
add multi arch docker build (#5808)

* Add multi arch container build

Co-authored-by: EdJoPaTo <rfc-conform-git-commit-email@funny-long-domain-label-everyone-hates-as-it-is-too-long.edjopato.de>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>

* using label from github action

* don't remove static labels and split docker readme in separate action

* pin 3rd party action to a commit

* enable pushing to dockerhub

* Update .github/workflows/build-images.yml

Co-authored-by: EdJoPaTo <github@edjopato.de>

* remove not needed checkout

* set github token permissions

* Update .github/workflows/push-dockerhub-readme.yml

* update docker readme to match new tags

* Apply suggestions from code review

* fix suffix for alpine image

* fix suffix for alpine image

* push images only at upstream repo

* push images only at upstream repo

* push images only at upstream repo

* tag latest-alpine as alpine

* tag latest-alpine as alpine

* remove not needed flavor

* keep flavor for build

* Clean more things

* Rename action
To use the same default name as https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml

* Rename readme action
To use the same default name as https://github.com/peter-evans/dockerhub-description/blob/main/.github/workflows/dockerhub-description.yml

* Use default name for dockerhub-description
https://github.com/peter-evans/dockerhub-description/blob/main/.github/workflows/dockerhub-description.yml
Plus minor wording

* Experiment with build-args

* Debug

* Add checkout back

* Revert back to metadata-action

* Remove quotes in version

* Try to fix variables

* Experiment with automatic label values again

* Delete last Docker Hub hooks

* Use only git SHA for org.opencontainers.image.revision
https://specs.opencontainers.org/image-spec/annotations/#pre-defined-annotation-keys

* Comment out semver for now
Might be enabled later if desired

* Enable major semver

---------

Co-authored-by: EdJoPaTo <rfc-conform-git-commit-email@funny-long-domain-label-everyone-hates-as-it-is-too-long.edjopato.de>
Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Co-authored-by: EdJoPaTo <github@edjopato.de>
Benjamin Reich, 2 years ago
Commit 8f07199777

+ 92 - 0
.github/workflows/docker-publish.yml

@@ -0,0 +1,92 @@
+name: Publish Docker images
+
+on:
+  push:
+    branches:
+      - edge
+  release:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  # packages: write
+
+jobs:
+  build-container-image:
+    name: Build Docker image ${{ matrix.name }}
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - name: Debian
+            file: Docker/Dockerfile
+            flavor: |
+              latest=auto
+            tags: |
+              type=edge,onlatest=false
+              type=semver,pattern={{version}}
+              type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/0.') }}
+            #  type=semver,pattern={{major}}.{{minor}}
+          - name: Alpine
+            file: Docker/Dockerfile-Alpine
+            flavor: |
+              latest=false
+            tags: |
+              type=raw,value=alpine,enable=${{ github.ref == 'refs/heads/latest' || startsWith(github.ref, 'refs/tags/') }}
+              type=edge,suffix=-alpine,onlatest=false
+              type=semver,pattern={{version}}-alpine
+              type=semver,pattern={{major}}-alpine,enable=${{ !startsWith(github.ref, 'refs/tags/0.') }}
+            #  type=semver,pattern={{major}}.{{minor}}-alpine
+    steps:
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Get FreshRSS version
+      run: |
+        FRESHRSS_VERSION=$(sed -n "s/^const FRESHRSS_VERSION = '\(.*\)'.*$/\1/p" constants.php)
+        echo "$FRESHRSS_VERSION"
+        echo "FRESHRSS_VERSION=$FRESHRSS_VERSION" >> $GITHUB_ENV
+
+    - name: Add metadata to Docker images
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        flavor: ${{ matrix.flavor }}
+        images: |
+          docker.io/freshrss/freshrss
+      #     ghcr.io/${{ github.repository }}
+        tags: ${{ matrix.tags }}
+        labels: |
+          org.opencontainers.image.version=${{ env.FRESHRSS_VERSION }}
+
+    - name: Login to Docker Hub
+      if: github.repository_owner == 'FreshRSS'
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+    # - name: Login to GitHub Container Registry
+    #   uses: docker/login-action@v3
+    #   with:
+    #     registry: ghcr.io
+    #     username: ${{ github.repository_owner }}
+    #     password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Build and push Docker images
+      uses: docker/build-push-action@v5
+      with:
+        file: ${{ matrix.file }}
+        platforms: linux/amd64,linux/arm/v7,linux/arm64
+        build-args: |
+          FRESHRSS_VERSION=${{ env.FRESHRSS_VERSION }}
+          SOURCE_COMMIT=${{ github.sha }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        push: ${{ (github.ref == 'refs/heads/latest' || github.ref == 'refs/heads/edge' || startsWith(github.ref, 'refs/tags/')) && github.repository_owner == 'FreshRSS' }}
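
Review bot: The `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/metadata-action@v5`, `docker/login-action@v3` and `docker/build-push-action@v5` steps are referenced by mutable tags in the same job that receives `secrets.DOCKERHUB_USERNAME` and `secrets.DOCKERHUB_TOKEN`, whereas `dockerhub-description.yml` in this change pins its third-party action to a commit SHA. Pin these to full commit SHAs as well, with the version as a trailing comment, so that a moved tag cannot change what runs next to the registry credentials. Separately, `release:` has no `types:` filter, so the workflow starts for every release activity type; `types: [published]` would avoid duplicate builds. The `refs/heads/latest` checks in the Alpine `type=raw,value=alpine` tag and in `push:` can only match through `workflow_dispatch`, because `latest` is not listed under `push.branches`; either add the branch or drop the condition.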

+ 24 - 0
.github/workflows/dockerhub-description.yml

@@ -0,0 +1,24 @@
+name: Update Docker Hub description
+
+on:
+  push:
+    paths:
+      - Docker/README.md
+    branches:
+      - edge
+  workflow_dispatch:
+
+jobs:
+  dockerhub-description:
+    if: github.repository_owner == 'FreshRSS'
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Update repo description
+      uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_PASSWORD }}
+        repository: freshrss/freshrss
+        readme-filepath: Docker/README.md
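
Review bot: A top-level `permissions:` block is missing here, while `docker-publish.yml` restricts the token to `contents: read`; add the same restriction, since the only step that touches the repository is `actions/checkout@v4`. The commit SHA on `peter-evans/dockerhub-description` would be easier to audit and bump with the release version as a trailing comment, and `actions/checkout@v4` is still tag-pinned in a job that holds Docker Hub credentials. It is also worth confirming that `secrets.DOCKERHUB_PASSWORD` is required rather than the `secrets.DOCKERHUB_TOKEN` already used for pushing images, so the account password does not need to be stored at all.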

+ 2 - 0
CHANGELOG.md

@@ -12,6 +12,8 @@
 * Bug fixing
 	* Fix regression in Docker `CRON_MIN` if any environment variable contains a single quote [#5795](https://github.com/FreshRSS/FreshRSS/pull/5795)
 	* Fix JavaScript regression in label dropdown [#5785](https://github.com/FreshRSS/FreshRSS/pull/5785)
+* Deployment
+	* Use GitHub Actions to build Docker images, offering architectures `amd64`, `arm32v7`, `arm64v8` with automatic detection [#5808](https://github.com/FreshRSS/FreshRSS/pull/5808)
 * Misc.
 	* Code improvements [#5511](https://github.com/FreshRSS/FreshRSS/pull/5511)
 	* Update dev dependencies [#5787](https://github.com/FreshRSS/FreshRSS/pull/5787),

+ 1 - 2
Docker/Dockerfile

@@ -20,7 +20,6 @@ COPY . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/sites-available/
 
 ARG FRESHRSS_VERSION
-ARG SOURCE_BRANCH
 ARG SOURCE_COMMIT
 
 LABEL \
@@ -28,7 +27,7 @@ LABEL \
 	org.opencontainers.image.description="A self-hosted RSS feed aggregator" \
 	org.opencontainers.image.documentation="https://freshrss.github.io/FreshRSS/" \
 	org.opencontainers.image.licenses="AGPL-3.0" \
-	org.opencontainers.image.revision="${SOURCE_BRANCH}.${SOURCE_COMMIT}" \
+	org.opencontainers.image.revision="${SOURCE_COMMIT}" \
 	org.opencontainers.image.source="https://github.com/FreshRSS/FreshRSS" \
 	org.opencontainers.image.title="FreshRSS" \
 	org.opencontainers.image.url="https://freshrss.org/" \
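
Review bot: `ARG SOURCE_COMMIT` has no default, so any build that does not pass the build argument now produces an empty `org.opencontainers.image.revision` label. The workflow supplies `SOURCE_COMMIT=${{ github.sha }}`, but a manual or `make build` image would carry no revision, which makes it harder to trace a running container back to a commit. Consider documenting the build argument in the custom-build section of `Docker/README.md`. The same applies to the identical hunks in `Dockerfile-Alpine`, `Dockerfile-Newest` and `Dockerfile-Oldest`.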

+ 1 - 2
Docker/Dockerfile-Alpine

@@ -17,7 +17,6 @@ COPY . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
 
 ARG FRESHRSS_VERSION
-ARG SOURCE_BRANCH
 ARG SOURCE_COMMIT
 
 LABEL \
@@ -25,7 +24,7 @@ LABEL \
 	org.opencontainers.image.description="A self-hosted RSS feed aggregator" \
 	org.opencontainers.image.documentation="https://freshrss.github.io/FreshRSS/" \
 	org.opencontainers.image.licenses="AGPL-3.0" \
-	org.opencontainers.image.revision="${SOURCE_BRANCH}.${SOURCE_COMMIT}" \
+	org.opencontainers.image.revision="${SOURCE_COMMIT}" \
 	org.opencontainers.image.source="https://github.com/FreshRSS/FreshRSS" \
 	org.opencontainers.image.title="FreshRSS" \
 	org.opencontainers.image.url="https://freshrss.org/" \

+ 1 - 2
Docker/Dockerfile-Newest

@@ -18,7 +18,6 @@ COPY . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
 
 ARG FRESHRSS_VERSION
-ARG SOURCE_BRANCH
 ARG SOURCE_COMMIT
 
 LABEL \
@@ -26,7 +25,7 @@ LABEL \
 	org.opencontainers.image.description="A self-hosted RSS feed aggregator" \
 	org.opencontainers.image.documentation="https://freshrss.github.io/FreshRSS/" \
 	org.opencontainers.image.licenses="AGPL-3.0" \
-	org.opencontainers.image.revision="${SOURCE_BRANCH}.${SOURCE_COMMIT}" \
+	org.opencontainers.image.revision="${SOURCE_COMMIT}" \
 	org.opencontainers.image.source="https://github.com/FreshRSS/FreshRSS" \
 	org.opencontainers.image.title="FreshRSS" \
 	org.opencontainers.image.url="https://freshrss.org/" \

+ 1 - 2
Docker/Dockerfile-Oldest

@@ -17,7 +17,6 @@ COPY . /var/www/FreshRSS
 COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
 
 ARG FRESHRSS_VERSION
-ARG SOURCE_BRANCH
 ARG SOURCE_COMMIT
 
 LABEL \
@@ -25,7 +24,7 @@ LABEL \
 	org.opencontainers.image.description="A self-hosted RSS feed aggregator" \
 	org.opencontainers.image.documentation="https://freshrss.github.io/FreshRSS/" \
 	org.opencontainers.image.licenses="AGPL-3.0" \
-	org.opencontainers.image.revision="${SOURCE_BRANCH}.${SOURCE_COMMIT}" \
+	org.opencontainers.image.revision="${SOURCE_COMMIT}" \
 	org.opencontainers.image.source="https://github.com/FreshRSS/FreshRSS" \
 	org.opencontainers.image.title="FreshRSS" \
 	org.opencontainers.image.url="https://freshrss.org/" \

+ 0 - 81
Docker/Dockerfile-QEMU-ARM

@@ -1,81 +0,0 @@
-# Only relevant for Docker Hub or QEMU multi-architecture builds.
-# Prefer the normal `Dockerfile` if you are building manually on the targeted architecture.
-
-FROM arm32v7/debian:12-slim
-
-# Requires ./hooks/*
-COPY ./Docker/qemu-arm-* /usr/bin/
-
-ENV TZ UTC
-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-
-ARG DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && \
-	apt-get install --no-install-recommends -y \
-	ca-certificates cron \
-	apache2 libapache2-mod-php \
-	libapache2-mod-auth-openidc \
-	php-curl php-gmp php-intl php-mbstring php-xml php-zip \
-	php-sqlite3 php-mysql php-pgsql && \
-	rm -rf /var/lib/apt/lists/*
-
-RUN mkdir -p /var/www/FreshRSS/ /run/apache2/
-WORKDIR /var/www/FreshRSS
-
-COPY . /var/www/FreshRSS
-COPY ./Docker/*.Apache.conf /etc/apache2/sites-available/
-
-ARG FRESHRSS_VERSION
-ARG SOURCE_BRANCH
-ARG SOURCE_COMMIT
-
-LABEL \
-	org.opencontainers.image.authors="Alkarex" \
-	org.opencontainers.image.description="A self-hosted RSS feed aggregator" \
-	org.opencontainers.image.documentation="https://freshrss.github.io/FreshRSS/" \
-	org.opencontainers.image.licenses="AGPL-3.0" \
-	org.opencontainers.image.revision="${SOURCE_BRANCH}.${SOURCE_COMMIT}" \
-	org.opencontainers.image.source="https://github.com/FreshRSS/FreshRSS" \
-	org.opencontainers.image.title="FreshRSS" \
-	org.opencontainers.image.url="https://freshrss.org/" \
-	org.opencontainers.image.vendor="FreshRSS" \
-	org.opencontainers.image.version="$FRESHRSS_VERSION"
-
-RUN a2dismod -q -f alias autoindex negotiation status && \
-	a2dismod -q auth_openidc && \
-	a2enmod -q deflate expires headers mime remoteip setenvif && \
-	a2disconf -q '*' && \
-	a2dissite -q '*' && \
-	a2ensite -q 'FreshRSS*'
-
-RUN sed -r -i "/^\s*(CustomLog|ErrorLog|Listen) /s/^/#/" /etc/apache2/apache2.conf && \
-	sed -r -i "/^\s*Listen /s/^/#/" /etc/apache2/ports.conf && \
-	# Disable built-in updates when using Docker, as the full image is supposed to be updated instead.
-	sed -r -i "\\#disable_update#s#^.*#\t'disable_update' => true,#" ./config.default.php && \
-	touch /var/www/FreshRSS/Docker/env.txt && \
-	echo "17,47 * * * * . /var/www/FreshRSS/Docker/env.txt; \
-		su www-data -s /bin/sh -c 'php /var/www/FreshRSS/app/actualize_script.php' \
-		2>> /proc/1/fd/2 > /tmp/FreshRSS.log"  > /etc/crontab.freshrss.default
-
-# Seems needed for arm32v7/ubuntu on Docker Hub
-RUN update-ca-certificates -f
-
-# Useful with the `--squash` build option
-RUN rm /usr/bin/qemu-* /var/www/FreshRSS/Docker/qemu-*
-
-ENV COPY_LOG_TO_SYSLOG On
-ENV COPY_SYSLOG_TO_STDERR On
-ENV CRON_MIN ''
-ENV DATA_PATH ''
-ENV FRESHRSS_ENV ''
-ENV LISTEN ''
-ENV OIDC_ENABLED ''
-ENV TRUSTED_PROXY ''
-
-ENTRYPOINT ["./Docker/entrypoint.sh"]
-
-EXPOSE 80
-# hadolint ignore=DL3025
-CMD ([ -z "$CRON_MIN" ] || cron) && \
-	. /etc/apache2/envvars && \
-	exec apache2 -D FOREGROUND $([ -n "$OIDC_ENABLED" ] && [ "$OIDC_ENABLED" -ne 0 ] && echo '-D OIDC_ENABLED')

+ 7 - 25
Docker/README.md

@@ -66,13 +66,16 @@ The [tags](https://hub.docker.com/r/freshrss/freshrss/tags) correspond to FreshR
 
 * `:latest` (default) is the [latest stable release](https://github.com/FreshRSS/FreshRSS/releases/latest)
 * `:edge` is the rolling release, same than our [git `edge` branch](https://github.com/FreshRSS/FreshRSS/tree/edge)
-* `:x.y.z` are [specific FreshRSS releases](https://github.com/FreshRSS/FreshRSS/releases)
-* `:arm` or `:*-arm` are the ARM `arm32v7` versions (e.g., for Raspberry Pi).
+* `:x.y.z` tags correspond to [specific FreshRSS releases](https://github.com/FreshRSS/FreshRSS/releases), allowing you to target a precise version for deployment
+* `:x.y` tags are tied to a specific major version and minor version number. For example, `:1.23` will automatically receive updates for any `1.23.x` releases, but will not update to `1.24.x`
+* `:x` tags track the latest release within a major version series. For instance, `:1` will update to include any `1.x` releases, but will exclude versions beyond `2.x`
+* `*-alpine` use Linux Alpine as base-image instead of Debian
+* Our Docker images are designed with multi-architecture support, accommodating a variety of Linux platforms including `linux/arm/v7`, `linux/arm64`, and `linux/amd64`.
   * For other platforms, see the [custom build section](#build-custom-docker-image)
 
 ### Linux: Debian vs. Alpine
 
-Our default image is based on [Debian](https://www.debian.org/). We offer an alternative based on [Alpine](https://alpinelinux.org/) (with the `:alpine` or `*-alpine` tag suffix).
+Our default image is based on [Debian](https://www.debian.org/). We offer an alternative based on [Alpine](https://alpinelinux.org/) (with the `*-alpine` tag suffix).
 In [our tests](https://github.com/FreshRSS/FreshRSS/pull/2205) (2019), Alpine was slower,
 while Alpine is smaller on disk (and much faster to build),
 and with newer packages in general (Apache, PHP).
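
Review bot: The new `:x.y` bullet documents a tag that the workflow does not publish: in `docker-publish.yml` both `type=semver,pattern={{major}}.{{minor}}` lines are commented out. Either enable that pattern or drop the bullet until it is enabled, so that nobody pins a deployment to a tag that never receives updates. In the `:x` bullet, "will exclude versions beyond `2.x`" should say that `:1` never moves to `2.x`, and the `enable=` condition in the workflow means no `:0` tag exists for `0.x` releases. The bare `:alpine` tag is still produced by `type=raw,value=alpine` but is no longer mentioned after the edit to the Debian vs. Alpine paragraph.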
@@ -108,7 +111,7 @@ docker rm freshrss_old
 ## Build custom Docker image
 
 Building your own Docker image is especially relevant for platforms not available on our Docker Hub,
-which is currently limited to `x64` (Intel, AMD) and `arm32v7`.
+which is currently limited to `x64` (Intel, AMD), `arm32v7`, `arm64`.
 
 > ℹ️ If you try to run an image for the wrong platform, you might get an error message like *exec format error*.
 
@@ -395,27 +398,6 @@ docker-compose down --remove-orphans --volumes
 
 > ℹ️ You can combine it with `-f docker-compose-db.yml` to spin a PostgreSQL database.
 
-### Docker Compose and ARM64
-
-If you’re working or want to host on an ARM64 system (such as Apple Silicon (M1/M2)) you’ll need to use the `arm` tag in your `docker-compose.yml` file:
-```yaml
-image: freshrss/freshrss:arm
-```
-
-If you then get this error message when running `docker compose up`:
-
-> The requested image’s platform (linux/arm/v7) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
-
-… you will also need to specify the platform in the `service` part:
-
-```yaml
-services:
-  freshrss:
-    image: freshrss/freshrss:arm
-    platform: linux/arm/v7
-    container_name: freshrss
- ```
-
 ## Run in production
 
 For production, it is a good idea to use a reverse proxy on your host server, providing HTTPS.

+ 0 - 21
Docker/hooks/build

@@ -1,21 +0,0 @@
-#!/bin/bash
-
-cd ..
-FRESHRSS_VERSION=$(grep "'FRESHRSS_VERSION'" constants.php | cut -d "'" -f4)
-echo "$FRESHRSS_VERSION"
-
-if [[ $DOCKERFILE_PATH == *-ARM ]]; then
-	#TODO: Add --squash --platform arm options when Docker Hub daemon supports them
-	docker build \
-		--build-arg FRESHRSS_VERSION="$FRESHRSS_VERSION" \
-		--build-arg SOURCE_BRANCH="$SOURCE_BRANCH" \
-		--build-arg SOURCE_COMMIT="$SOURCE_COMMIT" \
-		-f "$DOCKERFILE_PATH" -t "$IMAGE_NAME" .
-else
-	#TODO: Add --squash option when Docker Hub daemon supports it
-	docker build \
-		--build-arg FRESHRSS_VERSION="$FRESHRSS_VERSION" \
-		--build-arg SOURCE_BRANCH="$SOURCE_BRANCH" \
-		--build-arg SOURCE_COMMIT="$SOURCE_COMMIT" \
-		-f "$DOCKERFILE_PATH" -t "$IMAGE_NAME" .
-fi

+ 0 - 4
Docker/hooks/post_checkout

@@ -1,4 +0,0 @@
-#!/bin/bash
-
-mv ../README.md ../README.en.md
-mv README.md ../

+ 0 - 11
Docker/hooks/pre_build

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-if [[ $DOCKERFILE_PATH == *-ARM ]]; then
-	# https://github.com/balena-io/qemu
-	# Download a local copy of QEMU on Docker Hub build machine
-	curl -LSs 'https://github.com/balena-io/qemu/releases/download/v3.0.0%2Bresin/qemu-3.0.0+resin-arm.tar.gz' | tar -xzv --strip-components=1 --wildcards '*/qemu-*'
-
-	# https://github.com/multiarch/qemu-user-static
-	# Register qemu-*-static for all supported processors except the current one, but also remove all registered binfmt_misc before
-	docker run --rm --privileged multiarch/qemu-user-static:register --reset
-fi

+ 0 - 2
Makefile

@@ -21,8 +21,6 @@ endif
 
 ifeq ($(findstring alpine,$(TAG)),alpine)
 	DOCKERFILE=Dockerfile-Alpine
-else ifeq ($(findstring arm,$(TAG)),arm)
-	DOCKERFILE=Dockerfile-QEMU-ARM
 else
 	DOCKERFILE=Dockerfile
 endif

+ 2 - 4
docs/en/developers/02_First_steps.md

@@ -40,7 +40,7 @@ If you’re interested in the configuration, the `make` commands are defined in
 If you need to use a different tag image (default is `alpine`), you can set the `TAG` environment variable:
 
 ```sh
-TAG=arm make start
+TAG=alpine make start
 ```
 
 You can find the full list of available tags [on the Docker hub](https://hub.docker.com/r/freshrss/freshrss/tags).
@@ -49,11 +49,9 @@ If you want to build the Docker image yourself, you can use the following comman
 
 ```sh
 make build
-# or
-TAG=arm make build
 ```
 
-The `TAG` variable can be anything (e.g. `local`). You can target a specific architecture by adding `-alpine` or `-arm` at the end of the tag (e.g. `local-arm`).
+The `TAG` variable can be anything (e.g. `local`). You can target a specific architecture by adding `-alpine` at the end of the tag (e.g. `local-alpine`).
 
 ## Project architecture
 
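
Review bot: In the rewritten last sentence, `-alpine` is described as targeting "a specific architecture", but the Makefile only uses it to select `Dockerfile-Alpine`, which is a base image choice; with `-arm` removed, the sentence should say "base image" instead. In the first hunk, the example `TAG=alpine make start` now shows the value the text itself calls the default, so a non-default tag would illustrate the variable better. Both points apply equally to `docs/fr/developers/01_First_steps.md`.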

+ 2 - 4
docs/fr/developers/01_First_steps.md

@@ -66,7 +66,7 @@ suivante la variable d’environnement `TAG` au moment de l’exécution de la
 commande :
 
 ```sh
-TAG=arm make start
+TAG=alpine make start
 ```
 
 Vous pouvez trouver la liste complète des tags disponibles [sur le hub
@@ -77,13 +77,11 @@ suivante :
 
 ```sh
 make build
-# ou
-TAG=arm make build
 ```
 
 La valeur de la variable `TAG` peut contenir n’importe quelle valeur (par
 exemple `local`). Vous pouvez cibler une architecture spécifique en ajoutant
-`-alpine` ou `-arm` à la fin du tag (par exemple `local-arm`).
+`-alpine` à la fin du tag (par exemple `local-alpine`).
 
 ## Architecture du projet