oci-build/Dockerfile (new file) #2

Merged
longjacksonle merged 1 commit from long-msp-30 into main 2026-04-02 17:42:33 +02:00

The old approach used imperative buildah commands (buildah from → buildah run → buildah copy → buildah mount
to extract). The Docker equivalent is a two-stage Dockerfile:

  • builder stage: installs MinGW, adds the Windows rustup target, copies manifests first for dependency
    caching, compiles dependencies with a dummy main.rs, then compiles the real source
  • artifact stage: FROM scratch containing only the .exe — this is what --output type=local extracts

oci-build/build.nu (rewritten)

  • export-env now sets DOCKER_BUILDKIT=1
  • build-stage replaces all ^buildah from/config/run/copy/mount/umount/rm calls with a single ^docker build
    --build-arg ... --output type=local,dest=$dist_dir --target artifact --file $dockerfile $project_root
  • extract-stage now just verifies the already-extracted binary and writes CI outputs (no more buildah mount
    needed)
  • The use buildah-wrapper.nu * import and check-environment call are removed entirely — those existed solely
    to work around user namespace restrictions that don't apply to Docker BuildKit

.forgejo/workflows/build-oci-image.yml — comment updated only; the workflow invocation (cd oci-build &&
./build.nu) is unchanged

buildah-wrapper.nu — left untouched; it's no longer called but removing it is a separate decision
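
The two-stage layout described above, as an added example that is not the project's oci-build/Dockerfile. The base image tag, the `x86_64-pc-windows-gnu` target, the crate name `app`, and the source paths are assumptions.

```dockerfile
# Added illustration; every name below is an assumption, not taken from the repository.
# Typical invocation (form taken from the description above):
#   docker build --output type=local,dest=$dist_dir --target artifact --file $dockerfile $project_root

# A CI build would normally pin the base image by digest so the toolchain cannot
# change underneath the build; the tag here is only a readable default.
ARG RUST_IMAGE=rust:1-bookworm

# ---- builder stage: toolchain, cached dependencies, then the real source ----
FROM ${RUST_IMAGE} AS builder

# MinGW provides the linker and Windows import libraries for the GNU target.
RUN apt-get update \
 && apt-get install -y --no-install-recommends gcc-mingw-w64-x86-64 \
 && rm -rf /var/lib/apt/lists/*
RUN rustup target add x86_64-pc-windows-gnu
ENV CARGO_TARGET_X86_64_PC_WINDOWS_GNU_LINKER=x86_64-w64-mingw32-gcc

WORKDIR /src

# Manifests first: this layer and the dependency build below are reused from
# cache until Cargo.toml or Cargo.lock changes.
COPY Cargo.toml Cargo.lock ./

# Compile dependencies against a dummy main.rs. --locked fails the build if
# Cargo.lock would need to change, so resolved versions stay the reviewed ones.
RUN mkdir src \
 && echo 'fn main() {}' > src/main.rs \
 && cargo build --release --locked --target x86_64-pc-windows-gnu \
 && rm -rf src

# Real source. The touch makes main.rs newer than the dummy build's output;
# without it cargo can treat the crate as fresh and ship the empty binary.
COPY src ./src
RUN touch src/main.rs \
 && cargo build --release --locked --target x86_64-pc-windows-gnu

# ---- artifact stage: nothing but the executable ----
# With --target artifact and --output type=local, BuildKit writes this stage's
# filesystem to the destination directory, so only app.exe leaves the build.
FROM scratch AS artifact
COPY --from=builder /src/target/x86_64-pc-windows-gnu/release/app.exe /app.exe
```

Because the artifact stage starts from `scratch`, no compiler, package cache, or source tree is exported with the binary.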

Reference
pandoras-box/explorer-bookmarks!2