refactor: refactor docker

Signed-off-by: 陳鈞 <[email protected]>

.dockerignore

@@ -21,5 +21,3 @@
 **/obj
 **/secrets.dev.yaml
 **/values.dev.yaml
-LICENSE
-README.md

.github/workflows/docker_publish.yml

@@ -12,6 +12,11 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
+permissions:
+  contents: read
+  packages: write
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
@@ -22,13 +27,13 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: true
 
       - name: Docker meta
         id: meta_ApacheCouchDB
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ github.event.repository.name }},ghcr.io/${{ github.repository }}
           flavor: |
@@ -38,47 +43,72 @@ jobs:
 
       - name: Docker meta
         id: meta_AzureCosmosDB
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ github.event.repository.name }},ghcr.io/${{ github.repository }}
           tags: |
             type=raw,value=AzureCosmosDB
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       # Create a Access Token and save it as as Actions secret
       # https://hub.docker.com/settings/security
       # DOCKERHUB_USERNAME
       # DOCKERHUB_TOKEN
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      # Create a Access Token with `read:packages` and `write:packages` scopes
-      # CR_PAT
+      # You may need to manage write and read access of GitHub Actions for repositories in the container settings.
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.CR_PAT }}
+          password: ${{ github.token }}
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
+          file: ./Dockerfile
           push: true
+          target: final
           tags: ${{ steps.meta_ApacheCouchDB.outputs.tags }}
           labels: ${{ steps.meta_ApacheCouchDB.outputs.labels }}
           build-args: |
             BUILD_CONFIGURATION=ApacheCouchDB_Release
+            VERSION=${{ github.ref_name }}
+            RELEASE=${{ github.run_number }}
+          platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:cache,mode=max
+          sbom: true
+          provenance: true
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
+          file: ./Dockerfile
           push: true
+          target: final
           tags: ${{ steps.meta_AzureCosmosDB.outputs.tags }}
           labels: ${{ steps.meta_AzureCosmosDB.outputs.labels }}
           build-args: |
             BUILD_CONFIGURATION=AzureCosmosDB_Release
+            VERSION=${{ github.ref_name }}
+            RELEASE=${{ github.run_number }}
+          platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:cache,mode=max
+          sbom: true
+          provenance: true

.github/workflows/docker_publish_dev.yml

@@ -10,6 +10,11 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+# Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
+permissions:
+  contents: read
+  packages: write
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   # This workflow contains a single job called "build"
@@ -20,13 +25,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           submodules: true
-
       - name: Docker meta
         id: meta_ApacheCouchDB
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ github.event.repository.name }},ghcr.io/${{ github.repository }}
           flavor: |
@@ -36,47 +40,73 @@ jobs:
 
       - name: Docker meta
         id: meta_AzureCosmosDB
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ secrets.DOCKERHUB_ORGANIZATION_NAME }}/${{ github.event.repository.name }},ghcr.io/${{ github.repository }}
           tags: |
             type=raw,value=AzureCosmosDB_dev
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       # Create a Access Token and save it as as Actions secret
       # https://hub.docker.com/settings/security
       # DOCKERHUB_USERNAME
       # DOCKERHUB_TOKEN
       - name: Login to DockerHub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       # Create a Access Token with `read:packages` and `write:packages` scopes
       # CR_PAT
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.CR_PAT }}
+          password: ${{ github.token }}
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
+          file: ./Dockerfile
           push: true
+          target: final
           tags: ${{ steps.meta_ApacheCouchDB.outputs.tags }}
           labels: ${{ steps.meta_ApacheCouchDB.outputs.labels }}
           build-args: |
             BUILD_CONFIGURATION=ApacheCouchDB_Release
+            VERSION=${{ github.ref_name }}
+            RELEASE=${{ github.run_number }}
+          platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:cache,mode=max
+          sbom: true
+          provenance: true
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
+          file: ./Dockerfile
           push: true
+          target: final
           tags: ${{ steps.meta_AzureCosmosDB.outputs.tags }}
           labels: ${{ steps.meta_AzureCosmosDB.outputs.labels }}
           build-args: |
             BUILD_CONFIGURATION=AzureCosmosDB_Release
+            VERSION=${{ github.ref_name }}
+            RELEASE=${{ github.run_number }}
+          platforms: linux/amd64,linux/arm64
+          # Cache to regietry instead of gha to avoid the capacity limit.
+          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:cache
+          cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:cache,mode=max
+          sbom: true
+          provenance: true

