known ref with full history so that git + # can resolve branch names, tags, full SHAs, and partial SHAs correctly. + # For workflow_dispatch, this uses the default branch; for release events, + # this uses the published tag. - uses: actions/checkout@v6 with: - ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }} + ref: ${{ github.event_name == 'workflow_dispatch' && 'main' || github.ref_name }} + fetch-depth: 0 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 
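Review bot: Both `Setup vars` steps paste an expression straight into the shell script (`ref="${{ github.ref_name }}"` and `ref="${{ inputs.ref }}"`), so the ref text becomes part of the script source before bash parses it, and both steps run after the Docker Hub login in the same job. Pass the value through the step environment instead: add `env:` with `REF: ${{ inputs.ref }}` (or `github.ref_name` for the release step), read it as `ref="$REF"`, and quote the redirect target as `>> "$GITHUB_ENV"`. The release step in patch 2/6 and `Compute tags` in patch 4/6 keep the same pattern, and the version regex added there runs only after the interpolation, so it does not cover this.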
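Review bot: The rewritten comment above `actions/checkout` says git can resolve branch names, but with `main` checked out the other branches exist only as `origin/<name>` remote-tracking refs. The dispatch step's `git rev-parse --verify "$ref^{commit}"` (outside this hunk) will therefore most likely reject a bare branch name, although the `ref` input description offers branches. Either fall back to resolving `"origin/${ref}^{commit}"` or narrow the comment and the input description to `main`, tags and SHAs. Hard-coding `'main'` also duplicates the default branch name; `github.event.repository.default_branch` would avoid that.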
@@ -43,9 +44,14 @@ jobs: if: github.event_name == 'release' run: | ref="${{ github.ref_name }}" - version="${ref#v}" - echo "STELLAR_CLI_REF=${ref}" >> $GITHUB_ENV - echo "DOCKER_TAGS=stellar/cli:${version},stellar/cli:latest" >> $GITHUB_ENV + if [[ "$ref" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + version="${ref#v}" + echo "STELLAR_CLI_REF=${ref}" >> $GITHUB_ENV + echo "DOCKER_TAGS=stellar/cli:${version},stellar/cli:latest" >> $GITHUB_ENV + else + echo "::error::Release tag '${ref}' is not a valid version tag (expected vX.Y.Z)." + exit 1 + fi # If the ref looks like a version tag (e.g. v1.2.3), treat it like a # release and include the `latest` tag. Otherwise, resolve the ref to a diff --git a/Dockerfile b/Dockerfile index 017a29bec..46728cdd4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,6 @@ RUN apt-get update && \ RUN git clone https://github.com/stellar/stellar-cli.git /tmp/stellar-cli && \ cd /tmp/stellar-cli && \ - git fetch origin && \ git checkout "${STELLAR_CLI_REF}" && \ cargo install --locked --path cmd/stellar-cli && \ rm -rf /tmp/stellar-cli From d010d03d24dae989682fa7cb618ae241d6c7c714 Mon Sep 17 00:00:00 2001 From: Nando Vieira Date: Wed, 11 Mar 2026 11:19:37 -0700 Subject: [PATCH 3/6] Build image when pushing to main. --- .github/workflows/docker.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 350e859ff..2cffdd44c 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -2,6 +2,9 @@ name: Docker on: + push: + branches: [main] + paths: [Dockerfile] workflow_dispatch: inputs: ref: 
@@ -34,11 +37,18 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Log in to Docker Hub + if: github.event_name != 'push' uses: docker/login-action@v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} + # Build only (no push) to validate the Dockerfile on changes to main. + - name: Setup vars (push) + if: github.event_name == 'push' + run: | + echo "STELLAR_CLI_REF=${{ github.sha }}" >> $GITHUB_ENV + # Use the published tag as the ref; set both the versioned and `latest` tags. - name: Setup vars (release) if: github.event_name == 'release' @@ -78,6 +88,6 @@ jobs: with: context: . platforms: linux/amd64,linux/arm64 - push: true + push: ${{ github.event_name != 'push' }} build-args: STELLAR_CLI_REF=${{ env.STELLAR_CLI_REF }} tags: ${{ env.DOCKER_TAGS }} From 89758f1984d88887bdf6c9b6abb3999e0abae547 Mon Sep 17 00:00:00 2001 From: Nando Vieira Date: Wed, 11 Mar 2026 12:48:55 -0700 Subject: [PATCH 4/6] Improve build so it runs faster. --- .github/workflows/docker.yml | 158 +++++++++++++++++++++++++---------- Dockerfile | 16 +--- 2 files changed, 116 insertions(+), 58 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 2cffdd44c..0c8b36fe7 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -20,18 +20,42 @@ defaults: shell: bash jobs: - docker: - runs-on: ubuntu-latest - permissions: {} + build: + strategy: + matrix: + include: + - platform: linux/amd64 + runs-on: ubuntu-latest + arch: amd64 + - platform: linux/arm64 + runs-on: ubuntu-24.04-arm + arch: arm64 + runs-on: ${{ matrix.runs-on }} + permissions: + contents: read steps: - # Check out the repository at a known ref with full history so that git - # can resolve branch names, tags, full SHAs, and partial SHAs correctly. - # For workflow_dispatch, this uses the default branch; for release events, - # this uses the published tag. - uses: actions/checkout@v6 with: - ref: ${{ github.event_name == 'workflow_dispatch' && 'main' || github.ref_name }} - fetch-depth: 0 + ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} + + - name: Install build dependencies + run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libudev-dev libdbus-1-dev + + - name: Cache Rust build + uses: actions/cache@v4 + with: + path: | + ~/.cargo/registry + ~/.cargo/git + target/ + key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} + restore-keys: ${{ runner.os }}-cargo- + + - name: Build binary + run: cargo build --package stellar-cli --release + + - name: Copy binary for Docker context + run: cp target/release/stellar stellar - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 
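Review bot: The new `Build binary` step runs `cargo build --package stellar-cli --release` without `--locked`, which the Dockerfile's previous `cargo install --locked` enforced. A `Cargo.lock` that is out of date with `Cargo.toml` is then re-resolved silently instead of failing the build, so the published binary can contain dependency versions nobody reviewed. Use `cargo build --locked --package stellar-cli --release` for anything that ends up in a pushed image. The step is still without the flag after the last commit of the series.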
@@ -43,51 +67,99 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - # Build only (no push) to validate the Dockerfile on changes to main. - - name: Setup vars (push) + # Validation only — build without pushing. + - name: Build if: github.event_name == 'push' + uses: docker/build-push-action@v7 + with: + context: . + platforms: ${{ matrix.platform }} + push: false + cache-from: type=gha,scope=${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + + # Publish — push by digest so the merge job can assemble the manifest. + - name: Build and push by digest + if: github.event_name != 'push' + id: build + uses: docker/build-push-action@v7 + with: + context: . + platforms: ${{ matrix.platform }} + outputs: type=image,name=stellar/cli,push-by-digest=true,name-canonical=true,push=true + cache-from: type=gha,scope=${{ matrix.arch }} + cache-to: type=gha,mode=max,scope=${{ matrix.arch }} + + - name: Upload digest + if: github.event_name != 'push' run: | - echo "STELLAR_CLI_REF=${{ github.sha }}" >> $GITHUB_ENV + mkdir -p /tmp/digests + digest="${{ steps.build.outputs.digest }}" + touch "/tmp/digests/${digest#sha256:}" + + - name: Upload digest artifact + if: github.event_name != 'push' + uses: actions/upload-artifact@v4 + with: + name: digest-${{ matrix.arch }} + path: /tmp/digests/* + if-no-files-found: error + retention-days: 1 + + merge: + needs: build + if: github.event_name != 'push' + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v6 + with: + ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} + fetch-depth: 0 - # Use the published tag as the ref; set both the versioned and `latest` tags. - - name: Setup vars (release) - if: github.event_name == 'release' + # Compute Docker tags from the ref. + # - Version tag (e.g. v1.2.3): push versioned + latest tags. + # - Any other ref: push a tag for the resolved commit SHA. 
+ - name: Compute tags run: | - ref="${{ github.ref_name }}" + ref="${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }}" + if [[ "$ref" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then version="${ref#v}" - echo "STELLAR_CLI_REF=${ref}" >> $GITHUB_ENV echo "DOCKER_TAGS=stellar/cli:${version},stellar/cli:latest" >> $GITHUB_ENV - else + elif [[ "${{ github.event_name }}" == "release" ]]; then echo "::error::Release tag '${ref}' is not a valid version tag (expected vX.Y.Z)." exit 1 + else + commit="$(git rev-parse HEAD)" + echo "DOCKER_TAGS=stellar/cli:${commit}" >> $GITHUB_ENV fi - # If the ref looks like a version tag (e.g. v1.2.3), treat it like a - # release and include the `latest` tag. Otherwise, resolve the ref to a - # commit SHA via git rev-parse, which handles branch names, tags, full - # SHAs, and partial SHAs. - - name: Setup vars (workflow_dispatch) - if: github.event_name == 'workflow_dispatch' - run: | - ref="${{ inputs.ref }}" + - name: Download digests + uses: actions/download-artifact@v4 + with: + path: /tmp/digests + pattern: digest-* + merge-multiple: true - if [[ "$ref" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "STELLAR_CLI_REF=${ref}" >> $GITHUB_ENV - echo "DOCKER_TAGS=stellar/cli:${ref#v},stellar/cli:latest" >> $GITHUB_ENV - elif commit="$(git rev-parse --verify "$ref^{commit}" 2>/dev/null)"; then - echo "STELLAR_CLI_REF=${commit}" >> $GITHUB_ENV - echo "DOCKER_TAGS=stellar/cli:${commit}" >> $GITHUB_ENV - else - echo "::error::Could not resolve ref '${ref}' to a commit." - exit 1 - fi + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v4 - - name: Build and push - uses: docker/build-push-action@v7 + - name: Log in to Docker Hub + uses: docker/login-action@v4 with: - context: . 
- platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name != 'push' }} - build-args: STELLAR_CLI_REF=${{ env.STELLAR_CLI_REF }} - tags: ${{ env.DOCKER_TAGS }} + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Create and push manifest + working-directory: /tmp/digests + run: | + tag_args="" + IFS=',' read -ra tag_list <<< "$DOCKER_TAGS" + for tag in "${tag_list[@]}"; do + tag_args+=" --tag ${tag}" + done + + docker buildx imagetools create $tag_args \ + $(printf 'stellar/cli@sha256:%s ' *) diff --git a/Dockerfile b/Dockerfile index 46728cdd4..2dac5aab9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,3 @@ -FROM rust:latest AS builder - -ARG STELLAR_CLI_REF=main - -RUN apt-get update && \ - apt-get install -y --no-install-recommends libdbus-1-dev libudev-dev pkg-config git && \ - rm -rf /var/lib/apt/lists/* - -RUN git clone https://github.com/stellar/stellar-cli.git /tmp/stellar-cli && \ - cd /tmp/stellar-cli && \ - git checkout "${STELLAR_CLI_REF}" && \ - cargo install --locked --path cmd/stellar-cli && \ - rm -rf /tmp/stellar-cli - FROM rust:latest RUN rustup target add wasm32v1-none @@ -20,7 +6,7 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends dbus gnome-keyring libdbus-1-3 libudev1 libssl3 && \ rm -rf /var/lib/apt/lists/* -COPY --from=builder /usr/local/cargo/bin/stellar /usr/local/bin/stellar +COPY stellar /usr/local/bin/stellar ENV STELLAR_CONFIG_HOME=/config ENV STELLAR_DATA_HOME=/data From e66cad92476001dcf9050643b1504d2d8dd3dfcc Mon Sep 17 00:00:00 2001 From: Nando Vieira Date: Wed, 11 Mar 2026 15:38:57 -0700 Subject: [PATCH 5/6] Address pr feedback. --- .github/workflows/docker.yml | 41 +++++++++++++----------------------- 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 0c8b36fe7..7ed33af45 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
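Review bot: In `Compute tags`, any dispatched `ref` whose text matches `^v[0-9]+\.[0-9]+\.[0-9]+$` receives `stellar/cli:latest`, with no check that it is a tag or that it is the newest release. Rebuilding an older version, or building a branch that happens to be named like a version, would move `latest` for every consumer of the image. Confirm the ref is a tag before treating it as a release, for example with `git rev-parse --verify --quiet "refs/tags/${ref}"`, and consider attaching `latest` only on the `release` event.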
@@ -4,7 +4,6 @@ name: Docker on: push: branches: [main] - paths: [Dockerfile] workflow_dispatch: inputs: ref: @@ -34,23 +33,13 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} - name: Install build dependencies run: sudo apt-get update && sudo apt-get install -y --no-install-recommends libudev-dev libdbus-1-dev - - name: Cache Rust build - uses: actions/cache@v4 - with: - path: | - ~/.cargo/registry - ~/.cargo/git - target/ - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - restore-keys: ${{ runner.os }}-cargo- - - name: Build binary run: cargo build --package stellar-cli --release @@ -58,11 +47,11 @@ jobs: run: cp target/release/stellar stellar - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Log in to Docker Hub - if: github.event_name != 'push' - uses: docker/login-action@v4 + if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -70,7 +59,7 @@ jobs: # Validation only — build without pushing. - name: Build if: github.event_name == 'push' - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: context: . platforms: ${{ matrix.platform }} 
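Review bot: The SHA pins added in this hunk carry version comments of different precision: checkout is annotated `# v6.0.2`, while the Docker actions say only `# v4` or `# v7`, which names a moving major tag. Annotate each SHA with the exact release it was taken from, as done for checkout, so a reviewer or an update bot can check the SHA against a fixed tag. The same applies to the `upload-artifact` and `download-artifact` pins in the later hunks of this commit.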
@@ -80,9 +69,9 @@ jobs: # Publish — push by digest so the merge job can assemble the manifest. - name: Build and push by digest - if: github.event_name != 'push' + if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' id: build - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: context: . platforms: ${{ matrix.platform }} @@ -91,15 +80,15 @@ jobs: cache-to: type=gha,mode=max,scope=${{ matrix.arch }} - name: Upload digest - if: github.event_name != 'push' + if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' run: | mkdir -p /tmp/digests digest="${{ steps.build.outputs.digest }}" touch "/tmp/digests/${digest#sha256:}" - name: Upload digest artifact - if: github.event_name != 'push' - uses: actions/upload-artifact@v4 + if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: digest-${{ matrix.arch }} path: /tmp/digests/* @@ -108,12 +97,12 @@ jobs: merge: needs: build - if: github.event_name != 'push' + if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' runs-on: ubuntu-latest permissions: contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} fetch-depth: 0 
@@ -137,17 +126,17 @@ jobs: fi - name: Download digests - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: /tmp/digests pattern: digest-* merge-multiple: true - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Log in to Docker Hub - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} From 03bfb76db62bba6846e23bb4b24bdd612fc76b03 Mon Sep 17 00:00:00 2001 From: Nando Vieira Date: Thu, 12 Mar 2026 14:49:23 -0700 Subject: [PATCH 6/6] Address pr feedback. --- .github/workflows/docker.yml | 118 +++++++++++------------------------ Dockerfile | 3 +- 2 files changed, 38 insertions(+), 83 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 7ed33af45..3d5cae7f8 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -2,8 +2,6 @@ name: Docker on: - push: - branches: [main] workflow_dispatch: inputs: ref: @@ -23,11 +21,9 @@ jobs: strategy: matrix: include: - - platform: linux/amd64 - runs-on: ubuntu-latest + - runs-on: ubuntu-latest arch: amd64 - - platform: linux/arm64 - runs-on: ubuntu-24.04-arm + - runs-on: ubuntu-24.04-arm arch: arm64 runs-on: ${{ matrix.runs-on }} permissions: 
@@ -43,61 +39,15 @@ jobs: - name: Build binary run: cargo build --package stellar-cli --release - - name: Copy binary for Docker context - run: cp target/release/stellar stellar - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - - - name: Log in to Docker Hub - if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - # Validation only — build without pushing. - - name: Build - if: github.event_name == 'push' - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 - with: - context: . - platforms: ${{ matrix.platform }} - push: false - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} - - # Publish — push by digest so the merge job can assemble the manifest. - - name: Build and push by digest - if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' - id: build - uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 - with: - context: . 
- platforms: ${{ matrix.platform }} - outputs: type=image,name=stellar/cli,push-by-digest=true,name-canonical=true,push=true - cache-from: type=gha,scope=${{ matrix.arch }} - cache-to: type=gha,mode=max,scope=${{ matrix.arch }} - - - name: Upload digest - if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' - run: | - mkdir -p /tmp/digests - digest="${{ steps.build.outputs.digest }}" - touch "/tmp/digests/${digest#sha256:}" - - - name: Upload digest artifact - if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' + - name: Upload binary uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: - name: digest-${{ matrix.arch }} - path: /tmp/digests/* - if-no-files-found: error + name: stellar-${{ matrix.arch }} + path: target/release/stellar retention-days: 1 - merge: + docker: needs: build - if: github.event_name == 'workflow_dispatch' || github.event_name == 'release' runs-on: ubuntu-latest permissions: contents: read 
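Review bot: The new `Upload binary` step omits `if-no-files-found: error`, which the digest upload it replaces had set. If `target/release/stellar` is missing, the upload only warns and the failure surfaces later in the `docker` job, away from its cause. Add `if-no-files-found: error` under `with:`.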
@@ -107,6 +57,30 @@ jobs: ref: ${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref }} fetch-depth: 0 + - name: Download binaries + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + with: + pattern: stellar-* + merge-multiple: false + + - name: Stage binaries for Docker context + run: | + mv stellar-amd64/stellar stellar-amd64 + mv stellar-arm64/stellar stellar-arm64 + chmod +x stellar-amd64 stellar-arm64 + + - name: Set up QEMU + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 + + - name: Log in to Docker Hub + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + # Compute Docker tags from the ref. # - Version tag (e.g. v1.2.3): push versioned + latest tags. # - Any other ref: push a tag for the resolved commit SHA. 
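Review bot: `Stage binaries for Docker context` looks like it cannot work as written. With `pattern:` and `merge-multiple: false`, download-artifact should unpack each artifact into a directory named after it, so `stellar-amd64` already exists as a directory and `mv stellar-amd64/stellar stellar-amd64` moves the file onto itself. Download into a separate directory with `path: artifacts` and stage with `mv artifacts/stellar-amd64/stellar stellar-amd64`, and likewise for arm64. It would also help to check each staged file's architecture (for example with `file`) before the push, since the Dockerfile selects the binary by name only.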
@@ -125,30 +99,10 @@ jobs: echo "DOCKER_TAGS=stellar/cli:${commit}" >> $GITHUB_ENV fi - - name: Download digests - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 - with: - path: /tmp/digests - pattern: digest-* - merge-multiple: true - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - - - name: Log in to Docker Hub - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 + - name: Build and push + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - name: Create and push manifest - working-directory: /tmp/digests - run: | - tag_args="" - IFS=',' read -ra tag_list <<< "$DOCKER_TAGS" - for tag in "${tag_list[@]}"; do - tag_args+=" --tag ${tag}" - done - - docker buildx imagetools create $tag_args \ - $(printf 'stellar/cli@sha256:%s ' *) + context: . + platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ env.DOCKER_TAGS }} diff --git a/Dockerfile b/Dockerfile index 2dac5aab9..24951e6ac 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,8 @@ RUN apt-get update && \ apt-get install -y --no-install-recommends dbus gnome-keyring libdbus-1-3 libudev1 libssl3 && \ rm -rf /var/lib/apt/lists/* -COPY stellar /usr/local/bin/stellar +ARG TARGETARCH +COPY stellar-${TARGETARCH} /usr/local/bin/stellar ENV STELLAR_CONFIG_HOME=/config ENV STELLAR_DATA_HOME=/data