Update release.yml

Update release.yml

.github/workflows/release.yml

@@ -6,36 +6,34 @@ on:
       - '[0-9]+.[0-9]+.[0-9]+'
   workflow_dispatch:
 
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
   packages: write
 
 env:
   CARGO_TERM_COLOR: always
+  BINARY_NAME: telemt
 
 jobs:
-  build:
+# ==========================
-    name: Build ${{ matrix.target }}
+# GNU / glibc
+# ==========================
+  build-gnu:
+    name: GNU ${{ matrix.target }}
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
 
     strategy:
       fail-fast: false
       matrix:
         include:
           - target: x86_64-unknown-linux-gnu
-            artifact_name: telemt
+            asset: telemt-x86_64-linux-gnu
-            asset_name: telemt-x86_64-linux-gnu
           - target: aarch64-unknown-linux-gnu
-            artifact_name: telemt
+            asset: telemt-aarch64-linux-gnu
-            asset_name: telemt-aarch64-linux-gnu
-          - target: x86_64-unknown-linux-musl
-            artifact_name: telemt
-            asset_name: telemt-x86_64-linux-musl
-          - target: aarch64-unknown-linux-musl
-            artifact_name: telemt
-            asset_name: telemt-aarch64-linux-musl
 
     steps:
       - uses: actions/checkout@v4
@@ -43,12 +41,20 @@ jobs:
       - uses: dtolnay/rust-toolchain@v1
         with:
           toolchain: stable
-          targets: ${{ matrix.target }}
+          targets: |
+            x86_64-unknown-linux-gnu
+            aarch64-unknown-linux-gnu
 
-      - name: Install cross-compilation tools
+      - name: Install deps
         run: |
           sudo apt-get update
-          sudo apt-get install -y gcc-aarch64-linux-gnu
+          sudo apt-get install -y \
+            build-essential \
+            clang \
+            lld \
+            pkg-config \
+            gcc-aarch64-linux-gnu \
+            g++-aarch64-linux-gnu
 
       - uses: actions/cache@v4
         with:
@@ -56,41 +62,183 @@ jobs:
             ~/.cargo/registry
             ~/.cargo/git
             target
-          key: ${{ runner.os }}-${{ matrix.target }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: gnu-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: |
-            ${{ runner.os }}-${{ matrix.target }}-cargo-
 
-      - name: Install cross
+      - name: Build
-        run: cargo install cross --git https://github.com/cross-rs/cross
-
-      - name: Build Release
-        env:
-          RUSTFLAGS: ${{ contains(matrix.target, 'musl') && '-C target-feature=+crt-static' || '' }}
-        run: cross build --release --target ${{ matrix.target }}
-
-      - name: Package binary
         run: |
-          cd target/${{ matrix.target }}/release
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-gnu" ]; then
-          tar -czvf ${{ matrix.asset_name }}.tar.gz ${{ matrix.artifact_name }}
+            export CC=aarch64-linux-gnu-gcc
-          sha256sum ${{ matrix.asset_name }}.tar.gz > ${{ matrix.asset_name }}.sha256
+            export CXX=aarch64-linux-gnu-g++
+            export CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc
+            export CXX_aarch64_unknown_linux_gnu=aarch64-linux-gnu-g++
+            export RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc"
+          else
+            export CC=clang
+            export CXX=clang++
+            export CC_x86_64_unknown_linux_gnu=clang
+            export CXX_x86_64_unknown_linux_gnu=clang++
+            export RUSTFLAGS="-C linker=clang -C link-arg=-fuse-ld=lld"
+          fi
+
+          cargo build --release --target ${{ matrix.target }}
+
+      - name: Package
+        run: |
+          mkdir -p dist
+          BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
+
+          cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
+
+          cd dist
+          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
+          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
 
       - uses: actions/upload-artifact@v4
         with:
-          name: ${{ matrix.asset_name }}
+          name: ${{ matrix.asset }}
           path: |
-            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.tar.gz
+            dist/${{ matrix.asset }}.tar.gz
-            target/${{ matrix.target }}/release/${{ matrix.asset_name }}.sha256
+            dist/${{ matrix.asset }}.sha256
 
