From 5a4072c9647419655a780bcb8c3e36e10af3b55f Mon Sep 17 00:00:00 2001 From: Alexey <247128645+axkurcom@users.noreply.github.com> Date: Sun, 22 Mar 2026 00:08:16 +0300 Subject: [PATCH 1/2] Update release.yml --- .github/workflows/release.yml | 226 +++++++++++++--------------------- 1 file changed, 88 insertions(+), 138 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5cf034a..b870054 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,7 +4,6 @@ on: push: tags: - '[0-9]+.[0-9]+.[0-9]+' - - '[0-9]+.[0-9]+.[0-9]+-*' workflow_dispatch: concurrency: 
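Review bot: Dropping the `'[0-9]+.[0-9]+.[0-9]+-*'` pattern means `-rc`, `-beta` and `-alpha` tags no longer trigger this workflow, yet the `release` job in the next hunk still derives `prerelease` from `contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha')`, which can now only be satisfied by a `workflow_dispatch` run on a matching ref. If pre-release tags are meant to be excluded from CI releases, record that above `tags:` with a comment such as `# pre-release tags (x.y.z-*) are deliberately not released from CI` and drop the now-dead `prerelease` expression; otherwise restore the second pattern. The `on:` block this hunk sits in starts outside it.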
@@ -13,204 +12,155 @@ concurrency: permissions: contents: read + packages: write env: CARGO_TERM_COLOR: always - RUST_BACKTRACE: "1" BINARY_NAME: telemt jobs: - prepare: + build: + name: Build ${{ matrix.target }} runs-on: ubuntu-latest - outputs: - version: ${{ steps.meta.outputs.version }} - prerelease: ${{ steps.meta.outputs.prerelease }} - release_enabled: ${{ steps.meta.outputs.release_enabled }} - steps: - - id: meta - run: | - set -euo pipefail - - if [[ "${GITHUB_REF}" == refs/tags/* ]]; then - VERSION="${GITHUB_REF#refs/tags/}" - RELEASE_ENABLED=true - else - VERSION="manual-${GITHUB_SHA::7}" - RELEASE_ENABLED=false - fi - - if [[ "$VERSION" == *"-alpha"* || "$VERSION" == *"-beta"* || "$VERSION" == *"-rc"* ]]; then - PRERELEASE=true - else - PRERELEASE=false - fi - - echo "version=$VERSION" >> "$GITHUB_OUTPUT" - echo "prerelease=$PRERELEASE" >> "$GITHUB_OUTPUT" - echo "release_enabled=$RELEASE_ENABLED" >> "$GITHUB_OUTPUT" - - checks: - runs-on: ubuntu-latest - container: - image: debian:trixie - steps: - - run: | - apt-get update - apt-get install -y build-essential clang llvm pkg-config curl git - - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable - with: - components: rustfmt, clippy - - - uses: actions/cache@v4 - with: - path: | - /github/home/.cargo/registry - /github/home/.cargo/git - target - key: checks-${{ hashFiles('**/Cargo.lock') }} - - - run: cargo fetch --locked - - run: cargo fmt --all -- --check - - run: cargo clippy - - run: cargo test - - build-binaries: - needs: [prepare, checks] - runs-on: ubuntu-latest - container: - image: debian:trixie strategy: fail-fast: false matrix: include: - - rust_target: x86_64-unknown-linux-gnu - zig_target: x86_64-unknown-linux-gnu.2.28 - asset_name: telemt-x86_64-linux-gnu - - rust_target: aarch64-unknown-linux-gnu - zig_target: aarch64-unknown-linux-gnu.2.28 - asset_name: telemt-aarch64-linux-gnu - - rust_target: x86_64-unknown-linux-musl - zig_target: x86_64-unknown-linux-musl + - 
target: x86_64-unknown-linux-musl asset_name: telemt-x86_64-linux-musl - - rust_target: aarch64-unknown-linux-musl - zig_target: aarch64-unknown-linux-musl + - target: aarch64-unknown-linux-musl asset_name: telemt-aarch64-linux-musl steps: - - run: | - apt-get update - apt-get install -y clang llvm pkg-config curl git python3 python3-pip file tar xz-utils - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable + + - uses: dtolnay/rust-toolchain@v1 with: - targets: ${{ matrix.rust_target }} + toolchain: stable + targets: ${{ matrix.target }} + + - name: Pull cross images + run: | + docker pull ghcr.io/cross-rs/${{ matrix.target }}:latest || true + + - name: Install cross + run: cargo install cross --git https://github.com/cross-rs/cross - uses: actions/cache@v4 with: path: | - /github/home/.cargo/registry - /github/home/.cargo/git + ~/.cargo/registry + ~/.cargo/git target - key: build-${{ matrix.zig_target }}-${{ hashFiles('**/Cargo.lock') }} + key: ${{ runner.os }}-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }} - - run: | - python3 -m pip install --user --break-system-packages cargo-zigbuild - echo "/github/home/.local/bin" >> "$GITHUB_PATH" + - name: Build + run: cross build --release --target ${{ matrix.target }} - - run: cargo fetch --locked + - name: Package + run: | + mkdir -p dist + BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }} - - run: | - cargo zigbuild --release --locked --target "${{ matrix.zig_target }}" + cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }} - - run: | - BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}" - llvm-strip "$BIN" || true - - - run: | - BIN="target/${{ matrix.rust_target }}/release/${BINARY_NAME}" - OUT="$RUNNER_TEMP/${{ matrix.asset_name }}" - mkdir -p "$OUT" - install -m755 "$BIN" "$OUT/${BINARY_NAME}" - - tar -C "$RUNNER_TEMP" -czf "${{ matrix.asset_name }}.tar.gz" "${{ matrix.asset_name }}" - sha256sum "${{ matrix.asset_name }}.tar.gz" > "${{ matrix.asset_name 
}}.sha256" + cd dist + tar -czf ${{ matrix.asset_name }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }} + sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.sha256 - uses: actions/upload-artifact@v4 with: name: ${{ matrix.asset_name }} path: | - ${{ matrix.asset_name }}.tar.gz - ${{ matrix.asset_name }}.sha256 + dist/${{ matrix.asset_name }}.tar.gz + dist/${{ matrix.asset_name }}.sha256 - docker-image: - name: Docker ${{ matrix.platform }} - needs: [prepare, build-binaries] + docker: + name: Docker runs-on: ubuntu-latest - - strategy: - matrix: - include: - - platform: linux/amd64 - artifact: telemt-x86_64-linux-gnu - - platform: linux/arm64 - artifact: telemt-aarch64-linux-gnu + needs: build + continue-on-error: true steps: - uses: actions/checkout@v4 - uses: actions/download-artifact@v4 with: - name: ${{ matrix.artifact }} - path: dist + path: artifacts - - run: | - mkdir docker-build - tar -xzf dist/*.tar.gz -C docker-build --strip-components=1 + - name: Extract binaries + run: | + mkdir dist + find artifacts -name "*.tar.gz" -exec tar -xzf {} -C dist \; + # нормализуем имя + cp dist/telemt-x86_64-unknown-linux-musl dist/telemt || true + + - uses: docker/setup-qemu-action@v3 - uses: docker/setup-buildx-action@v3 - - name: Login - if: ${{ needs.prepare.outputs.release_enabled == 'true' }} + - name: Login to GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: docker/build-push-action@v6 + - name: Extract version + id: vars + run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + + # 🟢 prod (distroless) + - name: Build & Push prod + uses: docker/build-push-action@v6 with: - context: ./docker-build - platforms: ${{ matrix.platform }} - push: ${{ needs.prepare.outputs.release_enabled == 'true' }} - tags: ghcr.io/${{ github.repository }}:${{ needs.prepare.outputs.version }} - cache-from: type=gha,scope=telemt-${{ matrix.platform }} - cache-to: 
type=gha,mode=max,scope=telemt-${{ matrix.platform }} - provenance: false - sbom: false + context: . + target: prod + push: true + platforms: linux/amd64,linux/arm64 + tags: | + ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }} + ghcr.io/${{ github.repository }}:latest + build-args: | + BINARY=dist/telemt + + # 🟡 debug + - name: Build & Push debug + uses: docker/build-push-action@v6 + with: + context: . + target: debug + push: true + platforms: linux/amd64,linux/arm64 + tags: | + ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}-debug + ghcr.io/${{ github.repository }}:debug + build-args: | + BINARY=dist/telemt release: - if: ${{ needs.prepare.outputs.release_enabled == 'true' }} - needs: [prepare, build-binaries] + name: Release runs-on: ubuntu-latest + needs: build + permissions: contents: write steps: - uses: actions/download-artifact@v4 with: - path: release-artifacts - pattern: telemt-* + path: artifacts - - run: | - mkdir upload - find release-artifacts -type f \( -name '*.tar.gz' -o -name '*.sha256' \) -exec cp {} upload/ \; + - name: Flatten artifacts + run: | + mkdir dist + find artifacts -type f -exec cp {} dist/ \; - - uses: softprops/action-gh-release@v2 + - name: Create Release + uses: softprops/action-gh-release@v2 with: - files: upload/* + files: dist/* generate_release_notes: true - prerelease: ${{ needs.prepare.outputs.prerelease == 'true' }} + draft: false + prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }} From 269fce839f8f2c20b1fa2fc0e75ddc19dbc992d7 Mon Sep 17 00:00:00 2001 From: Alexey <247128645+axkurcom@users.noreply.github.com> Date: Sun, 22 Mar 2026 00:10:19 +0300 Subject: [PATCH 2/2] Update Dockerfile --- Dockerfile | 65 +++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 59 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 15a4900..e5c802b 100644 --- a/Dockerfile +++ b/Dockerfile 
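Review bot: The `release_enabled` gate is gone while `workflow_dispatch` is still a trigger, so a manual run on a branch now reaches `docker` (which logs in to GHCR with `push: true`, with `continue-on-error: true` hiding any failure) and `release` (which calls `softprops/action-gh-release@v2` unconditionally); add `if: startsWith(github.ref, 'refs/tags/')` to both jobs, since `VERSION=${GITHUB_REF#refs/tags/}` only yields a usable tag for tag refs. `packages: write` is now granted at workflow level, so the `build` job — which runs `cargo install cross --git https://github.com/cross-rs/cross` from an unpinned default branch and pulls `ghcr.io/cross-rs/${{ matrix.target }}:latest` — also holds a token that can push to GHCR; scope it as a job-level `permissions:` block under `docker:`, as `release` already does for `contents: write`, and pin `cross` with `--locked --rev <commit-sha>`. `cross build --release --target ${{ matrix.target }}` also dropped the `--locked` the old `cargo zigbuild` call had, so a stale `Cargo.lock` would be silently rewritten rather than failing the release build. `build-args: BINARY=dist/telemt` looks unused: the Dockerfile in patch 2 shows no `ARG BINARY` and compiles from source in its builder stage, so the downloaded artifacts and the `# нормализуем имя` step (which should read in English, e.g. `# normalise the binary name`) appear to serve no purpose in this job — hedged, since the last lines of that Dockerfile are not visible. The `concurrency:` block this hunk begins in starts outside it.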
@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # ==========================
 # Stage 1: Build
 # ==========================
@@ -5,36 +7,87 @@ FROM rust:1.88-slim-bookworm AS builder RUN apt-get update && apt-get install -y --no-install-recommends \ pkg-config \ + ca-certificates \ && rm -rf /var/lib/apt/lists/* WORKDIR /build +# Depcache COPY Cargo.toml Cargo.lock* ./ RUN mkdir src && echo 'fn main() {}' > src/main.rs && \ cargo build --release 2>/dev/null || true && \ rm -rf src +# Build COPY . . RUN cargo build --release && strip target/release/telemt # ========================== -# Stage 2: Runtime +# Stage 2: Compress (strip + UPX) # ========================== -FROM debian:bookworm-slim +FROM debian:12-slim AS minimal + +RUN apt-get update && apt-get install -y --no-install-recommends \ + upx \ + binutils \ + && rm -rf /var/lib/apt/lists/* + +COPY --from=builder /build/target/release/telemt /telemt + +RUN strip /telemt || true +RUN upx --best --lzma /telemt || true + +# ========================== +# Stage 3: Debug base +# ========================== +FROM debian:12-slim AS debug-base RUN apt-get update && apt-get install -y --no-install-recommends \ ca-certificates \ + tzdata \ + curl \ + iproute2 \ + busybox \ && rm -rf /var/lib/apt/lists/* -RUN useradd -r -s /usr/sbin/nologin telemt +# ========================== +# Stage 4: Debug image +# ========================== +FROM debug-base AS debug WORKDIR /app -COPY --from=builder /build/target/release/telemt /app/telemt +COPY --from=minimal /telemt /app/telemt COPY config.toml /app/config.toml -RUN chown -R telemt:telemt /app -USER telemt +USER root + +EXPOSE 443 +EXPOSE 9090 +EXPOSE 9091 + +ENTRYPOINT ["/app/telemt"] +CMD ["config.toml"] + +# ========================== +# Stage 5: Production (distroless) +# ========================== +FROM gcr.io/distroless/base-debian12 AS prod + +WORKDIR /app + +COPY --from=minimal /telemt /app/telemt +COPY config.toml /app/config.toml + +# TLS + timezone + shell +COPY --from=debug-base /etc/ssl/certs /etc/ssl/certs +COPY --from=debug-base /usr/share/zoneinfo /usr/share/zoneinfo +COPY 
--from=debug-base /bin/busybox /bin/busybox + +RUN ["/bin/busybox", "--install", "-s", "/bin"] + +# distroless user +USER nonroot:nonroot EXPOSE 443 EXPOSE 9090