Workflows: Refactor docker (#4738)

* Workflows: Rewrite Docker image build process

* Docker: Merge Multi-Arch Manifests

Author: Meo597

.github/docker/Dockerfile

@@ -1,28 +1,61 @@
-# syntax=docker/dockerfile:1
-FROM --platform=$BUILDPLATFORM golang:alpine AS build
+# syntax=docker/dockerfile:latest
+FROM --platform=$BUILDPLATFORM golang:latest AS build
+
+# Build xray-core
 WORKDIR /src
 COPY . .
 ARG TARGETOS
 ARG TARGETARCH
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
-ADD https://github.com/v2fly/geoip/releases/latest/download/geoip.dat /v2fly/geoip.dat
-ADD https://github.com/v2fly/domain-list-community/releases/latest/download/dlc.dat /v2fly/geosite.dat
-ADD https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geoip.dat /loyalsoldier/geoip.dat
-ADD https://github.com/Loyalsoldier/v2ray-rules-dat/releases/latest/download/geosite.dat /loyalsoldier/geosite.dat
-
-# chainguard/static contains only tzdata and ca-certificates, can be built with multiarch static binaries.
-FROM --platform=linux/amd64 chainguard/static:latest
-WORKDIR /var/log/xray
-COPY .github/docker/files/config.json /etc/xray/config.json
-COPY --from=build --chmod=755 /src/xray /usr/bin/xray
-
-USER root
-WORKDIR /root
-VOLUME /etc/xray
-ARG TZ=Asia/Shanghai
+
+# Download geodat into a staging directory
+ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geoip.dat /tmp/geodat/geoip.dat
+ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geosite.dat /tmp/geodat/geosite.dat
+
+RUN mkdir -p /tmp/empty
+
+# Create config files with empty JSON content
+RUN mkdir -p /tmp/usr/local/etc/xray
+RUN cat <<EOF >/tmp/usr/local/etc/xray/00_log.json
+{
+  "log": {
+    "error": "/var/log/xray/error.log",
+    "loglevel": "warning",
+    "access": "none",
+    "dnsLog": false
+  }
+}
+EOF
+RUN echo '{}' >/tmp/usr/local/etc/xray/01_api.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/02_dns.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/03_routing.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/04_policy.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/05_inbounds.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/06_outbounds.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/07_transport.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/08_stats.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/09_reverse.json
+
+# Create log files
+RUN mkdir -p /tmp/var/log/xray && touch \
+  /tmp/var/log/xray/access.log \
+  /tmp/var/log/xray/error.log
+
+# Build finally image
+FROM gcr.io/distroless/static:nonroot
+
+COPY --from=build --chown=0:0 --chmod=755 /src/xray /usr/local/bin/xray
+COPY --from=build --chown=0:0 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
+COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/etc/xray
+COPY --from=build --chown=0:0 --chmod=644 /tmp/usr/local/etc/xray/*.json /usr/local/etc/xray/
+COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /var/log/xray
+COPY --from=build --chown=65532:65532 --chmod=600 /tmp/var/log/xray/*.log /var/log/xray/
+
+VOLUME /usr/local/etc/xray
+VOLUME /var/log/xray
+
+ARG TZ=Etc/UTC
 ENV TZ=$TZ
-ENTRYPOINT [ "/usr/bin/xray" ]
-CMD [ "-confdir", "/etc/xray/" ]
 
-ARG flavor=v2fly
-COPY --from=build --chmod=644 /$flavor /usr/share/xray
+ENTRYPOINT [ "/usr/local/bin/xray" ]
+CMD [ "-confdir", "/usr/local/etc/xray/" ]