-  build-docker-image:
+# ==========================
-    needs: build
+# MUSL
+# ==========================
+  build-musl:
+    name: MUSL ${{ matrix.target }}
     runs-on: ubuntu-latest
-    permissions:
+
-      contents: read
+    container:
-      packages: write
+      image: rust:slim-bookworm
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - target: x86_64-unknown-linux-musl
+            asset: telemt-x86_64-linux-musl
+          - target: aarch64-unknown-linux-musl
+            asset: telemt-aarch64-linux-musl
 
     steps:
       - uses: actions/checkout@v4
 
+      - name: Install deps
+        run: |
+          apt-get update
+          apt-get install -y \
+            musl-tools \
+            pkg-config \
+            curl
+
+      # 💾 cache toolchain
+      - uses: actions/cache@v4
+        if: matrix.target == 'aarch64-unknown-linux-musl'
+        with:
+          path: ~/.musl-aarch64
+          key: musl-toolchain-aarch64-v1
+
+      # 🔥 надёжная установка
+      - name: Install aarch64 musl toolchain
+        if: matrix.target == 'aarch64-unknown-linux-musl'
+        run: |
+          set -e
+
+          TOOLCHAIN_DIR="$HOME/.musl-aarch64"
+          ARCHIVE="aarch64-linux-musl-cross.tgz"
+
+          if [ -x "$TOOLCHAIN_DIR/bin/aarch64-linux-musl-gcc" ]; then
+            echo "✅ musl toolchain already installed"
+          else
+            echo "⬇️ downloading musl toolchain..."
+
+            download() {
+              url="$1"
+              echo "→ trying $url"
+              curl -fL \
+                --retry 5 \
+                --retry-delay 3 \
+                --connect-timeout 10 \
+                --max-time 120 \
+                -o "$ARCHIVE" "$url" && return 0
+              return 1
+            }
+
+            download "https://musl.cc/$ARCHIVE" || \
+            download "https://more.musl.cc/$ARCHIVE" || \
+            { echo "❌ failed to download musl toolchain"; exit 1; }
+
+            mkdir -p "$TOOLCHAIN_DIR"
+            tar -xzf "$ARCHIVE" --strip-components=1 -C "$TOOLCHAIN_DIR"
+          fi
+
+          echo "$TOOLCHAIN_DIR/bin" >> $GITHUB_PATH
+
+      - name: Add rust target
+        run: rustup target add ${{ matrix.target }}
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            /usr/local/cargo/registry
+            /usr/local/cargo/git
+            target
+          key: musl-${{ matrix.target }}-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Build
+        run: |
+          if [ "${{ matrix.target }}" = "aarch64-unknown-linux-musl" ]; then
+            export CC=aarch64-linux-musl-gcc
+            export CC_aarch64_unknown_linux_musl=aarch64-linux-musl-gcc
+            export RUSTFLAGS="-C target-feature=+crt-static -C linker=aarch64-linux-musl-gcc"
+          else
+            export CC=musl-gcc
+            export CC_x86_64_unknown_linux_musl=musl-gcc
+            export RUSTFLAGS="-C target-feature=+crt-static"
+          fi
+
+          cargo build --release --target ${{ matrix.target }}
+
+      - name: Package
+        run: |
+          mkdir -p dist
+          BIN=target/${{ matrix.target }}/release/${{ env.BINARY_NAME }}
+
+          cp "$BIN" dist/${{ env.BINARY_NAME }}-${{ matrix.target }}
+
+          cd dist
+          tar -czf ${{ matrix.asset }}.tar.gz ${{ env.BINARY_NAME }}-${{ matrix.target }}
+          sha256sum ${{ matrix.asset }}.tar.gz > ${{ matrix.asset }}.sha256
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.asset }}
+          path: |
+            dist/${{ matrix.asset }}.tar.gz
+            dist/${{ matrix.asset }}.sha256
+
+# ==========================
+# Docker
+# ==========================
+  docker:
+    name: Docker
+    runs-on: ubuntu-latest
+    needs: [build-gnu, build-musl]
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Extract binaries
+        run: |
+          mkdir dist
+          find artifacts -name "*.tar.gz" -exec tar -xzf {} -C dist \;
+
+          cp dist/telemt-x86_64-unknown-linux-musl dist/telemt || true
+
       - uses: docker/setup-qemu-action@v3
       - uses: docker/setup-buildx-action@v3
 
