Fix Dockerfile to work with GoReleaser output structure

chaptersix · chaptersix · commit f64d6f2a5834 · 2025-11-21T18:11:54.000-06:00
- Use ARG TARGETARCH (built-in Docker Buildx arg) instead of custom BUILDARCH
- Copy binaries from GoReleaser output structure: dist/nix_linux_amd64_v1/temporal
- Add multi-stage dist build to properly handle GoReleaser output paths
- Remove unnecessary TARGETPLATFORM from workflows and docker-bake.hcl
- Ensure Docker build works correctly with actual GoReleaser binary locations
diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml
@@ -222,3 +222,4 @@ jobs:
           IMAGE_NAMESPACE: ${{ steps.meta.outputs.image_namespace }}
           IMAGE_NAME: ${{ steps.meta.outputs.image_name }}
           GITHUB_REPOSITORY: ${{ github.repository }}
+          TARGETPLATFORM: linux/amd64,linux/arm64
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,22 @@
 # syntax=docker/dockerfile:1
 
-# Build stage to extract CA certificates and create user files
+ARG TARGETARCH
+
+# Build stage - copy binaries from goreleaser output
+FROM --platform=$TARGETARCH scratch AS dist
+COPY dist/nix_linux_amd64_v1/temporal /dist/amd64/temporal
+COPY dist/nix_linux_arm64_v8.0/temporal /dist/arm64/temporal
+
+# Stage to extract CA certificates and create user files
 FROM alpine:3.22@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412 AS certs
 RUN apk add --no-cache ca-certificates && \
     adduser -u 1000 -D temporal
 
 # Final scratch stage - completely minimal base
 FROM scratch
 
+ARG TARGETARCH
+
 # Copy CA certificates from certs stage
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
@@ -16,10 +25,9 @@ COPY --from=certs /etc/passwd /etc/passwd
 COPY --from=certs /etc/group /etc/group
 
 # Copy the appropriate binary for target architecture
-ARG TARGETARCH
-COPY dist/nix_linux_${TARGETARCH}/temporal /temporal
+COPY --from=dist /dist/$TARGETARCH/temporal /temporal
 
-# Run as non-root user temporal (uid 1000)
-USER 1000:1000
+# Run as non-root user temporal
+USER temporal:temporal
 
 ENTRYPOINT ["/temporal"]
