Docker: Image optimization (#111)

.github/workflows/build-docker-images.yaml

@@ -1,59 +0,0 @@
-name: Build Docker images and push
-
-on:
-  workflow_run:
-    workflows: ["Build"]
-    types:
-      - completed
-  workflow_dispatch:
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    if: >
-      (github.event_name == 'workflow_run' &&
-      github.event.workflow_run.conclusion == 'success' &&
-      github.event.workflow_run.event == 'release') ||
-      github.event_name == 'workflow_dispatch'
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            docker_arch: x86_64
-          - arch: arm64
-            docker_arch: arm64
-    steps:
-    - uses: actions/checkout@v4
-    - uses: docker/setup-buildx-action@v3
-    - name: Get release version
-      id: vars
-      run: |
-        LATEST_TAG=$(curl -s https://api.github.com/repos/heiher/natmap/releases/latest | jq -r .tag_name)
-        if [ -z "$LATEST_TAG" ]; then
-          LATEST_TAG="master"
-        fi
-        echo "version=$LATEST_TAG" >> $GITHUB_OUTPUT
-        echo "Using version: $LATEST_TAG"
-
-    - name: Login GitHub Packages Docker Image Repository
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Set lowercase owner name
-      run: echo "REPO_OWNER_LC=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
-
-    - uses: docker/build-push-action@v5
-      with:
-        context: .
-        file: ./docker/Dockerfile
-        push: true
-        platforms: linux/${{ matrix.arch }}
-        build-args: |
-          VERSION=${{ steps.vars.outputs.version }}
-          ARCH=${{ matrix.docker_arch }}
-        tags: |
-          ghcr.io/${{ env.REPO_OWNER_LC }}/natmap:${{ steps.vars.outputs.version }}-${{ matrix.arch }}
-          ghcr.io/${{ env.REPO_OWNER_LC }}/natmap:latest-${{ matrix.arch }}

.github/workflows/build.yaml

@@ -275,3 +275,141 @@ jobs:
       - name: Build
         run: |
           make CC=clang ENABLE_STATIC=1 -j`nproc`
+
+  docker-prepare:
+    needs: linux
+    runs-on: ubuntu-latest
+    outputs:
+      repo_name_lc: ${{ steps.set-repo.outputs.repo_name_lc }}
+    steps:
+      - name: Set lowercase repo name
+        id: set-repo
+        run: |
+          REPO_NAME_LC=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          echo "repo_name_lc=$REPO_NAME_LC" >> $GITHUB_OUTPUT
+
+  docker-build-and-push:
+    needs: docker-prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            natmap_arch: x86_64
+          - arch: arm64
+            natmap_arch: arm64
+          - arch: arm
+            natmap_arch: arm32v7
+          - arch: riscv64
+            natmap_arch: riscv64
+          - arch: s390x
+            natmap_arch: s390x
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+          platforms: linux/${{ matrix.arch }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Download built arch artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: natmap-linux-${{matrix.natmap_arch}}
+          path: ./tmp/artifact
+
+      - name: Build and push platform-specific image
+        id: build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./docker/Dockerfile
+          platforms: linux/${{ matrix.arch }}
+          outputs: type=image,name=ghcr.io/${{ needs.docker-prepare.outputs.repo_name_lc }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+          build-args: |
+            NATMAP_ARCH=${{ matrix.natmap_arch }}
+          provenance: false
+          sbom: false
+
+      - name: Export Digest
+        if: github.event_name != 'pull_request'
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+          ls -l /tmp/digests/
+
+      - name: Upload Digest
+        uses: actions/upload-artifact@v4
+        if: github.event_name != 'pull_request'
+        with:
+          name: docker-digest-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  docker-merge:
+    needs: [docker-prepare, docker-build-and-push]
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    steps:
+      - name: Download Digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: docker-digest-*
+          merge-multiple: true
+
+      - name: Prepare Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Format Docker Image Meta
+        uses: docker/metadata-action@v5
+        id: docker_meta
+        with:
+          images: ghcr.io/${{ needs.docker-prepare.outputs.repo_name_lc }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=nightly,enable={{is_default_branch}}
+            type=ref,event=tag
+      - name: Create Manifest List and Push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ needs.docker-prepare.outputs.repo_name_lc }}@sha256:%s ' *)
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ghcr.io/${{ needs.docker-prepare.outputs.repo_name_lc }}:${{ steps.docker_meta.outputs.version }}
+
+      - name: Delete current run's built artifacts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RUN_ID: ${{ github.run_id }}
+        run: |
+          sudo apt-get update && sudo apt-get install -y gh
+          echo "Deleting docker-digests artifacts for run ID: $RUN_ID"
+
+          gh api \
+            "repos/${{ github.repository }}/actions/runs/$RUN_ID/artifacts" \
+            -q '.artifacts[] | select(.name | startswith("docker-digest")) | .id' |
+          while read ARTIFACT_ID; do
+            echo "Deleting artifact ID: $ARTIFACT_ID"
+            gh api --method DELETE "repos/${{ github.repository }}/actions/artifacts/$ARTIFACT_ID"
+          done

README.md

@@ -171,8 +171,8 @@ ports for easy distribution through DNS AAAA records.
 
 ### Docker
 
-* Support **amd64** and **arm64**.
-* image tags: latest-amd64, latest-arm64 or [release tags]-amd64 like 20250512-amd64
+* Support **amd64**, **arm64**, **arm**, **riscv64**, **s390x**.
+* image tags: latest, [release tags] like 20250512
 * Change command to what you want.
 * volumes script path, and make sure have permission to run.
 
@@ -181,7 +181,7 @@ docker-compose.yml
 services:
   natmap:
     container_name: natmap
-    image: heiher/natmap:latest-amd64
+    image: ghcr.io/heiher/natmap:latest
     command: -u -s stun.qq.com -b 30101 -t 127.0.0.1 -p 51820 -e /opt/cf_ip4p.sh -k 60
     volumes:
       - ./natmap/cf_ip4p.sh:/opt/cf_ip4p.sh

docker/Dockerfile

@@ -1,14 +1,14 @@
 FROM ubuntu:latest
-ARG VERSION
-ARG ARCH
+ARG NATMAP_ARCH
+
+LABEL org.opencontainers.image.source="https://github.com/heiher/natmap"
 
 RUN apt update \
     && apt upgrade -y \
     && apt install -y curl
 
 WORKDIR /opt
-
-ADD https://github.com/heiher/natmap/releases/download/${VERSION}/natmap-linux-${ARCH} /opt/natmap
+COPY ./tmp/artifact/natmap-linux-${NATMAP_ARCH}/natmap-linux-${NATMAP_ARCH} /opt/natmap
 RUN chmod +x /opt/natmap
 
 ENTRYPOINT ["/opt/natmap"]