Merge updated CI

Squashed commit of the following:

commit 4dac7db79049eb28d1efcdb31154b3f7e86fd792
Author: Killian Meersman <hi@killianm.dev>
Date:   Fri Apr 4 14:57:36 2025 +0200

    Update release CI

commit 9f03853
Author: Killian Meersman <hi@killianm.dev>
Date:   Fri Apr 4 14:52:19 2025 +0200

    WIP multi-arch CI

Author: KillianMeersman

.github/workflows/container.yaml

@@ -4,22 +4,60 @@ on:
   push:
     branches:
       - dev
+      - ci
+    tags:
+      - v*
 
 jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions:
-      packages: write
-      contents: read
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup Go 
-        uses: actions/setup-go@v5
-        with:
-          go-version: 1.23
-      - name: Test
-        run: make test
-      - name: Log in to Github registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
-      - name: Push image
-        run: TAG=${{ github.ref_name }} make publish
+ # Build multi-arch image.
+ build_container:
+  runs-on: ubuntu-latest
+  permissions:
+    packages: write
+    contents: read
+    attestations: write
+    id-token: write
+  env:
+    REGISTRY: ghcr.io
+    IMAGE_NAME: ${{ github.repository }}
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Docker meta
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=semver,pattern={{version}}
+          type=semver,pattern={{major}}.{{minor}}
+
+    - name: Log in to the Github Container registry
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and push
+      uses: docker/build-push-action@v6
+      id: push
+      with:
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        platforms: linux/arm/v7,linux/arm64/v8,linux/arm64,linux/amd64
+
+    - name: Generate artifact attestation
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        subject-digest: ${{ steps.push.outputs.digest }}
+        push-to-registry: true

.github/workflows/release.yaml

@@ -0,0 +1,79 @@
+name: Create release
+run-name: Release ${{ github.ref_name }}
+on:
+  push:
+    tags:
+      - v
+
+jobs:
+  build_windows_binaries:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+            go-version: '^1.23.0'
+      - run: |
+            GOOS=windows GOARCH=amd64 go build -buildvcs=false -o dist/chaperone_windows_x64.exe
+            GOOS=windows GOARCH=386 go build -buildvcs=false -o dist/chaperone_windows_x32.exe
+      - name: 'Upload build artifacts'
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-builds
+          path: dist/*
+          retention-days: 3
+
+  build_mac_binaries:
+      runs-on: ubuntu-latest
+      steps:
+        - uses: actions/checkout@v4
+        - uses: actions/setup-go@v5
+          with:
+            go-version: '^1.23.0'
+        - run: |
+           GOOS=darwin GOARCH=amd64 go build -buildvcs=false -o dist/chaperone_darwin_x64
+           GOOS=darwin GOARCH=arm64 go build -buildvcs=false -o dist/chaperone_mac_arm64
+        - name: 'Upload build artifacts'
+          uses: actions/upload-artifact@v4
+          with:
+            name: mac-builds
+            path: dist/*
+            retention-days: 3
+
+  build_linux_binaries:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '^1.23.0'
+      - run: |
+          GOOS=linux GOARCH=amd64 go build -buildvcs=false -o dist/chaperone_linux_x64
+          GOOS=linux GOARCH=386 go build -buildvcs=false -o dist/chaperone_linux_x32
+      - name: 'Upload build artifacts'
+        uses: actions/upload-artifact@v4
+        with:
+          name: linux-builds
+          path: dist/*
+          retention-days: 3
+    
+  github_release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    needs:
+      - build_windows_binaries
+      - build_mac_binaries
+      - build_linux_binaries
+    steps:
+      - name: Download all workflow run artifacts
+        uses: actions/download-artifact@v4
+      - uses: ncipollo/release-action@v1
+        with:
+          artifacts: "windows-builds/*,mac-builds/*,linux-builds/*"
+          allowUpdates: true
+          makeLatest: true
+          prerelease: false
+          replacesArtifacts: true
+          artifactErrorsFailBuild: true
+          generateReleaseNotes: true

.gitignore

@@ -0,0 +1,2 @@
+# Build artifacts
+dist/

Dockerfile

@@ -1,4 +1,9 @@
-FROM golang:1-alpine AS builder
+FROM --platform=$BUILDPLATFORM golang:1-alpine AS builder
+
+# Default BuildKit arguments, need to be defined as ARG to be useable in the Dockerfile.
+# See https://www.docker.com/blog/faster-multi-platform-builds-dockerfile-cross-compilation-guide/
+ARG TARGETOS
+ARG TARGETARCH
 
 LABEL org.opencontainers.image.source=https://github.com/KillianMeersman/chaperone
 LABEL org.opencontainers.image.description="A rate-limiting & caching forward HTTP proxy."
@@ -8,15 +13,17 @@ WORKDIR /app
 ENV GOCACHE=/app/.gocache
 
 COPY . .
-RUN --mount=type=cache,id=gocache,target=/app/.gocache,sharing=locked go build -o chaperone ./cmd/chaperone/main.go
+
+RUN --mount=type=cache,id=gocache,target=/app/.gocache,sharing=private \
+    GOOS="$TARGETOS" GOARCH="$TARGETARCH" go build -o chaperone ./cmd/chaperone/main.go
 RUN chmod +x chaperone
 
