Improve Dockerfile reproducibility and add CI build validation#3

Merged: hypnotoad08 merged 5 commits into main from copilot/update-dockerfile-for-reproducibility, Oct 26, 2025

Conversation

Copilot AI commented Oct 26, 2025

Consolidates Dockerfile layers, makes OA version build-time configurable, and adds PR build validation workflow. Also updates the automated update workflow to handle the new Dockerfile format and removes duplicate PR triggers from the publish workflow.

Dockerfile Changes

  • Single-layer build: Merged all RUN commands into one layer with proper cleanup (removes apt lists/temp files in same layer)
  • Build-time version: Added ARG OA_VERSION=4.6.3 and exposed via ENV for runtime access
  • Reproducible builds: Set DEBIAN_FRONTEND=noninteractive, removed apt-get dist-upgrade, added set -eux
  • Minimal dependencies: Used --no-install-recommends for apt installs
  • Preserved COPY command: Kept original COPY /root / format as it works correctly

ARG OA_VERSION=4.6.3
ENV TITLE="OpenAudible" \
    OA_VERSION="${OA_VERSION}" \
    DEBIAN_FRONTEND=noninteractive

RUN set -eux; \
    # ... package installation ...
    wget -q -O /tmp/OpenAudible_${OA_VERSION}_x86_64.sh "https://github.com/..."; \
    chmod +x /tmp/OpenAudible_${OA_VERSION}_x86_64.sh; \
    /tmp/OpenAudible_${OA_VERSION}_x86_64.sh -q; \
    # ... cleanup in same layer ...
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

CI Workflow

Added .github/workflows/docker-build.yml that builds (no push) on PRs to validate Dockerfile changes.

Update Workflow Changes

Updated .github/workflows/update.yml to handle the new ARG OA_VERSION format:

  • Modified version extraction to detect either ARG OA_VERSION= or ENV OA_VERSION= formats
  • Updated sed replacement to specifically target the ARG line
  • Maintains backward compatibility with the old ENV-only format

Publish Workflow Changes

Updated .github/workflows/docker-publish.yml to remove duplicate PR builds:

  • Removed pull_request trigger to avoid duplication with the dedicated docker-build.yml workflow
  • Now only runs on: scheduled builds (daily cron), pushes to main branch, and semver tags
  • Keeps the workflow focused on publishing rather than PR validation

Original prompt

Update the Dockerfile to improve reproducibility, reduce image size, and make the OA version build-time configurable. Changes to implement:

  1. Replace existing Dockerfile contents with a consolidated single-RUN variant that:

    • Adds ARG OA_VERSION with default 4.6.3 and sets OA_VERSION in ENV so it's available at runtime.
    • Sets DEBIAN_FRONTEND=noninteractive to avoid interactive apt prompts.
    • Combines apt-get update and apt-get install in a single RUN, uses --no-install-recommends, and removes apt lists in the same layer.
    • Avoids apt-get dist-upgrade (remove unless necessary).
    • Downloads the OpenAudible installer to /tmp using wget -O, marks it executable, runs it quietly (-q), and removes the installer in the same RUN.
    • Uses set -eux to fail fast and print commands.
    • Uses apt-get purge --auto-remove and apt-get clean during cleanup and removes /var/lib/apt/lists and temp files.
    • Uses a relative COPY path (COPY root/ /root/) instead of COPY /root / to ensure build context resolution.
  2. Add a GitHub Actions workflow that runs on pull_request and builds the Dockerfile using docker/build-push-action (build only, no push) to validate the image builds successfully.

  3. Commit message: "chore(docker): improve Dockerfile and add CI build workflow"

  4. PR title: "Improve Dockerfile and add CI build workflow"

New Dockerfile content (replace file at project root Dockerfile):

FROM ghcr.io/linuxserver/baseimage-kasmvnc:ubuntunoble

LABEL maintainer="hypnotoad08"
ARG OA_VERSION=4.6.3
ENV TITLE="OpenAudible" \
    OA_VERSION="${OA_VERSION}" \
    DEBIAN_FRONTEND=noninteractive

# keep everything in a single RUN to reduce layers and ensure cleanup happens in the same layer
RUN set -eux; \
    # add OpenAudible to openbox menu
    sed -i 's|</applications>|  <application title="OpenAudible" type="normal">\n    <maximized>no</maximized>\n  </application>\n</applications>|' /etc/xdg/openbox/rc.xml; \
    echo "**** update packages ****"; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
      ca-certificates \
      wget \
      thunar \
      software-properties-common \
      libswt-webkit-gtk-4-jni; \
    echo "**** installing OpenAudible ${OA_VERSION} ****"; \
    wget -q -O /tmp/OpenAudible_${OA_VERSION}_x86_64.sh "https://github.com/openaudible/openaudible/releases/download/v${OA_VERSION}/OpenAudible_${OA_VERSION}_x86_64.sh"; \
    chmod +x /tmp/OpenAudible_${OA_VERSION}_x86_64.sh; \
    sh /tmp/OpenAudible_${OA_VERSION}_x86_64.sh -q; \
    rm -f /tmp/OpenAudible_${OA_VERSION}_x86_64.sh; \
    echo "**** cleanup ****"; \
    apt-get purge -y --auto-remove; \
    apt-get clean; \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Copy files from build context. Ensure there's a 'root' directory in the repo (relative path).
COPY root/ /root/

EXPOSE 3000 3001

VOLUME /config

New GitHub Actions workflow (.github/workflows/docker-build.yml):

name: Docker build

on:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build image
        uses: docker/build-push-action@v4
        with:
          context: .
          push: false
          file: ./Dockerfile
          platforms: linux/amd64

Please create a new branch, apply these file changes, and open a pull request. Also include the CI workflow so the PR run will test that the image builds. After creating the PR, run the CI (it will run automatically) and report the build logs and results. If the build fails due to missing packages (e.g., libswt-webkit-gtk-4-jni not available), attempt a fix: either remove that package if not required, or add an alternative package name, and update the PR accordingly. If you cannot run the CI, at least open the PR and provide instructions to the user about how to trigger and view the builds.

Co-authored-by: hypnotoad08 <842086+hypnotoad08@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update Dockerfile for improved reproducibility and reduced image size" to "Improve Dockerfile reproducibility and add CI build validation" Oct 26, 2025
Copilot AI requested a review from hypnotoad08 October 26, 2025 18:46
hypnotoad08 (Owner) commented

@copilot my update script would need to change as well, I believe it updates the dockerfile

Copilot AI (Author) commented Oct 26, 2025

@copilot my update script would need to change as well, I believe it updates the dockerfile

You're absolutely right! I've updated the update.yml workflow to handle the new ARG format. The script now:

  • Extracts version from either ARG OA_VERSION= or ENV OA_VERSION= (whichever comes first)
  • Updates the ARG line specifically with: sed -i "s/^\(ARG OA_VERSION=\)${IMAGE_VERSION}/\1${EXT_RELEASE}/" Dockerfile
  • Maintains backward compatibility with the old ENV-only format

Fixed in commit f789801.
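
The version detection and ARG rewrite described in this reply, as an added shell example that is not the repository's update.yml: two POSIX sh functions that read the current OA_VERSION from a Dockerfile (accepting the ARG form or the legacy ENV form) and rewrite the ARG line, exercised against a constructed Dockerfile fragment. It assumes GNU or BSD sed with -E, and it escapes the version's dots and anchors the pattern at end-of-line so the rewrite only touches the exact current version, which the one-line sed quoted above does not do.

```shell
#!/bin/sh
# Added example, not the repository's update.yml: the two operations that
# workflow performs, written as standalone functions for a Dockerfile path.
set -eu

# Print the current OA_VERSION, accepting the new "ARG OA_VERSION=" line or
# the legacy "ENV OA_VERSION=" line; the first match in file order wins.
# Surrounding quotes are stripped; prints nothing if no such line exists.
oa_current_version() {
  grep -E '^(ARG|ENV) OA_VERSION=' "$1" | head -n 1 \
    | sed -E 's/^(ARG|ENV) OA_VERSION="?([^" \\]+).*$/\2/'
}

# Rewrite "ARG OA_VERSION=<current>" to "ARG OA_VERSION=<new>" and fail if
# the line did not change. Dots in the current version are escaped and the
# pattern is anchored at end-of-line, so 4.6.3 matches neither 4x6x3 nor
# 4.6.30. A temp file plus mv avoids the GNU/BSD difference in sed -i.
oa_bump_arg() {
  file=$1; current=$2; new=$3
  escaped=$(printf '%s' "$current" | sed 's/\./\\./g')
  sed -E "s/^ARG OA_VERSION=$escaped\$/ARG OA_VERSION=$new/" "$file" > "$file.tmp"
  mv "$file.tmp" "$file"
  grep -qxF "ARG OA_VERSION=$new" "$file"
}

# Demo on a constructed Dockerfile fragment; 4.7.0 is a made-up next release.
demo=$(mktemp -d)
cat > "$demo/Dockerfile" <<'EOF'
FROM ghcr.io/linuxserver/baseimage-kasmvnc:ubuntunoble
ARG OA_VERSION=4.6.3
ENV TITLE="OpenAudible" \
    OA_VERSION="${OA_VERSION}" \
    DEBIAN_FRONTEND=noninteractive
EOF
current=$(oa_current_version "$demo/Dockerfile")
echo "current: $current"                                    # current: 4.6.3
oa_bump_arg "$demo/Dockerfile" "$current" 4.7.0
echo "after bump: $(oa_current_version "$demo/Dockerfile")" # after bump: 4.7.0
rm -rf "$demo"
```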

hypnotoad08 (Owner) commented

@copilot ok so I now have an update action to check for new versions of openaudible, a dockerfile build script, and a docker publish script?

Copilot AI (Author) commented Oct 26, 2025

@copilot ok so I now have an update action to check for new versions of openaudible, a dockerfile build script, and a docker publish script?

Yes, exactly! You now have three GitHub Actions workflows:

  1. update.yml - Checks for new OpenAudible versions daily (3 AM UTC) and automatically updates the Dockerfile ARG when found
  2. docker-build.yml - Validates Dockerfile builds on every pull request (build only, no push)
  3. docker-publish.yml - Builds and publishes Docker images to ghcr.io when pushing to main branch or tags

The update workflow will automatically create commits when new versions are detected, which will then trigger the publish workflow to build and push the new image.

hypnotoad08 (Owner) commented

@copilot I don't think changing COPY root/ /root/ from COPY /root / is a great idea if the current copy works correctly

Copilot AI (Author) commented Oct 26, 2025

@copilot I don't think changing COPY root/ /root/ from COPY /root / is a great idea if the current copy works correctly

You're absolutely right - I've reverted the COPY command back to the original COPY /root / format. The original copies from the root/ directory in the build context to the root filesystem of the container (/), while my change would have incorrectly copied to /root/ instead. Reverted in commit e701ad0.

hypnotoad08 (Owner) commented

@copilot doesn't my docker-publish.yml need updating if I am building now in a new action?

Copilot AI (Author) commented Oct 26, 2025

@copilot doesn't my docker-publish.yml need updating if I am building now in a new action?

Good catch! Yes, docker-publish.yml currently runs on pull_request events (lines 15-16), which duplicates the new docker-build.yml. I should remove the pull_request trigger from docker-publish.yml since it's only meant for publishing (scheduled builds, pushes to main, and tags), not PR validation. Would you like me to update it?

hypnotoad08 (Owner) commented

@copilot is the new docker-build action needed then? or is it better practice to have separate actions?

Copilot AI (Author) commented Oct 26, 2025

@copilot is the new docker-build action needed then? or is it better practice to have separate actions?

Having separate actions is better practice. Here's why:

docker-build.yml (PR validation):

  • Runs fast (build only, no push, no signing)
  • Provides quick feedback on PRs
  • No registry credentials needed
  • Can run on any PR, even from forks

docker-publish.yml (production):

  • Pushes to registry
  • Signs images with cosign
  • Requires write permissions
  • Only runs on main/tags

Keeping them separate means faster PR checks and clearer separation of concerns. The alternative would be one workflow with complex conditionals, which is harder to maintain.

hypnotoad08 (Owner) commented

@copilot then my publish needs updating with this PR

Copilot AI (Author) commented Oct 26, 2025

@copilot then my publish needs updating with this PR

Done! Removed the pull_request trigger from docker-publish.yml. Now it only runs on scheduled builds, pushes to main, and tags - keeping it focused on publishing rather than PR validation. Fixed in commit c9f038a.

hypnotoad08 (Owner) commented

@copilot ok so this warning is ok? WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load

Copilot AI (Author) commented Oct 26, 2025

@copilot ok so this warning is ok? WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load...

Yes, that warning is completely fine! It's expected behavior for the PR validation workflow. The docker-build.yml workflow intentionally uses push: false to only validate that the Dockerfile builds correctly without pushing to any registry. The warning just confirms the build result stays in the build cache, which is exactly what we want for PR checks - fast validation without side effects.

hypnotoad08 marked this pull request as ready for review October 26, 2025 19:24
hypnotoad08 merged commit d313514 into main Oct 26, 2025
6 checks passed
hypnotoad08 deleted the copilot/update-dockerfile-for-reproducibility branch October 26, 2025 19:29