moved the build to an shellscript

.forgejo/workflows/container-build.yml

@@ -14,9 +14,14 @@ jobs:
     steps:
       - name: Fetch repo
         uses: actions/checkout@v3
-      - name: buildah build
+      - name: Container build
-        run: "buildah build -t image ${{ env.CONTAINERFILE }}"
+        run: "./build_container.sh"
-      - name: skopeo copy image
+      - name: Container push
-        run: "skopeo copy --dest-precompute-digests --image-parallel-copies 4 --dest-registry-token ${{ env.GITHUB_TOKEN }} containers-storage:image ${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}"
+        run: |
+          skopeo copy --dest-precompute-digests --image-parallel-copies 4 --dest-registry-token ${{ env.GITHUB_TOKEN }} containers-storage:localhost/keycloak:latest docker://${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}:latest
+          skopeo copy --dest-precompute-digests --image-parallel-copies 4 --dest-registry-token ${{ env.GITHUB_TOKEN }} containers-storage:localhost/keycloak:latest docker://${{ env.GITHUB_SERVER_URL }}/${{ env.GITHUB_REPOSITORY }}:${{ env.GITHUB_RUN_NUMBER}}
+          
       - name: Cleanup
-        run: "buildah prune -af"
+        run: |
+          buildah rmi -f localhost/keycloak
+          buildah prune -f

Containerfile

@@ -1,31 +0,0 @@
-FROM quay.io/keycloak/keycloak:latest as builder
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-ENV KC_HEALTH_ENABLED=false
-ENV KC_DB=postgres
-ENV KC_CACHE_STACK=tcp
-ENV KC_HTTPS_CLIENT_AUTH=request
-ENV KC_FEATURES=dynamic-scopes,recovery-codes,preview
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-RUN kc.sh build
-
-FROM quay.io/keycloak/keycloak:latest
-ENV PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin"
-
-COPY --from=builder /opt/keycloak/ /opt/keycloak/
-
-WORKDIR /opt/keycloak
-ENV KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de"
-ENV KC_HOSTNAME_URL="https://sso.sebastian-tobie.de"
-ENV KC_DB_USERNAME=keycloak
-ENV KC_DB_PASSWORD=changeme
-ENV KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak
-
-ENV KEYCLOAK_ADMIN="admin"
-ENV KEYCLOAK_ADMIN_PASSWORD="admin"
-EXPOSE 8080
-COPY --chown=root:root tobie-ca.crt /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER root
-RUN keytool -importcert -alias tobieca -cacerts -storepass changeit -noprompt -trustcacerts -file /etc/pki/ca-trust/source/anchors/tobie-ca.crt
-USER keycloak
-ENTRYPOINT ["kc.sh", "start", "--optimized", "--http-enabled", "true", "--proxy", "edge", "--log-console-format", "'%-5p [%c] (%t) %s%e%n'", "--hostname-strict-backchannel=true"]

build_container.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -e
+
+both() {
+    "$@" builder
+    "$@" final
+}
+
+source=quay.io/keycloak/keycloak:latest
+buildah from --name builder --pull=newer $source
+buildah from --name final $source
+
+buildah config -l - -e - -a - -p - final
+buildah config \
+    -e PATH="/opt/keycloak/bin:/usr/bin:/usr/local/bin" \
+    -e KC_HTTPS_CLIENT_AUTH=request \
+    builder
+buildah config \
+    -e KC_HOSTNAME_ADMIN_URL="https://admin.sso.sebastian-tobie.de" \
+    -e KC_HOSTNAME_URL="https://sso.sebastian-tobie.de" \
+    -e KC_DB_USERNAME=keycloak \
+    -e KC_DB_PASSWORD=changeme \
+    -e KC_DB_URL=postgresql://postgres.services.tobie:5432/keycloak \
+    -e KEYCLOAK_ADMIN="admin" \
+    -e KEYCLOAK_ADMIN_PASSWORD="admin" \
+    -p 8080/tcp \
+    -u keycloak:keycloak \
+    --entrypoint "[\"kc.sh\", \"start\", \"--optimized\", \"--http-enabled\", \"true\", \"--proxy\", \"edge\", \"--log-console-format\", \"'%-5p [%c] (%t) %s%e%n'\", \"--hostname-strict-backchannel=true\"]" \
+    final
+set -x
+buildah run -- builder kc.sh build --db=postgres --metrics-enabled=true --https-client-auth request --features web-authn,passkeys,persistent-user-sessions,recovery-codes --features-disabled kerberos,docker,ciba,fips
+
+buildah copy --from builder --chown root:root final /opt/keycloak/ /opt/keycloak/
+buildah rm builder
+buildah commit -f oci --rm final containers-storage:localhost/keycloak:latest