Erich Blume
b96a80e864
- Dockerfile: deterministic build from pinned CONTAINER_APP_VERSION + FEATURES - Merges named feature branches at specific SHAs for reproducibility - Switch CronJob to custom image with --clone-url-base and --all-organizations - Add kingfisher to service-versions.yaml (version tracks upstream main SHA) - Document spork container builds in new how-to card - Document spork workflow in CLAUDE.md - Update kingfisher service docs for custom image Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
67 lines
2.1 KiB
Docker
67 lines
2.1 KiB
Docker
# Kingfisher — deterministic build from sporked feature branches
|
|
#
|
|
# Builds a fully-pinned kingfisher binary by checking out a specific upstream
|
|
# SHA and merging feature branches at specific SHAs on top. Independent of
|
|
# the 'deploy' branch, which is a convenience view and may have moved.
|
|
#
|
|
# Inputs:
|
|
# CONTAINER_APP_VERSION — commit on the upstream 'main' branch to base on
|
|
# FEATURES — space-separated "branch=sha" pairs to merge on top
|
|
#
|
|
# The resulting binary includes upstream code + local patches, reproducible
|
|
# from the same inputs regardless of when the build runs.
|
|
|
|
# --- Build stage ---
|
|
FROM rust:1.92-bookworm AS build
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
cmake pkg-config libboost-dev git ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
WORKDIR /build
|
|
|
|
ARG CONTAINER_APP_VERSION=1d37d29
|
|
ARG FEATURES="feature/upstream/clone-url-base=677c7a5"
|
|
|
|
RUN git clone https://forge.ops.eblu.me/eblume/kingfisher.git . \
|
|
&& git checkout "${CONTAINER_APP_VERSION}" \
|
|
&& git config user.name "container-build" \
|
|
&& git config user.email "build@blumeops"
|
|
|
|
# Merge each pinned feature branch
|
|
RUN set -e; \
|
|
for spec in ${FEATURES}; do \
|
|
branch="${spec%%=*}"; \
|
|
sha="${spec##*=}"; \
|
|
echo "Merging ${branch} at ${sha}..."; \
|
|
git fetch origin "${branch}"; \
|
|
git merge --no-ff "${sha}" \
|
|
-m "container-build: merge ${branch} at ${sha}" \
|
|
|| { echo "ERROR: merge conflict on ${branch}"; exit 1; }; \
|
|
done; \
|
|
echo "Build tree ready at $(git rev-parse --short HEAD)"
|
|
|
|
RUN cargo build --release -j 4 \
|
|
&& install -m 0755 target/release/kingfisher /usr/local/bin/kingfisher
|
|
|
|
# Quick smoke-test
|
|
RUN kingfisher --version
|
|
|
|
# --- Runtime stage ---
|
|
FROM debian:bookworm-slim
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
git ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
COPY --from=build /usr/local/bin/kingfisher /usr/local/bin/kingfisher
|
|
|
|
RUN groupadd -r app && useradd -r -g app -d /app app \
|
|
&& mkdir -p /app && chown app:app /app
|
|
|
|
USER app
|
|
WORKDIR /app
|
|
|
|
RUN kingfisher --version
|
|
|
|
ENTRYPOINT ["kingfisher"]
|