Publish multi-arch Docker image to GHCR on release

Adds:

* Dockerfile — single-stage, FROM distroless/static-debian12:nonroot,
  COPYs the prebuilt musl binary at /qn. No in-image compilation; the
  SLSA-attested binary that ships in the GitHub release IS what ships
  in the image. Distroless gives us a CA bundle (for any future
  HTTPS-calling qn feature) without a shell or package manager.

* publish-docker.yml — reusable workflow invoked by cargo-dist as a
  user_publish_job. Downloads both musl tarballs from the GitHub
  release, stages per-arch build contexts, pushes single-arch images,
  then stitches them into a multi-arch manifest at the version tag.
  Promotes to :latest only for non-prerelease releases.

* dist-workspace.toml — wires ./publish-docker into publish-jobs.

The image is published private — the package's visibility needs to be
flipped to private once after the first push (GHCR defaults to inherit-
from-repo, which is public for a public repo). Pulls then require
`docker login ghcr.io` with a PAT scoped to read:packages.

End-to-end-tested the Dockerfile locally with a static musl-style
binary: builds clean, runs under the nonroot user, exits 0.

Author: johnpmitsch

.github/workflows/publish-docker.yml

@@ -0,0 +1,115 @@
+name: Publish Docker image to GHCR
+
+# Reusable workflow invoked by cargo-dist's release pipeline as a
+# user_publish_job (see dist-workspace.toml `publish-jobs`).
+#
+# Builds a multi-arch (linux/amd64 + linux/arm64) image from the
+# pre-built musl binaries attached to the GitHub release, pushes
+# per-arch tags to GHCR, and stitches them into a multi-arch manifest
+# at the canonical tag. The image is published private — see Phase 2
+# of the packaging plan for the visibility flip.
+on:
+  workflow_call:
+    inputs:
+      plan:
+        description: dist-manifest JSON for this announcement
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: quicknode/qn
+
+jobs:
+  publish:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Extract release tag from plan
+        id: meta
+        env:
+          PLAN: ${{ inputs.plan }}
+        run: |
+          tag=$(echo "$PLAN" | jq -r '.announcement_tag')
+          version=$(echo "$PLAN" | jq -r '.releases[0].app_version')
+          is_prerelease=$(echo "$PLAN" | jq -r '.announcement_is_prerelease')
+          echo "tag=$tag" >> "$GITHUB_OUTPUT"
+          echo "version=$version" >> "$GITHUB_OUTPUT"
+          echo "is_prerelease=$is_prerelease" >> "$GITHUB_OUTPUT"
+
+      - name: Download musl artifacts from the GitHub release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p artifacts
+          gh release download "${{ steps.meta.outputs.tag }}" \
+            --pattern '*linux-musl*.tar.xz' \
+            --dir artifacts/
+
+      - name: Stage per-arch binaries
+        run: |
+          mkdir -p build/amd64 build/arm64
+          tar -xf artifacts/quicknode-cli-x86_64-unknown-linux-musl.tar.xz \
+            --strip-components=1 -C build/amd64 \
+            --wildcards '*/qn'
+          tar -xf artifacts/quicknode-cli-aarch64-unknown-linux-musl.tar.xz \
+            --strip-components=1 -C build/arm64 \
+            --wildcards '*/qn'
+          chmod +x build/amd64/qn build/arm64/qn
+          file build/amd64/qn build/arm64/qn
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push linux/amd64
+        id: amd64
+        uses: docker/build-push-action@v6
+        with:
+          context: build/amd64
+          file: Dockerfile
+          platforms: linux/amd64
+          push: true
+          provenance: true
+          sbom: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}-amd64
+
+      - name: Build and push linux/arm64
+        id: arm64
+        uses: docker/build-push-action@v6
+        with:
+          context: build/arm64
+          file: Dockerfile
+          platforms: linux/arm64
+          push: true
+          provenance: true
+          sbom: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}-arm64
+
+      - name: Create and push multi-arch manifest for v${{ steps.meta.outputs.version }}
+        run: |
+          docker buildx imagetools create \
+            -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }} \
+            -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:v${{ steps.meta.outputs.version }} \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}-amd64 \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}-arm64
+
+      - name: Promote to :latest (skip for prereleases)
+        if: ${{ steps.meta.outputs.is_prerelease == 'false' }}
+        run: |
+          docker buildx imagetools create \
+            -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest \
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}

.github/workflows/release.yml

@@ -346,16 +346,31 @@ jobs:
       "id-token": "write"
       "packages": "write"
 
+  custom-publish-docker:
+    needs:
+      - plan
+      - host
+    if: ${{ !fromJson(needs.plan.outputs.val).announcement_is_prerelease || fromJson(needs.plan.outputs.val).publish_prereleases }}
+    uses: ./.github/workflows/publish-docker.yml
+    with:
+      plan: ${{ needs.plan.outputs.val }}
+    secrets: inherit
+    # publish jobs get escalated permissions
+    permissions:
+      "id-token": "write"
+      "packages": "write"
+
   announce:
     needs:
       - plan
       - host
       - publish-homebrew-formula
       - custom-publish-crates
+      - custom-publish-docker
     # use "always() && ..." to allow us to wait for all publish jobs while
     # still allowing individual publish jobs to skip themselves (for prereleases).
     # "host" however must run to completion, no skipping allowed!
-    if: ${{ always() && needs.host.result == 'success' && (needs.publish-homebrew-formula.result == 'skipped' || needs.publish-homebrew-formula.result == 'success') && (needs.custom-publish-crates.result == 'skipped' || needs.custom-publish-crates.result == 'success') }}
+    if: ${{ always() && needs.host.result == 'success' && (needs.publish-homebrew-formula.result == 'skipped' || needs.publish-homebrew-formula.result == 'success') && (needs.custom-publish-crates.result == 'skipped' || needs.custom-publish-crates.result == 'success') && (needs.custom-publish-docker.result == 'skipped' || needs.custom-publish-docker.result == 'success') }}
     runs-on: "ubuntu-22.04"
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -0,0 +1,17 @@
+# syntax=docker/dockerfile:1.7
+
+# We do NOT compile here. The publish-docker workflow pulls the
+# cross-compiled musl binary from the GitHub release artifacts and
+# stages it at ./qn before invoking `docker buildx build`. That keeps
+# the multi-arch image build a no-op COPY rather than a cargo rebuild
+# (the SLSA-attested binary in the release IS what ships in the image).
+ARG TARGETARCH
+
+FROM gcr.io/distroless/static-debian12:nonroot
+LABEL org.opencontainers.image.source="https://github.com/quicknode/cli"
+LABEL org.opencontainers.image.description="qn — Quicknode CLI"
+LABEL org.opencontainers.image.licenses="MIT"
+
+COPY --chown=nonroot:nonroot qn /qn
+USER nonroot
+ENTRYPOINT ["/qn"]

dist-workspace.toml

@@ -22,6 +22,6 @@ tap = "quicknode/homebrew-tap"
 # Override the Homebrew formula name so `brew install quicknode/tap/qn` works
 # (default would derive it from the package name `quicknode-cli`).
 formula = "qn"
-publish-jobs = ["homebrew", "./publish-crates"]
+publish-jobs = ["homebrew", "./publish-crates", "./publish-docker"]
 # Emit SLSA build attestations for every binary archive. Critical for a credential-handling tool.
 github-attestations = true