fix: restore multi-stage Dockerfiles, use cameleer-docker-builder

Follow cameleer3-server CI pattern: docker job uses cameleer-docker-builder:1 (has Docker CLI), Dockerfiles contain multi-stage builds (self-contained, no external toolchain needed). - Dockerfile: restore frontend + maven + runtime stages - ui/sign-in/Dockerfile: add node build stage + Logto base - ci.yml: docker job reverts to cameleer-docker-builder:1, passes REGISTRY_TOKEN as build-arg, adds build cache Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-06 15:51:59 +02:00
parent ad97a552f6
commit 3fcbc431fb
3 changed files with 52 additions and 36 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -56,19 +56,16 @@ jobs:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    container:
-      image: gitea.siegeln.net/cameleer/cameleer-build:1
+      image: gitea.siegeln.net/cameleer/cameleer-docker-builder:1
      credentials:
        username: cameleer
        password: ${{ secrets.REGISTRY_TOKEN }}
    steps:
-      - uses: actions/checkout@v4
-
-      - name: Cache Maven dependencies
-        uses: actions/cache@v4
-        with:
-          path: ~/.m2/repository
-          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-maven-
+      - name: Checkout
+        run: |
+          git clone --depth=1 --branch=${GITHUB_REF_NAME} https://cameleer:${REGISTRY_TOKEN}@gitea.siegeln.net/${GITHUB_REPOSITORY}.git .
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

      - name: Login to registry
        run: echo "$REGISTRY_TOKEN" | docker login gitea.siegeln.net -u cameleer --password-stdin
@@ -92,42 +89,25 @@ jobs:
            echo "IMAGE_TAGS=branch-$SLUG" >> "$GITHUB_ENV"
          fi

-      - name: Build SaaS frontend
-        run: |
-          cd ui
-          echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
-          npm ci
-          npm run build
-          cp -r dist/ ../src/main/resources/static/
-        env:
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Build SaaS JAR
-        run: mvn package -DskipTests -B
-
-      - name: Build sign-in UI
-        run: |
-          cd ui/sign-in
-          echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc
-          npm ci
-          npm run build
-        env:
-          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
-
-      - name: Set up Docker buildx
-        run: |
-          docker buildx create --use --name cibuilder 2>/dev/null || true
+      - name: Set up QEMU for cross-platform builds
+        run: docker run --rm --privileged gitea.siegeln.net/cameleer/binfmt:1 --install all

      - name: Build and push SaaS image
        run: |
+          docker buildx create --use --name cibuilder
          TAGS="-t gitea.siegeln.net/cameleer/cameleer-saas:${{ github.sha }}"
          for TAG in $IMAGE_TAGS; do
            TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-saas:$TAG"
          done
          docker buildx build --platform linux/amd64 \
+            --build-arg REGISTRY_TOKEN="$REGISTRY_TOKEN" \
            $TAGS \
+            --cache-from type=registry,ref=gitea.siegeln.net/cameleer/cameleer-saas:buildcache \
+            --cache-to type=registry,ref=gitea.siegeln.net/cameleer/cameleer-saas:buildcache,mode=max \
            --provenance=false \
            --push .
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

      - name: Build and push Logto image
        run: |
@@ -136,7 +116,12 @@ jobs:
            TAGS="$TAGS -t gitea.siegeln.net/cameleer/cameleer-logto:$TAG"
          done
          docker buildx build --platform linux/amd64 \
+            --build-arg REGISTRY_TOKEN="$REGISTRY_TOKEN" \
            -f ui/sign-in/Dockerfile \
            $TAGS \
+            --cache-from type=registry,ref=gitea.siegeln.net/cameleer/cameleer-logto:buildcache \
+            --cache-to type=registry,ref=gitea.siegeln.net/cameleer/cameleer-logto:buildcache,mode=max \
            --provenance=false \
            --push ui/sign-in/
+        env:
+          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
--- a/25
+++ b/25
@@ -1,7 +1,30 @@
+# syntax=docker/dockerfile:1
+
+# Frontend: runs natively on build host
+FROM --platform=$BUILDPLATFORM node:22-alpine AS frontend
+ARG REGISTRY_TOKEN
+WORKDIR /ui
+COPY ui/package.json ui/package-lock.json ui/.npmrc ./
+RUN echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
+COPY ui/ .
+RUN npm run build
+
+# Maven build: runs natively on build host (no QEMU emulation)
+FROM --platform=$BUILDPLATFORM eclipse-temurin:21-jdk-alpine AS build
+WORKDIR /build
+COPY .mvn/ .mvn/
+COPY mvnw pom.xml ./
+# Cache deps — only re-downloaded when POM changes
+RUN ./mvnw dependency:go-offline -B || true
+COPY src/ src/
+COPY --from=frontend /ui/dist/ src/main/resources/static/
+RUN ./mvnw package -DskipTests -B
+
+# Runtime: target platform (amd64)
 FROM eclipse-temurin:21-jre-alpine
 WORKDIR /app
 RUN addgroup -S cameleer && adduser -S cameleer -G cameleer
-COPY target/*.jar app.jar
+COPY --from=build /build/target/*.jar app.jar
 USER cameleer
 EXPOSE 8080
 ENTRYPOINT ["java", "-jar", "app.jar"]
--- a/ui/sign-in/Dockerfile
+++ b/ui/sign-in/Dockerfile
@@ -1,2 +1,10 @@
+FROM --platform=$BUILDPLATFORM node:22-alpine AS build
+ARG REGISTRY_TOKEN
+WORKDIR /ui
+COPY package.json package-lock.json .npmrc ./
+RUN echo "//gitea.siegeln.net/api/packages/cameleer/npm/:_authToken=${REGISTRY_TOKEN}" >> .npmrc && npm ci
+COPY . .
+RUN npm run build
+
 FROM ghcr.io/logto-io/logto:latest
-COPY dist/ /etc/logto/packages/experience/dist/
+COPY --from=build /ui/dist/ /etc/logto/packages/experience/dist/