From 1e01d4df567098af5724c68a65fdf1382470e182 Mon Sep 17 00:00:00 2001 From: devitway Date: Mon, 23 Feb 2026 08:24:48 +0000 Subject: [PATCH] ci: add Astra Linux and RedOS parallel builds Add Dockerfile.astra (astralinux/alse) and Dockerfile.redos (redos/redos) for FSTEC-certified Russian OS targets. Update release.yml with a matrix strategy that produces three image variants per release: - ghcr.io/.../nora:0.x.x (Alpine, default) - ghcr.io/.../nora:0.x.x-astra (Astra Linux SE) - ghcr.io/.../nora:0.x.x-redos (RED OS) Build stage is shared (musl static binary) across all variants. --- .github/workflows/release.yml | 38 +++++++++++++++++--- Dockerfile.astra | 65 +++++++++++++++++++++++++++++++++++ Dockerfile.redos | 63 +++++++++++++++++++++++++++++++++ 3 files changed, 161 insertions(+), 5 deletions(-) create mode 100644 Dockerfile.astra create mode 100644 Dockerfile.redos diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b67b294..4b3bf16 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,12 +10,26 @@ env: jobs: build: - name: Build & Push + name: Build & Push (${{ matrix.name }}) runs-on: self-hosted permissions: contents: read packages: write + strategy: + fail-fast: false + matrix: + include: + - name: alpine + dockerfile: Dockerfile + suffix: "" + - name: astra + dockerfile: Dockerfile.astra + suffix: "-astra" + - name: redos + dockerfile: Dockerfile.redos + suffix: "-redos" + steps: - uses: actions/checkout@v4 
@@ -34,22 +48,25 @@ jobs: uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + flavor: | + suffix=${{ matrix.suffix }},onlatest=true tags: | type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} - type=semver,pattern={{major}} - type=raw,value=latest + type=raw,value=latest,enable=${{ matrix.suffix == '' }} + type=raw,value=${{ matrix.name }},enable=${{ matrix.suffix != '' }} - name: Build and push uses: docker/build-push-action@v5 with: context: . + file: ${{ matrix.dockerfile }} platforms: linux/amd64 push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=${{ matrix.name }} + cache-to: type=gha,mode=max,scope=${{ matrix.name }} release: name: GitHub Release @@ -68,10 +85,21 @@ jobs: body: | ## Docker + **Alpine (standard):** ```bash docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }} ``` + **Astra Linux SE:** + ```bash + docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-astra + ``` + + **RED OS:** + ```bash + docker pull ghcr.io/${{ github.repository }}:${{ github.ref_name }}-redos + ``` + ## Changelog See [CHANGELOG.md](https://github.com/${{ github.repository }}/blob/main/CHANGELOG.md) diff --git a/Dockerfile.astra b/Dockerfile.astra new file mode 100644 index 0000000..0f69a33 --- /dev/null +++ b/Dockerfile.astra 
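Review bot: The new `type=raw,value=${{ matrix.name }}` entry in the metadata-action `tags` block is still subject to the global `flavor` suffix, so as I read the action's flavor rules the floating tags come out as `astra-astra` and `redos-redos` rather than `astra` and `redos`. Clear the suffix on that one entry, `type=raw,value=${{ matrix.name }},suffix=,enable=${{ matrix.suffix != '' }}`; `onlatest=true` then has no effect, because `latest` is only enabled for the unsuffixed leg. These variant tags are mutable, so consumers who need a fixed certified-OS build should be pointed at the versioned `-astra`/`-redos` tags, ideally together with the image digest the build step produces.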
@@ -0,0 +1,65 @@
+# syntax=docker/dockerfile:1.4
+
+# Build stage — static binary via musl (runs on any Linux)
+FROM rust:1.83-alpine AS builder
+
+RUN apk add --no-cache musl-dev curl
+
+WORKDIR /app
+
+# Copy manifests
+COPY Cargo.toml Cargo.lock ./
+COPY nora-registry/Cargo.toml nora-registry/
+COPY nora-storage/Cargo.toml nora-storage/
+COPY nora-cli/Cargo.toml nora-cli/
+
+# Create dummy sources for dependency caching
+RUN mkdir -p nora-registry/src nora-storage/src nora-cli/src && \
+ echo "fn main() {}" > nora-registry/src/main.rs && \
+ echo "fn main() {}" > nora-storage/src/main.rs && \
+ echo "fn main() {}" > nora-cli/src/main.rs
+
+# Build dependencies only (with cache)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+ --mount=type=cache,target=/usr/local/cargo/git \
+ --mount=type=cache,target=/app/target \
+ cargo build --release --package nora-registry && \
+ rm -rf nora-registry/src nora-storage/src nora-cli/src
+
+# Copy real sources
+COPY nora-registry/src nora-registry/src
+COPY nora-storage/src nora-storage/src
+COPY nora-cli/src nora-cli/src
+
+# Build release binary (with cache)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+ --mount=type=cache,target=/usr/local/cargo/git \
+ --mount=type=cache,target=/app/target \
+ touch nora-registry/src/main.rs && \
+ cargo build --release --package nora-registry && \
+ cp /app/target/release/nora /usr/local/bin/nora
+
+# Runtime stage — Astra Linux Special Edition (certified FSTEC OS)
+FROM astralinux/alse:latest
+
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends ca-certificates && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir -p /data
+
+COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora
+
+ENV RUST_LOG=info
+ENV NORA_HOST=0.0.0.0
+ENV NORA_PORT=4000
+ENV NORA_STORAGE_MODE=local
+ENV NORA_STORAGE_PATH=/data/storage
+ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
+
+EXPOSE 4000
+
+VOLUME ["/data"]
+
+ENTRYPOINT ["/usr/local/bin/nora"]
+CMD ["serve"]
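Review bot: The runtime stage starts from `astralinux/alse:latest` and never sets `USER`, so the published `-astra` image tracks a mutable base tag and runs `nora` as root while it listens on 0.0.0.0:4000 and keeps tokens under /data/tokens. Pin the base to a specific ALSE release and digest, create a dedicated account that owns /data, and switch to it before `ENTRYPOINT`, as sketched below; the tag, digest and UID are placeholders, and the sketch assumes the image ships the usual Debian `groupadd`/`useradd`. Dockerfile.redos has the same missing `USER`, and its `redos/redos:8` base is tagged but not digest-pinned. Existing /data volumes that were written as root would need a one-time ownership change.

```dockerfile
# … unchanged: builder stage …

# Runtime stage — pin the certified base by release tag and digest (placeholders)
FROM astralinux/alse:<pinned-release>@sha256:<digest>

# UID/GID 10001 is a constructed example; pick a stable value for your deployment
RUN apt-get update && \
    apt-get install -y --no-install-recommends ca-certificates && \
    rm -rf /var/lib/apt/lists/* && \
    groupadd --system --gid 10001 nora && \
    useradd --system --uid 10001 --gid nora --no-create-home nora && \
    install -d -o nora -g nora -m 0750 /data

COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora

# … unchanged: ENV, EXPOSE, VOLUME …

USER nora

# … unchanged: ENTRYPOINT, CMD …
```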
diff --git a/Dockerfile.redos b/Dockerfile.redos
new file mode 100644
index 0000000..b4e97b3
--- /dev/null
+++ b/Dockerfile.redos
@@ -0,0 +1,63 @@
+# syntax=docker/dockerfile:1.4
+
+# Build stage — static binary via musl (runs on any Linux)
+FROM rust:1.83-alpine AS builder
+
+RUN apk add --no-cache musl-dev curl
+
+WORKDIR /app
+
+# Copy manifests
+COPY Cargo.toml Cargo.lock ./
+COPY nora-registry/Cargo.toml nora-registry/
+COPY nora-storage/Cargo.toml nora-storage/
+COPY nora-cli/Cargo.toml nora-cli/
+
+# Create dummy sources for dependency caching
+RUN mkdir -p nora-registry/src nora-storage/src nora-cli/src && \
+ echo "fn main() {}" > nora-registry/src/main.rs && \
+ echo "fn main() {}" > nora-storage/src/main.rs && \
+ echo "fn main() {}" > nora-cli/src/main.rs
+
+# Build dependencies only (with cache)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+ --mount=type=cache,target=/usr/local/cargo/git \
+ --mount=type=cache,target=/app/target \
+ cargo build --release --package nora-registry && \
+ rm -rf nora-registry/src nora-storage/src nora-cli/src
+
+# Copy real sources
+COPY nora-registry/src nora-registry/src
+COPY nora-storage/src nora-storage/src
+COPY nora-cli/src nora-cli/src
+
+# Build release binary (with cache)
+RUN --mount=type=cache,target=/usr/local/cargo/registry \
+ --mount=type=cache,target=/usr/local/cargo/git \
+ --mount=type=cache,target=/app/target \
+ touch nora-registry/src/main.rs && \
+ cargo build --release --package nora-registry && \
+ cp /app/target/release/nora /usr/local/bin/nora
+
+# Runtime stage — RED OS (certified FSTEC OS)
+FROM redos/redos:8
+
+RUN dnf install -y ca-certificates && \
+ dnf clean all && \
+ mkdir -p /data
+
+COPY --from=builder /usr/local/bin/nora /usr/local/bin/nora
+
+ENV RUST_LOG=info
+ENV NORA_HOST=0.0.0.0
+ENV NORA_PORT=4000
+ENV NORA_STORAGE_MODE=local
+ENV NORA_STORAGE_PATH=/data/storage
+ENV NORA_AUTH_TOKEN_STORAGE=/data/tokens
+
+EXPOSE 4000
+
+VOLUME ["/data"]
+
+ENTRYPOINT ["/usr/local/bin/nora"]
+CMD ["serve"]
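Review bot: Both `cargo build --release --package nora-registry` calls in the builder stage omit `--locked`, so Cargo may re-resolve dependencies when Cargo.lock is out of step with the manifests instead of failing the build. Each matrix leg compiles its own binary from its own cache scope, so the Alpine, Astra and RED OS images of one release are then not guaranteed to carry the same dependency set. Use `cargo build --release --locked --package nora-registry` in both steps; the identical builder stage in Dockerfile.astra needs the same change. The `rust:1.83-alpine` builder base is likewise pinned by tag only, so a digest pin there would keep the toolchain identical across the three legs.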