
Make official Docker Hub image build from source

Open pataquets opened this issue 4 years ago • 8 comments

Docker Hub allows you to create Automated Builds from source: https://docs.docker.com/docker-hub/builds/ It also allows you to create different image tags from git tags & branches. By making the image build via an AB, you give the resulting image verifiability and auditability. Also, the build is fully automatic. You can have the latest image tag build from HEAD and individual image tags from git's release tags. Some people avoid non-verifiable (manually uploaded) images due to security & traceability reasons.

Docker search command clearly displays AB:

    $ docker search hacdias
    NAME                        DESCRIPTION                                     STARS               OFFICIAL            AUTOMATED
    hacdias/webdav                                                              0
    hacdias/caddy-plugin-test                                                   0
    hacdias/co20                                                                0
    marvambass/webdav           my forked and dockerized version of github.c…   0                                       [OK]
    gifteryaa/filemanager       https://github.com/hacdias/filemanager          0
    svlentink/filebrowser       The 'official' is not an automated build and…   0                                       [OK]

pataquets avatar Jun 15 '20 18:06 pataquets

@hacdias ping I can help on this, if necessary.

pataquets avatar Jul 15 '20 20:07 pataquets

Hey @pataquets! Sorry for just seeing this now. Yes, if you'd like to contribute, feel free to open a PR. It can probably be done through CircleCI and Goreleaser files. Just ping me to make sure I get a notification :)

hacdias avatar Jul 15 '20 21:07 hacdias

@hacdias I've submitted #48.

pataquets avatar Aug 01 '20 19:08 pataquets

Thanks @pataquets. Closed by #48.

hacdias avatar Aug 02 '20 06:08 hacdias

You're welcome @hacdias. Happy to help. :smile:

However, I think that the issue can't be closed yet. There is still no release on Docker Hub with the new build process and, as per the original post, we could try to figure out an Automated Build where the build process could be traced and audited. All the ABs I've done to date were set up at the image repo creation time by linking the Gh repo. However, I've tried it, and you can have both manually pushed and AB image tags in the same image repo on DH. I'm aware that you've already set up CircleCI, but I can't find any trace or audit log of Docker Hub pushed images.

In any case, I think we should keep the issue open while discussing it, if you don't mind.

pataquets avatar Aug 02 '20 17:08 pataquets

Makes sense. It seems we're only pushing images on release.

hacdias avatar Aug 03 '20 06:08 hacdias

@hacdias Just pinging and also wanted to let you know about the GitHub Container Registry alternative for sorting auditable builds.

pataquets avatar Oct 23 '20 00:10 pataquets

By the way, the PR had to be reverted to fix the release pipeline which resulted in failing builds complaining about files not being available. The error happens because goreleaser creates a temp directory with only the Dockerfile and the binary to make an isolated build. In goreleaser docs it says:

    # If your Dockerfile copies files other than the binary itself,
    # you should list them here as well.
    # Note that goreleaser will create the same structure inside the temporary
    # folder, so if you add `foo/bar.json` here, on your Dockerfile you can
    # `COPY foo/bar.json /whatever.json`.
    # Also note that the paths here are relative to the folder in which
    # goreleaser is being run.
    # This field does not support wildcards, you can add an entire folder here
    # and use wildcards when you `COPY`/`ADD` in your Dockerfile.
    extra_files:
    - config.yml

We can have another attempt at it, but it should be validated that the goreleaser flow works fine.

mohammed90 avatar Oct 24 '20 09:10 mohammed90
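
The failure described in the last comment (goreleaser building the image in a temporary directory that holds only the Dockerfile, the binary and whatever is listed under `extra_files`) can be caught before a release by comparing the Dockerfile's `COPY`/`ADD` sources with that list. This is an added example, not code from the thread or from the webdav or goreleaser projects; the function names and the sample Dockerfile are constructed, and it handles plain `COPY`/`ADD` instructions only (no heredocs or variable substitution).

```python
import fnmatch
import json
import posixpath
import re

# Constructed sample Dockerfile (not the project's real one).
SAMPLE_DOCKERFILE = """\
FROM alpine AS certs
FROM scratch
COPY --from=certs /etc/ssl/certs /etc/ssl/certs
COPY webdav /webdav
COPY --chown=1000:1000 ./config.yml \\
     docs/*.md /etc/webdav/
ADD ["entrypoint.sh", "/entrypoint.sh"]
"""


def copy_sources(dockerfile_text):
    """Build-context paths that COPY/ADD instructions read."""
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile_text)  # join continuations
    sources = []
    for line in text.splitlines():
        m = re.match(r"\s*(?:COPY|ADD)\s+((?:--\S+\s+)*)(.*)$", line, re.I)
        if not m or "--from=" in m.group(1):
            continue  # not COPY/ADD, or copied from another build stage
        rest = m.group(2).strip()
        args = json.loads(rest) if rest.startswith("[") else rest.split()
        sources += [posixpath.normpath(s) for s in args[:-1]
                    if not re.match(r"https?://", s)]  # ADD <url> is remote
    return sources


def missing_from_context(dockerfile_text, binaries, extra_files):
    """Sources absent from a context holding only binaries + extra_files."""
    available = [posixpath.normpath(p) for p in [*binaries, *extra_files]]
    missing = []
    for src in copy_sources(dockerfile_text):
        covered = src == "." or any(
            fnmatch.fnmatchcase(a, src)      # exact or wildcard match
            or src.startswith(a + "/")       # file inside a listed folder
            or a.startswith(src + "/")       # folder containing a listed file
            for a in available)
        if not covered:
            missing.append(src)
    return missing


if __name__ == "__main__":
    print(missing_from_context(SAMPLE_DOCKERFILE, ["webdav"], ["config.yml"]))
```

Run in CI against the real Dockerfile and the `extra_files` list from the goreleaser config, a non-empty result means the isolated build would fail on a missing file.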