From 42e4d3a5fcea3a7d5072e9b354265e2ced18367b Mon Sep 17 00:00:00 2001 From: Marni Date: Sun, 6 Aug 2023 20:22:54 +0200 Subject: [PATCH] Docker support (#99) * add Dockerfile * add basic documentation for docker image * change cmd to entrypoint in Dockerfile This is so that you can add args without docker assuming you're trying to override the command * Create docker-publish.yml github CI action This is taken from the marketplace, I didn't write this * correct docker image tag * fix checkpoint loading (use carry for add) * Fix digit typos in README * revamp docker support don't use volume, use latest alpine so i won't need to bump it use multistage static build for minimal size with stripping correctly save git version details * tweak workflows * try making cosign work * Revert "try making cosign work" This reverts commit a70723db665821147b7b2996c510679f3f5dddc1. * fix * remove root dockerfile --------- Co-authored-by: cathugger Co-authored-by: dunsany <118174187+dunsany@users.noreply.github.com> --- .github/workflows/docker-publish.yml | 85 ++++++++++++++++++++++++++++ README.md | 9 +++ 2 files changed, 94 insertions(+) create mode 100644 .github/workflows/docker-publish.yml diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml new file mode 100644 index 0000000..6193e82 --- /dev/null +++ b/.github/workflows/docker-publish.yml 
@@ -0,0 +1,85 @@ +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + push: + branches: [ "master" ] + pull_request: + branches: [ "master" ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. + id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@v3 + + - name: Setup Docker buildx + uses: docker/setup-buildx-action@v2 + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@v2 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@v4 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v4 + with: + file: ./contrib/docker/Dockerfile + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: 
type=gha,mode=max + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. + # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign --yes {}@${{ steps.build-and-push.outputs.digest }} diff --git a/README.md b/README.md index 9dc4d5f..8185082 100644 --- a/README.md +++ b/README.md @@ -103,6 +103,15 @@ performance-related tips. It appears that onionbalance supports loading usual `hs_ed25519_secret_key` key so it should work. +* Is there a docker image? + + Yes, if you do not wish to compile mkp224o yourself, you can use + the `ghcr.io/cathugger/mkp224o` image like so: + + ```bash + docker run --rm -it -v $PWD:/keys ghcr.io/cathugger/mkp224o:master -d /keys neko + ``` + ### Acknowledgements & Legal To the extent possible under law, the author(s) have dedicated all
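Review bot: Every `uses:` line in the new `.github/workflows/docker-publish.yml` references its action by a mutable tag (`actions/checkout@v3`, `sigstore/cosign-installer@v3`, `docker/login-action@v2`, `docker/build-push-action@v4` and the others), while the `build` job grants `packages: write` and `id-token: write`. A retagged release of any of them would run with the ability to push to the registry and to request a signing certificate under this repository's identity. Pinning each action to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, removes that dependency on tag integrity. Separately, the final signing step expands `${{ steps.meta.outputs.tags }}` and the build digest directly into the `run:` script text; passing both through `env:` and referencing them as shell variables keeps their values out of the script source, as sketched below.

```yaml
      - name: Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }}
        # … unchanged: comment about the ephemeral Fulcio certificate …
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
```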