ci: use pre-built APK in Docker image instead of compiling from source

.gitea/workflows/apk-publish.yml

@@ -1,68 +0,0 @@
-name: Build and Publish APK Package
-on:
-  push:
-    tags:
-      - 'v*'
-
-jobs:
-  build-apk:
-    runs-on:
-      - ubuntu-24.04
-    container:
-      image: alpine:latest
-    strategy:
-      matrix:
-        include:
-          - goarch: amd64
-            pkgarch: x86_64
-          - goarch: arm64
-            pkgarch: aarch64
-    steps:
-      - name: Install build dependencies
-        run: |
-          apk update
-          apk add --no-cache git nodejs go abuild curl sudo build-base
-
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Create build user
-        run: |
-          adduser -D -G abuild build
-          echo "build ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
-          chown -R build:abuild .
-
-      - name: Configure git safe directory
-        run: git config --global --add safe.directory "$PWD"
-
-      - name: Setup abuild for package signing
-        run: |
-          su build -c "abuild-keygen -a -n"
-          cp /home/build/.abuild/*.pub /etc/apk/keys/
-
-      - name: Prepare source
-        run: |
-          pkgver=$(echo "${{ github.ref_name }}" | sed 's/^v//')
-          pkgname="axolotl"
-
-          sed -i "s/pkgver=.*/pkgver=$pkgver/" packaging/alpine/APKBUILD
-          sed -i "s/^arch=.*/arch=\"${{ matrix.pkgarch }}\"/" packaging/alpine/APKBUILD
-
-          git archive --format=tar.gz --prefix="$pkgname-$pkgver/" -o "packaging/alpine/$pkgname-$pkgver.tar.gz" HEAD
-
-          sed -i "s|source=.*|source=\"\$pkgname-\$pkgver.tar.gz\"|" packaging/alpine/APKBUILD
-          chown -R build:abuild .
-
-      - name: Generate checksums
-        run: su build -c "cd $PWD/packaging/alpine && abuild checksum"
-
-      - name: Build package
-        run: su build -c "cd $PWD/packaging/alpine && GOARCH=${{ matrix.goarch }} CARCH=${{ matrix.pkgarch }} abuild -r"
-
-      - name: Publish to Gitea Registry
-        run: |
-          apk_file=$(find ~build/packages -name "*.apk" -type f | head -1)
-          curl --fail-with-body \
-            --user "${{ github.repository_owner }}:${{ secrets.ACCESS_TOKEN }}" \
-            --upload-file "$apk_file" \
-            "${{ github.server_url }}/api/packages/${{ github.repository_owner }}/alpine/edge/main"

.gitea/workflows/docker-build.yml

@@ -1,15 +1,81 @@
-name: Build and Push Docker Container
+name: Build and Publish Docker Image
 on:
   push:
     tags:
       - 'v*'
 
 jobs:
-  build-and-push:
+  build-apk:
+    runs-on:
+      - ubuntu-24.04
+    container:
+      image: alpine:latest
+    strategy:
+      matrix:
+        include:
+          - goarch: amd64
+            pkgarch: x86_64
+          - goarch: arm64
+            pkgarch: aarch64
+    steps:
+      - name: Install build dependencies
+        run: |
+          apk update
+          apk add --no-cache git nodejs go abuild curl sudo build-base
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Create build user
+        run: |
+          adduser -D -G abuild build
+          echo "build ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+          chown -R build:abuild .
+
+      - name: Configure git safe directory
+        run: git config --global --add safe.directory "$PWD"
+
+      - name: Setup abuild for package signing
+        run: |
+          su build -c "abuild-keygen -a -n"
+          cp /home/build/.abuild/*.pub /etc/apk/keys/
+
+      - name: Prepare source
+        run: |
+          pkgver=$(echo "${{ github.ref_name }}" | sed 's/^v//')
+          pkgname="axolotl"
+
+          sed -i "s/pkgver=.*/pkgver=$pkgver/" packaging/alpine/APKBUILD
+          sed -i "s/^arch=.*/arch=\"${{ matrix.pkgarch }}\"/" packaging/alpine/APKBUILD
+
+          git archive --format=tar.gz --prefix="$pkgname-$pkgver/" -o "packaging/alpine/$pkgname-$pkgver.tar.gz" HEAD
+
+          sed -i "s|source=.*|source=\"\$pkgname-\$pkgver.tar.gz\"|" packaging/alpine/APKBUILD
+          chown -R build:abuild .
+
+      - name: Generate checksums
+        run: su build -c "cd $PWD/packaging/alpine && abuild checksum"
+
+      - name: Build package
+        run: su build -c "cd $PWD/packaging/alpine && GOARCH=${{ matrix.goarch }} CARCH=${{ matrix.pkgarch }} abuild -r"
+
+      - name: Publish to Gitea Registry
+        run: |
+          apk_file=$(find ~build/packages -name "*.apk" -type f | head -1)
+          curl --fail-with-body \
+            --user "${{ github.repository_owner }}:${{ secrets.ACCESS_TOKEN }}" \
+            --upload-file "$apk_file" \
+            "${{ github.server_url }}/api/packages/${{ github.repository_owner }}/alpine/edge/main"
+
+  build-and-push-docker:
+    needs: build-apk
     runs-on:
       - ubuntu-24.04
     steps:
-      - name: Login to Docker Hub
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Login to Docker Registry
         uses: docker/login-action@v3
         with:
           registry: g.eliaskohout.de
@@ -22,9 +88,18 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Extract version
+        id: version
+        run: |
+          VERSION=$(echo "${{ github.ref_name }}" | sed 's/^v//')
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
+          context: .
           push: true
           platforms: linux/amd64,linux/arm64
+          build-args: |
+            VERSION=${{ steps.version.outputs.version }}
           tags: "g.eliaskohout.de/eliaskohout/axolotl-server:${{gitea.ref_name}},g.eliaskohout.de/eliaskohout/axolotl-server:latest"

Dockerfile

@@ -1,25 +1,15 @@
-FROM golang:1.25-alpine AS builder
-
-WORKDIR /app
-
-ENV GOTOOLCHAIN=local
-
-COPY src/go.mod src/go.sum ./
-RUN go mod download
-
-COPY src/ ./
-
-RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
-    go build -ldflags="-s -w" -trimpath -o /ax .
-
 FROM alpine:latest
 
-RUN apk --no-cache add ca-certificates
+ARG VERSION
+ARG TARGETARCH
+
+RUN apk --no-cache add ca-certificates && \
+    ARCH=$([ "$TARGETARCH" = "arm64" ] && echo aarch64 || echo x86_64) && \
+    wget -q "https://g.eliaskohout.de/api/packages/eliaskohout/alpine/edge/main/${ARCH}/axolotl-${VERSION}-r0.apk" \
+      -O /tmp/axolotl.apk && \
+    apk add --no-cache --allow-untrusted /tmp/axolotl.apk && \
+    rm /tmp/axolotl.apk
 
 WORKDIR /data
-
-COPY --from=builder /ax /usr/local/bin/ax
-
 EXPOSE 7000
-
 ENTRYPOINT ["ax", "serve"]

src/serve/auth.go

@@ -173,7 +173,9 @@ func (h *authHandler) deviceStart(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	da, err := h.oauth2.DeviceAuth(r.Context())
+	da, err := h.oauth2.DeviceAuth(r.Context(),
+		oauth2.SetAuthURLParam("client_secret", h.cfg.ClientSecret),
+	)
 	if err != nil {
 		writeError(w, http.StatusBadGateway, "device authorization request failed: "+err.Error())
 		return