ql4b · skunxicat · Jul 28, 2025 · Jul 4, 2025 · Jul 8, 2025 · Jul 9, 2025
diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
@@ -0,0 +1,117 @@
+name: Build and Release
+
+on:
+  push:
+    branches:
+      - develop
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-base:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+      - name: Build and push base
+        run: |
+          echo "${{ secrets.GHCR_PAT }}" > github_token
+          docker buildx build \
+            --platform linux/arm64 \
+            --provenance=false \
+            --secret id=github_token,src=github_token \
+            --target base \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:base \
+            --push \
+            .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHCR_PAT }}
+
+  build:
+    needs: build-base
+    runs-on: ubuntu-latest
+    env:
+      HTTP_CLI_VERSION: v1.0.1
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20
+      - uses: actions/cache@v3
+        with:
+          path: ~/.npm
+          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+      - run: npm ci
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Create and use buildx builder
+        run: |
+          docker buildx create --name shell-runtime-builder --driver docker-container --use
+          docker buildx inspect shell-runtime-builder --bootstrap
+      - name: Cache Docker layers
+        uses: actions/cache@v3
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      - name: Set version
+        id: version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ "${{ github.ref_name }}" = "main" ]; then
+            # Get semantic version for main branch
+            VERSION=$(npx semantic-release --no-ci --dry-run --branch main 2>&1 | grep -oP 'The next release version is \K[0-9]+\.[0-9]+\.[0-9]+' || echo "")
+            if [ -z "$VERSION" ]; then
+              echo "No release needed"
+              echo "VERSION=develop" >> $GITHUB_ENV
+              echo "SHOULD_RELEASE=false" >> $GITHUB_ENV
+            else
+              echo "VERSION=$VERSION" >> $GITHUB_ENV
+              echo "SHOULD_RELEASE=true" >> $GITHUB_ENV
+            fi
+          else
+            # Use branch name for develop
+            echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV
+            echo "SHOULD_RELEASE=false" >> $GITHUB_ENV
+          fi
+          echo "Detected VERSION: $VERSION"
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u skunxicat --password-stdin
+      - name: Build and push images
+        run: |
+          echo "${{ secrets.GHCR_PAT }}" > github_token
+          export GITHUB_TOKEN="${{ secrets.GHCR_PAT }}"
+
+          # Build and push all variants
+          make push VERSION="$VERSION" REGISTRY="ghcr.io/${{ github.repository_owner }}"
+        shell: bash
+      - name: Create release
+        if: env.SHOULD_RELEASE == 'true'
+        run: npx semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GHCR_PAT: ${{ secrets.GHCR_PAT }}
diff --git a/.github/workflows/build-base.yml b/.github/workflows/build-base.yml
@@ -0,0 +1,56 @@
+name: Build Base Image
+
+on:
+  push:
+    branches: [ main, develop ]
+    paths:
+      - 'Dockerfile'
+      - 'runtime/**'
+      - 'task/handler.sh'
+      - '.github/workflows/build-base.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'Dockerfile'
+      - 'runtime/**'
+      - 'task/handler.sh'
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+  packages: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-base:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Build and push base
+        run: |
+          echo "${{ secrets.GHCR_PAT }}" > github_token
+          docker buildx build \
+            --platform linux/arm64 \
+            --provenance=false \
+            --secret id=github_token,src=github_token \
+            --target base \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:base \
+            --push \
+            .
+        env:
+          GITHUB_TOKEN: ${{ secrets.GHCR_PAT }}
diff --git a/.github/workflows/build-installers.yml b/.github/workflows/build-installers.yml
@@ -0,0 +1,62 @@
+name: Build Installers
+
+on:
+  push:
+    branches: [ main, develop ]
+    paths:
+      - 'Dockerfile'
+      - '.github/workflows/build-installers.yml'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'Dockerfile'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build-installers:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GHCR_PAT }}
+
+      - name: Build and push installers
+        run: |
+          # Build awscurl-installer
+          docker buildx build \
+            --platform linux/arm64 \
+            --provenance=false \
+            --target awscurl-installer \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:awscurl-installer \
+            --push \
+            -f - . << 'EOF'
+          FROM public.ecr.aws/lambda/provided:al2023 AS awscurl-installer
+          RUN dnf install -y unzip python3-pip findutils && dnf clean all