.hadolint.yml

@@ -0,0 +1,9 @@
+ignored:
+  - DL3041 # Specify version with `dnf install -y <package>-<version>`.
+  - DL3042 # Avoid use of cache directory with pip. Use `pip install --no-cache-dir <package>`
+  - DL4006 # Set the SHELL option -o pipefail before RUN with a pipe in it
+  - DL3013 # Pin versions in pip. Instead of `pip install <package>` use `pip install <package>==<version>`
+  - SC2015 # Note that A && B || C is not if-then-else. C may run when A is true.
+  - DL3006 # Always tag the version of an image explicitly
+  - DL3018 # Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
+  - DL3008 # Pin versions in apt. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`

Dockerfile

@@ -1,59 +1,121 @@
-### Debug image
-### Setup the same as base image but used dotnet/runtime
+# syntax=docker/dockerfile:1
+ARG UID=1654
+ARG VERSION=EDGE
+ARG RELEASE=0
+ARG BUILD_CONFIGURATION=ApacheCouchDB_Release
+
+########################################
+# Debug stage
+########################################
 FROM mcr.microsoft.com/dotnet/runtime:8.0-alpine AS debug
 
 WORKDIR /app
-RUN apk add --no-cache python3 && \
-    apk add --no-cache --virtual build-deps musl-dev gcc g++ python3-dev py3-pip && \
-    python3 -m venv /venv && \
-    source /venv/bin/activate && \
-    pip install --no-cache-dir yt-dlp && \
-    pip uninstall -y setuptools pip && \
-    apk del build-deps
 
-ENV PATH="/venv/bin:$PATH"
+# RUN mount cache for multi-arch: https://github.com/docker/buildx/issues/549#issuecomment-1788297892
+ARG TARGETARCH
+ARG TARGETVARIANT
+
+RUN --mount=type=cache,id=apk-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apk \
+    --mount=from=ghcr.io/jim60105/static-ffmpeg-upx:7.0-1,source=/ffmpeg,target=/ffmpeg,rw \
+    --mount=from=ghcr.io/jim60105/static-ffmpeg-upx:7.0-1,source=/ffprobe,target=/ffprobe,rw \
+    apk update && apk add -u \
+    # These branches follows the yt-dlp release
+    -X "https://dl-cdn.alpinelinux.org/alpine/edge/main" \
+    -X "https://dl-cdn.alpinelinux.org/alpine/edge/community" \
+    yt-dlp && \
+    # Copy the compressed ffmpeg and ffprobe and overwrite the apk installed ones
+    cp /ffmpeg /usr/bin/ && \
+    cp /ffprobe /usr/bin/
 
-COPY --link --from=mwader/static-ffmpeg:6.0 /ffmpeg /usr/local/bin/ffmpeg
-COPY --link --from=mwader/static-ffmpeg:6.0 /ffprobe /usr/local/bin/ffprobe
+########################################
+# Build stage
+########################################
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
 
-### Base image for yt-dlp
-FROM mcr.microsoft.com/dotnet/runtime-deps:8.0-alpine AS base
-WORKDIR /app
-RUN apk add --no-cache python3 && \
-    apk add --no-cache --virtual build-deps musl-dev gcc g++ python3-dev py3-pip && \
-    python3 -m venv /venv && \
-    source /venv/bin/activate && \
-    pip install --no-cache-dir yt-dlp && \
-    pip uninstall -y setuptools pip && \
-    apk del build-deps
+WORKDIR /source
 
-ENV PATH="/venv/bin:$PATH"
+ARG TARGETARCH
+RUN --mount=source=LivestreamRecorderService.csproj,target=LivestreamRecorderService.csproj \
+    --mount=source=LivestreamRecorder.DB/LivestreamRecorder.DB.csproj,target=LivestreamRecorder.DB/LivestreamRecorder.DB.csproj \
+    dotnet restore -a $TARGETARCH "LivestreamRecorderService.csproj"
 
-COPY --link --from=mwader/static-ffmpeg:6.0 /ffmpeg /usr/local/bin/ffmpeg
-COPY --link --from=mwader/static-ffmpeg:6.0 /ffprobe /usr/local/bin/ffprobe
+########################################
+# Publish stage
+########################################
+FROM build AS publish
+
+ARG BUILD_CONFIGURATION
 
