From 49df473b5b79271f556d323647d3c07488d80974 Mon Sep 17 00:00:00 2001
From: Anthony Donlon
Date: Mon, 29 Dec 2025 23:42:47 +0800
Subject: [PATCH] add github ci configuration for building docker image
---
 .dockerignore | 3 ++
 .github/workflows/docker.yml | 61 ++++++++++++++++++++++++++++++++++++
 editor/editor.dockerfile | 33 ++++++++++++-------
 3 files changed, 86 insertions(+), 11 deletions(-)
 create mode 100644 .github/workflows/docker.yml
diff --git a/.dockerignore b/.dockerignore
index 9700dbf..d748b5f 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -9,3 +9,6 @@ dist/
 __pycache__/
 .ruff_cache/
 instance/
+
+*.tgz
+*.log
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 0000000..2ffe19d
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,61 @@
+name: Build Docker image
+
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: Tag name of image
+ required: true
+ type: string
+ default: latest
+ push-attestation:
+ description: Push artifact attestation to registry
+ required: true
+ type: boolean
+ default: true
+
+env:
+ IMAGE_NAME: editor
+ REGISTRY: ghcr.io
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: write
+ attestations: write
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f #v3.12.0
+
+ - name: Build and push Docker image
+ id: push
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ file: editor/editor.dockerfile
+ context: .
+ push: true
+ tags: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ inputs.tag }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ - name: Generate artifact attestation
+ uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+ with:
+ subject-name: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: ${{ inputs.push-attestation }}
diff --git a/editor/editor.dockerfile b/editor/editor.dockerfile
index 5c53c7c..4fa90e1 100644
--- a/editor/editor.dockerfile
+++ b/editor/editor.dockerfile
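Review bot: The "Checkout repository" step keeps the default `persist-credentials`, and the build step then sends the whole workspace to BuildKit as `context: .`. Depending on how this checkout version stores it, token-bearing git configuration may sit under `.git` inside that context. No later step runs git, so the step can opt out with `with:` / `persist-credentials: false`. Separately, `inputs.tag` defaults to the mutable `latest` and the workflow can be dispatched from any ref, which leaves the attested digest as the only stable identifier. Consider adding a second, commit-bound entry to `tags`, such as `${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ github.sha }}`.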
@@ -1,6 +1,10 @@ -# To build docker image: +# =================================== +# Dockerfile for the editor server +# +# Run the following commands to build Docker image: # cd .. # docker build -t cferr-editor:latest -f editor/editor.dockerfile . +# =================================== # ========================= # Stage 1 — Build frontend @@ -16,9 +20,7 @@ RUN cd /work/javascript && npm ci && \ cd /work/editor/web && yarn install # Copy source and build -COPY ["editor/web/", "./editor/web"] -COPY ["resources/", "./resources"] -COPY ["javascript/", "./javascript"] +COPY . . RUN cd /work/javascript && npm run build && \ cd /work/editor/web && yarn add ../../javascript && yarn build @@ -29,15 +31,18 @@ FROM python:3.14-alpine AS backend-builder WORKDIR /work +# Disable bytecode to reduce image size +ENV PYTHONDONTWRITEBYTECODE=1 +# Don't save cache +ENV PIP_NO_CACHE_DIR=true +# Don't warn on root user action +ENV PIP_ROOT_USER_ACTION=ignore + # Install dependencies first (better caching) RUN pip install hatch # Copy source and build -COPY ["cloudflare_error_page/", "./cloudflare_error_page"] -COPY ["editor/server/", "./editor/server"] -COPY ["resources/", "./resources"] -COPY ["scripts/", "./scripts"] -COPY ["pyproject.toml", "README.md", "LICENSE.txt", "./"] +COPY . . COPY --from=frontend-builder /work/editor/web/dist ./web/dist RUN hatch build -t wheel && \ 
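Review bot: `COPY . .` in the frontend stage, and again in the backend-builder stage in the following hunk, makes `.dockerignore` the only filter on what enters the build, where the removed lines named each directory explicitly. Anything the ignore file does not list (`.git`, `.github`, local `.env` files, editor state) now lands in builder layers, and the workflow's `cache-to: type=gha,mode=max` exports those intermediate layers to the Actions cache. Only the tail of `.dockerignore` is visible in this patch, so confirm it excludes `.git` and any credential files, or keep the explicit `COPY` list. The broad copy also means an edit anywhere in the repository invalidates both build layers, so a Python-only change reruns `yarn build`.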
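Review bot: `RUN pip install hatch` in the backend-builder stage, and `RUN pip install gunicorn Flask Flask-Limiter Flask-SqlAlchemy` in the final stage (last hunk), install whatever versions the index serves at build time. The provenance attestation added by the new workflow therefore describes an image whose Python inputs are not fixed. Both lines are unchanged context and the stages extend beyond these hunks, but they are what the CI build now publishes. Pin them, for example `RUN pip install hatch==<PINNED_VERSION>`, or install from a hash-locked file with `pip install --require-hashes -r <LOCKFILE>`. The `python:3.14-alpine` base is likewise a floating tag and could be pinned by digest.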
@@ -50,13 +55,19 @@ FROM python:3.14-alpine WORKDIR /app +# Disable bytecode to reduce image size +ENV PYTHONDONTWRITEBYTECODE=1 +# Don't save cache +ENV PIP_NO_CACHE_DIR=true +# Don't warn on root user action +ENV PIP_ROOT_USER_ACTION=ignore + # Install some dependencies first (better caching) RUN pip install gunicorn Flask Flask-Limiter Flask-SqlAlchemy # Copy only the built artifacts from the previous stages COPY --from=frontend-builder /work/editor/web/dist ./web/dist -COPY --from=backend-builder /work/dist/*.whl ./packages/ -COPY --from=backend-builder /work/editor/server/dist/*.whl ./packages/ +COPY --from=backend-builder /work/dist/*.whl /work/editor/server/dist/*.whl ./packages/ # Install packages RUN sh -c 'pip install ./packages/*.whl'
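Review bot: `ENV PIP_ROOT_USER_ACTION=ignore` in the final stage silences pip's running-as-root warning rather than addressing it, and no `USER` instruction appears in the visible part of this stage. The stage continues past the end of the hunk, so this may already be handled; if it is not, the server process runs as root in the published image. Create an unprivileged account after the last `pip install` and switch to it, for example `RUN adduser -S -u 10001 app` followed by `USER app`. The three `ENV` lines also persist into the runtime environment; for the two pip settings, passing `--no-cache-dir` and `--root-user-action=ignore` on the `pip install` commands keeps them build-only.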