+          RUN pip3 install --no-cache-dir --target /tmp/awscurl awscurl && \
+              find /tmp/awscurl -type d -name '__pycache__' -exec rm -rf {} + && \
+              find /tmp/awscurl -type f -name '*.pyc' -delete && \
+              find /tmp/awscurl -type d -name '*.dist-info' -exec rm -rf {} +
+          EOF
+
+          # Build awscli-installer
+          docker buildx build \
+            --platform linux/arm64 \
+            --provenance=false \
+            --target awscli-installer \
+            --tag ghcr.io/${{ github.repository_owner }}/lambda-shell-runtime:awscli-installer \
+            --push \
+            -f - . << 'EOF'
+          FROM public.ecr.aws/lambda/provided:al2023 AS awscli-installer
+          RUN dnf install -y aws-cli && dnf clean all
+          EOF
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,17 @@
+# Docker artifacts
+*.tar
+*.tar.gz
+*.tar.xz
+*.tgz
+*.img
+
+# Build output
+.DS_Store
+build/
+dist/
+*.log
+node_modules/
+
+# VSCode settings
+.vscode/
+#examples/
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,95 @@
+FROM public.ecr.aws/lambda/provided:al2023 AS builder
+
+ARG HTTP_CLI_VERSION=v1.0.1
+
+RUN dnf install -y unzip && \
+    dnf clean all
+
+# Download http-cli
+RUN curl \
+    -L "https://github.com/ql4b/http-cli/archive/refs/tags/${HTTP_CLI_VERSION}.zip" \
+    -o http-cli.zip && \
+    unzip http-cli.zip && \
+    mkdir -p /http-cli-bin && \
+    mv http-cli-${HTTP_CLI_VERSION#v}/http-cli /http-cli-bin/ && \
+    chmod +x /http-cli-bin/http-cli && \
+    rm -rf http-cli.zip http-cli-${HTTP_CLI_VERSION#v}
+
+LABEL org.opencontainers.image.http_cli_version="${HTTP_CLI_VERSION}"
+
+# base: minimal runtime setup with jq
+FROM public.ecr.aws/lambda/provided:al2023 AS base
+
+ARG VERSION=develop
+ARG HTTP_CLI_VERSION
+
+# Install only runtime dependencies
+RUN dnf install -y jq && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf
+
+# Copy http-cli
+COPY --from=builder /http-cli-bin/http-cli /var/task/bin/http-cli
+ENV PATH="/var/task/bin:${PATH}"
+
+COPY runtime/bootstrap /var/runtime/bootstrap
+RUN chmod +x /var/runtime/bootstrap
+
+WORKDIR /var/task
+
+COPY task/handler.sh handler.sh
+
+LABEL org.opencontainers.image.source="https://github.com/ql4b/lambda-shell-runtime"
+LABEL org.opencontainers.image.version="${VERSION}"
+
+# tiny: add lambda helper functions
+FROM ghcr.io/ql4b/lambda-shell-runtime:base AS tiny
+
+ARG VERSION
+ARG HTTP_CLI_VERSION
+
+COPY task/helpers.sh helpers.sh
+
+LABEL org.opencontainers.image.title="lambda-shell-runtime:tiny"
+LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.http_cli_version="${HTTP_CLI_VERSION}"
+
+# micro: includes awscurl
+FROM tiny AS micro
+
+ARG VERSION
+ARG HTTP_CLI_VERSION
+
+RUN dnf install -y python3 && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf
+
+COPY --from=ghcr.io/ql4b/lambda-shell-runtime:awscurl-installer /tmp/awscurl /var/task/aws
+RUN rm -rf \
+  /var/task/aws/__pycache__ \
+  /var/task/aws/*.dist-info \
+  /var/task/aws/**/__pycache__
+
+ENV PYTHONPATH="/var/task/aws"
+
+RUN mkdir -p /var/task/bin && \
+    printf '#!/bin/sh\nexport PYTHONPATH=/var/task/aws\nexec python3 -m awscurl.awscurl "$@"\n' > /var/task/bin/awscurl && \
+    chmod +x /var/task/bin/awscurl
+
+LABEL org.opencontainers.image.title="lambda-shell-runtime:micro"
+LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.http_cli_version="${HTTP_CLI_VERSION}"
+
+# full: includes aws-cli for complete AWS functionality
+FROM tiny AS full
+
+ARG VERSION
+ARG HTTP_CLI_VERSION
+
+RUN dnf install -y awscli-2 && \
+    dnf clean all && \
+    rm -rf /var/cache/dnf   
+
+LABEL org.opencontainers.image.title="lambda-shell-runtime:full"
+LABEL org.opencontainers.image.version="${VERSION}"
+LABEL org.opencontainers.image.http_cli_version="${HTTP_CLI_VERSION}"
diff --git a/Makefile b/Makefile
@@ -0,0 +1,32 @@
+.PHONY: help build push clean base tiny micro full
+
+PLATFORM ?= linux/arm64
+TAG ?= lambda-shell-runtime
+VERSION ?= develop
+REGISTRY ?= ghcr.io/ql4b
+
+help: ## Show this help
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-15s\033[0m %s\n", $$1, $$2}'
+
+build: tiny micro full ## Build all variants locally
+
+base: ## Build base image
+	VERSION=$(VERSION) ./build --platform $(PLATFORM) --tag $(TAG) --load base
+
+tiny: base ## Build tiny variant
+	VERSION=$(VERSION) ./build --platform $(PLATFORM) --tag $(TAG) --load tiny
+
+micro: base ## Build micro variant  
+	VERSION=$(VERSION) ./build --platform $(PLATFORM) --tag $(TAG) --load micro
+
+full: base ## Build full variant
+	VERSION=$(VERSION) ./build --platform $(PLATFORM) --tag $(TAG) --load full
+
+push-base: ## Push base to registry
+	VERSION=$(VERSION) ./build --platform $(PLATFORM) --tag $(REGISTRY)/$(TAG) --push base
+
+push: ## Push all variants to registry
+	VERSION=$(VERSION) ./build --platform $(PLATFORM) --tag $(REGISTRY)/$(TAG) --push tiny micro full
+
+clean: ## Remove local images
+	docker rmi -f $(TAG):base $(TAG):tiny $(TAG):micro $(TAG):full 2>/dev/null || true