ant31/Dockerfile

## Dockerfile
# syntax=docker/dockerfile:1.4
# STAGE 1
FROM golang:1.19 as builder

WORKDIR /app

# ONLY needed for builds with private repo dependencies
RUN --mount=type=secret,id=GHTOKEN \
    export GHTOKEN=$(cat /run/secrets/GHTOKEN) \
    && git config --global url.https://me:$GHTOKEN@github.com/.insteadOf https://github.com/

COPY . ./
RUN make build CONTAINERIZE_BUILD=false

# STAGE 2
FROM gcr.io/distroless/static-debian11 as app
WORKDIR /app
COPY --from=builder /app/bin/linux/amd64/myapp /usr/local/bin/
ENTRYPOINT ["/usr/local/bin/myapp"]

## goci.yaml
name: CI
'on':
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
    tags:
      - '*'
  schedule:
    - cron: 0 0 * * *
  workflow_dispatch: {}

env:
  CONTAINER_PUSH: '${{  github.ref == ''refs/heads/main'' }}'
  GOPRIVATE:
  IMAGE_NAME: '${{ github.repository }}'
  REGISTRY: ghcr.io
jobs:
  build-and-push-image:
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-latest
    steps:
      - name: Chekout
        uses: actions/checkout@v3
        with: {}
      - id: commit
        uses: pr-mpt/actions-commit-hash@v1
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
        with: {}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with: {}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with: {}
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          password: '${{ secrets.GITHUB_TOKEN }}'
          registry: '${{ env.REGISTRY }}'
          username: '${{ github.actor }}'
      - name: Docker build stage1
        uses: docker/build-push-action@v3
        with:
          context: .
          push: '${{ env.CONTAINER_PUSH }}'
          secrets: 'GHTOKEN=${{ secrets.GHTOKEN }}'
          tags: >-
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:build-${{
            steps.commit.outputs.short }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME
            }}:build,${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:build-latest
          target: builder
      - name: Docker build App container
        uses: docker/build-push-action@v3
        with:
          context: .
          push: '${{ env.CONTAINER_PUSH }}'
          secrets: 'GHTOKEN=${{ secrets.GHTOKEN }}'
          tags: >-
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{
            steps.commit.outputs.short }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME
            }}:latest
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          key: 'go-${{ hashFiles(''**/go.sum'') }}'
          path: ~/.cache/go-build ~/go/pkg/mod ./vendor
      - run: >-
          git config --global url.https://me:${{ secrets.GHTOKEN
          }}@github.com/.insteadOf https://github.com/
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.18'
      - name: Vendor
        run: make vendor
      - name: lint
        run: |-
          make vendor
          git diff --exit-code
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          key: 'go-${{ hashFiles(''**/go.sum'') }}'
          path: ~/.cache/go-build ~/go/pkg/mod ./vendor
      - run: >-
          git config --global url.https://me:${{ secrets.GHTOKEN
          }}@github.com/.insteadOf https://github.com/
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.18'
      - name: Vendor
        run: make vendor
      - name: test
        run: CONTAINERIZE_BUILD=false make test
  vendor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          key: 'go-${{ hashFiles(''**/go.sum'') }}'
          path: ~/.cache/go-build ~/go/pkg/mod ./vendor
      - run: >-
          git config --global url.https://me:${{ secrets.GHTOKEN
          }}@github.com/.insteadOf https://github.com/
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.18'
      - name: Vendor
        run: make vendor
      - name: vendor
        run: make lint

## Makefile
CONTAINERIZE_BUILD ?= true

.PHONY: build
build: $(BINS)

.PHONY: build-in-container
build-in-container: $(BIN_DIR)
	@echo "Create builder container..."
	@docker buildx build -q . -t myimage/name:builder --target=builder --secret=type=env,env=GHTOKEN,id=GHTOKEN
	@echo "Copy binaries"
	@docker run --rm \
		-u $$(id -u):$$(id -g) \
	    -v $$(pwd)/$(BIN_DIR):/localbins \
	    -w /app \
		myimage/name:builder \
		cp -r /app/bin/. /localbins

$(BINS): $(SRC) go.mod
ifeq ($(CONTAINERIZE_BUILD),false)
	export GOPRIVATE=github.com/somerepo
	@mkdir -p $(BIN_DIR)/$(word 2,$(subst /, ,$@))/$(word 3,$(subst /, ,$@))
	@echo "building: $@"
	GOARCH=$(word 3,$(subst /, ,$@)) \
    GOOS=$(word 2,$(subst /, ,$@)) \
	GOCACHE=$$(pwd)/.cache \
	GOMODCACHE=$$(pwd)/.gomodcache \
	CGO_ENABLED=0 \
	go build -mod=readonly -o $@ \
	$(LD_FLAGS) \
	./cmd/$(@F)
else
	@echo "building: $@"
	@$(MAKE) -s build-in-container
endif
	# syntax=docker/dockerfile:1.4
	# STAGE 1
	FROM golang:1.19 as builder

	WORKDIR /app

	# ONLY needed for builds with private repo dependencies
	RUN --mount=type=secret,id=GHTOKEN \
	export GHTOKEN=$(cat /run/secrets/GHTOKEN) \
	&& git config --global url.https://me:$GHTOKEN@github.com/.insteadOf https://github.com/

