Zondax · ziscky · Apr 1, 2026 · Apr 1, 2026
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,12 @@
+.git/
+.github/
+.earthlyignore
+Earthfile
+earthly-golem/
+node_modules/
+output/
+coverage/
+*.log
+.env
+.env.*
+docker-bake.hcl
diff --git a/.github/workflows/publish-docker-bake.yml b/.github/workflows/publish-docker-bake.yml
@@ -0,0 +1,29 @@
+name: Publish
+on:
+  push:
+    branches:
+      - main
+      - master
+      - dev
+  pull_request:
+    branches: ['*']
+  release:
+    types:
+      - created
+    tags:
+      - 'v[0-9]+'
+      - 'v[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+  build:
+    uses: zondax/_workflows/.github/workflows/_publish-docker-bake.yaml@main
+    with:
+      registry: dockerhub
+      enable_remote_builder: true
+      enable_signing: true
+      enable_provenance: true
+    secrets:
+      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+      REMOTE_BUILD_KIT: tcp://buildkit.int-dev.zondax.io:8372
@@ -15,6 +15,10 @@
      - 'v[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+'
+permissions:
+  contents: read
+  packages: write
+
 jobs:
  build:
    uses: zondax/_workflows/.github/workflows/_publish-docker-bake.yaml@main
@@ -15,6 +15,10 @@
      - 'v[0-9]+.[0-9]+'
      - 'v[0-9]+.[0-9]+.[0-9]+'

+permissions:
+  contents: read
+  packages: write
+
 jobs:
  build:
    uses: zondax/_workflows/.github/workflows/_publish-docker-bake.yaml@main
diff --git a/Makefile b/Makefile
@@ -63,6 +63,16 @@ test:
 earthly:
 	earthly +all
 
+## Docker Bake:
+docker-bake: ## Build production image locally
+	./scripts/docker-bake.sh
+
+docker-bake-push: ## Build and push with all flex tags
+	./scripts/docker-bake.sh --push
+
+docker-bake-debug: ## Build with verbose output
+	BUILDX_NO_DEFAULT_ATTESTATIONS=1 ./scripts/docker-bake.sh --progress=plain
+
 docker-bash:
 	docker run --platform linux/amd64 -it zondax/${APP_NAME}:latest /bin/sh
 

diff --git a/build/Dockerfile b/build/Dockerfile
@@ -0,0 +1,26 @@
+# syntax=docker/dockerfile:1
+FROM golang:1.24.1-alpine AS builder
+
+RUN apk update && apk --no-cache --update add build-base bash git make
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN make build
+
+FROM alpine:3.17 AS production
+
+RUN apk update && apk --no-cache --update add ca-certificates
+
+RUN addgroup --system --gid 1001 zondax
+RUN adduser --system --uid 1001 zondax
+USER zondax
+
+COPY --chown=zondax:zondax --from=builder /app/output /zondax/bin
+
+EXPOSE 9090
+
+CMD ["/zondax/bin/golem", "start", "-c", "/zondax/config/golem.yaml"]
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -0,0 +1,52 @@
+variable "BASE_NAME" {
+  default = "golem"
+}
+
+variable "REGISTRY" {
+  default = "zondax"
+}
+
+variable "GIT_SHORT_HASH" {
+  default = ""
+}
+
+variable "GIT_BRANCH" {
+  default = ""
+}
+
+variable "GIT_TAG" {
+  default = ""
+}
+
+variable "GIT_COMMIT_TIMESTAMP" {
+  default = ""
+}
+
+function "flex_tags" {
+  params = [name]
+  result = compact([
+    "${REGISTRY}/${name}:latest",
+    notequal(GIT_SHORT_HASH, "") ? "${REGISTRY}/${name}:${GIT_SHORT_HASH}" : "",
+    notequal(GIT_BRANCH, "") ? "${REGISTRY}/${name}:${GIT_BRANCH}" : "",
+    notequal(GIT_COMMIT_TIMESTAMP, "") ? "${REGISTRY}/${name}:T${GIT_COMMIT_TIMESTAMP}" : "",
+    notequal(GIT_TAG, "") ? "${REGISTRY}/${name}:${GIT_TAG}" : "",
+  ])
+}
+
+group "default" {
+  targets = ["production"]
+}
+
+target "builder" {
+  context    = "."
+  dockerfile = "build/Dockerfile"
+  target     = "builder"
+  tags       = ["${REGISTRY}/${BASE_NAME}:builder"]
+}
+
+target "production" {
+  context    = "."
+  dockerfile = "build/Dockerfile"
+  tags       = flex_tags(BASE_NAME)
+  platforms  = ["linux/amd64"]
+}
diff --git a/scripts/docker-bake.sh b/scripts/docker-bake.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+detect_git_metadata() {
+  if [ -z "${GIT_SHORT_HASH:-}" ]; then
+    export GIT_SHORT_HASH=$(git rev-parse --short HEAD 2>/dev/null || echo "")
+  fi
+
+  if [ -z "${GIT_BRANCH:-}" ]; then
+    export GIT_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-' || echo "")
+  fi
+
+  if [ -z "${GIT_TAG:-}" ]; then
+    export GIT_TAG=$(git describe --tags --exact-match HEAD 2>/dev/null || echo "")
+  fi
+
+  if [ -z "${GIT_COMMIT_TIMESTAMP:-}" ]; then
+    local unix_ts
+    unix_ts=$(git log -1 --format=%ct 2>/dev/null || echo "")
+    if [ -n "$unix_ts" ]; then
+      if date --version >/dev/null 2>&1; then
+        export GIT_COMMIT_TIMESTAMP=$(date -d "@${unix_ts}" +"%Y%m%d%H%M%S")
+      else
+        export GIT_COMMIT_TIMESTAMP=$(date -r "${unix_ts}" +"%Y%m%d%H%M%S")
+      fi
+    fi
+  fi
+}
+
+print_config() {
+  echo "Git metadata detected:"
+  echo "  GIT_SHORT_HASH:       ${GIT_SHORT_HASH:-<not set>}"
+  echo "  GIT_BRANCH:           ${GIT_BRANCH:-<not set>}"
+  echo "  GIT_TAG:              ${GIT_TAG:-<not set>}"
+  echo "  GIT_COMMIT_TIMESTAMP: ${GIT_COMMIT_TIMESTAMP:-<not set>}"
+}
+
+main() {
+  local push_flag=""
+  local extra_args=()
+
+  for arg in "$@"; do
+    case "$arg" in
+      --push)  push_flag="--push" ;;
+      --print) detect_git_metadata; print_config; exit 0 ;;
+      *)       extra_args+=("$arg") ;;
+    esac
+  done
+
+  detect_git_metadata
+  print_config
+
+  export DOCKER_BUILDKIT=1
+  export BUILDX_NO_DEFAULT_ATTESTATIONS=1
+
+  docker buildx bake $push_flag "${extra_args[@]+"${extra_args[@]}"}"
+}
+
+main "$@"