ci: initial files

.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+name: CI
+env:
+  GO_VERSION: 1.19.x
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    # if: startsWith(github.ref, 'ref/tags/v')
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - name: Get go version
+        id: go-version
+        run: echo "::set-output name=version::$(go env GOVERSION)"
+      - name: Docker Login
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
+        run: |
+          echo "${DOCKER_PASSWORD}" | docker login --username "${DOCKER_USERNAME}" --password-stdin
+      - uses: actions/cache@v2
+        with:
+          # In order:
+          # * Module download cache
+          # * Build cache (Linux)
+          # * Build cache (Mac)
+          # * Build cache (Windows)
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+            ~/Library/Caches/go-build
+            %LocalAppData%\go-build
+          key: ${{ env.CACHE_VERSION }}-${{ runner.os }}-${{ steps.go-version.outputs.version }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ env.CACHE_VERSION }}-${{ runner.os }}-go
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}

.goreleaser.yml

@@ -0,0 +1,7 @@
+dockers:
+  - goos: linux
+    goarch: amd64
+    image_templates:
+      - "ii64/obs-access-signer:latest"
+      - "ii64/obs-access-signer:v{{ .Version }}"
+    skip_push: auto

Dockerfile

@@ -1,18 +1,12 @@
-FROM ii64/golang-zig:go1.18-alpine3.15-zig AS builder
+FROM golang:alpine as build
+RUN apk --no-cache add ca-certificates
 
-WORKDIR /build
-COPY . /build
+RUN mkdir /newtmp && chown 1777 /newtmp
 
-RUN apk add --no-cache \
-    make
+FROM scratch
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /newtmp /tmp
 
-RUN --mount=type=cache,mode=0755,target=/go/pkg/mod make dep
-RUN make build
+COPY obs-access-signer /
 
-
-FROM gcr.io/distroless/static-debian11
-
-WORKDIR /app
-COPY --from=builder /build/obs-access-signer /app/obs-access-signer
-
-ENTRYPOINT [ "/app/obs-access-signer" ]
+ENTRYPOINT ["/obs-access-signer"]

Dockerfile.dev

@@ -0,0 +1,20 @@
+FROM ii64/golang-zig:go1.18-alpine3.15-zig AS builder
+
+WORKDIR /build
+COPY . /build
+
+RUN apk add --no-cache \
+    make
+
+RUN --mount=type=cache,mode=0755,target=/go/pkg/mod make dep
+RUN make build
+
+
+FROM scratch
+
+WORKDIR /app
+
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=builder /build/obs-access-signer /app/obs-access-signer
+
+ENTRYPOINT [ "/app/obs-access-signer" ]

Makefile

@@ -2,8 +2,6 @@ all: build
 
 export DOCKER_BUILDKIT=1
 
-IMAGE := obs-access-signer:dev
-
 # use zig cc/c++ to statically link deps
 TARGET_TRIPLE := x86_64-linux
 
@@ -14,11 +12,9 @@ CXXFLAGS += -target $(TARGET_TRIPLE)
 GOFLAGS ?=
 GOFLAGS += -x -trimpath
 
+.PHONY: dep
 dep:
 	go mod download
 
 build:
 	CGO_ENABLED=0 CC="zig cc $(CFLAGS)" CXX="zig c++ $(CXXFLAGS)" go build $(GOFLAGS) .
-
-build.docker:
-	"docker" build --progress=plain -t $(IMAGE) .

README.md

@@ -4,12 +4,11 @@ S3 Object Storage access signer.
 
 Run `obs-access-signer` behind a gateway/cache proxy is preferred as the response is static.
 
-There's an example of using it with Varnish Cache, you can see [here](docker/docker-compose.yaml).
+There's an example of using it with Varnish Cache, which you can see [here](docker/docker-compose.yaml).
 
 ## Why?
 
-Some S3-compatible gateway might not support ACL endpoints but they are support presigned access. Currently, the behavior of `obs-access-signer` is similar to `public-read` ACL where clients can access objects anonymously and redirect them (permanently) to presigned url with `Expires` set to the max signed value of `int64` which has roughly 250yrs lifetime since unix time started.
-
+Some S3-compatible gateways might not support ACL endpoints but they support presigned access. Currently, the behavior of `obs-access-signer` is similar to `public-read` ACL where clients can access objects anonymously and redirect them (permanently) to presigned URL with `Expires` set to the max signed value of `int64` which has roughly 250yrs lifetime since UNIX time started.
 
 ## License