chore: move to tagging builds

.gitea/workflows/build.yml

@@ -1,23 +1,42 @@
-on: push
+name: Build Docker Image
+
+on:
+  push:
+    # Only build on tags (like v1.0.0)
+    tags:
+      - "v*"
+
 jobs:
   build-docker:
     runs-on: ubuntu-latest
     container:
       image: catthehacker/ubuntu:act-latest
+
     steps:
+      # 1. Checkout the repo
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      # 2. Set up Docker Buildx
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Login to DockerHub
+      # 3. Log in to your registry
+      - name: Login to Docker registry
         uses: docker/login-action@v3
         with:
           registry: git.comprofix.com
           username: ${{ secrets.REGISTRY_USERNAME }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
-      - name: Build and push
+      # 4. Build and push Docker image
+      - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
           file: ./Dockerfile
           push: true
-          tags: git.comprofix.com/mmckinnon/debian-runner:latest
+          tags: |
+            git.comprofix.com/mmckinnon/debian-runner:latest
+            git.comprofix.com/mmckinnon/debian-runner:${{ github.ref_name }}

Dockerfile

@@ -1,41 +1,55 @@
-# Base image
+# ==============================
-FROM debian:trixie-slim
+# Stage 1: Builder
+# ==============================
+FROM debian:trixie-slim@sha256:c85a2732e97694ea77237c61304b3bb410e0e961dd6ee945997a06c788c545bb AS builder
 
-# Set environment variables (DEBIAN_FRONTEND and LANG)
+# Set environment variables for noninteractive install
 ENV DEBIAN_FRONTEND=noninteractive \
     LANG=C.UTF-8
 
-# Install system dependencies
+# Install build and runtime dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl \
+    python3 python3-venv build-essential \
-    git \
+    curl git bash openssh-client \
-    bash \
+    ruby-full zlib1g-dev libffi-dev libssl-dev ca-certificates \
-    openssh-client \
-    python3 \
-    python3-venv \
-    build-essential \
-    zlib1g-dev \
-    libffi-dev \
-    libssl-dev \
-    ruby-full \
-    ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Node.js 22
+# Install Node.js 22 (latest patch for 22.x)
 RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
     && apt-get install -y nodejs \
     && npm install -g npm \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Jekyll and Bundler
+# Install Ruby gems: Jekyll and Bundler
 RUN gem install bundler jekyll
 
 # Create Python virtual environment for Ansible
 RUN python3 -m venv /opt/venv \
-    && /opt/venv/bin/pip install --no-cache-dir --upgrade pip ansible
+    && /opt/venv/bin/pip install --no-cache-dir --upgrade pip ansible==8.*
 
-# Update PATH globally for all shells/steps
+# ==============================
-ENV PATH=/usr/local/bundle/bin:/opt/venv/bin:$PATH
+# Stage 2: Runtime
+# ==============================
+FROM debian:trixie-slim@sha256:c85a2732e97694ea77237c61304b3bb410e0e961dd6ee945997a06c788c545bb
+
+# Set environment variables
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=C.UTF-8 \
+    PATH=/usr/local/bundle/bin:/opt/venv/bin:$PATH
+
+# Install minimal runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    python3 python3-venv \
+    curl git bash openssh-client \
+    ruby-full ca-certificates \
+    nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy built tools from builder
+COPY --from=builder /opt/venv /opt/venv
+COPY --from=builder /usr/local/bundle /usr/local/bundle
+COPY --from=builder /usr/lib/node_modules /usr/lib/node_modules
+COPY --from=builder /usr/bin/node /usr/bin/node
 
 # Create workspace
 WORKDIR /workspace
@@ -43,3 +57,5 @@ WORKDIR /workspace
 # Default shell
 SHELL ["/bin/bash", "-c"]
 
+# Expose environment for scripts
+ENV PATH="/opt/venv/bin:/usr/local/bundle/bin:$PATH"