Improve build system

.github/workflows/ci.yml

@@ -1,19 +1,18 @@
 name: Docker CI
-on: push
+on:
+  push:
+    branches:
+      - master
 env:
   DOCKER_BUILDKIT: 1
   LATEST_TAG: 24.0.1
 jobs:
   build:
-    name: Build
+    name: Build and push to Docker Hub
     runs-on: ubuntu-18.04
     strategy:
       fail-fast: false
       matrix:
-        arch:
-          - amd64
-          - arm64v8
-          - arm32v7
         version:
           - "24.0.1"
           - "23.1"
@@ -42,59 +41,14 @@ jobs:
           - "0.13.0"
     steps:
       - uses: actions/checkout@v1
-      - name: Register Docker QEMU
-        if: matrix.arch != 'amd64'
-        run: docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
-      - name: Build bitcoind
-        run: docker build --build-arg ARCH=${{matrix.arch}} --build-arg VERSION=${{matrix.version}} -t bitcoind:v${{matrix.version}}-${{matrix.arch}} .
-      - name: Log image data
-        run: docker images bitcoind
-      - name: Log OS details
-        run: docker run --entrypoint sh bitcoind:v${{matrix.version}}-${{matrix.arch}} '-c' 'uname -a && . /etc/os-release && echo $PRETTY_NAME'
-      - name: Check bitcoind -version
-        run: (docker run bitcoind:v${{matrix.version}}-${{matrix.arch}} -version | tee /dev/stderr | grep -q ${{matrix.version}}) 2>&1
-      - name: Save image tarballs
-        run: mkdir -p images && docker save bitcoind:v${{matrix.version}}-${{matrix.arch}} | gzip > "images/bitcoind-v${{matrix.version}}-${{matrix.arch}}.tgz"
-      - name: Print sha256sum of built image
-        run: sha256sum images/*
-      - name: Upload image tarballs
-        uses: actions/upload-artifact@v1.0.0
-        with:
-          name: images
-          path: images/
-  publish:
-    name: Publish
-    if: github.ref == 'refs/heads/master'
-    runs-on: ubuntu-18.04
-    needs: build
-    steps:
-      - name: Download image tarballs
-        uses: actions/download-artifact@v1.0.0
-        with:
-          name: images
-      - name: Print sha256sum of all images
-        run: sha256sum images/*
-      - name: Load image tarballs
-        run: for image in images/*; do docker load -i $image; done
-      - name: Set image namespace
-        run: docker images bitcoind --format "{{.Tag}}" | while read -r tag; do docker tag  "bitcoind:${tag}"  "lukechilds/bitcoind:${tag}"; done
-      - name: Log image data
-        run: docker images lukechilds/bitcoind
+  
       - name: Login to Docker Hub
-        run: echo "${{secrets.DOCKER_TOKEN}}" | docker login -u=lukechilds --password-stdin
-      - name: Create and push multi-arch manifests
-        env:
-          DOCKER_CLI_EXPERIMENTAL: enabled # To enable manifests
+        run: echo "${{ secrets.DOCKER_TOKEN }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
+
+      - name: Run Docker buildx
         run: |
-          versions=$(docker images lukechilds/bitcoind --format "{{.Tag}}" | grep amd64 | cut -d- -f1)
-          for version in $versions; do
-            tags=$(docker images lukechilds/bitcoind --format "{{.Tag}}" | grep $version- | sed 's/^/lukechilds\/bitcoind\:&/')
-            if [[ "${version}" = "v${LATEST_TAG}" ]]; then
-              docker manifest create lukechilds/bitcoind:latest $tags
-              docker manifest push lukechilds/bitcoind:latest
-            fi
-            docker manifest create "lukechilds/bitcoind:${version}" $tags
-            docker manifest push "lukechilds/bitcoind:${version}"
-            docker manifest inspect "lukechilds/bitcoind:${version}"
-            echo
-          done
+          docker buildx build \
+            --platform linux/amd64,linux/arm64,linux/arm/v7 \
+            --build-arg VERSION=${{matrix.version}} \
+            --tag ${{ secrets.DOCKER_USERNAME }}/bitcoind:v$VERSION \
+            --push .

