
[SRE-5664] Create and set up zappi/image-builder Docker image#1

Merged
itskingori merged 10 commits into main from setup-image-builder
Mar 16, 2026

Conversation

@itskingori itskingori commented Mar 16, 2026

Sets up the initial image definition, CI pipelines, and documentation for zappi/image-builder — a purpose-built image for running docker buildx build against remote BuildKit daemons.

Changes

  • Dockerfile — Ubuntu 24.04 image with the Docker CLI, Buildx plugin, and the Amazon ECR credential helper. Runs as a non-root builder user. The Docker CLI config is provided at runtime, not baked in.
  • CI — multi-arch build validation on PRs; build, push to Docker Hub, and GitHub Release on tag push.
  • README — image purpose, bundled components, runtime config expectations, and upstream project links.

Non-goals

  • Baking a registry-specific Docker CLI config into the image.
  • Including git, the aws CLI, or any tooling beyond what docker buildx build requires.

Testing

Verified multi-arch build passes in CI on this PR

[Screenshot attached: 2026-03-16 15:05]

References

Ubuntu 24.04-based image carrying the Docker CLI (29.3.0), Docker
Buildx plugin (0.31.1), and the Amazon ECR credential helper (0.12.0).
Runs as a non-root builder user (UID/GID 1001).

The image is designed for running docker buildx build against remote
BuildKit daemons using the remote driver — no Docker Engine daemon is
needed. ECR authentication is handled by docker-credential-ecr-login
via IRSA; the Docker CLI config (credHelpers) is provided at runtime
rather than baked into the image.

test.yml runs on every PR to main and validates that the image builds
successfully for both linux/amd64 and linux/arm64 using QEMU and
Docker Buildx, without pushing.

release.yml triggers on any tag push. It creates a GitHub Release,
then builds and pushes the multi-arch image to Docker Hub as
zappi/image-builder, and syncs the README to Docker Hub via
peter-evans/dockerhub-description.

Assigns @Intellection/sre as the default owner for all files in the
repository.

Describes the image purpose, bundled components with versions, how
the Docker CLI config is expected to be provided at runtime, and
links to the upstream projects (Docker CLI, Buildx, ECR credential
helper).
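The Dockerfile and README commit messages above state that the Docker CLI config (credHelpers) is supplied at runtime and that builds run against a remote BuildKit daemon. The script below is an added example and not code from the zappi/image-builder repository: it renders the runtime config that delegates ECR auth to docker-credential-ecr-login, refuses a config that carries a static "auths" block, and shows the buildx invocation for the remote driver. The registry host, BuildKit endpoint, builder name and the placeholder "auth" value are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the zappi/image-builder repository: how the Docker CLI
# config that the image leaves out is supplied at runtime, and how a build is then
# run against a remote BuildKit daemon with the remote driver.
# Assumed values (not from the PR): the ECR registry host, the BuildKit endpoint and
# the builder name passed to remote_build.
set -eu

# Render a config.json whose only content is a credHelpers entry: auth for the ECR
# host is delegated to docker-credential-ecr-login, which obtains short-lived tokens
# from the standard AWS credential chain at push/pull time. No "auths" block, so no
# static credential has to exist in the image or on disk.
make_docker_config() {
  printf '{\n  "credHelpers": {\n    "%s": "ecr-login"\n  }\n}\n' "$1"
}

# True (exit 0) when a config carries a static "auths" block, i.e. baked-in credentials.
config_has_static_auths() {
  printf '%s' "$1" | grep -q '"auths"'
}

# Write the config into a private DOCKER_CONFIG directory (0700/0600) created per job
# rather than into $HOME/.docker, and refuse to proceed if static auths somehow ended
# up in it. Prints the path of the written file.
write_docker_config() {
  dir="$1"; registry="$2"
  mkdir -p "$dir"
  chmod 0700 "$dir"
  cfg="$(make_docker_config "$registry")"
  if config_has_static_auths "$cfg"; then
    echo "refusing to write config with static auths" >&2
    return 1
  fi
  printf '%s\n' "$cfg" > "$dir/config.json"
  chmod 0600 "$dir/config.json"
  printf '%s\n' "$dir/config.json"
}

# Constructed counter-example: the shape a baked-in config would have. The "auth"
# value is a placeholder, not a real credential.
BAKED_IN_CONFIG='{"auths":{"123456789012.dkr.ecr.us-east-1.amazonaws.com":{"auth":"PLACEHOLDER"}}}'

# Build and push through a remote BuildKit daemon. Needs the Docker CLI and a
# reachable daemon, so it is only invoked manually, e.g.
#   DOCKER_CONFIG=/tmp/dockercfg remote_build tcp://buildkit:1234 ci-builder \
#     123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0.0
remote_build() {
  buildkit_addr="$1"; builder="$2"; image="$3"
  # The remote driver attaches to an existing BuildKit daemon; no local Docker Engine is needed.
  docker buildx create --name "$builder" --driver remote --use "$buildkit_addr"
  docker buildx build --platform linux/amd64,linux/arm64 --tag "$image" --push .
}
```

Point DOCKER_CONFIG at the directory returned by write_docker_config before running docker; the CLI then looks up credHelpers there and calls docker-credential-ecr-login for the matching host, so the credential never appears in the image, in the config file, or in the build logs.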
@itskingori itskingori changed the title from "Set up image-builder" to "[SRE-5664] Create and set up zappi/image-builder Docker image" on Mar 16, 2026
curl is already required for fetching the Docker apt repository GPG
key. Using it for the ECR credential helper download as well removes
wget as a dependency.
The opening paragraph previously framed the image as ECR-specific.
Widened to describe the general purpose: building and pushing container
images via remote BuildKit daemons.

The credential helper description previously called out IRSA
specifically. Updated to reference the standard AWS credential chain,
which is what the helper actually follows.
Without an explicit WORKDIR, containers start in / which is not
writable by the non-root builder user.
@itskingori itskingori marked this pull request as ready for review March 16, 2026 13:00
All Docker actions (metadata, qemu, buildx, build-push, login) bumped
to their latest major versions. actions/checkout bumped from v4 to v6.
peter-evans/dockerhub-description bumped from v4 to v5.

Replaces the archived actions/create-release@v1 (stuck on Node.js 12,
no longer maintained) with a gh release create shell step.
@itskingori itskingori enabled auto-merge March 16, 2026 13:06
@itskingori itskingori disabled auto-merge March 16, 2026 13:15
The previous wildcard matched any tag, which would trigger a GitHub
Release and Docker Hub push for non-version tags like 'test' or
'experiment'. Restricting to X.Y.Z-shaped tags prevents unintended
releases.
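The commit message above restricts releases to X.Y.Z-shaped tags so that tags like 'test' or 'experiment' no longer trigger a GitHub Release and a Docker Hub push. The following is an added example, not the project's release.yml: a stand-alone shell version of that rule that a job step could run on GITHUB_REF before creating the release or pushing the image. The tag names used are constructed inputs, not tags from the repository.

```shell
#!/bin/sh
# Added example, not the project's release.yml: a stand-alone version of the
# "X.Y.Z-shaped tag" rule, usable as a guard step before a release is created or
# an image pushed. Tag names used in comments are constructed inputs.
set -e

# Accept exactly MAJOR.MINOR.PATCH: digits, two dots, nothing else. Bare words
# such as "test" or "experiment", a "v" prefix, a two-part "1.0" or a suffix
# like "1.0.0-rc1" are all refused.
is_release_tag() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# Turn a full ref (refs/tags/1.2.3, which is what GITHUB_REF carries on a tag push)
# into the bare tag name and fail unless it passes is_release_tag. The output is the
# bare tag, so a job can reuse it as the image tag and the release name.
release_tag_from_ref() {
  case "$1" in
    refs/tags/*) tag="${1#refs/tags/}" ;;
    *) echo "not a tag ref: $1" >&2; return 1 ;;
  esac
  if is_release_tag "$tag"; then
    printf '%s\n' "$tag"
  else
    echo "refusing to release non-version tag '$tag'" >&2
    return 1
  fi
}

# As a job step: `release_tag_from_ref "$GITHUB_REF"` exits non-zero, and so stops
# the job, for anything that is not a version tag, independent of the workflow's
# own tag filter.
```

Running this check inside the job in addition to the workflow's tag filter means a later loosening of the filter cannot silently bring back releases for arbitrary tags; the step fails closed.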
--system sets the default shell to /usr/sbin/nologin, which is
inconsistent with the /bin/bash CMD. The flag's protections (nologin
shell, hidden from login screens) have no practical effect in a
container. Without it, the user gets /bin/bash as its shell by default,
matching the container's intended behaviour.
@itskingori itskingori enabled auto-merge March 16, 2026 13:23
@itskingori itskingori merged commit b17d70d into main Mar 16, 2026
1 check passed
@itskingori itskingori deleted the setup-image-builder branch March 16, 2026 14:47
@itskingori itskingori left a comment


Version 1.0.0 on Docker Hub