.github/docker/Dockerfile.usa

@@ -0,0 +1,70 @@
+# syntax=docker/dockerfile:latest
+FROM --platform=$BUILDPLATFORM golang:latest AS build
+
+# Build xray-core
+WORKDIR /src
+COPY . .
+ARG TARGETOS
+ARG TARGETARCH
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH CGO_ENABLED=0 go build -o xray -trimpath -ldflags "-s -w -buildid=" ./main
+
+# Download geodat into a staging directory
+ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geoip.dat /tmp/geodat/geoip.dat
+ADD https://raw.githubusercontent.com/Loyalsoldier/v2ray-rules-dat/release/geosite.dat /tmp/geodat/geosite.dat
+
+RUN mkdir -p /tmp/empty
+
+# Create config files with empty JSON content
+RUN mkdir -p /tmp/usr/local/etc/xray
+RUN cat <<EOF >/tmp/usr/local/etc/xray/00_log.json
+{
+  "log": {
+    "error": "/var/log/xray/error.log",
+    "loglevel": "warning",
+    "access": "none",
+    "dnsLog": false
+  }
+}
+EOF
+RUN echo '{}' >/tmp/usr/local/etc/xray/01_api.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/02_dns.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/03_routing.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/04_policy.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/05_inbounds.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/06_outbounds.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/07_transport.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/08_stats.json
+RUN echo '{}' >/tmp/usr/local/etc/xray/09_reverse.json
+
+# Create log files
+RUN mkdir -p /tmp/var/log/xray && touch \
+  /tmp/var/log/xray/access.log \
+  /tmp/var/log/xray/error.log
+
+# Build finally image
+# Note on Distroless Base Image and Architecture Support:
+# - The official 'gcr.io/distroless/static' image provided by Google only supports a limited set of architectures for Linux:
+#   - linux/amd64
+#   - linux/arm/v7
+#   - linux/arm64/v8
+#   - linux/ppc64le
+#   - linux/s390x
+# - Upon inspection, the blob contents of the Distroless images across these architectures are nearly identical, with only minor differences in metadata (e.g., 'Architecture' field in the manifest).
+# - Due to this similarity in content, it is feasible to forcibly specify a single platform (e.g., '--platform=linux/amd64') for unsupported architectures, as the core image content remains compatible with statically compiled binaries like Go applications.
+FROM --platform=linux/amd64 gcr.io/distroless/static:nonroot
+
+COPY --from=build --chown=0:0 --chmod=755 /src/xray /usr/local/bin/xray
+COPY --from=build --chown=0:0 --chmod=644 /tmp/geodat/*.dat /usr/local/share/xray/
+COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /usr/local/etc/xray
+COPY --from=build --chown=0:0 --chmod=644 /tmp/usr/local/etc/xray/*.json /usr/local/etc/xray/
+COPY --from=build --chown=0:0 --chmod=755 /tmp/empty /var/log/xray
+COPY --from=build --chown=65532:65532 --chmod=600 /tmp/var/log/xray/*.log /var/log/xray/
+
+VOLUME /usr/local/etc/xray
+VOLUME /var/log/xray
+
+ARG TZ=Etc/UTC
+ENV TZ=$TZ
+
+ENTRYPOINT [ "/usr/local/bin/xray" ]
+CMD [ "-confdir", "/usr/local/etc/xray/" ]

.github/docker/files/config.json

@@ -3,9 +3,6 @@ name: Build docker image
 on:
   release:
     types: [published]
-  push:
-    branches:
-      - main
 
 jobs:
   build-image:
@@ -14,63 +11,81 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@v4
+
       - name: Docker metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository_owner }}/xray-core
           flavor: latest=auto
           tags: |
-            type=sha
-            type=ref,event=branch
-            type=ref,event=pr
             type=semver,pattern={{version}}
-      - name: Docker metadata Loyalsoldier flavor
-        id: loyalsoldier
+
+      - name: Docker metadata (unsupported architectures)
+        id: metausa
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/${{ github.repository_owner }}/xray-core
           flavor: |
             latest=auto
-            suffix=-ls,onlatest=true
+            suffix=-usa,onlatest=true
           tags: |
-            type=sha
-            type=ref,event=branch
-            type=ref,event=pr
             type=semver,pattern={{version}}
+
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
           context: .
           platforms: |
             linux/amd64
-            linux/arm64
-            linux/loong64
-            linux/riscv64
+            linux/arm/v7
+            linux/arm64/v8
+            linux/ppc64le
+            linux/s390x
           provenance: false
           file: .github/docker/Dockerfile
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-      - name: Build and push Loyalsoldier flavor
+
+      - name: Build and push (unsupported architectures)
         uses: docker/build-push-action@v6
         with:
           context: .
           platforms: |
-            linux/amd64
-            linux/arm64
-            linux/loong64
+            linux/386
+            linux/arm/v6
             linux/riscv64
+            linux/loong64
           provenance: false
-          file: .github/docker/Dockerfile
-          build-args: flavor=loyalsoldier
+          file: .github/docker/Dockerfile.usa
           push: true
-          tags: |
-            ${{ steps.loyalsoldier.outputs.tags }}
+          tags: ${{ steps.metausa.outputs.tags }}
+
+      - name: Merge Multi-Arch Manifests
+        run: |
+          echo "Starting to merge multi-architecture manifests..."
+
+          # Convert newlines to spaces and split into array
+          TAGS=($(echo "${{ steps.meta.outputs.tags }}" | tr '\n' ' '))
+
+          echo "Total tags to process: ${#TAGS[@]}"
+          for tag in "${TAGS[@]}"; do
+            echo "Merging tag: $tag with unsupported architectures ($tag-usa)"
+            docker buildx imagetools create --append --tag "$tag" "$tag-usa"
+            if [ $? -ne 0 ]; then
+              echo "Error: Failed to merge $tag-usa into $tag"
+              exit 1
+            fi
+          done
+
+          echo "Multi-architecture manifest merge completed successfully."