redux of GH actions and Docker image building

.github/workflows/on-push-pr.yml

@@ -0,0 +1,81 @@
+on:
+  push:
+    branches: [main]
+    tags: ["v*.*.*"]
+  pull_request:
+    types: [opened, reopened, synchronize]
+jobs:
+  format-build-test:
+    strategy:
+      matrix:
+        go-version: ['1.19.x', '1.21.x']
+        platform: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.platform }}
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3.6.0
+
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - if: matrix.platform == 'ubuntu-latest'
+        run: if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then exit 1; fi
+
+      - run: go build -v ./...
+
+      - run: make test
+  docker-build-push:
+    if: github.event_name != 'pull_request'
+    needs: format-build-test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3.6.0
+
+      - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc  # v2.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55  # v2.10.0
+
+      - uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175  # v4.6.0
+        id: meta
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825  # v4.1.1
+        with:
+          context: .
+          push: true
+          file: Dockerfile.buildx
+          platforms: linux/amd64,linux/arm64,linux/arm
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+  release-zips:
+    if: github.event_name != 'pull_request'
+    needs: format-build-test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3.6.0
+
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
+        with:
+          go-version: '1.19.x'
+
+      - run: CGO_ENABLED=0 make release
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: release-zips
+          path: "*.zip"

.github/workflows/on-release.yml

@@ -0,0 +1,20 @@
+on:
+  release:
+    types: [published]
+jobs:
+  release-zips:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744  # v3.6.0
+
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe  # v4.1.0
+        with:
+          go-version: '1.19.x'
+
+      - run: CGO_ENABLED=0 make release
+
+      - run: gh release upload ${{ github.event.release.tag_name }} *.zip
+        env:
+            GH_TOKEN: ${{ github.token }}

Dockerfile

@@ -1,7 +1,13 @@
 FROM gcr.io/distroless/static
 
-COPY nanocmd-linux-amd64 /nanocmd
+ARG TARGETOS TARGETARCH
+
+COPY nanocmd-$TARGETOS-$TARGETARCH /app/nanocmd
 
 EXPOSE 9003
 
-ENTRYPOINT ["/nanocmd"]
+VOLUME ["/app/db"]
+
+WORKDIR /app
+
+ENTRYPOINT ["/app/nanocmd"]

Dockerfile.buildx

@@ -0,0 +1,25 @@
+FROM --platform=$BUILDPLATFORM golang:1.19 AS builder
+
+WORKDIR /go/app
+
+COPY . .
+
+ARG TARGETOS TARGETARCH
+
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    CGO_ENABLED=0 make nanocmd-$TARGETOS-$TARGETARCH
+
+FROM gcr.io/distroless/static
+
+ARG TARGETOS TARGETARCH
+
+COPY --from=builder /go/app/nanocmd-$TARGETOS-$TARGETARCH /app/nanocmd
+
+EXPOSE 9003
+
+VOLUME ["/app/db"]
+
+WORKDIR /app
+
+ENTRYPOINT ["/app/nanocmd"]

Makefile

@@ -5,12 +5,13 @@ OSARCH=$(shell go env GOHOSTOS)-$(shell go env GOHOSTARCH)
 NANOCMD=\
 	nanocmd-darwin-amd64 \
 	nanocmd-darwin-arm64 \
-	nanocmd-linux-amd64
+	nanocmd-linux-amd64 \
+	nanocmd-linux-arm64 \
+	nanocmd-linux-arm \
+	nanocmd-windows-amd64.exe
 
 my: nanocmd-$(OSARCH)
 
-docker: nanocmd-linux-amd64
-
 $(NANOCMD): cmd/nanocmd
 	GOOS=$(word 2,$(subst -, ,$@)) GOARCH=$(word 3,$(subst -, ,$(subst .exe,,$@))) go build $(LDFLAGS) -o $@ ./$<
 
@@ -31,12 +32,9 @@ nanocmd-%-$(VERSION).zip: nanocmd-%
 clean:
 	rm -rf nanocmd-*
 
-release: \
-	nanocmd-darwin-amd64-$(VERSION).zip \
-	nanocmd-darwin-arm64-$(VERSION).zip \
-	nanocmd-linux-amd64-$(VERSION).zip
+release: $(foreach bin,$(NANOCMD),$(subst .exe,,$(bin))-$(VERSION).zip)
 
 test:
 	go test -v -cover -race ./...
 
-.PHONY: my docker $(NANOCMD) clean release test
+.PHONY: my $(NANOCMD) clean release test

README.md

@@ -22,6 +22,15 @@ A guide to getting NanoCMD up and running quickly.
 - [Operations Guide](docs/operations-guide.md)  
 A brief overview of operating the NanoCMD server including command line and API interfaces.
 
+## Getting the latest version
+
+* Release `.zip` files containing the servershould be attached to every [GitHub release](https://github.com/micromdm/nanocmd/releases).
+  * Release zips are also [published](https://github.com/micromdm/nanocmd/actions) for every `main` branch commit.
+* A Docker container is built and [published to the GHCR.io](http://ghcr.io/micromdm/nanocmd) registry for every release.
+  * `docker pull ghcr.io/micromdm/nanocmd:latest` — `docker run ghcr.io/jessepeterson/kmfddm:latest`
+  * A Docker container is also published for every `main` branch commit (and tagged with `:main`)
+* If you have a [Go toolchain installed](https://go.dev/doc/install) you can checkout the source and simply run `make`.
+
 ## What NanoCMD is not
 
 NanoCMD is neat. But there are some things it does not do. There are also some things that are out of scope that it may never do. Here's some of the things NanoCMD is not: