Container building changes (dani-garcia#3958)

* WIP: Container building changes

* Small updates

- Updated to rust 1.73.0
- Updated crates
- Updated documentation
- Added a bake.sh script to make baking easier

* Update GitHub Actions Workflow

- Updated workflow to use qemu and buildx bake

In the future i would like to extract the alpine based binaries and add
them as artifacts to the release.

* Address review remarks and small updates

- Addressed review remarks
- Added `podman-bake.sh` script to build Vaultwarden with podman
- Updated README
- Updated crates
- Added `VW_VERSION` support
- Added annotations
- Updated web-vault to v2023.9.1

Author: BlackDex

.github/workflows/build.yml

@@ -12,6 +12,7 @@ on:
       - "rustfmt.toml"
       - "diesel.toml"
       - "docker/Dockerfile.j2"
+      - "docker/DockerSettings.yaml"
   pull_request:
     paths:
       - ".github/workflows/build.yml"
@@ -23,6 +24,7 @@ on:
       - "rustfmt.toml"
       - "diesel.toml"
       - "docker/Dockerfile.j2"
+      - "docker/DockerSettings.yaml"
 
 jobs:
   build:
@@ -32,7 +34,6 @@ jobs:
     # This is done globally to prevent rebuilds when the RUSTFLAGS env variable changes.
     env:
       RUSTFLAGS: "-D warnings"
-      CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse
     strategy:
       fail-fast: false
       matrix:
@@ -113,46 +114,46 @@ jobs:
           prefix-key: "v2023.07-rust"
       # End Enable Rust Caching
 
-      # Run cargo tests (In release mode to speed up future builds)
+      # Run cargo tests
       # First test all features together, afterwards test them separately.
       - name: "test features: sqlite,mysql,postgresql,enable_mimalloc"
         id: test_sqlite_mysql_postgresql_mimalloc
         if: $${{ always() }}
         run: |
-          cargo test --release --features sqlite,mysql,postgresql,enable_mimalloc
+          cargo test --features sqlite,mysql,postgresql,enable_mimalloc
 
       - name: "test features: sqlite,mysql,postgresql"
         id: test_sqlite_mysql_postgresql
         if: $${{ always() }}
         run: |
-          cargo test --release --features sqlite,mysql,postgresql
+          cargo test --features sqlite,mysql,postgresql
 
       - name: "test features: sqlite"
         id: test_sqlite
         if: $${{ always() }}
         run: |
-          cargo test --release --features sqlite
+          cargo test --features sqlite
 
       - name: "test features: mysql"
         id: test_mysql
         if: $${{ always() }}
         run: |
-          cargo test --release --features mysql
+          cargo test --features mysql
 
       - name: "test features: postgresql"
         id: test_postgresql
         if: $${{ always() }}
         run: |
-          cargo test --release --features postgresql
+          cargo test --features postgresql
       # End Run cargo tests
 
 
-      # Run cargo clippy, and fail on warnings (In release mode to speed up future builds)
+      # Run cargo clippy, and fail on warnings
       - name: "clippy features: sqlite,mysql,postgresql,enable_mimalloc"
         id: clippy
         if: ${{ always() && matrix.channel == 'rust-toolchain' }}
         run: |
-          cargo clippy --release --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
+          cargo clippy --features sqlite,mysql,postgresql,enable_mimalloc -- -D warnings
       # End Run cargo clippy
 
 
@@ -194,21 +195,3 @@ jobs:
         run: |
           echo "### :tada: Checks Passed!" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
-
-
-      # Build the binary to upload to the artifacts
-      - name: "build features: sqlite,mysql,postgresql"
-        if: ${{ matrix.channel == 'rust-toolchain' }}
-        run: |
-          cargo build --release --features sqlite,mysql,postgresql
-      # End Build the binary
-
-
-      # Upload artifact to Github Actions
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-        if: ${{ matrix.channel == 'rust-toolchain' }}
-        with:
-          name: vaultwarden
-          path: target/release/vaultwarden
-      # End Upload artifact to Github Actions

