From 96551ae0bbf02fceb5213254aa50a5fb73a7710e Mon Sep 17 00:00:00 2001
From: Matthew Penner
Date: Thu, 30 May 2024 13:18:57 -0600
Subject: [PATCH] ci: add `caddy` image build workflow

Signed-off-by: Matthew Penner
---
 .github/workflows/caddy.yaml | 63 ++++++++++++++++++++++++++++++++++++
 caddy.Containerfile | 16 +++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 .github/workflows/caddy.yaml
 create mode 100644 caddy.Containerfile

diff --git a/.github/workflows/caddy.yaml b/.github/workflows/caddy.yaml
new file mode 100644
index 0000000..9b4eef9
--- /dev/null
+++ b/.github/workflows/caddy.yaml
@@ -0,0 +1,63 @@
+name: Caddy
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - caddy.Containerfile
+
+jobs:
+  build-image:
+    name: Build Image
+    runs-on: ubuntu-22.04
+    permissions:
+      attestations: write
+      contents: read
+      id-token: write
+      packages: write
+    steps:
+      - name: Code checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          sparse-checkout: |
+            caddy.Containerfile
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push image
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
+        id: push
+        env:
+          # ref; https://docs.docker.com/build/ci/github-actions/reproducible-builds/
+          SOURCE_DATE_EPOCH: 0
+        with:
+          context: .
+          file: ./caddy.Containerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          sbom: true
+          tags: ghcr.io/caddyserver/gateway:caddy-2.8.0
+          build-args: |
+            CADDY_VERSION=2.8.0
+            CADDY_BUILDER_HASH=sha256:93a0320af6e247362974f8606f1659b977b8c4421282682844a197b26b4be924
+            CADDY_HASH=sha256:ccdad842a0f34a8db14fa0671113f9567d65ba3798220539467d235131a3ed63
+
+      - name: Attest
+        uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+        id: attest
+        with:
+          subject-name: ghcr.io/caddyserver/gateway
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true
diff --git a/caddy.Containerfile b/caddy.Containerfile
new file mode 100644
index 0000000..b4f1fb2
--- /dev/null
+++ b/caddy.Containerfile
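Review bot: The `paths` filter under `on.push` lists only `caddy.Containerfile`, so edits to this workflow itself — including the version in `tags:` and the three `build-args` values, which duplicate the Containerfile's ARG defaults — never trigger a build, and the two copies can drift unnoticed (a bumped Containerfile would still be pushed as `caddy-2.8.0`). I'd add `- .github/workflows/caddy.yaml` under `paths:` and keep the version in one place, e.g. a workflow-level `env:` with `CADDY_VERSION: "2.8.0"` referenced from `tags:` and `build-args:`, or drop the duplicated `build-args` and let the Containerfile defaults apply. Small thing: the comment above `SOURCE_DATE_EPOCH` reads `# ref;` — presumably `# ref:`. The digest-pinned actions and the provenance attestation over `steps.push.outputs.digest` look right.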
@@ -0,0 +1,16 @@
+# This Containerfile is used to build Caddy with the additional modules required by Caddy Gateway
+# to function properly.
+
+ARG CADDY_VERSION=2.8.0
+
+ARG CADDY_BUILDER_HASH=sha256:93a0320af6e247362974f8606f1659b977b8c4421282682844a197b26b4be924
+ARG CADDY_HASH=sha256:ccdad842a0f34a8db14fa0671113f9567d65ba3798220539467d235131a3ed63
+
+FROM docker.io/library/caddy:${CADDY_VERSION}-builder@${CADDY_BUILDER_HASH} AS builder
+
+RUN xcaddy build \
+    --with github.com/mholt/caddy-l4@6a8be7c4b8acb0c531b6151c94a9cd80894acce1
+
+FROM docker.io/library/caddy:${CADDY_VERSION}@${CADDY_HASH}
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
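Review bot: The `RUN xcaddy build` line passes no `--output`, so the binary lands wherever the builder stage's working directory happens to be, and the final `COPY --from=builder /usr/bin/caddy` silently depends on that (the official builder image sets `WORKDIR /usr/bin` as far as I know, but nothing here states it). Making the path explicit, `RUN xcaddy build --output /usr/bin/caddy \`, removes the hidden coupling and documents it. Since the workflow builds for `linux/amd64,linux/arm64`, the two `sha256:` ARG digests presumably need to be the multi-arch manifest-list digests rather than a single-platform image digest; a comment above `ARG CADDY_BUILDER_HASH`, e.g. `# Manifest-list digests (multi-arch); update together with CADDY_VERSION`, would save the next person bumping the version a confusing failure. Pinning caddy-l4 to a full commit hash rather than a branch is the right call.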