ci: single multi-target Dockerfile — slim base-nossl release image, byte-identical binary

.github/workflows/release.yml

@@ -223,7 +223,9 @@ jobs:
         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           context: .
-          file: Dockerfile.release
+          target: prebuilt
+          build-args: |
+            RUNTIME=gcr.io/distroless/base-nossl-debian13:nonroot
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}

Dockerfile

@@ -1,43 +1,49 @@
-# Self-contained image used for local development, docker-compose, and the CI
-# build check. It compiles from source on a glibc toolchain so it matches the
-# released image's runtime (distroless/cc). The published release image is built
-# separately from the prebuilt binaries via Dockerfile.release.
-
-# Build stage (glibc, matches the distroless/cc runtime below)
+# One image, two build paths that share a single runtime definition.
+#
+#   * "source"   (default) — compiles from source. Used for local development,
+#     docker-compose, and the CI build check. Plain cargo binaries dynamically
+#     link libgcc_s.so.1, so this path uses the distroless/cc base (which ships
+#     libgcc).
+#   * "prebuilt"           — COPYs a prebuilt release binary, no compilation, so
+#     the published image is byte-identical to the released binary (single
+#     source of truth). Used by the release pipeline:
+#       --target prebuilt \
+#       --build-arg RUNTIME=gcr.io/distroless/base-nossl-debian13:nonroot
+#     cargo-zigbuild links libgcc statically, so the smaller base-nossl works.
+#
+# buildkit only builds the stages in the requested target's graph, so the
+# release build skips the Rust compile, and `docker build .` never evaluates
+# the prebuilt stage's `COPY bin/`.
+
+ARG RUNTIME=gcr.io/distroless/cc-debian13:nonroot
+
+# --- build stage (used by the "source" path) ---
 FROM rust:1.96-bookworm AS builder
-
-# Cargo features to enable in the build (image supports both backends by default)
 ARG FEATURES="sqlite,postgresql"
-
 WORKDIR /app
-
-# Copy manifests first for better layer caching
 COPY Cargo.toml Cargo.lock ./
-
-# Create a dummy source to cache dependencies
 RUN mkdir src && echo "fn main() {}" > src/main.rs
-
-# Build dependencies (cached unless Cargo.toml/Cargo.lock change)
 RUN cargo build --release --locked --features "${FEATURES}"
-
-# Remove dummy source and build the real binary
 RUN rm -rf src
 COPY src ./src
 RUN cargo build --release --locked --features "${FEATURES}"
 
-# Runtime stage: distroless/cc provides glibc + libgcc + ca-certificates and a
-# non-root user (debian13 / trixie is the current latest). sqlx-postgres is pure
-# Rust and rusqlite bundles SQLite, so no extra system libraries are required.
-FROM gcr.io/distroless/cc-debian13:nonroot
-
-COPY --from=builder /app/target/release/scim-server /usr/local/bin/scim-server
-
+# --- shared runtime definition (settings declared once, here) ---
+FROM ${RUNTIME} AS runtime
 EXPOSE 3000
 WORKDIR /data
 STOPSIGNAL SIGTERM
-
 ENTRYPOINT ["scim-server"]
 # Zero-config demo by default (in-memory SQLite, unauthenticated), bound to all
 # interfaces so a published port is reachable. For real use, mount a config and
 # override the command with `--config /data/config.yaml`.
 CMD ["--host", "0.0.0.0"]
+
+# --- release path: package the exact prebuilt binary (no compilation) ---
+FROM runtime AS prebuilt
+ARG TARGETARCH
+COPY bin/scim-server-${TARGETARCH} /usr/local/bin/scim-server
+
+# --- default path: compile from source ---
+FROM runtime AS source
+COPY --from=builder /app/target/release/scim-server /usr/local/bin/scim-server