Unify workflows and docker stuff

Christopher Skene · Christopher Skene · commit 0f89f9625869 · 2025-10-22T23:16:25.000+11:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,19 +1,22 @@
+# .github/workflows/release.yml
 name: Release Harmony
 
 on:
   push:
     tags:
-      - 'v*'          # production releases
+      - 'v*'
   workflow_dispatch:
 
 env:
   CARGO_TERM_COLOR: always
-  REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository }}
+  REGISTRY_GHCR: ghcr.io/aurabx/harmony
+  REGISTRY_DOCKERHUB: aurabx/harmony
+  IMAGE_NAME: harmony
 
 jobs:
+  # ---------- 1. Build binaries ----------
   build-binaries:
-    name: Build Rust binaries (cross/native)
+    name: Build Harmony binaries (cross/native)
     strategy:
       matrix:
         include:
@@ -38,22 +41,18 @@ jobs:
         with:
           targets: ${{ matrix.target }}
 
-      # Linux builds (use cross)
+      # Linux builds use cross
       - name: Build Harmony (Linux cross)
         if: runner.os == 'Linux'
         shell: bash
         run: |
-          echo "Detected Linux runner. Installing musl dependencies and using cross."
           cargo install cross --git https://github.com/cross-rs/cross
-          # Build for the target
           cross build --release --target ${{ matrix.target }}
 
-      # Non-Linux builds (macOS + Windows)
+      # Non-Linux builds are native
       - name: Build Harmony (native)
         if: runner.os != 'Linux'
-        run: |
-          echo "Detected non-Linux runner. Building natively."
-          cargo build --release --target ${{ matrix.target }}
+        run: cargo build --release --target ${{ matrix.target }}
 
       - name: Package artefacts
         shell: bash
@@ -82,8 +81,9 @@ jobs:
           name: harmony-${{ matrix.target }}
           path: release/
 
+  # ---------- 2. Build and push Docker images ----------
   docker:
-    name: Build and push multi-arch Docker image
+    name: Build and push multi-arch Docker images
     runs-on: ubuntu-latest
     needs: build-binaries
     permissions:
@@ -92,61 +92,77 @@ jobs:
       id-token: write
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          path: ./binaries
 
-      - name: Set up Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Prepare Linux binaries
+        run: |
+          mv binaries/harmony-x86_64-unknown-linux-musl/harmony harmony-amd64 || true
+          mv binaries/harmony-aarch64-unknown-linux-musl/harmony harmony-arm64 || true
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Login to GHCR
+      - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Compute image tags
         id: meta
-        shell: bash
         run: |
-          if [ "${GITHUB_REF_TYPE}" = "tag" ]; then
-            echo "Detected release tag ${GITHUB_REF_NAME}"
-            echo "tags=${REGISTRY}/${IMAGE_NAME}:${GITHUB_REF_NAME},${REGISTRY}/${IMAGE_NAME}:latest" >> $GITHUB_OUTPUT
-          else
-            SHORT_SHA="${GITHUB_SHA::7}"
-            SAFE_BRANCH="${GITHUB_REF_NAME//\//-}"
-            echo "tags=${REGISTRY}/${IMAGE_NAME}:${SAFE_BRANCH}-${SHORT_SHA}" >> $GITHUB_OUTPUT
-          fi
-        env:
-          REGISTRY: ${{ env.REGISTRY }}
-          IMAGE_NAME: ${{ env.IMAGE_NAME }}
+          TAG=${GITHUB_REF_NAME}
+          echo "tags=${{ env.REGISTRY_DOCKERHUB }}:${TAG},${{ env.REGISTRY_DOCKERHUB }}:latest,${{ env.REGISTRY_GHCR }}:${TAG},${{ env.REGISTRY_GHCR }}:latest" >> $GITHUB_OUTPUT
 
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: .
+          file: Dockerfile
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+  # ---------- 3. Publish GitHub Release ----------
   release:
     name: Publish GitHub Release
     runs-on: ubuntu-latest
     needs: [build-binaries, docker]
     if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: write
+
     steps:
       - name: Download artefacts
         uses: actions/download-artifact@v4
         with:
           path: ./artifacts
 
