feat: distroless docker image (#1131)

Author: topi314

.github/workflows/build.yml

@@ -10,41 +10,30 @@ on:
       - '.github/workflows/docs-pr.yml'
   workflow_call:
     secrets:
+      DOCKER_REGISTRY:
+        required: false
       DOCKER_USERNAME:
         required: false
       DOCKER_TOKEN:
         required: false
-      DOCKER_REGISTRY:
-        required: false
       DOCKER_IMAGE:
         required: false
       MAVEN_USERNAME:
         required: false
       MAVEN_PASSWORD:
         required: false
-      ORG_GRADLE_PROJECT_mavenCentralPassword:
+      MAVEN_CENTRAL_USERNAME:
         required: false
-      ORG_GRADLE_PROJECT_mavenCentralUsername:
+      MAVEN_CENTRAL_PASSWORD:
         required: false
-      ORG_GRADLE_PROJECT_signingInMemoryKey:
+      SIGNING_IN_MEMORY_KEY:
         required: false
-      ORG_GRADLE_PROJECT_signingInMemoryKeyPassword:
+      SIGNING_IN_MEMORY_KEY_PASSWORD:
         required: false
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    env:
-      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
-      DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
-      DOCKER_REGISTRY: ${{ secrets.DOCKER_REGISTRY }}
-      DOCKER_IMAGE: ${{ secrets.DOCKER_IMAGE }}
-      MAVEN_USERNAME: ${{ vars.MAVEN_USERNAME }}
-      MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
-      ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.ORG_GRADLE_PROJECT_MAVENCENTRALPASSWORD }}
-      ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.ORG_GRADLE_PROJECT_MAVENCENTRALUSERNAME }}
-      ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGINMEMORYKEY }}
-      ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGINMEMORYKEYPASSWORD }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -56,56 +45,75 @@ jobs:
           java-version: 17
 
       - name: Setup Gradle
-        uses: gradle/actions/setup-gradle@v3
+        uses: gradle/actions/setup-gradle@v4
 
-      - name: Execute Gradle build
+      - name: Build Lavalink
         run: ./gradlew build
 
-      - name: Execute Gradle build
+      - name: Build Lavalink musl
         run: ./gradlew build -PtargetPlatform=musl
 
       - name: Publish to Maven
-        run: ./gradlew publish -PMAVEN_USERNAME=$MAVEN_USERNAME -PMAVEN_PASSWORD=$MAVEN_PASSWORD
-
-      - name: Upload Artifacts
+        env:
+          ORG_GRADLE_PROJECT_MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
+          ORG_GRADLE_PROJECT_MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
+          ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+          ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+          ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.SIGNING_IN_MEMORY_KEY }}
+          ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.SIGNING_IN_MEMORY_KEY_PASSWORD }}
+        if: |
+          (env.ORG_GRADLE_PROJECT_MAVEN_USERNAME != '' && env.ORG_GRADLE_PROJECT_MAVEN_PASSWORD != '')  || 
+          (env.ORG_GRADLE_PROJECT_mavenCentralUsername != '' && env.ORG_GRADLE_PROJECT_mavenCentralPassword != '' && env.ORG_GRADLE_PROJECT_signingInMemoryKey != '' && env.ORG_GRADLE_PROJECT_signingInMemoryKeyPassword != '')
+        run: ./gradlew publish
+
+      - name: Upload Lavalink.jar
         uses: actions/upload-artifact@v4
         with:
           name: Lavalink.jar
-          path: |
-            LavalinkServer/build/libs/Lavalink.jar
-            LavalinkServer/build/libs/Lavalink-musl.jar
+          path: LavalinkServer/build/libs/Lavalink.jar
 
-      - name: Docker Meta
-        id: meta
-        uses: docker/metadata-action@v5
+      - name: Upload Lavalink-musl.jar
+        uses: actions/upload-artifact@v4
         with:
-          images: |
-            ghcr.io/${{ github.repository }}
-            ${{ env.DOCKER_IMAGE }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha,prefix=
+          name: Lavalink-musl.jar
+          path: LavalinkServer/build/libs/Lavalink-musl.jar
 
-      - name: Docker Meta Alpine
-        id: meta-alpine
-        uses: docker/metadata-action@v5
+  build-docker:
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: Ubuntu
+            dockerfile: LavalinkServer/docker/Dockerfile
+            suffix: ''
+            platforms: linux/amd64,linux/arm/v7,linux/arm64/v8
+          - name: Alpine
+            dockerfile: LavalinkServer/docker/alpine.Dockerfile
+            suffix: '-alpine'
+            platforms: linux/amd64,linux/arm64/v8
+          - name: Distroless
+            dockerfile: LavalinkServer/docker/distroless.Dockerfile
+            suffix: '-distroless'
+            platforms: linux/amd64,linux/arm64/v8
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Download Lavalink.jar
+        if: ${{ matrix.name == 'Ubuntu' || matrix.name == 'Distroless' }}
+        uses: actions/download-artifact@v4
         with:
-          images: |
-            ghcr.io/${{ github.repository }}
-            ${{ env.DOCKER_IMAGE }}
-          flavor: |
-            suffix=-alpine,onlatest=true
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha,prefix=
+          name: Lavalink.jar
+          path: LavalinkServer/build/libs/Lavalink.jar
+
+      - name: Download Lavalink-musl.jar
+        if: ${{ matrix.name == 'Alpine' }}
+        uses: actions/download-artifact@v4
+        with:
+          name: Lavalink-musl.jar
+          path: LavalinkServer/build/libs/Lavalink-musl.jar
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -121,29 +129,41 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Log in to docker registry
-        if: env.DOCKER_USERNAME && env.DOCKER_TOKEN && env.DOCKER_REGISTRY && env.DOCKER_IMAGE
+        env:
+          DOCKER_REGISTRY: ${{ secrets.DOCKER_REGISTRY }}
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
+          DOCKER_IMAGE: ${{ secrets.DOCKER_IMAGE }}
+        if: env.DOCKER_REGISTRY != '' && env.DOCKER_USERNAME != '' && env.DOCKER_TOKEN != '' && env.DOCKER_IMAGE != ''
         uses: docker/login-action@v3
         with:
-          registry: ${{ env.DOCKER_REGISTRY }}
-          username: ${{ env.DOCKER_USERNAME }}
-          password: ${{ env.DOCKER_TOKEN }}
+          registry: ${{ secrets.DOCKER_REGISTRY }}
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
 
