Switch to Docker-based builds and releases

.github/workflows/build_and_release_image.yaml

@@ -1,9 +1,11 @@
 name: Release with goreleaser
 
-on:
-  push:
-    tags:
-      - v*
+# Disabled in favor of upstream-docker-release.yml
+# Kept YAML around for now in case we find an issue and need to revert quickly.
+#on:
+#  push:
+#    tags:
+#      - v*
 
 permissions: write-all # Necessary for the generate-build-provenance action with containers
 
@@ -76,4 +78,4 @@ jobs:
         with:
           subject-name: ghcr.io/openchami/pcs
           subject-digest: ${{ steps.process_goreleaser_output.outputs.digest }}
-          push-to-registry: true
+          push-to-registry: true

.github/workflows/upstream-docker-release.yml

@@ -0,0 +1,43 @@
+name: Build images and release if tagged
+run-name: Build images ${{ startsWith(github.ref, 'refs/tags/v') && 'and release' || 'and publish preview image' }}
+
+on:
+  pull_request:
+    # https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request
+    # and https://docs.github.com/en/webhooks/webhook-events-and-payloads?actionType=synchronize#pull_request
+    # can probably combine with a caller to filter on label following
+    # https://stackoverflow.com/questions/62325286/run-github-actions-when-pull-requests-have-a-specific-label
+    # This saves on Actions costs for PRs that don't really need a preview image (anything that's just CI changes, smaller code changes, etc.)
+    # However, doing that sucht that subsequent build jobs can run still for main branch and tags (which have no labels ever)
+    # is kinda annoying condition-wise. We can maybe use a prelim step that has some simple "if PR event, if label: true, else: false || if other event: true" logic,
+    # require it for the build steps, and proceed only if it's successful?
+    types: [opened, synchronize]
+  push:
+    branches:
+      - 'main'
+    tags:
+      - 'v*'
+
+permissions: write-all # Necessary for the generate-build-provenance action with containers
+
+jobs:
+  image:
+    name: Build Image
+    uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3
+    with:
+      fetch-depth: 1
+      registry-name: ghcr.io/openchami/pcs
+      cgo-enabled: true
+      platforms: "linux/amd64"
+      docker-file: "Dockerfile.build"
+  image_arm:
+    name: Build ARM Image
+    uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v3.3
+    with:
+      fetch-depth: 1
+      registry-name: ghcr.io/openchami/pcs
+      cgo-enabled: true
+      additional-env-vars: |
+        CC=aarch64-linux-gnu-gcc
+      platforms: "linux/arm64"
+      docker-file: "Dockerfile.build"

Dockerfile.build

@@ -0,0 +1,72 @@
+### builder
+# Build the binary
+# TODO this needs to match go.mod. Unsure how they can be
+# kept in sync.
+FROM --platform=$BUILDPLATFORM golang:1.24 AS builder
+
+ARG GOPATH
+ARG GOCACHE
+
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+ARG CC
+
+RUN printf "Building for TARGETPLATFORM=${TARGETPLATFORM}" \
+    && printf ", TARGETARCH=${TARGETARCH}" \
+    && printf ", TARGETOS=${TARGETOS}" \
+    && printf ", TARGETVARIANT=${TARGETVARIANT} \n" \
+    && printf "With 'uname -s': $(uname -s) and 'uname -m': $(uname -m)"
+
+WORKDIR /workspace
+
+# TODO
+# We currently have a lot of variance in directory structure.
+# This is annoying for Dockerfile design; we can't just consistently
+# copy the same set of files. Enforcing pkg/ and internal/ only across
+# the board would maybe help.
+# Original also had this copying to GOPATH, e.g.
+# COPY cmd $GOPATH/src/github.com/OpenCHAMI/power-control/v2/cmd
+# I've encountered enough Dockerfiles that just copy it to workdir
+COPY cmd cmd
+COPY api api
+COPY internal internal
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+# TODO
+# These are more for the final image. Unsure if we need them for build.
+# At worst they're just some extra dead weight, pruning them later is easy, and it's not like we really care about the size of the build image
+COPY configs configs
+COPY scripts scripts
+COPY migrations migrations
+
+# Build
+ARG CGO_ENABLED
+
+RUN mkdir bin
+
+RUN CGO_ENABLED="${CGO_ENABLED}" GOOS=linux GOARCH="${TARGETARCH}" CC="${CC}" GO111MODULE=on go build -v -o bin/power-control ./cmd/power-control
+
+### release image
+# TODO seems kinda off that we don't pin wolfi or tini, but whatever
+FROM chainguard/wolfi-base:latest AS main
+
+RUN set -ex \
+    && apk update \
+    && apk add --no-cache tini \
+    && rm -rf /var/cache/apk/*  \
+    && rm -rf /tmp/*
+
+WORKDIR /
+COPY --from=builder /workspace/bin/power-control /usr/local/bin/
+COPY configs configs
+COPY migrations migrations
+
+#nobody 65534:65534
+USER 65534:65534
+
+CMD /usr/local/bin/power-control
+
+ENTRYPOINT ["/sbin/tini", "--"]