-### Build .NET
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:8.0-alpine AS build
-ARG BUILD_CONFIGURATION=ApacheCouchDB_Release
 ARG TARGETARCH
-WORKDIR /src
+RUN --mount=source=.,target=.,rw \
+    dotnet publish "LivestreamRecorderService.csproj" -a $TARGETARCH -c $BUILD_CONFIGURATION -o /app --self-contained true
 
-COPY ["LivestreamRecorderService.csproj", "."]
-COPY ["LivestreamRecorder.DB/LivestreamRecorder.DB.csproj", "LivestreamRecorder.DB/"]
-RUN dotnet restore -a $TARGETARCH "LivestreamRecorderService.csproj"
+########################################
+# Final stage
+########################################
+FROM alpine:3 as final
 
-FROM build AS publish
-COPY . .
-ARG BUILD_CONFIGURATION=ApacheCouchDB_Release
+# RUN mount cache for multi-arch: https://github.com/docker/buildx/issues/549#issuecomment-1788297892
 ARG TARGETARCH
-RUN dotnet publish "LivestreamRecorderService.csproj" -a $TARGETARCH -c $BUILD_CONFIGURATION -o /app/publish --self-contained true
+ARG TARGETVARIANT
+
+ARG UID
+ENV APP_UID=$UID
+
+ENV DOTNET_RUNNING_IN_CONTAINER=true 
+ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true
+
+RUN --mount=type=cache,id=apk-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apk \
+    apk update && apk add -u \
+    ca-certificates-bundle libgcc libssl3 libstdc++ zlib 
+
+# Create directories with correct permissions
+RUN install -d -m 775 -o $UID -g 0 /app && \
+    install -d -m 775 -o $UID -g 0 /licenses
+
+# Copy licenses (OpenShift Policy)
+COPY --link --chown=$UID:0 --chmod=775 LICENSE /licenses/LICENSE
+ADD --link --chown=$UID:0 --chmod=775 https://raw.githubusercontent.com/yt-dlp/yt-dlp/master/LICENSE /licenses/yt-dlp.LICENSE
 
-### Final image
-FROM base AS final
+RUN --mount=type=cache,id=apk-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/var/cache/apk \
+    --mount=from=ghcr.io/jim60105/static-ffmpeg-upx:7.0-1,source=/ffmpeg,target=/ffmpeg,rw \
+    --mount=from=ghcr.io/jim60105/static-ffmpeg-upx:7.0-1,source=/ffprobe,target=/ffprobe,rw \
+    --mount=from=ghcr.io/jim60105/static-ffmpeg-upx:7.0-1,source=/dumb-init,target=/dumb-init,rw \
+    apk update && apk add -u \
+    # These branches follows the yt-dlp release
+    -X "https://dl-cdn.alpinelinux.org/alpine/edge/main" \
+    -X "https://dl-cdn.alpinelinux.org/alpine/edge/community" \
+    yt-dlp && \
+    # Copy the compressed ffmpeg and ffprobe and overwrite the apk installed ones
+    cp /ffmpeg /usr/bin/ && \
+    cp /ffprobe /usr/bin/ && \
+    cp /dumb-init /usr/bin/
+
+COPY --link --chown=$UID:0 --chmod=775 --from=publish /app /app
 
 ENV PATH="/app:$PATH"
 
-COPY --link --from=publish --chown=$APP_UID:$APP_UID /app/publish /app
+WORKDIR /app
+
+USER $UID
+
+STOPSIGNAL SIGINT
+
+# Use dumb-init as PID 1 to handle signals properly
+ENTRYPOINT [ "dumb-init", "--", "/app/LivestreamRecorderService" ]
 
-USER $APP_UID
-ENTRYPOINT ["/app/LivestreamRecorderService"]
+ARG VERSION
+ARG RELEASE
+LABEL name="Recorder-moe/LivestreamRecorderService" \
+    # Authors for LivestreamRecorderService
+    vendor="Recorder-moe" \
+    # Maintainer for this docker image
+    maintainer="jim60105" \
+    # Dockerfile source repository
+    url="https://github.com/Recorder-moe/LivestreamRecorderService" \
+    version=${VERSION} \
+    # This should be a number, incremented with each change
+    release=${RELEASE} \
+    io.k8s.display-name="LivestreamRecorderService" \
+    summary="LivestreamRecorderService: The monitoring worker service for the Recorder.moe project." \
+    description="Recorder.moe is an advanced live stream recording system. We utilize containerization technology to achieve horizontal scalability, enabling us to monitor and record an unlimited number of channels simultaneously. For more information about this tool, please visit the following website: https://github.com/Recorder-moe"