@@ -105,35 +253,43 @@ jobs:
         id: vars
         run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
 
-      - name: Build and push
+      - name: Build & Push
         uses: docker/build-push-action@v6
         with:
           context: .
           push: true
+          platforms: linux/amd64,linux/arm64
           tags: |
             ghcr.io/${{ github.repository }}:${{ steps.vars.outputs.VERSION }}
             ghcr.io/${{ github.repository }}:latest
+          build-args: |
+            BINARY=dist/telemt
 
+# ==========================
+# Release
+# ==========================
   release:
-    name: Create Release
+    name: Release
-    needs: build
     runs-on: ubuntu-latest
+    needs: [build-gnu, build-musl]
+
     permissions:
       contents: write
 
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
       - uses: actions/download-artifact@v4
         with:
           path: artifacts
 
+      - name: Flatten artifacts
+        run: |
+          mkdir dist
+          find artifacts -type f -exec cp {} dist/ \;
+
       - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
-          files: artifacts/**/*
+          files: dist/*
           generate_release_notes: true
           draft: false
           prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}

Dockerfile

@@ -1,3 +1,5 @@
+# syntax=docker/dockerfile:1
+
 # ==========================
 # Stage 1: Build
 # ==========================
@@ -5,36 +7,87 @@ FROM rust:1.88-slim-bookworm AS builder
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     pkg-config \
+    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /build
 
+# Depcache
 COPY Cargo.toml Cargo.lock* ./
 RUN mkdir src && echo 'fn main() {}' > src/main.rs && \
     cargo build --release 2>/dev/null || true && \
     rm -rf src
 
+# Build
 COPY . .
 RUN cargo build --release && strip target/release/telemt
 
 # ==========================
-# Stage 2: Runtime
+# Stage 2: Compress (strip + UPX)
 # ==========================
-FROM debian:bookworm-slim
+FROM debian:12-slim AS minimal
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    upx \
+    binutils \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /build/target/release/telemt /telemt
+
+RUN strip /telemt || true
+RUN upx --best --lzma /telemt || true
+
+# ==========================
+# Stage 3: Debug base
+# ==========================
+FROM debian:12-slim AS debug-base
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
+    tzdata \
+    curl \
+    iproute2 \
+    busybox \
     && rm -rf /var/lib/apt/lists/*
 
-RUN useradd -r -s /usr/sbin/nologin telemt
+# ==========================
+# Stage 4: Debug image
+# ==========================
+FROM debug-base AS debug
 
 WORKDIR /app
 
-COPY --from=builder /build/target/release/telemt /app/telemt
+COPY --from=minimal /telemt /app/telemt
 COPY config.toml /app/config.toml
 
-RUN chown -R telemt:telemt /app
+USER root
-USER telemt
+
+EXPOSE 443
+EXPOSE 9090
+EXPOSE 9091
+
+ENTRYPOINT ["/app/telemt"]
+CMD ["config.toml"]
+
+# ==========================
+# Stage 5: Production (distroless)
+# ==========================
+FROM gcr.io/distroless/base-debian12 AS prod
+
+WORKDIR /app
+
+COPY --from=minimal /telemt /app/telemt
+COPY config.toml /app/config.toml
+
+# TLS + timezone + shell
+COPY --from=debug-base /etc/ssl/certs /etc/ssl/certs
+COPY --from=debug-base /usr/share/zoneinfo /usr/share/zoneinfo
+COPY --from=debug-base /bin/busybox /bin/busybox
+
+RUN ["/bin/busybox", "--install", "-s", "/bin"]
+
+# distroless user
+USER nonroot:nonroot
 
 EXPOSE 443
 EXPOSE 9090

docs/QUICK_START_GUIDE.ru.md

@@ -178,7 +178,7 @@ docker compose down
 > - По умолчанию публикуются порты 443:443, а контейнер запускается со сброшенными привилегиями (добавлена только `NET_BIND_SERVICE`)  
 > - Если вам действительно нужна сеть хоста (обычно это требуется только для некоторых конфигураций IPv6), раскомментируйте `network_mode: host`
 
-**Запуск в Docker Compose**
+**Запуск без Docker Compose**
 ```bash
 docker build -t telemt:local .
 docker run --name telemt --restart unless-stopped \