From 4c9ef6121e90d7e29667e3bb2ce89c172fd0e108 Mon Sep 17 00:00:00 2001 From: Jean-Laurent de Morlhon Date: Wed, 10 Sep 2025 13:50:49 +0100 Subject: [PATCH 1/4] build-image Signed-off-by: Jean-Laurent de Morlhon --- .github/workflows/ci.yml | 35 +++++++++++++++++++++++++++++++++++ Dockerfile | 5 +++++ Taskfile.yml | 4 ++++ 3 files changed, 44 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c38ba19d0..7e30f242c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -95,3 +95,38 @@ jobs: TELEMETRY_API_KEY: ${{ secrets.TELEMETRY_API_KEY }} TELEMETRY_ENDPOINT: ${{ secrets.TELEMETRY_ENDPOINT }} TELEMETRY_HEADER: ${{ secrets.TELEMETRY_HEADER }} + + build-image: + # remove once this works on main + # if: startsWith(github.ref, 'refs/tags/v') + needs: [build] + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 + + - name: Hub login + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 + with: + username: ${{ vars.DOCKERBUILDBOT_USERNAME }} + password: ${{ secrets.DOCKERBUILDBOT_WRITE_PAT }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + with: + version: "lab:latest" + driver: cloud + endpoint: "docker/make-product-smarter" + install: true + + - name: Install Task + uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + version: 3.x + + - name: Build + run: task build-image diff --git a/Dockerfile b/Dockerfile index 23eec604a..c1f784bcb 100644 --- a/Dockerfile +++ b/Dockerfile 
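Review bot: The `Hub login` step hands `secrets.DOCKERBUILDBOT_WRITE_PAT` to this job on every run that reaches it, and nothing ties that write credential to a protected context; with the tag gate commented out as in this patch, every push to `main` logs in to Docker Hub with push rights. Put the job in a deployment environment, `environment: docker-hub` under `build-image:`, and store the PAT as an environment secret with a deployment policy limited to `v*` tags, so the credential is simply absent outside release runs. The secret is also a long-lived personal token; if the Hub organization supports scoped organization access tokens, prefer one limited to pushing `docker/cagent`, and record its rotation owner in a comment next to the `password:` line. The `build-image` job definition is complete in this hunk, but the `build` job it depends on is outside it.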
@@ -84,3 +84,8 @@ COPY --from=builder /binaries/cagent-$TARGETOS-$TARGETARCH cagent FROM scratch AS cross COPY --from=builder /binaries . + +FROM alpine:3.22@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1 +RUN apk add --no-cache curl socat +COPY --from=build-agent /agent / +ENTRYPOINT [ "/agent" ] \ No newline at end of file diff --git a/Taskfile.yml b/Taskfile.yml index ccb5cd267..b141815d0 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -63,3 +63,7 @@ tasks: cross: desc: Build binaries for multiple platforms cmd: docker buildx build --target=cross {{.BUILD_ARGS}} --platform linux/amd64,linux/arm64,darwin/amd64,darwin/arm64,windows/amd64 --output=./dist . + + build-image: + desc: Build Docker image + cmd: docker buildx build -t docker/cagent:latest {{.BUILD_ARGS}} . From 13c46027b955ca4bb0eb5e8d518d32cc86bdf3e0 Mon Sep 17 00:00:00 2001 From: Jean-Laurent de Morlhon Date: Wed, 10 Sep 2025 16:16:14 +0100 Subject: [PATCH 2/4] adding pushing Signed-off-by: Jean-Laurent de Morlhon --- .github/workflows/ci.yml | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7e30f242c..747e3e97d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -109,6 +109,7 @@ jobs: uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 - name: Hub login + if: github.event_name != 'pull_request' uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: username: ${{ vars.DOCKERBUILDBOT_USERNAME }} 
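Review bot: The new final stage runs `/agent` as root — there is no `USER` instruction between the `COPY` and the `ENTRYPOINT` — and it installs `curl` and `socat`, which give a compromised agent a ready-made download and network-relay toolkit. Add `USER nobody` before the `ENTRYPOINT` (Alpine ships that account) unless the agent must bind a privileged port or write under `/`, and put a one-line comment above the `RUN apk add` line saying what the agent uses `curl` and `socat` for, so they can be dropped when no longer needed. `COPY --from=build-agent` names a stage that is not in this hunk; if no stage called `build-agent` is defined earlier in the Dockerfile, BuildKit resolves the name as an image reference (`docker.io/library/build-agent`) instead of failing, so please confirm the stage exists. The file also now ends without a trailing newline.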
@@ -116,17 +117,14 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - with: - version: "lab:latest" - driver: cloud - endpoint: "docker/make-product-smarter" - install: true - - name: Install Task - uses: arduino/setup-task@b91d5d2c96a56797b48ac1e0e89220bf64044611 # v2.0.0 + - name: Build and push image + uses: docker/build-push-action@v5 with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - version: 3.x - - - name: Build - run: task build-image + context: . + push: ${{ github.event_name != 'pull_request' }} + sbom: true + provenance: mode=max + tags: ${{ steps.metadata.outputs.tags }} + labels: ${{ steps.metadata.outputs.labels }} + build-args: GIT_COMMIT=${{ github.sha }} From f8b903f2d46e956ed6921b3df237faf3db523c62 Mon Sep 17 00:00:00 2001 From: Jean-Laurent de Morlhon Date: Wed, 10 Sep 2025 16:30:29 +0100 Subject: [PATCH 3/4] using metadata Signed-off-by: Jean-Laurent de Morlhon --- .github/workflows/ci.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 747e3e97d..2403ec839 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -97,8 +97,7 @@ jobs: TELEMETRY_HEADER: ${{ secrets.TELEMETRY_HEADER }} build-image: - # remove once this works on main - # if: startsWith(github.ref, 'refs/tags/v') + if: startsWith(github.ref, 'refs/tags/v') needs: [build] runs-on: ubuntu-latest steps: @@ -118,6 +117,12 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - name: Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: docker/cagent + - name: Build and push image uses: docker/build-push-action@v5 with: 
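Review bot: The pushed image is not signed and its digest is discarded: `docker/build-push-action` exposes `steps.<id>.outputs.digest`, but the `Build and push image` step has no `id`, so nothing downstream can name the exact artifact that was published. `provenance: mode=max` and `sbom: true` attach attestations, but consumers still have no signature to verify against; give the step `id: build`, grant the job `id-token: write` (the top-level `permissions` is `contents: read`), and sign by digest in a follow-up step as sketched below, pinning the cosign installer to a commit SHA like the other actions in this file. Signing the digest rather than a tag avoids signing whatever `latest` is later repointed at. The `build-image` job starts outside this hunk.
```yaml
    permissions:
      contents: read
      id-token: write
    # … unchanged: runs-on, checkout, QEMU, Hub login, Buildx steps …
      - name: Build and push image
        id: build
        # … unchanged: uses/with (context, push, sbom, provenance, tags, labels, build-args) …

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@<commit-sha>  # pin to a commit like the other actions

      - name: Sign image by digest (keyless, GitHub OIDC)
        if: github.event_name != 'pull_request'
        run: cosign sign --yes "docker/cagent@${{ steps.build.outputs.digest }}"
```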
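Review bot: The `Docker metadata` step relies on metadata-action's default tag rules, so what is actually pushed for a `v*` tag — the literal tag name, and whether `latest` is applied under the default `latest=auto` flavor — is decided by the action rather than visible in this file. Now that the job is tag-gated, spell the policy out: `tags: |` followed by `type=semver,pattern={{version}}` and `type=sha`, adding `type=raw,value=latest,enable=true` only if `latest` is meant to move on every release. A `type=sha` tag also gives consumers a commit-addressable name to pin besides the digest.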
@@ -125,6 +130,6 @@ jobs: push: ${{ github.event_name != 'pull_request' }} sbom: true provenance: mode=max - tags: ${{ steps.metadata.outputs.tags }} - labels: ${{ steps.metadata.outputs.labels }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} build-args: GIT_COMMIT=${{ github.sha }} From cdbe3ee04dfb9f4001bb9044445d97cfbfa7af52 Mon Sep 17 00:00:00 2001 From: Jean-Laurent de Morlhon Date: Wed, 10 Sep 2025 16:39:10 +0100 Subject: [PATCH 4/4] adding sha + dispatch for testing Signed-off-by: Jean-Laurent de Morlhon --- .github/workflows/ci.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2403ec839..a3c1b3419 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,6 +3,7 @@ permissions: contents: read on: + workflow_dispatch: push: branches: [main] tags: ["v*"] @@ -97,7 +98,7 @@ jobs: TELEMETRY_HEADER: ${{ secrets.TELEMETRY_HEADER }} build-image: - if: startsWith(github.ref, 'refs/tags/v') + if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' needs: [build] runs-on: ubuntu-latest steps: @@ -119,12 +120,12 @@ jobs: - name: Docker metadata id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: docker/cagent - name: Build and push image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . push: ${{ github.event_name != 'pull_request' }}
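Review bot: Letting `workflow_dispatch` into `build-image` means anyone who can run workflows can dispatch from any branch and publish to Docker Hub with `DOCKERBUILDBOT_WRITE_PAT`, because `push: ${{ github.event_name != 'pull_request' }}` is true for dispatch events and the metadata step will tag the result after the branch ref (presumably `docker/cagent:<branch>` under the action's default `type=ref,event=branch` rule). The commit message says the dispatch path is for testing; if it is kept, make manual runs build-only with `push: ${{ startsWith(github.ref, 'refs/tags/v') }}` and the same condition on the `Hub login` step's `if:`, or declare a `workflow_dispatch` boolean input defaulting to `false` and use it in both places. Otherwise drop `|| github.event_name == 'workflow_dispatch'` before merging. The `push:` line and the rest of the job lie in the following hunk, which is cut off here.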