refactor: smaller size and multi arch image release

.github/workflows/release.yaml

@@ -8,46 +8,11 @@ on:
 permissions:
   contents: write
 jobs:
-  image-amd64:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version-file: go.mod
-
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: v0.11.2
-          install: true
-
-      # <--- Login, build and push image to Docker Hub --->
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Extract metadata (tags, labels) for Docker
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: kcllang/kcl
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-
-  image-arm64:
+  image:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+      image_url: ${{ steps.hash.outputs.image_url }}
+      image_digest: ${{ steps.hash.outputs.image_digest }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -61,32 +26,40 @@ jobs:
 
       - name: Setup QEMU
         uses: docker/setup-qemu-action@v3
-        with:
-          platforms: all
       - name: Setup Docker Buildx
+        id: buildx
         uses: docker/setup-buildx-action@v3
+      - name: Docker login ghcr.io
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
-          version: v0.11.2
-          install: true
-
-      # <--- Login, build and push image to Docker Hub --->
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+          registry: ghcr.io
+          username: kclbot
+          password: ${{ secrets.DEPLOY_ACCESS_TOKEN }}
+      - name: Docker login docker.io
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-
-      - name: Extract metadata (tags, labels) for Docker
+      - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
-          images: kcllang/kcl-arm64
+          images: |
+            kcllang/kcl
+            ghcr.io/kcl-lang/kcl
+          tags: |
+            type=raw,value=v0.10.6
+
       - name: Build and push Docker image
         uses: docker/build-push-action@v6
         with:
+          sbom: true
+          provenance: true
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
           context: .
-          platforms: linux/arm64
-          push: ${{ github.event_name != 'pull_request' }}
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 

Dockerfile

@@ -13,22 +13,25 @@ ENV CGO_ENABLED=0
 
 RUN --mount=type=cache,target=/go/pkg --mount=type=cache,target=/root/.cache/go-build GOOS=${TARGETOS} GOARCH=${TARGETARCH} make build
 
-FROM --platform=${BUILDPLATFORM} ubuntu:22.04 AS base
-ENV LANG=en_US.utf8
+FROM debian:11-slim AS image
 
-FROM base
+COPY --from=build /src/bin/kcl /usr/local/bin/kcl
+# Verify KCL installation and basic functionality
+RUN kcl version && \
+    echo 'a=1' | kcl run -
 
-ARG TARGETARCH
+# Install git for KCL package management
+# Use best practices for apt-get commands
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git && \
+    rm -rf /var/lib/apt/lists/*
 
-COPY --from=build /src/bin/kcl /usr/local/bin/kcl
-RUN /usr/local/bin/kcl
-RUN apt-get update && apt-get install make gcc git -y && rm -rf /var/lib/apt/lists/*
-# The reason for doing this below is to prevent the
-# container from not having write permissions.
-ENV KCL_LIB_HOME=/tmp
-ENV KCL_PKG_PATH=/tmp
-ENV KCL_CACHE_PATH=/tmp
-# Install the tini
-ENV TINI_VERSION v0.19.0
-ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini-${TARGETARCH} /tini
-RUN chmod +x /tini
+# Configure KCL runtime environment
+# Set temporary directories for write permissions
+ENV KCL_LIB_HOME=/tmp \
+    KCL_PKG_PATH=/tmp \
+    KCL_CACHE_PATH=/tmp \
+    LANG=en_US.utf8
+
+# Switch to non-root user for security
+USER nonroot:nonroot