Skip to content

build(docker): make e-dant/watcher install robust #2432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dunglas merged 2 commits into from
May 16, 2026
+39 −32
Merged

build(docker): make e-dant/watcher install robust #2432

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
be5f73d
build(docker): make e-dant/watcher install robust
dunglas May 16, 2026
1439292
build(docker): use tab indentation inside watcher install heredoc
dunglas May 16, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/docker.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,7 @@ jobs:
VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || needs.prepare.outputs.ref || 'dev' }}
PHP_VERSION: ${{ needs.prepare.outputs.php_version }}
BASE_FINGERPRINT: ${{ needs.prepare.outputs.base_fingerprint }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # Workaround for https://github.com/actions/runner/pull/2477#issuecomment-1501003600
name: Export metadata
if: fromJson(needs.prepare.outputs.push)
Expand Down
37 changes: 20 additions & 17 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ RUN apt-get update && \
apt-get -y --no-install-recommends install \
cmake \
git \
jq \
libargon2-dev \
libbrotli-dev \
libcurl4-openssl-dev \
Expand All @@ -81,23 +82,25 @@ RUN apt-get update && \

# Install e-dant/watcher (necessary for file watching)
WORKDIR /usr/local/src/watcher
RUN --mount=type=secret,id=github-token \
if [ -f /run/secrets/github-token ] && [ -s /run/secrets/github-token ]; then \
curl -s -H "Authorization: Bearer $(cat /run/secrets/github-token)" https://api.github.com/repos/e-dant/watcher/releases/latest; \
else \
curl -s https://api.github.com/repos/e-dant/watcher/releases/latest; \
fi | \
grep tarball_url | \
awk '{ print $2 }' | \
sed 's/,$//' | \
sed 's/"//g' | \
xargs curl -L | \
tar xz --strip-components 1 && \
# -Wno-error=use-after-free: GCC 12 on Bookworm i386 emits a spurious warning in libstdc++ basic_string.h
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_FLAGS="-Wno-error=use-after-free" && \
cmake --build build && \
cmake --install build && \
ldconfig
RUN --mount=type=secret,id=github-token <<'EOF'
set -e
api=https://api.github.com/repos/e-dant/watcher/releases/latest
if [ -s /run/secrets/github-token ]; then
tarball_url=$(curl -fsSL -H "Authorization: Bearer $(cat /run/secrets/github-token)" "${api}" | jq -r '.tarball_url // empty')
else
tarball_url=$(curl -fsSL "${api}" | jq -r '.tarball_url // empty')
fi
if [ -z "${tarball_url}" ]; then
echo "failed to resolve e-dant/watcher tarball URL (rate limited?)" >&2
exit 1
fi
curl -fsSL "${tarball_url}" | tar xz --strip-components 1
# -Wno-error=use-after-free: GCC 12 on Bookworm i386 emits a spurious warning in libstdc++ basic_string.h
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_FLAGS="-Wno-error=use-after-free"
cmake --build build
cmake --install build
ldconfig
EOF

WORKDIR /go/src/app

Expand Down
33 changes: 18 additions & 15 deletions alpine.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ RUN apk add --no-cache --virtual .build-deps \
# Needed for the custom Go build \
git \
gnu-libiconv-dev \
jq \
libsodium-dev \
# Needed for the file watcher \
cmake \
Expand All @@ -88,21 +89,23 @@ RUN apk add --no-cache --virtual .build-deps \

# Install e-dant/watcher (necessary for file watching)
WORKDIR /usr/local/src/watcher
RUN --mount=type=secret,id=github-token \
if [ -f /run/secrets/github-token ] && [ -s /run/secrets/github-token ]; then \
curl -s -H "Authorization: Bearer $(cat /run/secrets/github-token)" https://api.github.com/repos/e-dant/watcher/releases/latest; \
else \
curl -s https://api.github.com/repos/e-dant/watcher/releases/latest; \
fi | \
grep tarball_url | \
awk '{ print $2 }' | \
sed 's/,$//' | \
sed 's/"//g' | \
xargs curl -L | \
tar xz --strip-components 1 && \
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release && \
cmake --build build && \
cmake --install build
RUN --mount=type=secret,id=github-token <<'EOF'
set -e
api=https://api.github.com/repos/e-dant/watcher/releases/latest
if [ -s /run/secrets/github-token ]; then
tarball_url=$(curl -fsSL -H "Authorization: Bearer $(cat /run/secrets/github-token)" "${api}" | jq -r '.tarball_url // empty')
else
tarball_url=$(curl -fsSL "${api}" | jq -r '.tarball_url // empty')
fi
if [ -z "${tarball_url}" ]; then
echo "failed to resolve e-dant/watcher tarball URL (rate limited?)" >&2
exit 1
fi
curl -fsSL "${tarball_url}" | tar xz --strip-components 1
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build
cmake --install build
EOF

WORKDIR /go/src/app

Expand Down
Loading