+      # Combine all SHA256 files into one manifest
+      - name: Generate combined checksums manifest
+        shell: bash
+        run: |
+          cd artifacts
+          find . -type f -name "*.sha256" -exec cat {} \; > checksums.txt
+          echo "Combined checksums:"
+          cat checksums.txt
+
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ github.ref_name }}
           name: Harmony ${{ github.ref_name }}
           files: ./artifacts/**/*
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
diff --git a/Dockerfile b/Dockerfile
@@ -1,34 +1,13 @@
-# Build stage
-FROM rust:1.87-bookworm AS builder
-
-WORKDIR /app
-
-# Copy Cargo files first for better layer caching
-COPY Cargo.toml Cargo.lock ./
-COPY crates/ ./crates/
-
-# Copy source code
-COPY src/ ./src/
-
-# Build release binary
-RUN cargo build --release --bin harmony
-
-# Runtime stage
+# syntax=docker/dockerfile:1
 FROM debian:bookworm-slim
 
-# Install minimal dependencies
-RUN apt-get update && \
-    apt-get install -y ca-certificates && \
-    rm -rf /var/lib/apt/lists/*
-
-# Create directories
+WORKDIR /app
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
 RUN mkdir -p /etc/harmony /var/log/harmony /tmp/harmony
 
-# Copy binary from builder
-COPY --from=builder /app/target/release/harmony /usr/local/bin/harmony
+# Copy in prebuilt binary (for CI or local use)
+ARG TARGETARCH
+COPY harmony-${TARGETARCH} /usr/local/bin/harmony
 
-# Expose ports
 EXPOSE 8080 9090
-
-# Default command
-CMD ["harmony", "--config", "/etc/harmony/config.toml"]
+CMD ["harmony", "--config", "/etc/harmony/config.toml"]
diff --git a/Dockerfile.build b/Dockerfile.build
@@ -0,0 +1,34 @@
+# Build stage
+FROM rust:1.87-bookworm AS builder
+
+WORKDIR /app
+
+# Copy Cargo files first for better layer caching
+COPY Cargo.toml Cargo.lock ./
+COPY crates/ ./crates/
+
+# Copy source code
+COPY src/ ./src/
+
+# Build release binary
+RUN cargo build --release --bin harmony
+
+# Runtime stage
+FROM debian:bookworm-slim
+
+# Install minimal dependencies
+RUN apt-get update && \
+    apt-get install -y ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
+
+# Create directories
+RUN mkdir -p /etc/harmony /var/log/harmony /tmp/harmony
+
+# Copy binary from builder
+COPY --from=builder /app/target/release/harmony /usr/local/bin/harmony
+
+# Expose ports
+EXPOSE 8080 9090
+
+# Default command
+CMD ["harmony", "--config", "/etc/harmony/config.toml"]
diff --git a/readme.md b/readme.md
@@ -57,23 +57,36 @@ If configured, you should receive an echoed response from the sample backend. Ex
 
 ### Docker
 
-Run with Docker Compose:
+#### Option 1 – Run with Docker Compose (recommended)
+
+For local development or quick testing:
 
 ```bash
-# Build and run
-docker-compose up
+# Build and start containers
+docker compose up
 
-# Alternatively, to force a rebuild
+# Alternatively, to rebuild and restart cleanly
 docker compose up --build --force-recreate -d
 
 # Test the service
 curl -i http://localhost:8080/echo
 ```
 
-Or build and run manually:
+Compose uses the included `Dockerfile.build` so everything builds from source inside Docker—no Rust toolchain required on the host.
+
+**Ports**
+
+* **8080** – Main service endpoints
+* **9090** – Management API (if enabled)
+
+---
+
+#### Option 2 – Build and run manually (from prebuilt or local binaries)
+
+If you have prebuilt binaries or are running from CI output, use the lean runtime image (`Dockerfile`):
 
 ```bash
-# Build image
+# Build image from prebuilt binaries (fast path)
 docker build -t harmony-proxy .
 
 # Run with default config
@@ -87,9 +100,32 @@ docker run -p 8080:8080 \
   harmony-proxy --config /examples/basic-echo/config.toml
 ```
 
-Ports:
-- 8080: Main service endpoints
-- 9090: Management API (if enabled)
+If you’d rather build everything from scratch (no prebuilt binaries), specify the full build image explicitly:
+
+```bash
+docker build -f Dockerfile.build -t harmony-proxy .
+docker run -p 8080:8080 harmony-proxy
+```
+
+---
+
+#### Option 3 – Use the published image
+
+Once your CI workflow pushes to GHCR:
+
+```bash
+docker pull ghcr.io/aurabx/harmony:latest
+docker run -p 8080:8080 -p 9090:9090 ghcr.io/aurabx/harmony:latest
+```
+
+---
+
+This layout clarifies:
+
+* **Compose / Dockerfile.build** → full source build (developer-friendly)
+* **Dockerfile** → prebuilt-binary runtime (used by CI and GHCR images)
+* **Published image** → fastest start for end-users
+
 
 ## Configuration
 Harmony's configuration is file-based (TOML) and can include additional pipeline/transform files from a directory.