-      - name: Build Ubuntu and Push
-        uses: docker/build-push-action@v5
+      - name: Docker Meta ${{ matrix.name }}
+        id: meta
+        uses: docker/metadata-action@v5
         with:
-          file: LavalinkServer/docker/Dockerfile
-          context: .
-          platforms: linux/amd64,linux/arm/v7,linux/arm64/v8
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          images: |
+            ghcr.io/${{ github.repository }}
+            ${{ secrets.DOCKER_IMAGE }}
+          flavor: |
+            suffix=${{ matrix.suffix }},onlatest=true
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,prefix=
 
-      - name: Build Alpine and Push
-        uses: docker/build-push-action@v5
+      - name: Docker Build ${{ matrix.name }} and Push
+        uses: docker/build-push-action@v6
         with:
-          file: LavalinkServer/docker/alpine.Dockerfile
+          file: ${{ matrix.dockerfile }}
           context: .
-          platforms: linux/amd64,linux/arm64/v8
+          platforms: ${{ matrix.platforms }}
           push: true
-          tags: ${{ steps.meta-alpine.outputs.tags }}
-          labels: ${{ steps.meta-alpine.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/docs-pr.yml

@@ -8,8 +8,8 @@ on:
       - '.github/workflows/docs.yml'
 
 concurrency:
-    group: pages-${{ github.ref }}
-    cancel-in-progress: true
+  group: pages-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   deploy:
@@ -33,7 +33,7 @@ jobs:
             mkdocs-material-
       - run: pip install -r requirements.txt
         working-directory: docs
-#      - run: mkdocs build --verbose --strict
+      #      - run: mkdocs build --verbose --strict
       - run: mkdocs build --verbose
         working-directory: docs
       - uses: actions/upload-pages-artifact@v3

.github/workflows/docs.yml

@@ -2,7 +2,7 @@ name: Release
 
 on:
   release:
-    types: [published]
+    types: [ published ]
 
 jobs:
   build:
@@ -12,12 +12,12 @@ jobs:
       DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
       DOCKER_REGISTRY: ${{ secrets.DOCKER_REGISTRY }}
       DOCKER_IMAGE: ${{ secrets.DOCKER_IMAGE }}
-      MAVEN_USERNAME: ${{ vars.MAVEN_USERNAME }}
+      MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
       MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
-      ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.ORG_GRADLE_PROJECT_MAVENCENTRALPASSWORD }}
-      ORG_GRADLE_PROJECT_mavenCentralUsername: ${{ secrets.ORG_GRADLE_PROJECT_MAVENCENTRALUSERNAME }}
-      ORG_GRADLE_PROJECT_signingInMemoryKey: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGINMEMORYKEY }}
-      ORG_GRADLE_PROJECT_signingInMemoryKeyPassword: ${{ secrets.ORG_GRADLE_PROJECT_SIGNINGINMEMORYKEYPASSWORD }}
+      MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+      MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+      SIGNING_IN_MEMORY_KEY: ${{ secrets.SIGNING_IN_MEMORY_KEY }}
+      SIGNING_IN_MEMORY_KEY_PASSWORD: ${{ secrets.SIGNING_IN_MEMORY_KEY_PASSWORD }}
 
   release:
     needs: build
@@ -26,15 +26,20 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Download Artifacts
+      - name: Download Lavalink.jar
         uses: actions/download-artifact@v4
         with:
           name: Lavalink.jar
 
+      - name: Download Lavalink-musl.jar
+        uses: actions/download-artifact@v4
+        with:
+          name: Lavalink-musl.jar
+
       - name: Upload Artifacts to GitHub Release
         uses: ncipollo/release-action@v1
         with:
-          artifacts: Lavalink.jar
+          artifacts: Lavalink.jar,Lavalink-musl.jar
           allowUpdates: true
           omitBodyDuringUpdate: true
           omitDraftDuringUpdate: true

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-FROM azul/zulu-openjdk-alpine:17-jre-headless-latest
+FROM azul/zulu-openjdk-alpine:21-jre-headless-latest
 
 RUN apk add --no-cache libgcc
 

LavalinkServer/docker/alpine.Dockerfile

@@ -0,0 +1,9 @@
+FROM gcr.io/distroless/java21-debian12:nonroot
+
+WORKDIR /opt/Lavalink
+
+COPY LavalinkServer/build/libs/Lavalink.jar Lavalink.jar
+
+ENTRYPOINT ["java", "-jar"]
+
+CMD ["Lavalink.jar"]