chore: publish docker image to github package (#822)

close https://github.com/cnpm/cnpmcore/issues/821

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Introduced a GitHub Actions workflow to automate building, tagging,
publishing, and attesting Docker images for multiple platforms.

* **Documentation**
* Updated Docker deployment documentation to reflect the new image
repository and usage instructions.

* **Chores**
* Updated Docker build scripts and Dockerfiles for improved image
building and logging.
  * Upgraded the "oxlint" development dependency.
  * Removed the "prepare" script from project scripts.
* Adjusted TypeScript configuration to disable declaration file
generation and exclude test files from compilation.
  * Updated linter configuration to allow additional code patterns.
  * Improved code comments for better linting and error suppression.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

.docker/alpine/Dockerfile

@@ -6,7 +6,7 @@ WORKDIR /usr/src/app
 # Install app dependencies
 COPY . .
 
-RUN chmod +x .docker/build.sh && .docker/build.sh
+RUN .docker/build.sh
 
 ENV NODE_ENV=production \
   EGG_SERVER_ENV=prod \

.docker/build.sh

@@ -1,5 +1,6 @@
 #!/bin/sh
 
+node -v && npm -v
 npm install -g npminstall --registry=https://registry.npmmirror.com \
   && npminstall -c \
   && npm run tsc \

.docker/debian/Dockerfile

@@ -1,4 +1,4 @@
-FROM node:22
+FROM node:22-bookworm-slim
 
 # Create app directory
 WORKDIR /usr/src/app
@@ -6,7 +6,7 @@ WORKDIR /usr/src/app
 # Install app dependencies
 COPY . .
 
-RUN chmod +x .docker/build.sh && .docker/build.sh
+RUN .docker/build.sh
 
 ENV NODE_ENV=production \
   EGG_SERVER_ENV=prod \

.github/workflows/release-image.yml

@@ -0,0 +1,72 @@
+# https://docs.github.com/en/actions/tutorials/publish-packages/publish-docker-images#publishing-images-to-github-packages
+name: Create and publish a Docker image
+
+# Configures this workflow to run manually
+on:
+  workflow_dispatch:
+
+  pull_request:
+    branches: [master]
+
+# Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+# There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      # Uses the `docker/login-action` action to log in to the Container registry registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
+      - name: Log in to the Container registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
+      # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository.
+      # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: .docker/debian/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      # This step generates an artifact attestation for the image, which is a tamper-proof statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).
+      - name: Generate artifact attestation
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

.oxlintrc.json

@@ -69,6 +69,8 @@
     "no-throw-literal": "error",
     "id-length": "allow",
     "arrow-body-style": "allow",
+    "prefer-destructuring": "allow",
+    "new-cap": "allow",
 
     // import
     "import/exports-last": "allow",

app/common/typing.ts

@@ -77,7 +77,8 @@ export interface AuthClient {
 }
 
 declare module 'egg' {
-  // @ts-expect-error avoid TS2310 Type 'EggAppConfig' recursively references itself as a base type.
+  // oxlint-disable-next-line prefer-ts-expect-error ban-ts-comment
+  // @ts-ignore
   interface EggAppConfig {
     cnpmcore: CnpmcoreConfig;
   }

docs/deploy-in-docker.md

@@ -225,11 +225,10 @@ npm login --registry=https://registry.fengmk2.com
 npm whoami --registry=https://registry.fengmk2.com
 ```
 
-## fengmk2/cnpmcore 镜像
+## cnpm/cnpmcore 镜像
 
-https://hub.docker.com/r/fengmk2/cnpmcore
+https://github.com/cnpm/cnpmcore/pkgs/container/cnpmcore
 
 ```bash
-docker pull fengmk2/cnpmcore:latest
-docker pull fengmk2/cnpmcore:latest-alpine
+docker pull ghcr.io/cnpm/cnpmcore:latest
 ```

package.json

@@ -67,8 +67,7 @@
     "images:debian": "docker build -t cnpmcore:latest -f .docker/debian/Dockerfile .",
     "start": "eggctl start --daemon && touch egg.status",
     "start:foreground": "eggctl start",
-    "stop": "rm -f egg.status && sleep 15 && eggctl stop",
-    "prepare": "husky"
+    "stop": "rm -f egg.status && sleep 15 && eggctl stop"
   },
   "repository": {
     "type": "git",
@@ -158,7 +157,7 @@
     "coffee": "^5.4.0",
     "husky": "^9.1.7",
     "lint-staged": "^15.5.0",
-    "oxlint": "^1.9.0",
+    "oxlint": "^1.10.0",
     "prettier": "^3.5.3",
     "typescript": "5"
   },

tsconfig.json

@@ -3,6 +3,8 @@
   "compilerOptions": {
     "target": "ES2021",
     "resolveJsonModule": true,
-    "useUnknownInCatchVariables": false
-  }
+    "useUnknownInCatchVariables": false,
+    "declaration": false
+  },
+  "exclude": ["test"]
 }