feat: publish Docker image to GHCR (#218)

* ref: publish Docker image to GHCR

* ci: craft default release branch name is 'release'

* ref: use ghcr image for devservices

* chore: Use bullseye image variant

* chore: add libpangocairo

* ci: test on forks, I don't have arm64 runner laying around

* chore: bump canvas to next major version

Release notes says this is a migration to N-API, no code changes - https://github.com/Automattic/node-canvas/releases/tag/v3.0.0

* ci: remove debugging commands

* ci: conflicting job name

* ci: don't publish on PR for external contributors

* switch base images to GHCR

* ci: Run build workflow on pull requests

Fork PRs don't trigger push events in the main repo, so the build
check was never running for external contributors. Adding pull_request
trigger uses a read-only token with no secret access, which is safe.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Alexander Tarasov <alex.tarasov@sentry.io>
Co-authored-by: Claude <noreply@anthropic.com>

Author: 3 people

.github/workflows/build.yml

@@ -1,5 +1,5 @@
 name: build
-on: [push]
+on: [push, pull_request]
 
 jobs:
   build:

.github/workflows/image.yml

@@ -0,0 +1,62 @@
+name: Docker Image
+
+on:
+  pull_request:
+  push:
+    branches:
+      - master
+      - release/**
+jobs:
+  build-docker-image:
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            platform: amd64
+          - os: ubuntu-24.04-arm
+            platform: arm64
+    name: build-docker-image-${{ matrix.platform }}
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Build and push chartcuterie image
+        uses: getsentry/action-build-and-push-images@b172ab61a5f7eabd58bd42ce231b517e79947c01
+        with:
+          image_name: 'chartcuterie'
+          platforms: linux/${{ matrix.platform }}
+          dockerfile_path: './Dockerfile'
+          ghcr: ${{ github.event_name != 'pull_request' }}
+          tag_suffix: -${{ matrix.platform }}
+          publish_on_pr: ${{ github.event.pull_request.author_association == 'OWNER' || github.event.pull_request.author_association == 'MEMBER' }}
+          google_ar: false
+          tag_nightly: false
+          tag_latest: false
+
+  assemble-chartcuterie-image:
+    runs-on: ubuntu-latest
+    needs: [build-docker-image]
+    if: ${{ (github.ref_name == 'master' || startsWith(github.ref_name, 'release/')) && github.event_name != 'pull_request' }}
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - run: docker login --username '${{ github.actor }}' --password-stdin ghcr.io <<< "$GHCR_TOKEN"
+        env:
+          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Create multiplatform manifests
+        run: |
+          docker buildx imagetools create \
+            --tag ghcr.io/getsentry/chartcuterie:${{ github.event.pull_request.head.sha || github.sha }} \
+            --tag ghcr.io/getsentry/chartcuterie:nightly \
+            ghcr.io/getsentry/chartcuterie:${{ github.event.pull_request.head.sha || github.sha }}-amd64 \
+            ghcr.io/getsentry/chartcuterie:${{ github.event.pull_request.head.sha || github.sha }}-arm64

.github/workflows/release-ghcr-version-tag.yml

@@ -0,0 +1,28 @@
+name: Release GHCR Versioned Image
+
+on:
+  release:
+    types: [prereleased, released]
+
+jobs:
+  release-ghcr-version-tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Tag release version
+        run: |
+          docker buildx imagetools create --tag \
+           ghcr.io/getsentry/chartcuterie:${{ github.ref_name }} \
+           ghcr.io/getsentry/chartcuterie:${{ github.sha }}
+
+      - name: Tag latest version
+        run: |
+          docker buildx imagetools create --tag \
+           ghcr.io/getsentry/chartcuterie:latest \
+           ghcr.io/getsentry/chartcuterie:${{ github.sha }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM us-docker.pkg.dev/sentryio/dhi/node:24-debian13-dev AS builder
+FROM ghcr.io/getsentry/dhi/node:24-debian13-dev AS builder
 
 WORKDIR /build
 
@@ -37,7 +37,7 @@ RUN apt-get update -qq && \
     rm -rf /var/lib/apt/lists/*
 
 
-FROM us-docker.pkg.dev/sentryio/dhi/node:24-debian13
+FROM ghcr.io/getsentry/dhi/node:24-debian13
 
 ENV NODE_ENV=production
 

devservices/config.yml

@@ -10,7 +10,7 @@ x-sentry-service-config:
 
 services:
   chartcuterie:
-    image: us-central1-docker.pkg.dev/sentryio/chartcuterie/image:latest
+    image: ghcr.io/getsentry/chartcuterie:nightly
     environment:
       CHARTCUTERIE_CONFIG: /etc/chartcuterie/config.js
       CHARTCUTERIE_CONFIG_POLLING: true

yarn.lock

@@ -5605,7 +5605,7 @@ safe-array-concat@^1.1.3:
 
 safe-buffer@^5.0.1, safe-buffer@~5.2.0:
   version "5.2.1"
-  resolved "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz"
+  resolved "https://registry.yarnpkg.com/safe-buffer/-/safe-buffer-5.2.1.tgz#1eaf9fa9bdb1fdd4ec75f58f9cdb4e6b7827eec6"
   integrity sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==
 
 safe-push-apply@^1.0.0: