Intellection · itskingori · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 16, 2026
@@ -0,0 +1,56 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]+"
+
+env:
+  IMAGE: zappi/image-builder
+
+jobs:
+  github-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Create Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release create "${{ github.ref_name }}" --title "Version ${{ github.ref_name }}"
+  docker-hub-release:
+    needs: github-release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Prepare image metadata
+        id: metadata
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ env.IMAGE }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+      - name: Login to Docker Hub
+        uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+      - name: Build, tag, and push image to Docker Hub
+        uses: docker/build-push-action@v7
+        with:
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          context: .
+          labels: ${{ steps.metadata.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.metadata.outputs.tags }}
+      - name: Update description on Docker Hub
+        uses: peter-evans/dockerhub-description@v5
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+          repository: ${{ env.IMAGE }}
@@ -0,0 +1,35 @@
+name: Test
+
+on:
+  pull_request:
+    branches:
+      - "main"
+
+env:
+  IMAGE: zappi/image-builder
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+      - name: Prepare image metadata
+        id: metadata
+        uses: docker/metadata-action@v6
+        with:
+          images: ${{ env.IMAGE }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+      - name: Test multi-arch building of image
+        uses: docker/build-push-action@v7
+        with:
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          context: .
+          labels: ${{ steps.metadata.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          push: false
+          tags: ${{ steps.metadata.outputs.tags }}
@@ -0,0 +1,10 @@
+# Changelog
+
+## 1.0.0
+
+* Use Ubuntu 24.04 (LTS) as upstream base image.
+* Set up `builder` user and group with UID and GID of `1001`.
+* Install `ca-certificates` and `curl`.
+* Install Docker CLI v`29.3.0`.
+* Install Docker Buildx Plugin v`0.31.1`.
+* Install Amazon ECR Credential Helper v`0.12.0`.
@@ -0,0 +1 @@
+* @Intellection/SRE
@@ -0,0 +1,44 @@
+FROM ubuntu:24.04
+
+SHELL ["/bin/bash", "-c"]
+
+ARG DEBIAN_FRONTEND=noninteractive
+ARG TARGETARCH
+
+RUN apt-get update -y && \
+    apt-get install --no-install-recommends -y \
+        ca-certificates \
+        curl && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Docker
+ARG DOCKER_BUILDX_PLUGIN_VERSION="0.31.1-1"
+ARG DOCKER_CLI_VERSION="5:29.3.0-1"
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc && \
+    chmod a+r /etc/apt/keyrings/docker.asc && \
+    echo "deb [arch=${TARGETARCH} signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable" > /etc/apt/sources.list.d/docker.list && \
+    apt-get update -y && \
+    apt-get install --no-install-recommends -y \
+        docker-buildx-plugin=${DOCKER_BUILDX_PLUGIN_VERSION}~ubuntu.24.04~noble \
+        docker-ce-cli=${DOCKER_CLI_VERSION}~ubuntu.24.04~noble && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# AECH (Amazon ECR Credential Helper)
+ARG AECH_VERSION="0.12.0"
+RUN cd /tmp && \
+    curl -fSL -o "docker-credential-ecr-login" "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login" && \
+    curl -fSL -o "docker-credential-ecr-login.sha256" "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${AECH_VERSION}/linux-${TARGETARCH}/docker-credential-ecr-login.sha256" && \
+    cat "docker-credential-ecr-login.sha256" | sha256sum -c - && \
+    chmod +x "./docker-credential-ecr-login" && \
+    mv "./docker-credential-ecr-login" "/usr/local/bin/docker-credential-ecr-login" && \
+    rm -rf /tmp/*
+
+# Create user
+ARG APP_USER="builder"
+RUN groupadd -g 1001 ${APP_USER} && \
+    useradd --create-home -u 1001 -g 1001 ${APP_USER}
+
+WORKDIR /home/${APP_USER}
+USER ${APP_USER}:${APP_USER}
+CMD ["/bin/bash"]
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Zappi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -1 +1,45 @@
 # Docker Image Builder
+
+A purpose-built image for building and pushing container images via remote [BuildKit](https://github.com/moby/buildkit) daemons. It carries only what is needed for this role — no Docker Engine daemon, no `git`, no build toolchains.
+
+Published to Docker Hub as [`zappi/image-builder`](https://hub.docker.com/r/zappi/image-builder). Built for `linux/amd64` and `linux/arm64`.
+
+## Contents
+
+| Component | Version |
+|-----------|---------|
+| Base image | Ubuntu 24.04 LTS |
+| [Docker CLI](https://github.com/docker/cli) | 29.3.0 |
+| [Docker Buildx plugin](https://github.com/docker/buildx) | 0.31.1 |
+| [Amazon ECR Credential Helper](https://github.com/awslabs/amazon-ecr-credential-helper) | 0.12.0 |
+
+The image runs as a non-root `builder` user (UID/GID `1001`).
+
+## Docker CLI Configuration
+
+No `~/.docker/config.json` is baked into the image. It is expected to be provided at runtime — for example, mounted via a Kubernetes ConfigMap.
+
+### AWS ECR Credential Helper Configuration
+
+The config should wire the ECR credential helper for the registries the builder needs to authenticate with:
+
+```json
+{
+  "credHelpers": {
+    "public.ecr.aws": "ecr-login",
+    "<account-id>.dkr.ecr.<region>.amazonaws.com": "ecr-login"
+  }
+}
+```
+
+The ECR credential helper (`docker-credential-ecr-login`) is already present in the image. It follows the standard [AWS credential chain](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html#credentialProviders), so no static credentials need to be baked into the image.
+
+## Releases
+
+Images are tagged and pushed to Docker Hub on every [GitHub Release](https://github.com/Intellection/docker-image-builder/releases). Tags follow the version in the release (e.g. `zappi/image-builder:1.0.0`).
+
+## References
+
+- [docker/cli](https://github.com/docker/cli)
+- [docker/buildx](https://github.com/docker/buildx)
+- [awslabs/amazon-ecr-credential-helper](https://github.com/awslabs/amazon-ecr-credential-helper)