Simplify Dockerfile and chain docker publish after release

Author: binbashing

.github/workflows/docker-release.yml

@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: write
+  packages: write
 
 jobs:
   build:
@@ -90,3 +91,63 @@ jobs:
             dist/sops-cop_*
             dist/checksums.txt
           generate_release_notes: true
+
+  docker:
+    name: Build and push container images
+    runs-on: ubuntu-latest
+    needs: release
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: read
+      packages: write
+    env:
+      VERSION: ${{ github.ref_name }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          scope: binbashing/sops-cop@push
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/${{ github.repository }}
+            docker.io/binbashing/sops-cop
+          tags: |
+            type=raw,value=${{ env.VERSION }}
+            type=sha
+            type=raw,value=latest,enable=${{ startsWith(env.VERSION, 'v') }}
+
+      - name: Build and push image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ env.VERSION }}

.github/workflows/release.yml

@@ -1,27 +1,21 @@
-FROM --platform=$BUILDPLATFORM golang:1-alpine AS builder
-
-WORKDIR /src
-
-COPY go.mod go.sum ./
-RUN go mod download
+FROM alpine:3
 
-COPY . .
+WORKDIR /app
 
 ARG VERSION=dev
 ARG TARGETOS
 ARG TARGETARCH
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build \
-  -trimpath \
-  -ldflags="-s -w -X main.version=${VERSION}" \
-  -o /out/sops-cop .
-
-FROM alpine:3
+RUN apk add --no-cache ca-certificates curl && \
+  case "${TARGETARCH}" in amd64|arm64) ;; *) echo "unsupported arch: ${TARGETARCH}"; exit 1 ;; esac && \
+  BINARY_NAME="sops-cop_${VERSION}_${TARGETOS}_${TARGETARCH}" && \
+  URL="https://github.com/binbashing/sops-cop/releases/download/${VERSION}/${BINARY_NAME}" && \
+  curl --fail --silent --show-error --location \
+    --retry 8 --retry-delay 5 --retry-connrefused \
+    "${URL}" --output /usr/local/bin/sops-cop && \
+  chmod +x /usr/local/bin/sops-cop
 
 RUN addgroup -S app && adduser -S app -G app
 
-WORKDIR /app
-COPY --from=builder /out/sops-cop /usr/local/bin/sops-cop
-
 USER app
 ENTRYPOINT ["/usr/local/bin/sops-cop"]
 CMD ["-target", "."]