ci: single-source glibc image (zigbuild 2.28 + distroless + prebuilt binary)#61
Merged
Make the published container image contain the *exact* binary published as a
release asset (byte-identical), on a stable glibc footing, and make the image
usable out of the box.
Release binaries (release.yml):
- Build the linux binaries with cargo-zigbuild pinned to a glibc 2.28 floor
(RHEL 8 / Debian 10), on the stable `ubuntu-latest` runner. One binary then
runs on every currently-supported distro (RHEL 8/9, Debian 10–13, Ubuntu
20.04+) and on the distroless runtime — independent of the runner's glibc.
`archive` keeps the published asset name free of the `.2.28` suffix.
- The `docker` job no longer compiles: it downloads the just-published linux
binaries and COPYs them into the image (Dockerfile.release). The container
and the downloadable binary are therefore identical. With no RUN steps the
multi-arch image is assembled by COPY alone (no QEMU), in a single job.
Images:
- Dockerfile.release (new): runtime-only, FROM distroless/cc-debian13 (latest,
glibc 2.41), COPY bin/scim-server-${TARGETARCH}.
- Dockerfile: self-contained build for dev/compose/CI switched from
alpine/musl to a glibc toolchain (rust:1.96-bookworm) + distroless/cc-debian13
runtime, so local images match the released runtime.
- Add .dockerignore to shrink the build context.
Usability:
- Default CMD is now `--host 0.0.0.0` → `docker run -p 3000:3000 IMAGE` starts a
zero-config demo (in-memory SQLite, unauthenticated) reachable on the
published port. For real use, mount a config and pass `--config
/data/config.yaml`. docker-compose sets that command explicitly.
Verified locally: self-contained image builds, runs, and serves
ServiceProviderConfig (HTTP 200) bound to 0.0.0.0; Dockerfile.release COPY path
builds and runs.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Release the single-source glibc image and zero-config-demo usability change.
Release-As: 0.4.1
Addresses two issues raised on the release pipeline:
`--config` → crash without a mount; default bind `127.0.0.1` unreachable in a container).

Single source of truth (glibc)
- `cargo-zigbuild`, glibc floor `2.28` (RHEL 8 / Debian 10), on the stable `ubuntu-latest` runner. One binary runs on every currently-supported distro (RHEL 8/9, Debian 10–13, Ubuntu 20.04+) and in the container — independent of the runner's own glibc, so we never have to chase runner OS / glibc versions again. `archive` keeps the published asset names unchanged (no `.2.28` suffix).
- `docker` job no longer compiles. It downloads the just-published linux binaries and COPYs them into the image (`Dockerfile.release`), so the container and the downloadable binary are byte-identical. No RUN steps → the multi-arch image is assembled by COPY alone (no QEMU), in a single fast job.

Images
- `Dockerfile.release` (new): runtime-only, `FROM gcr.io/distroless/cc-debian13:nonroot` (latest distroless, glibc 2.41), `COPY bin/scim-server-${TARGETARCH}`.
- `Dockerfile`: self-contained dev/compose/CI build switched from alpine/musl to a glibc toolchain (rust:1.96-bookworm) + distroless/cc-debian13 runtime, matching the released runtime.
- `.dockerignore` added.

Usability
- `CMD ["--host", "0.0.0.0"]` → `docker run -p 3000:3000 IMAGE` runs a zero-config demo (in-memory SQLite, unauthenticated) reachable on the published port. For real use: `docker-compose.yml` sets `command: ["--config", "/data/config.yaml"]` explicitly.

Verified locally
- scim-server 0.4.0), and serves `ServiceProviderConfig` → HTTP 200 bound to 0.0.0.0 (zero-config). Size 73.6MB.
- `Dockerfile.release` COPY path builds (no compile) and runs.

Not yet exercised in CI
- `cargo-zigbuild` glibc-2.28 compile and the full download→COPY→multi-arch push run for the first time on the next release. I can run a throwaway end-to-end verification first (as we did for the multi-arch change) if you'd like — say the word.

🤖 Generated with Claude Code
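Two checks a reviewer would want to run against a release before trusting the claims in this PR: that the linux binary really stays within the glibc 2.28 floor, and that the binary copied into the image is byte-identical to the published asset. The script below is an added example, not code from the PR or from the scim-server project. It assumes binutils `objdump -T` output as the input for the glibc check, `sha256sum` (or `shasum`) on PATH for the hash comparison, and that the image binary has already been extracted (for instance with `docker create` followed by `docker cp`); the `objdump` sample lines embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not project code): verify two claims from the PR description.
#  (1) the binary's highest required GLIBC_* symbol version is <= the 2.28 floor
#  (2) the binary copied into the image is byte-identical to the release asset
# Assumes `objdump -T` (binutils) output as input for (1) and sha256sum/shasum for (2).

# Print the highest GLIBC_x.y(.z) version referenced in `objdump -T` output on stdin.
# Comparison is on major.minor; GLIBC_PRIVATE and GLIBCXX_* never match the pattern.
max_glibc_version() {
  grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' |
  awk -F. 'BEGIN { ma = -1; mi = -1; best = "" }
           { if ($1+0 > ma || ($1+0 == ma && $2+0 > mi)) { ma = $1+0; mi = $2+0; best = $0 } }
           END { if (best != "") print best }'
}

# usage: objdump -T BIN | glibc_floor_ok 2.28   -> exit 0 iff every symbol is within the floor
glibc_floor_ok() {
  floor=${1:-2.28}
  max=$(max_glibc_version)
  # No versioned glibc symbols at all: not the dynamically linked glibc build we expect (musl/static).
  [ -n "$max" ] || return 1
  awk -v m="$max" -v f="$floor" 'BEGIN {
    split(m, a, "."); split(f, b, ".")
    ok = (a[1]+0 < b[1]+0) || (a[1]+0 == b[1]+0 && a[2]+0 <= b[2]+0)
    exit (ok ? 0 : 1)
  }'
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  else shasum -a 256 "$1" | awk '{ print $1 }'; fi
}

# usage: same_sha256 RELEASE_ASSET EXTRACTED_IMAGE_BINARY  -> exit 0 iff the digests match
same_sha256() {
  a=$(sha256_of "$1") && b=$(sha256_of "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample `objdump -T` lines, in the shape binutils prints them.
# SAMPLE_OK stays at the 2.28 floor; SAMPLE_TOO_NEW pulls in a 2.34 symbol (a typical
# sign of having built on a newer runner without a pinned glibc floor).
SAMPLE_OK=$(cat <<'EOF'
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) malloc
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.28) fcntl64
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.17) clock_gettime
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.14) memcpy
EOF
)
SAMPLE_TOO_NEW=$(cat <<'EOF'
DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.34) __libc_start_main
0000000000000000      DF *UND*  0000000000000000 (GLIBC_2.2.5) malloc
EOF
)

if [ $# -gt 0 ]; then
  # Real use: ./check.sh path/to/scim-server [floor]
  if objdump -T "$1" | glibc_floor_ok "${2:-2.28}"; then
    echo "$1: highest glibc symbol version within floor ${2:-2.28}"
  else
    echo "$1: exceeds glibc floor ${2:-2.28} (or has no versioned glibc symbols)"
  fi
else
  printf '%s\n' "$SAMPLE_OK" | glibc_floor_ok 2.28 && echo "SAMPLE_OK: within 2.28"
  printf '%s\n' "$SAMPLE_TOO_NEW" | glibc_floor_ok 2.28 || echo "SAMPLE_TOO_NEW: exceeds 2.28"
fi
```

Run with no arguments to see the two constructed samples classified; pass a binary path to check a real release asset. For the byte-identical claim, compare the downloaded asset against the file pulled out of the image with `same_sha256`; the distroless runtime has no shell, so the extraction has to happen from the host side.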