Merge pull request #133 from zcash/dockerfile

Create Dockerfile

Author: str4d

.dockerignore

@@ -0,0 +1,20 @@
+# Before the docker CLI sends the context to the docker daemon, it looks for a file
+# named .dockerignore in the root directory of the context. If this file exists, the
+# CLI modifies the context to exclude files and directories that match patterns in it.
+#
+# You may want to specify which files to include in the context, rather than which
+# to exclude. To achieve this, specify * as the first pattern, followed by one or
+# more ! exception patterns.
+#
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+# Exclude everything:
+#
+*
+
+# Now un-exclude required files and folders:
+#
+!.cargo
+!*.toml
+!*.lock
+!zallet

.github/workflows/build-and-push-docker-hub.yaml

@@ -0,0 +1,46 @@
+name: Build and Push Docker Image to Docker Hub
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  set_env:
+    name: Create version tag
+    runs-on: ubuntu-latest
+    outputs:
+      tags: ${{ steps.version_step.outputs.tags }}
+    env:
+      VERSION: ${{ github.ref_name }}
+      SHA: ${{ github.sha }}
+    steps:
+    - id: version_step
+      run: |
+        set -Eeuo pipefail
+        IFS=$'\n\t'
+
+        if [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-rc-[0-9]+)?$ ]]; then
+          echo "Valid version: $VERSION"
+          echo "tags=latest,$VERSION,$SHA" >> "$GITHUB_OUTPUT"
+        else
+          echo "Invalid ref_name format: $VERSION" >&2
+          exit 1
+        fi
+
+  build_push:
+    uses: zcash/.github/.github/workflows/build-and-push-docker-hub.yaml@main
+    needs: set_env
+    with:
+      image_name: zallet
+      image_tags: ${{ needs.set_env.outputs.tags }}
+      dockerfile: Dockerfile
+      context: .
+      build-args: ""
+    secrets:
+      dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
+      dockerhub_password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      dockerhub_registry: ${{ secrets.DOCKERHUB_REGISTRY }}

.github/workflows/test-docker-container.yml

@@ -0,0 +1,26 @@
+name: Build and Run Docker Container
+
+on:
+  pull_request:
+  push:
+    branches: main
+
+permissions: {}
+
+jobs:
+  build_and_run:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Build Docker image
+        run: |
+          docker build -t zallet .
+
+      - name: Run command inside Docker container
+        run: |
+          docker run --rm zallet -h

Dockerfile

@@ -0,0 +1,39 @@
+# syntax=docker/dockerfile:1
+# --- Stage 1: Build with Rust --- (amd64) (RUST version: 1.86.0)
+FROM rust:1.86.0-slim@sha256:57d415bbd61ce11e2d5f73de068103c7bd9f3188dc132c97cef4a8f62989e944 AS builder
+
+WORKDIR /app
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        clang \
+        libclang-dev \
+        pkg-config \
+        git && \
+    rm -rf /var/lib/apt/lists/*
+
+COPY --link . .
+
+# Build the zallet binary
+# Leverage a cache mount to ${CARGO_HOME} for downloaded dependencies,
+# and a cache mount to ${CARGO_TARGET_DIR} for compiled dependencies.
+RUN --mount=type=bind,source=zallet,target=zallet \
+    --mount=type=bind,source=Cargo.toml,target=Cargo.toml \
+    --mount=type=bind,source=Cargo.lock,target=Cargo.lock \
+    --mount=type=cache,target=/app/.cargo \
+    --mount=type=cache,target=/app/target/ \
+    cargo build --locked --release --package zallet --bin zallet && \
+    cp /app/target/release/zallet /usr/local/bin/
+
+
+# --- Stage 2: Minimal runtime with distroless ---
+FROM gcr.io/distroless/cc AS runtime
+
+COPY --link --from=builder /usr/local/bin/zallet /usr/local/bin/
+
+# USER nonroot (UID 65532) — for K8s, use runAsUser: 65532
+USER nonroot
+
+WORKDIR /var/lib/zallet
+
+ENTRYPOINT ["zallet"]