	COPY . ./
	RUN make build CONTAINERIZE_BUILD=false

	# STAGE 2
	FROM gcr.io/distroless/static-debian11 as app
	WORKDIR /app
	COPY --from=builder /app/bin/linux/amd64/myapp /usr/local/bin/
	ENTRYPOINT ["/usr/local/bin/myapp"]
	name: CI
	'on':
	pull_request:
	branches:
	- main
	push:
	branches:
	- main
	tags:
	- '*'
	schedule:
	- cron: 0 0 * * *
	workflow_dispatch: {}

	env:
	CONTAINER_PUSH: '${{ github.ref == ''refs/heads/main'' }}'
	GOPRIVATE:
	IMAGE_NAME: '${{ github.repository }}'
	REGISTRY: ghcr.io
	jobs:
	build-and-push-image:
	permissions:
	contents: read
	packages: write
	runs-on: ubuntu-latest
	steps:
	- name: Chekout
	uses: actions/checkout@v3
	with: {}
	- id: commit
	uses: pr-mpt/actions-commit-hash@v1
	- name: Set up QEMU
	uses: docker/setup-qemu-action@v2
	with: {}
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v2
	with: {}
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v2
	with: {}
	- name: Log in to the Container registry
	uses: docker/login-action@v2
	with:
	password: '${{ secrets.GITHUB_TOKEN }}'
	registry: '${{ env.REGISTRY }}'
	username: '${{ github.actor }}'
	- name: Docker build stage1
	uses: docker/build-push-action@v3
	with:
	context: .
	push: '${{ env.CONTAINER_PUSH }}'
	secrets: 'GHTOKEN=${{ secrets.GHTOKEN }}'
	tags: >-
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:build-${{
	steps.commit.outputs.short }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME
	}}:build,${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:build-latest
	target: builder
	- name: Docker build App container
	uses: docker/build-push-action@v3
	with:
	context: .
	push: '${{ env.CONTAINER_PUSH }}'
	secrets: 'GHTOKEN=${{ secrets.GHTOKEN }}'
	tags: >-
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{
	steps.commit.outputs.short }},${{ env.REGISTRY }}/${{ env.IMAGE_NAME
	}}:latest
	lint:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3
	- uses: actions/cache@v3
	with:
	key: 'go-${{ hashFiles(''**/go.sum'') }}'
	path: ~/.cache/go-build ~/go/pkg/mod ./vendor
	- run: >-
	git config --global url.https://me:${{ secrets.GHTOKEN
	}}@github.com/.insteadOf https://github.com/
	- name: Set up Go
	uses: actions/setup-go@v3
	with:
	go-version: '1.18'
	- name: Vendor
	run: make vendor
	- name: lint
	run: \|-
	make vendor
	git diff --exit-code
	test:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3
	- uses: actions/cache@v3
	with:
	key: 'go-${{ hashFiles(''**/go.sum'') }}'
	path: ~/.cache/go-build ~/go/pkg/mod ./vendor
	- run: >-
	git config --global url.https://me:${{ secrets.GHTOKEN
	}}@github.com/.insteadOf https://github.com/
	- name: Set up Go
	uses: actions/setup-go@v3
	with:
	go-version: '1.18'
	- name: Vendor
	run: make vendor
	- name: test
	run: CONTAINERIZE_BUILD=false make test
	vendor:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3
	- uses: actions/cache@v3
	with:
	key: 'go-${{ hashFiles(''**/go.sum'') }}'
	path: ~/.cache/go-build ~/go/pkg/mod ./vendor
	- run: >-
	git config --global url.https://me:${{ secrets.GHTOKEN
	}}@github.com/.insteadOf https://github.com/
	- name: Set up Go
	uses: actions/setup-go@v3
	with:
	go-version: '1.18'
	- name: Vendor
	run: make vendor
	- name: vendor
	run: make lint
	CONTAINERIZE_BUILD ?= true

	.PHONY: build
	build: $(BINS)

	.PHONY: build-in-container
	build-in-container: $(BIN_DIR)
	@echo "Create builder container..."
	@docker buildx build -q . -t myimage/name:builder --target=builder --secret=type=env,env=GHTOKEN,id=GHTOKEN
	@echo "Copy binaries"
	@docker run --rm \
	-u $$(id -u):$$(id -g) \
	-v $$(pwd)/$(BIN_DIR):/localbins \
	-w /app \
	myimage/name:builder \
	cp -r /app/bin/. /localbins

	$(BINS): $(SRC) go.mod
	ifeq ($(CONTAINERIZE_BUILD),false)
	export GOPRIVATE=github.com/somerepo
	@mkdir -p $(BIN_DIR)/$(word 2,$(subst /, ,$@))/$(word 3,$(subst /, ,$@))
	@echo "building: $@"
	GOARCH=$(word 3,$(subst /, ,$@)) \
	GOOS=$(word 2,$(subst /, ,$@)) \
	GOCACHE=$$(pwd)/.cache \
	GOMODCACHE=$$(pwd)/.gomodcache \
	CGO_ENABLED=0 \
	go build -mod=readonly -o $@ \
	$(LD_FLAGS) \
	./cmd/$(@F)
	else
	@echo "building: $@"
	@$(MAKE) -s build-in-container
	endif