.github/workflows/hadolint.yml

@@ -16,7 +16,6 @@ jobs:
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       # End Checkout the repo
 
-
       # Download hadolint - https://github.com/hadolint/hadolint/releases
       - name: Download hadolint
         shell: bash
@@ -30,5 +29,5 @@ jobs:
       # Test Dockerfiles
       - name: Run hadolint
         shell: bash
-        run:  git ls-files --exclude='docker/*/Dockerfile*' --ignored --cached | xargs hadolint
+        run: hadolint docker/Dockerfile.{debian,alpine}
       # End Test Dockerfiles

.github/workflows/release.yml

@@ -6,7 +6,6 @@ on:
       - ".github/workflows/release.yml"
       - "src/**"
       - "migrations/**"
-      - "hooks/**"
       - "docker/**"
       - "Cargo.*"
       - "build.rs"
@@ -15,6 +14,7 @@ on:
 
     branches: # Only on paths above
       - main
+      - release-build-revision
 
     tags: # Always, regardless of paths above
       - '*'
@@ -35,23 +35,20 @@ jobs:
         with:
           cancel_others: 'true'
         # Only run this when not creating a tag
-        if: ${{ startsWith(github.ref, 'refs/heads/') }}
+        if: ${{ github.ref_type == 'branch' }}
 
   docker-build:
     runs-on: ubuntu-22.04
     timeout-minutes: 120
     needs: skip_check
-    # Start a local docker registry to be used to generate multi-arch images.
-    services:
-      registry:
-        image: registry:2
-        ports:
-          - 5000:5000
+    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
+    # TODO: Start a local docker registry to be used to extract the final Alpine static build images
+    # services:
+    #   registry:
+    #     image: registry:2
+    #     ports:
+    #       - 5000:5000
     env:
-      # Use BuildKit (https://docs.docker.com/build/buildkit/) for better
-      # build performance and the ability to copy extended file attributes
-      # (e.g., for executable capabilities) across build phases.
-      DOCKER_BUILDKIT: 1
       SOURCE_COMMIT: ${{ github.sha }}
       SOURCE_REPOSITORY_URL: "https://github.com/${{ github.repository }}"
       # The *_REPO variables need to be configured as repository variables
@@ -65,7 +62,6 @@ jobs:
       # QUAY_REPO needs to be 'quay.io/<user>/<repo>'
       # Check for Quay.io credentials in secrets
       HAVE_QUAY_LOGIN: ${{ vars.QUAY_REPO != '' && secrets.QUAY_USERNAME != '' && secrets.QUAY_TOKEN != '' }}
-    if: ${{ needs.skip_check.outputs.should_skip != 'true' && github.repository == 'dani-garcia/vaultwarden' }}
     strategy:
       matrix:
         base_image: ["debian","alpine"]
@@ -77,18 +73,43 @@ jobs:
         with:
           fetch-depth: 0
 
-      # Determine Docker Tag
-      - name: Init Variables
-        id: vars
+      - name: Initialize QEMU binfmt support
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: "arm64,arm"
+
+      # Start Docker Buildx
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        # https://github.com/moby/buildkit/issues/3969
+        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+          driver-opts: |
+            network=host
+
+      # Determine Base Tags and Source Version
+      - name: Determine Base Tags and Source Version
         shell: bash
         run: |
-          # Check which main tag we are going to build determined by github.ref
-          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
-            echo "DOCKER_TAG=${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_OUTPUT}"
-          elif [[ "${{ github.ref }}" == refs/heads/* ]]; then
-            echo "DOCKER_TAG=testing" | tee -a "${GITHUB_OUTPUT}"
+          # Check which main tag we are going to build determined by github.ref_type
+          if [[ "${{ github.ref_type }}" == "tag" ]]; then
+            echo "BASE_TAGS=latest,${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_ENV}"
+          elif [[ "${{ github.ref_type }}" == "branch" ]]; then
+            echo "BASE_TAGS=testing" | tee -a "${GITHUB_ENV}"
+          fi
+
+          # Get the Source Version for this release
+          GIT_EXACT_TAG="$(git describe --tags --abbrev=0 --exact-match 2>/dev/null || true)"
+          if [[ -n "${GIT_EXACT_TAG}" ]]; then
+              echo "SOURCE_VERSION=${GIT_EXACT_TAG}" | tee -a "${GITHUB_ENV}"
+          else
+              GIT_LAST_TAG="$(git describe --tags --abbrev=0)"
+              echo "SOURCE_VERSION=${GIT_LAST_TAG}-${SOURCE_COMMIT:0:8}" | tee -a "${GITHUB_ENV}"
           fi
-      # End Determine Docker Tag
+      # End Determine Base Tags
 
