diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index fdb57fbc5..0a3a7ecd7 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -1,16 +1,16 @@
 ---
 name: Build and Push Docker Image
-
+permissions:
+  contents: read
+  packages: write
 on:
   # Allows you to run workflow manually from Actions tab
   workflow_dispatch:
-    inputs:
-      tags:
-        description: 'Docker Tag'
-        required: true
-        default: 'latest'
   push:
-    branches: [main, master]
+    branches:
+      - main
+      - master
+      - dev/*
     tags:
       - 'v*.*.*'
   # Only build when files in these directories have been changed
@@ -22,7 +22,7 @@ on:
 
 jobs:
   build:
-    if: ${{ !contains(github.event.head_commit.message, 'skip ci') && github.repository == 'advplyr/audiobookshelf' }}
+    if: ${{ !contains(github.event.head_commit.message, 'skip ci') }}
     runs-on: ubuntu-24.04
     steps:
 
@@ -33,10 +33,16 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: advplyr/audiobookshelf,ghcr.io/${{ github.repository_owner }}/audiobookshelf
+          images: |
+            name=${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf,enable=${{ github.ref == 'refs/heads/main' && secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+            name=ghcr.io/${{ github.repository }},enable=true
           tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
             type=edge,branch=master
             type=semver,pattern={{version}}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=sha
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v3
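Review bot: Adding `dev/*` to `push.branches` means every push to a dev branch now runs a job that holds `packages: write` and, through the `type=ref,event=branch` and `type=sha` tags added further down in this file, publishes an image to GHCR for each such push. If dev branches are only meant to be built, not published, either keep the trigger to main/master and release tags or gate the publish step on the ref; the build-push step's `push` input is not visible in this diff, so I cannot tell whether it already does. With the `workflow_dispatch` inputs removed, a manual run on a non-main ref yields only branch and sha tags, which deserves a comment above `workflow_dispatch:` such as `# Manual runs use the same tag rules as push events; no custom tag input`.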
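Review bot: `name=${{ secrets.DOCKERHUB_USERNAME }}/audiobookshelf` puts a secret into the image name, so the metadata action's tag output and every log line that mentions it will be masked as `***/audiobookshelf`, which makes the published tags hard to read and debug. A Docker Hub username is not sensitive; a repository variable (e.g. `${{ vars.DOCKERHUB_USERNAME }}`, constructed name) would keep the name readable while only the token stays in `secrets`. `type=ref,event=pr` has no effect as written because the triggers in this file are `workflow_dispatch` and `push` only; if a `pull_request` trigger is added later, the login and push steps would need a guard so forked PRs cannot publish with the job's `packages: write` scope.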
@@ -54,6 +60,10 @@ jobs:
 
       - name: Login to Dockerhub
         uses: docker/login-action@v3
+        env: # secrets for Docker hub username and token should be in the registry settings if not docker hub push will be skipped.
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME || '' }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN || '' }}
+        if: ${{ github.ref == 'refs/heads/main' && env.DOCKERHUB_USERNAME != '' && env.DOCKERHUB_TOKEN != '' }}
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -62,13 +72,13 @@ jobs:
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GHCR_PASSWORD }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build image
         uses: docker/build-push-action@v6
         with:
-          tags: ${{ github.event.inputs.tags || steps.meta.outputs.tags }}
+          tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           context: .
           platforms: linux/amd64,linux/arm64
diff --git a/Dockerfile b/Dockerfile
index 816bdd3c3..37f1879a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,9 @@
+# globally defining Arguments and Defaults
 ARG NUSQLITE3_DIR="/usr/local/lib/nusqlite3"
 ARG NUSQLITE3_PATH="${NUSQLITE3_DIR}/libnusqlite3.so"
+# default Process user id and group id
+ARG PUID=1000
+ARG PGID=1000
 
 ### STAGE 0: Build client ###
 FROM node:20-alpine AS build-client
@@ -25,7 +29,7 @@ RUN apk add --no-cache --update \
     unzip
 
 WORKDIR /server
-COPY index.js package* /server
+COPY index.js package* /server/
 COPY /server /server/server
 
 RUN case "$TARGETPLATFORM" in \
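Review bot: The new `if:` on the Docker Hub login (and the `enable=` expression on the metadata step in the hunk above) gates publishing on `DOCKERHUB_TOKEN`, but the unchanged `password:` line in this step still uses `secrets.DOCKERHUB_PASSWORD`. A repository that configures only `DOCKERHUB_TOKEN` passes the gate and then fails the login, while one that configures only `DOCKERHUB_PASSWORD` silently skips Docker Hub publishing; pick one secret name and use it in all three places, e.g. `password: ${{ secrets.DOCKERHUB_TOKEN }}`. The long inline comment on `env:` would read better as a line of its own above the key, e.g. `# Docker Hub publishing is skipped unless both secrets are set in the repository settings.`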
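Review bot: Switching the GHCR login to `secrets.GITHUB_TOKEN` is the right move given the `packages: write` permission added at the top of the file, but it leaves the old `GHCR_PASSWORD` secret unused; a long-lived PAT that nothing references should be deleted from the repository settings so it is not sitting there if it is ever exposed. `github.actor` is fine as the username here since GHCR ignores it when the token is the job token, and a one-line comment saying so, e.g. `# GITHUB_TOKEN scoped by the workflow-level permissions; no PAT needed`, would stop the next reader from re-adding one.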
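Review bot: `PUID` and `PGID` are declared as `ARG`, so they only take effect at build time (`docker build --build-arg PUID=...`); anyone used to the `PUID`/`PGID` runtime environment-variable convention will set them on `docker run` and see no effect, because the uid/gid are baked into the image by the `groupmod`/`usermod` calls in a later hunk. The comment on these lines should say this explicitly, e.g. `# Build-time uid/gid of the runtime user; override with --build-arg (these are not runtime env vars)`, and the first comment reads more naturally as `# Global build arguments and their defaults`.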
@@ -45,19 +49,28 @@ FROM node:20-alpine
 
 ARG NUSQLITE3_DIR
 ARG NUSQLITE3_PATH
+ARG PUID
+ARG PGID
 
 # Install only runtime dependencies
 RUN apk add --no-cache --update \
     tzdata \
     ffmpeg \
-    tini
+    tini \
+    shadow \
+    && groupmod -g ${PGID} -n audiobookshelf node\
+    && usermod -u ${PUID} -l audiobookshelf -d /home/audiobookshelf -m node \
+    && apk del shadow \
+    && mkdir -p /config /metadata \
+    && chown -R audiobookshelf:audiobookshelf /config /metadata \
+    && chmod a=rwx /config /metadata
 
 WORKDIR /app
 
 # Copy compiled frontend and server from build stages
-COPY --from=build-client /client/dist /app/client/dist
-COPY --from=build-server /server /app
-COPY --from=build-server ${NUSQLITE3_PATH} ${NUSQLITE3_PATH}
+COPY --chmod=755 --from=build-client /client/dist /app/client/dist
+COPY --chmod=755 --from=build-server /server /app
+COPY --chmod=755 --from=build-server ${NUSQLITE3_PATH} ${NUSQLITE3_PATH}
 
 EXPOSE 80
 
@@ -69,5 +82,6 @@ ENV SOURCE="docker"
 ENV NUSQLITE3_DIR=${NUSQLITE3_DIR}
 ENV NUSQLITE3_PATH=${NUSQLITE3_PATH}
 
+USER audiobookshelf
 ENTRYPOINT ["tini", "--"]
 CMD ["node", "index.js"]
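Review bot: `chmod a=rwx /config /metadata` makes both directories world-writable, which is broader than needed: the preceding `chown -R` already gives the `audiobookshelf` user ownership, and when a volume is mounted over them the image-layer mode is irrelevant anyway, so `chmod 755 /config /metadata` keeps least privilege for anything else that ends up running in the container. The `--chmod=755` on the three `COPY` lines marks every copied file executable, including the `.so` and plain `.js` files; it is harmless because the files stay root-owned and the runtime user cannot modify them, but that intent is worth stating, e.g. `# App files are root-owned and read-only for the runtime user`. Minor: `node\` on the `groupmod` line is missing the space before the continuation backslash; the shell still splits it correctly, but it reads like a typo.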
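Review bot: `USER audiobookshelf` changes who can write existing data, and nothing in the diff handles the upgrade path: the build-time `chown -R` on `/config` and `/metadata` in the hunk above only affects the image layer, so volumes populated by earlier root-running versions of this image remain root-owned and the server will hit permission errors on upgrade unless the operator chowns them or the entrypoint does so before dropping privileges. The image also still exposes port 80; recent Docker releases let an unprivileged process bind it by lowering `net.ipv4.ip_unprivileged_port_start` inside the container, but other runtimes may not, so this should be documented next to `USER`, e.g. `# Runs unprivileged: existing /config and /metadata volumes must be owned by PUID:PGID, and port 80 needs a runtime that permits unprivileged binding`.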