Publish OCI containers to GitHub registry

codingjoe · codingjoe · commit cb72cefb36b9 · 2025-06-27T11:28:36.000+02:00
diff --git a/.dockerignore b/.dockerignore
@@ -1,5 +1,5 @@
 .env
-Dockerfile
+Containerfile
 .dockerignore
 .git
 .gitignore
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,95 @@
+name: Publish OCI Containers
+
+on:
+  push:
+    branches:
+      - main
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+
+  backend-container:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
+
+  frontend-container:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}-web
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: web
+          file: web/Containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/Containerfile b/Containerfile
@@ -0,0 +1,10 @@
+FROM ghcr.io/astral-sh/uv:python3.12-alpine
+
+WORKDIR /app
+COPY . /app
+
+RUN uv sync --locked --no-dev
+
+EXPOSE 8000
+
+CMD ["uv", "run", "python", "server.py", "--host", "0.0.0.0", "--port", "8000"]
diff --git a/Dockerfile b/Dockerfile
diff --git a/compose.yml b/compose.yml
@@ -1,9 +1,8 @@
 services:
   backend:
-    build:
-      context: .
-      dockerfile: Dockerfile
+    image: ghcr.io/codingjoe/deer-flow:main
     container_name: deer-flow-backend
+    pull_policy: always
     ports:
       - "8000:8000"
     env_file:
@@ -15,11 +14,8 @@ services:
       - deer-flow-network
 
   frontend:
-    build:
-      context: ./web
-      dockerfile: Dockerfile
-      args:
-        - NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL
+    image: ghcr.io/codingjoe/deer-flow-web:main
+    pull_policy: always
     container_name: deer-flow-frontend
     ports:
       - "3000:3000"
diff --git a/web/.dockerignore b/web/.dockerignore
@@ -1,5 +1,5 @@
 .env
-Dockerfile
+Containerfile
 .dockerignore
 node_modules
 npm-debug.log
diff --git a/web/Containerfile b/web/Containerfile
@@ -0,0 +1,17 @@
+FROM node:20-alpine
+WORKDIR /app
+
+ENV NODE_ENV=production
+ENV SKIP_ENV_VALIDATION=1
+ENV NEXT_TELEMETRY_DISABLED=1
+ENV PORT=3000
+
+RUN apk add --no-cache pnpm
+
+COPY . /app
+RUN pnpm i
+RUN pnpm run build
+
+EXPOSE 3000
+
+CMD ["pnpm", "start"]
diff --git a/web/Dockerfile b/web/Dockerfile
diff --git a/web/docker-compose.yml b/web/docker-compose.yml
@@ -2,7 +2,7 @@ services:
   deer-flow-web:
     build:
       context: .
-      dockerfile: Dockerfile
+      dockerfile: Containerfile
       args:
         NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL}
     image: deer-flow-web
