Golden image Dockerfile + local build script

Debian bookworm with two clearly-labeled sections: - ESSENTIAL: systemd, openssh-server, ca-certificates, curl, iproute2. - OPINION: git, jq, ripgrep, fd, build-essential, shellcheck, mise, Docker CE (+ Compose v2 + buildx), tmux, htop, and friends. Per-VM identity stripped at build time: /etc/machine-id cleared, SSH host keys removed with a ssh.service drop-in that runs `ssh-keygen -A` on first start so each VM gets a unique set. The script is a parameterized wrapper around `docker build`; it also supports `--push` to an OCI registry, which will be removed once the bundle pipeline is in place. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 15:11:40 -03:00 · 2026-04-17 15:11:40 -03:00 · da471b0640
commit da471b0640
parent feb679a301
2 changed files with 192 additions and 0 deletions
--- a/scripts/publish-golden-image.sh
+++ b/scripts/publish-golden-image.sh
@ -0,0 +1,104 @@
+#!/usr/bin/env bash
+# Build and optionally push the banger golden image.
+#
+# Examples:
+#   ./scripts/publish-golden-image.sh --tag thaloco/banger-golden:debian-bookworm
+#   ./scripts/publish-golden-image.sh --tag thaloco/banger-golden:debian-bookworm --push
+#   ./scripts/publish-golden-image.sh --tag ghcr.io/thaloco/banger-golden:latest --push --platform linux/amd64
+#
+# The script expects the user to be logged in to the target registry
+# (docker login / gh auth token) when --push is set.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+DOCKERFILE="$REPO_ROOT/images/golden/Dockerfile"
+CONTEXT="$REPO_ROOT/images/golden"
+
+TAG=""
+PUSH=0
+PLATFORM="linux/amd64"
+EXTRA_TAGS=()
+
+usage() {
+  cat <<'EOF'
+Usage: publish-golden-image.sh --tag <reg/name:tag> [--tag <alt>] [--push] [--platform <platform>]
+
+Options:
+  --tag        Primary image reference (required). Repeat --tag for extra tags
+               (e.g. to publish both :latest and :debian-bookworm).
+  --push       Push all tags after building. Requires prior `docker login`.
+  --platform   Build platform (default: linux/amd64). banger x86_64-only today.
+  -h, --help   This help.
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --tag)
+      if [[ -z "$TAG" ]]; then
+        TAG="${2:-}"
+      else
+        EXTRA_TAGS+=("${2:-}")
+      fi
+      shift 2
+      ;;
+    --push)
+      PUSH=1
+      shift
+      ;;
+    --platform)
+      PLATFORM="${2:-}"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "unknown option: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ -z "$TAG" ]]; then
+  echo "--tag is required" >&2
+  usage >&2
+  exit 1
+fi
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "docker binary not found in PATH" >&2
+  exit 1
+fi
+
+BUILD_ARGS=(build --platform "$PLATFORM" -t "$TAG" -f "$DOCKERFILE")
+for t in "${EXTRA_TAGS[@]}"; do
+  BUILD_ARGS+=(-t "$t")
+done
+BUILD_ARGS+=("$CONTEXT")
+
+echo "==> building $TAG (platform=$PLATFORM)"
+docker "${BUILD_ARGS[@]}"
+
+if [[ "$PUSH" -eq 1 ]]; then
+  echo "==> pushing $TAG"
+  docker push "$TAG"
+  for t in "${EXTRA_TAGS[@]}"; do
+    echo "==> pushing $t"
+    docker push "$t"
+  done
+fi
+
+echo "==> done"
+echo "  primary tag: $TAG"
+for t in "${EXTRA_TAGS[@]}"; do
+  echo "  extra tag  : $t"
+done
+if [[ "$PUSH" -eq 0 ]]; then
+  echo
+  echo "Image is built locally but not pushed. Pass --push to publish."
+fi