From c1a646a71f1526ba9dfb74c80bf871c65d90de65 Mon Sep 17 00:00:00 2001
From: Jared Lunde <jared.lunde@gmail.com>
Date: Sat, 20 Jun 2026 17:07:28 -0700
Subject: [PATCH] ci: publish beyond-queue server image to ghcr

Multi-stage Dockerfile (build + run on ubuntu:24.04 to match the prod rootfs)
and a tag-triggered workflow that builds amd64+arm64 natively, pushes by digest,
and assembles a multi-arch manifest at ghcr.io/beyondoss/beyond-queue.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .dockerignore                       |  3 ++
 .github/workflows/release-image.yml | 76 +++++++++++++++++++++++++++++
 Dockerfile                          | 30 ++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 .dockerignore
 create mode 100644 .github/workflows/release-image.yml
 create mode 100644 Dockerfile

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..6fa1952
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,3 @@
+target
+**/node_modules
+.git
diff --git a/.github/workflows/release-image.yml b/.github/workflows/release-image.yml
new file mode 100644
index 0000000..d3b91d0
--- /dev/null
+++ b/.github/workflows/release-image.yml
@@ -0,0 +1,76 @@
+name: Release image
+on:
+  push:
+    tags:
+      - api-v*
+permissions:
+  contents: read
+  packages: write
+env:
+  IMAGE: ghcr.io/beyondoss/beyond-queue
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runs-on: ubuntu-latest
+            arch: amd64
+          - runs-on: ubuntu-24.04-arm
+            arch: arm64
+    runs-on: ${{ matrix.runs-on }}
+    steps:
+      - uses: actions/checkout@v6
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/${{ matrix.arch }}
+          outputs: type=image,name=${{ env.IMAGE }},push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha,scope=image-${{ matrix.arch }}
+          cache-to: type=gha,mode=max,scope=image-${{ matrix.arch }}
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      - uses: actions/upload-artifact@v4
+        with:
+          name: digest-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: [build]
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digest-*
+          merge-multiple: true
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Resolve version
+        id: meta
+        run: echo "version=${GITHUB_REF_NAME#api-v}" >> "$GITHUB_OUTPUT"
+      - name: Create manifest list
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create \
+            -t ${{ env.IMAGE }}:${{ steps.meta.outputs.version }} \
+            -t ${{ env.IMAGE }}:latest \
+            $(printf '${{ env.IMAGE }}@sha256:%s ' *)
+      - name: Inspect
+        run: docker buildx imagetools inspect ${{ env.IMAGE }}:${{ steps.meta.outputs.version }}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6cb1428
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,30 @@
+# syntax=docker/dockerfile:1
+# Slim release image for the beyond-queue server, published to
+# ghcr.io/beyondoss/beyond-queue for local-dev / docker-compose use.
+# Built and run on ubuntu:24.04 (noble) to match the production rootfs.
+FROM ubuntu:24.04 AS builder
+ENV DEBIAN_FRONTEND=noninteractive \
+    RUSTUP_HOME=/usr/local/rustup \
+    CARGO_HOME=/usr/local/cargo \
+    PATH=/usr/local/cargo/bin:$PATH
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      build-essential curl ca-certificates clang libclang-dev pkg-config \
+      libssl-dev protobuf-compiler \
+    && rm -rf /var/lib/apt/lists/*
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
+      | sh -s -- -y --default-toolchain 1.92.0 --profile minimal
+WORKDIR /src
+COPY . .
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+    --mount=type=cache,target=/src/target,sharing=locked \
+    cargo build --release --bin beyond-queue \
+    && cp /src/target/release/beyond-queue /usr/local/bin/beyond-queue \
+    && strip /usr/local/bin/beyond-queue
+
+FROM ubuntu:24.04
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      ca-certificates curl openssl \
+    && rm -rf /var/lib/apt/lists/*
+COPY --from=builder /usr/local/bin/beyond-queue /usr/local/bin/beyond-queue
+EXPOSE 4566
+ENTRYPOINT ["/usr/local/bin/beyond-queue", "serve"]