From 65db668e2a7354b79335ad464fd0f9eca9f633be Mon Sep 17 00:00:00 2001 From: mii443 Date: Sun, 25 May 2025 00:10:08 +0900 Subject: [PATCH] update Docker things --- .github/workflows/build.yml | 28 +++++++--------------------- Dockerfile | 34 ++++++++++++++++++++++++++++++---- 2 files changed, 37 insertions(+), 25 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9ac5e8d..688637f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -8,43 +8,29 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 name: Checkout - - uses: docker/metadata-action@v3 + - uses: docker/metadata-action@v4 id: meta with: images: ghcr.io/mii443/ncb-tts-r2 tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} - - uses: docker/login-action@v1 + - uses: docker/login-action@v2 with: registry: ghcr.io username: mii443 password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - with: - platforms: linux/amd64,linux/arm64 + uses: docker/setup-buildx-action@v2 - - name: Cache Docker layers - uses: actions/cache@v4 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - - uses: docker/build-push-action@v2 + - uses: docker/build-push-action@v4 with: context: . push: true platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max - - name: Move cache - run: | - rm -rf /tmp/.buildx-cache - mv /tmp/.buildx-cache-new /tmp/.buildx-cache + cache-from: type=gha + cache-to: type=gha,mode=max diff --git a/Dockerfile b/Dockerfile index 92a4a12..8811900 100644 --- a/Dockerfile +++ b/Dockerfile 
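Review bot: Every action in the hunk is pinned to a mutable major tag (`actions/checkout@v4`, `docker/login-action@v2`, `docker/build-push-action@v4` and the rest) while the same job authenticates to ghcr.io with `secrets.GITHUB_TOKEN` and pushes the image, so a moved tag upstream would run unreviewed code with push access. Pinning each step to a full commit SHA with the version kept in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, removes that dependency on tag integrity, and Dependabot or Renovate can keep the SHAs current. The job's `permissions:` block, if one exists, sits in the first seven lines of the file outside the hunk; if it is absent the token inherits the repository default, and `permissions: { contents: read, packages: write }` on the `build` job would limit it to what checkout, login and push need. The move to `cache-from: type=gha` / `cache-to: type=gha,mode=max` is a clean replacement for the removed local-cache and "Move cache" steps; whether the `linux/arm64` platform still builds depends on a QEMU registration step (for example `docker/setup-qemu-action`) that is not visible in the hunk, so confirm one exists earlier in the workflow.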
@@ -1,5 +1,5 @@ FROM lukemathwalker/cargo-chef:latest-rust-1.82 AS chef -WORKDIR app +WORKDIR /app FROM chef AS planner COPY . . @@ -7,13 +7,39 @@ RUN cargo chef prepare --recipe-path recipe.json FROM chef AS builder COPY --from=planner /app/recipe.json recipe.json -RUN apt-get update && apt-get install -y --no-install-recommends ffmpeg libssl-dev pkg-config libopus-dev gcc && apt-get -y clean +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + ffmpeg \ + libssl-dev \ + pkg-config \ + libopus-dev \ + gcc && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* RUN cargo chef cook --release --recipe-path recipe.json COPY . . RUN cargo build --release FROM ubuntu:22.04 AS runtime WORKDIR /ncb-tts-r2 -RUN apt-get update && apt-get install -y --no-install-recommends openssl ca-certificates ffmpeg libssl-dev libopus-dev && apt-get -y clean -COPY --from=builder /app/target/release/ncb-tts-r2 /usr/local/bin + +# 非rootユーザーの作成 +RUN groupadd -r appgroup && useradd -r -g appgroup appuser + +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + openssl \ + ca-certificates \ + ffmpeg \ + libssl-dev \ + libopus-dev && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + +COPY --from=builder /app/target/release/ncb-tts-r2 /usr/local/bin/ncb-tts-r2 +RUN chmod +x /usr/local/bin/ncb-tts-r2 + +# 非rootユーザーに切り替え +USER appuser + ENTRYPOINT ["/usr/local/bin/ncb-tts-r2"]
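Review bot: The runtime stage still installs the `-dev` header packages (`libssl-dev`, `libopus-dev`) that only the builder stage needs; a runtime image should carry just the shared libraries the binary links against (on ubuntu:22.04 most likely `libssl3` and `libopus0`, to be confirmed with `ldd` on the built `ncb-tts-r2`), which shrinks the image and the set of packages that need patching. Separately, `USER appuser` now takes effect after `WORKDIR /ncb-tts-r2` was created by root, so the process cannot write to its own working directory; if ncb-tts-r2 writes there at runtime (not determinable from the hunk) add `chown appuser:appgroup /ncb-tts-r2` before the `USER` line, otherwise leave it read-only and say so in a comment. The two Japanese comments would serve a wider audience in English, e.g. `# Create an unprivileged user for the runtime stage` and `# Drop root privileges before the entrypoint runs`. The `chmod +x` on the copied binary is very likely a no-op, since cargo emits an executable, and could be dropped.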