diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..6c4df72 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,27 @@ +name: CI +env: + DOCKER_BUILDKIT: 1 +on: + push: + workflow_dispatch: + +jobs: + release: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + - name: Docker Login + env: + DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} + DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} + run: | + echo "${DOCKER_PASSWORD}" | docker login --username "${DOCKER_USERNAME}" --password-stdin + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v2 + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }} \ No newline at end of file diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 0000000..fbb95bc --- /dev/null +++ b/.goreleaser.yml @@ -0,0 +1,7 @@ +dockers: + - goos: linux + goarch: amd64 + image_templates: + - "ii64/obs-access-signer:latest" + - "ii64/obs-access-signer:v{{ .Version }}" + skip_push: auto \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 18a1029..e04ed45 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,13 +6,15 @@ COPY . /build RUN apk add --no-cache \ make -RUN --mount=type=cache,mode=0755,target=/go/pkg/mod make dep +RUN make dep RUN make build -FROM gcr.io/distroless/static-debian11 +FROM scratch WORKDIR /app + +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ COPY --from=builder /build/obs-access-signer /app/obs-access-signer ENTRYPOINT [ "/app/obs-access-signer" ] \ No newline at end of file diff --git a/Makefile b/Makefile index d27b0d5..3c37d9b 100644 --- a/Makefile +++ b/Makefile @@ -2,8 +2,6 @@ all: build export DOCKER_BUILDKIT=1 -IMAGE := obs-access-signer:dev - # use zig cc/c++ to statically link deps TARGET_TRIPLE := x86_64-linux @@ -14,11 +12,9 @@ CXXFLAGS += -target $(TARGET_TRIPLE) GOFLAGS ?= GOFLAGS += -x -trimpath +.PHONY: dep dep: go mod download build: - CGO_ENABLED=0 CC="zig cc $(CFLAGS)" CXX="zig c++ $(CXXFLAGS)" go build $(GOFLAGS) . - -build.docker: - "docker" build --progress=plain -t $(IMAGE) . \ No newline at end of file + CGO_ENABLED=0 CC="zig cc $(CFLAGS)" CXX="zig c++ $(CXXFLAGS)" go build $(GOFLAGS) . \ No newline at end of file diff --git a/README.md b/README.md index c8571f3..aa28994 100644 --- a/README.md +++ b/README.md @@ -4,12 +4,11 @@ S3 Object Storage access signer. Run `obs-access-signer` behind a gateway/cache proxy is preferred as the response is static. -There's an example of using it with Varnish Cache, you can see [here](docker/docker-compose.yaml). +There's an example of using it with Varnish Cache, which you can see [here](docker/docker-compose.yaml). ## Why? -Some S3-compatible gateway might not support ACL endpoints but they are support presigned access. Currently, the behavior of `obs-access-signer` is similar to `public-read` ACL where clients can access objects anonymously and redirect them (permanently) to presigned url with `Expires` set to the max signed value of `int64` which has roughly 250yrs lifetime since unix time started. - +Some S3-compatible gateways might not support ACL endpoints but they support presigned access. Currently, the behavior of `obs-access-signer` is similar to `public-read` ACL where clients can access objects anonymously and redirect them (permanently) to presigned URL with `Expires` set to the max signed value of `int64` which has roughly 250yrs lifetime since UNIX time started. ## License