 FROM alpine:3 AS main
 
 WORKDIR /app
 COPY --from=builder /app/chaperone chaperone
 
-RUN adduser --disabled-password user
-USER user:user
+RUN adduser --disabled-password chaperone
+USER chaperone:chaperone
 
 ENTRYPOINT [ "/app/chaperone" ]

Makefile

@@ -24,7 +24,7 @@ fuzz: vendor
 
 build: vendor vet test
 	mkdir dist || true
-	go build -o dist/$(TARGET) ./cmd/$(TARGET)/main.go
+	go build -o dist/chaperone ./cmd/chaperone/main.go
 
 container:
 	docker build -t $(CONTAINER):$(TAG) .

release.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+
+if [ $# -lt 1 ]; then
+    echo "Please provide a semantic version, 'major', 'minor' or 'patch'"
+    exit 1
+fi
+
+
+NEW_VERSION="$1"
+TAG_COMMIT='HEAD'
+
+# Fetch existing tags before choosing what the next one should be.
+echo 'Fetching existing tags...'
+git fetch --tags
+
+# Parse major, minor and patch groups of latest tag.
+LATEST_RELEASE_TAG=$(git tag | grep -iE 'v.*' | sort -V | tail -n 1)
+if [[ -z "${LATEST_RELEASE_TAG}" ]]; then
+    echo "No release tags found. Please create an initial release tag first."
+    exit 1
+fi
+
+NEW_RELEASE_MAJOR=$(echo ${LATEST_RELEASE_TAG//v} | cut -d. -f 1)
+NEW_RELEASE_MINOR=$(echo ${LATEST_RELEASE_TAG//v} | cut -d. -f 2)
+NEW_RELEASE_PATCH=$(echo ${LATEST_RELEASE_TAG//v} | cut -d. -f 3)
+
+# Set the major, minor and patch groups of the new tag.
+if [[ "${NEW_VERSION}" == 'major' ]]; then
+    NEW_RELEASE_MAJOR=$(($NEW_RELEASE_MAJOR + 1))
+    NEW_RELEASE_MINOR='0'
+    NEW_RELEASE_PATCH='0'
+elif [[ "${NEW_VERSION}" == 'minor' ]]; then
+    NEW_RELEASE_MINOR=$(($NEW_RELEASE_MINOR + 1))
+    NEW_RELEASE_PATCH='0'
+elif [[ "${NEW_VERSION}" == 'patch' ]]; then
+    NEW_RELEASE_PATCH=$(($NEW_RELEASE_PATCH + 1))
+elif [[ "${NEW_VERSION}" =~ v.*\..*\..* ]]; then
+    NEW_RELEASE_MAJOR=$(echo ${NEW_VERSION//v} | cut -d. -f 1)
+    NEW_RELEASE_MINOR=$(echo ${NEW_VERSION//v} | cut -d. -f 2)
+    NEW_RELEASE_PATCH=$(echo ${NEW_VERSION//v} | cut -d. -f 3)
+else
+    echo "Invalid argument. Please provide a semantic version, 'major', 'minor' or 'patch'"
+    exit 1
+fi
+
+# Construct the new release tag.
+echo "Latest release tag is '${LATEST_RELEASE_TAG}'"
+NEW_RELEASE="v${NEW_RELEASE_MAJOR}.${NEW_RELEASE_MINOR}.${NEW_RELEASE_PATCH}"
+echo "Creating release '${NEW_RELEASE}'"
+
+# Construct the tag message.
+# If the tag message is empty, use the default message.
+TAG_MESSAGE_FILE=$(mktemp)
+TAG_MESSAGE_HEADER="Version ${NEW_RELEASE_MAJOR}.${NEW_RELEASE_MINOR}.${NEW_RELEASE_PATCH}"
+TAG_MESSAGE_CHANGES=$(git log --pretty=format:"- %s" -n 20 "${LATEST_RELEASE_TAG}..${TAG_COMMIT}")
+
+echo "${TAG_MESSAGE_HEADER}" > "${TAG_MESSAGE_FILE}"
+echo '' >> "${TAG_MESSAGE_FILE}"
+echo "Commits since ${LATEST_RELEASE_TAG}:" >> "${TAG_MESSAGE_FILE}"
+echo "${TAG_MESSAGE_CHANGES}" >> "${TAG_MESSAGE_FILE}"
+${EDITOR} "${TAG_MESSAGE_FILE}"
+
+git tag -a "${NEW_RELEASE}" -F "${TAG_MESSAGE_FILE}" "${TAG_COMMIT}"
+
+while true; do
+    read -p "Release tag created, push, delete or keep? [${bold}P${normal}ush/${bold}K${normal}eep/${bold}D${normal}elete]: " choice
+    case $choice in
+        [Pp]*) git push origin ${NEW_RELEASE} ; break ;;
+        [Kk]*) break ;;
+        [Dd]*) git tag -d ${NEW_RELEASE} ; break ;;
+    esac
+done