Dockerfile

@@ -1,4 +1,3 @@
-ARG ARCH="amd64"
 ARG VERSION="0.19.1"
 
 ARG LEGACY_BITCOIN_CORE_RELEASE_KEY="01EA5486DE18A882D4C2684590C8019E36C2E964"
@@ -12,34 +11,53 @@ ARG PIETER_WUILLE="133EAC179436F14A5CF1B794860FEB804E669320"
 ARG SJORS_PROVOOST="ED9BDF7AD6A55E232E84524257FF9BDBCC301009"
 ARG KEYS="${LEGACY_BITCOIN_CORE_RELEASE_KEY} ${ANDREW_CHOW} ${JON_ATACK} ${JONAS_SCHNELLI} ${MATT_CORALLO} ${LUKE_DASHJR} ${PETER_TODD} ${PIETER_WUILLE} ${SJORS_PROVOOST}"
 
-FROM $ARCH/debian:stable-slim
+# Build stage
+FROM --platform=$BUILDPLATFORM debian:stable-slim as builder
 LABEL maintainer="Luke Childs <lukechilds123@gmail.com>"
 
+ARG TARGETARCH
+
 ARG ARCH
 ARG VERSION
 ARG KEYS
 
-RUN cd /tmp && \
-    if [ "${ARCH}" = "amd64" ]; then TARBALL_ARCH=x86_64-linux-gnu; fi && \
-    if [ "${ARCH}" = "arm64v8" ]; then TARBALL_ARCH=aarch64-linux-gnu; fi && \
-    if [ "${ARCH}" = "arm32v7" ]; then TARBALL_ARCH=arm-linux-gnueabihf; fi && \
-    TARBALL="bitcoin-${VERSION}-${TARBALL_ARCH}.tar.gz" && \
-    apt-get update && \
-    apt-get install -y wget gpg && \
-    wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/${TARBALL} && \
-    # This file only exists after v22
-    wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/SHA256SUMS || true && \
-    wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/SHA256SUMS.asc && \
-    gpg --keyserver keyserver.ubuntu.com --recv-keys $KEYS && \
-    gpg --verify SHA256SUMS.asc 2>&1 >/dev/null | grep "^gpg: Good signature from" || { echo "No valid signature"; exit 1; } && \
-    if [ -f SHA256SUMS ]; then CHECKSUM_FILE="SHA256SUMS"; else CHECKSUM_FILE="SHA256SUMS.asc"; fi && \
-    grep $TARBALL $CHECKSUM_FILE | sha256sum -c && \
-    # sha256sum -c --ignore-missing "${CHECKSUM_FILE}" \
-    tar -zxvf $TARBALL --strip-components=1 && \
-    mv bin/bitcoind /usr/local/bin/ && \
-    mv bin/bitcoin-cli /usr/local/bin/ && \
-    apt-get purge -y wget gpg && \
-    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+WORKDIR /build
+
+RUN echo "Installing build deps"
+RUN apt-get update
+RUN apt-get install -y wget pgp
+
+RUN echo "Deriving tarball name from \$TARGETARCH"
+RUN [ "${TARGETARCH}" = "amd64" ] && echo "bitcoin-${VERSION}-x86_64-linux-gnu.tar.gz"    > /tarball-name || true
+RUN [ "${TARGETARCH}" = "arm64" ] && echo "bitcoin-${VERSION}-aarch64-linux-gnu.tar.gz"   > /tarball-name || true
+RUN [ "${TARGETARCH}" = "arm" ]   && echo "bitcoin-${VERSION}-arm-linux-gnueabihf.tar.gz" > /tarball-name || true
+RUN echo "Tarball name: $(cat /tarball-name)"
+
+RUN echo "Downloading release assets"
+RUN wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/$(cat /tarball-name)
+RUN wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/SHA256SUMS.asc
+# This file only exists after v22 so allow it to fail
+RUN wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/SHA256SUMS || true
+RUN echo "Downloaded release assets:" && ls
+
+RUN echo "Verifying PGP signatures"
+RUN gpg --keyserver keyserver.ubuntu.com --recv-keys $KEYS
+RUN gpg --verify SHA256SUMS.asc 2>&1 >/dev/null | grep "^gpg: Good signature from" || { echo "No valid signature"; exit 1; }
+RUN echo "PGP signature verification passed"
+
+RUN echo "Verifying checksums"
+RUN [ -f SHA256SUMS ] && cp SHA256SUMS /sha256sums || cp SHA256SUMS.asc /sha256sums
+RUN grep $(cat /tarball-name) /sha256sums | sha256sum -c
+RUN echo "Chucksums verified ok"
+
+RUN echo "Extracting release assets"
+RUN tar -zxvf $(cat /tarball-name) --strip-components=1
+
+# Final image
+FROM debian:stable-slim
+
+COPY --from=builder /build/bin/bitcoind /bin
+COPY --from=builder /build/bin/bitcoin-cli /bin
 
 ENV HOME /data
 VOLUME /data/.bitcoin