enhanced dockerfile

.github/workflows/ci.yml

@@ -101,17 +101,12 @@ jobs:
           TELEMETRY_HEADER: ${{ secrets.TELEMETRY_HEADER }}
 
   build-image:
-    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
-    needs:
-      - build
+    needs: [lint, test, license-check]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-
       - name: Hub login
         if: github.event_name != 'pull_request'
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0

Dockerfile

@@ -1,40 +1,36 @@
 # syntax=docker/dockerfile:1
 
 # xx is a helper for cross-compilation
-FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.6.1 AS xx
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.7.0 AS xx
 
-FROM golang:1.25.0-alpine@sha256:f18a072054848d87a8077455f0ac8a25886f2397f88bfdd222d6fafbb5bba440 AS build-agent
-RUN apk add --no-cache build-base
-WORKDIR /app
-COPY . ./
-ARG GIT_TAG GIT_COMMIT BUILD_DATE
-RUN --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=secret,id=telemetry_api_key \
-    --mount=type=secret,id=telemetry_endpoint \
-    --mount=type=secret,id=telemetry_header \
-    sh -c 'TELEMETRY_API_KEY=$(cat /run/secrets/telemetry_api_key 2>/dev/null || echo "") && TELEMETRY_ENDPOINT=$(cat /run/secrets/telemetry_endpoint 2>/dev/null || echo "") && TELEMETRY_HEADER=$(cat /run/secrets/telemetry_header 2>/dev/null || echo "") && go build -trimpath -ldflags "-s -w -X '"'"'github.com/docker/cagent/cmd/root.Version=$GIT_TAG'"'"' -X '"'"'github.com/docker/cagent/cmd/root.Commit=$GIT_COMMIT'"'"' -X '"'"'github.com/docker/cagent/cmd/root.BuildTime=$BUILD_DATE'"'"' -X '"'"'github.com/docker/cagent/internal/telemetry.TelemetryEndpoint=$TELEMETRY_ENDPOINT'"'"' -X '"'"'github.com/docker/cagent/internal/telemetry.TelemetryAPIKey=$TELEMETRY_API_KEY'"'"' -X '"'"'github.com/docker/cagent/internal/telemetry.TelemetryHeader=$TELEMETRY_HEADER'"'"'" -o /agent .'
-
-FROM --platform=$BUILDPLATFORM golang:1.25.0-alpine3.22 AS builder-base
-RUN apk add clang
-WORKDIR /src
+FROM --platform=$BUILDPLATFORM golang:1.25.0-alpine3.22 AS base
+RUN apk add clang file
 COPY --from=xx / /
 ENV CGO_ENABLED=0
-ARG TARGETPLATFORM TARGETOS TARGETARCH
-ARG GIT_TAG GIT_COMMIT BUILD_DATE
+WORKDIR /src
+
+FROM base AS builder-base
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=bind,source=go.mod,target=go.mod \
+    --mount=type=bind,source=go.sum,target=go.sum \
+    go mod download
 
 FROM builder-base AS builder
 COPY . ./
+ARG GIT_TAG
+ARG GIT_COMMIT
+ARG BUILD_DATE
+ARG TARGETPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
 RUN --mount=type=cache,target=/root/.cache,id=docker-ai-$TARGETPLATFORM \
     --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=secret,id=telemetry_api_key \
-    --mount=type=secret,id=telemetry_endpoint \
-    --mount=type=secret,id=telemetry_header <<EOT
-    set -x
-    TELEMETRY_API_KEY=$(cat /run/secrets/telemetry_api_key 2>/dev/null || echo "")
-    TELEMETRY_ENDPOINT=$(cat /run/secrets/telemetry_endpoint 2>/dev/null || echo "")
-    TELEMETRY_HEADER=$(cat /run/secrets/telemetry_header 2>/dev/null || echo "")
+    --mount=type=secret,id=telemetry_api_key,env=TELEMETRY_API_KEY \
+    --mount=type=secret,id=telemetry_endpoint,env=TELEMETRY_ENDPOINT \
+    --mount=type=secret,id=telemetry_header,env=TELEMETRY_HEADER <<EOT
+    set -ex
     xx-go build -trimpath -ldflags "-s -w -X 'github.com/docker/cagent/cmd/root.Version=$GIT_TAG' -X 'github.com/docker/cagent/cmd/root.Commit=$GIT_COMMIT' -X 'github.com/docker/cagent/cmd/root.BuildTime=$BUILD_DATE' -X 'github.com/docker/cagent/internal/telemetry.TelemetryEndpoint=$TELEMETRY_ENDPOINT' -X 'github.com/docker/cagent/internal/telemetry.TelemetryAPIKey=$TELEMETRY_API_KEY' -X 'github.com/docker/cagent/internal/telemetry.TelemetryHeader=$TELEMETRY_HEADER'" -o /binaries/cagent-$TARGETOS-$TARGETARCH .
+    file /binaries/cagent-$TARGETos-$TARGETARCH
     xx-verify --static /binaries/cagent-$TARGETOS-$TARGETARCH
     if [ "$TARGETOS" = "windows" ]; then
       mv /binaries/cagent-$TARGETOS-$TARGETARCH /binaries/cagent-$TARGETOS-$TARGETARCH.exe