       # Login to Docker Hub
       - name: Login to Docker Hub
@@ -98,6 +119,12 @@ jobs:
           password: ${{ secrets.DOCKERHUB_TOKEN }}
         if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
 
+      - name: Add registry for DockerHub
+        if: ${{ env.HAVE_DOCKERHUB_LOGIN == 'true' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${{ vars.DOCKERHUB_REPO }}" | tee -a "${GITHUB_ENV}"
+
       # Login to GitHub Container Registry
       - name: Login to GitHub Container Registry
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -107,6 +134,12 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
         if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
 
+      - name: Add registry for ghcr.io
+        if: ${{ env.HAVE_GHCR_LOGIN == 'true' }}
+        shell: bash
+        run: |
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.GHCR_REPO }}" | tee -a "${GITHUB_ENV}"
+
       # Login to Quay.io
       - name: Login to Quay.io
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
@@ -116,120 +149,22 @@ jobs:
           password: ${{ secrets.QUAY_TOKEN }}
         if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
 
-      # Debian
-
-      # Docker Hub
-      - name: Build Debian based images (docker.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-
-      - name: Push Debian based images (docker.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-
-      # GitHub Container Registry
-      - name: Build Debian based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      - name: Push Debian based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      # Quay.io
-      - name: Build Debian based images (quay.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }}
-
-      - name: Push Debian based images (quay.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'debian' && env.HAVE_QUAY_LOGIN == 'true' }}
-
-      # Alpine
-
-      # Docker Hub
-      - name: Build Alpine based images (docker.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-
-      - name: Push Alpine based images (docker.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.DOCKERHUB_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_DOCKERHUB_LOGIN == 'true' }}
-
-      # GitHub Container Registry
-      - name: Build Alpine based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      - name: Push Alpine based images (ghcr.io)
-        shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.GHCR_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_GHCR_LOGIN == 'true' }}
-
-      # Quay.io
-      - name: Build Alpine based images (quay.io)
+      - name: Add registry for Quay.io
+        if: ${{ env.HAVE_QUAY_LOGIN == 'true' }}
         shell: bash
-        env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
         run: |
-          ./hooks/build
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }}
+          echo "CONTAINER_REGISTRIES=${CONTAINER_REGISTRIES:+${CONTAINER_REGISTRIES},}${{ vars.QUAY_REPO }}" | tee -a "${GITHUB_ENV}"
 
-      - name: Push Alpine based images (quay.io)
-        shell: bash
+      - name: Bake ${{ matrix.base_image }} containers
+        uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 # v4.0.0
         env:
-          DOCKER_REPO: "${{ vars.QUAY_REPO }}"
-          DOCKER_TAG: "${{steps.vars.outputs.DOCKER_TAG}}-alpine"
-        run: |
-          ./hooks/push
-        if: ${{ matrix.base_image == 'alpine' && env.HAVE_QUAY_LOGIN == 'true' }}
+          BASE_TAGS: "${{ env.BASE_TAGS }}"
+          SOURCE_COMMIT: "${{ env.SOURCE_COMMIT }}"
+          SOURCE_VERSION: "${{ env.SOURCE_VERSION }}"
+          SOURCE_REPOSITORY_URL: "${{ env.SOURCE_REPOSITORY_URL }}"
+          CONTAINER_REGISTRIES: "${{ env.CONTAINER_REGISTRIES }}"
+        with:
+          pull: true
+          push: true
+          files: docker/docker-bake.hcl
+          targets: "${{ matrix.base_image }}-multi"