svrnty/docker-dotnet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 5 Wiki Activity

Add README, DOCKERHUB overview, and prerelease -test tag support

Browse Source 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Mathias Beaulieu-Duncan 2026-02-03 15:23:21 -05:00
parent 0b301121ad
commit a6c460c127
3 changed files with 303 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
.gitea/workflows/build.yaml
View File

@ -2,7 +2,7 @@ name: Build and Push .NET Images
on: on:
release: release:
types: [published] types: [published, prereleased]
workflow_dispatch: workflow_dispatch:
schedule: schedule:
# Weekly rebuild for CVE patches (Sunday 6am UTC) # Weekly rebuild for CVE patches (Sunday 6am UTC)
@ -24,7 +24,18 @@ jobs:
matrix: ${{ steps.discover.outputs.matrix }} matrix: ${{ steps.discover.outputs.matrix }}
lts_major: ${{ steps.discover.outputs.lts_major }} lts_major: ${{ steps.discover.outputs.lts_major }}
sts_major: ${{ steps.discover.outputs.sts_major }} sts_major: ${{ steps.discover.outputs.sts_major }}
tag_suffix: ${{ steps.suffix.outputs.tag_suffix }}
steps: steps:
- name: Determine tag suffix
id: suffix
run: |
if [[ "${{ github.event.release.prerelease }}" == "true" ]]; then
echo "tag_suffix=-test" >> $GITHUB_OUTPUT
echo "Prerelease detected — tags will use -test suffix"
else
echo "tag_suffix=" >> $GITHUB_OUTPUT
fi
- name: Discover supported .NET versions - name: Discover supported .NET versions
id: discover id: discover
run: | run: |
@ -64,6 +75,7 @@ jobs:
env: env:
LTS_MAJOR: ${{ needs.discover.outputs.lts_major }} LTS_MAJOR: ${{ needs.discover.outputs.lts_major }}
STS_MAJOR: ${{ needs.discover.outputs.sts_major }} STS_MAJOR: ${{ needs.discover.outputs.sts_major }}
TAG_SUFFIX: ${{ needs.discover.outputs.tag_suffix }}
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
@ -152,12 +164,12 @@ jobs:
cp dockerfiles/runtime.Dockerfile context-runtime/Dockerfile cp dockerfiles/runtime.Dockerfile context-runtime/Dockerfile
# Determine tags # Determine tags
TAGS="-t $DOCKER_IMAGE:${VARIANT}-${MAJOR} -t $DOCKER_IMAGE:${VARIANT}-${VERSION}" TAGS="-t $DOCKER_IMAGE:${VARIANT}-${MAJOR}${TAG_SUFFIX} -t $DOCKER_IMAGE:${VARIANT}-${VERSION}${TAG_SUFFIX}"
if [ "$MAJOR" = "$LTS_MAJOR" ]; then if [ "$MAJOR" = "$LTS_MAJOR" ]; then
TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-lts" TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-lts${TAG_SUFFIX}"
fi fi
if [ "$MAJOR" = "$STS_MAJOR" ]; then if [ "$MAJOR" = "$STS_MAJOR" ]; then
TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-sts" TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-sts${TAG_SUFFIX}"
fi fi
echo "Building $VARIANT with tags: $TAGS" echo "Building $VARIANT with tags: $TAGS"
@ -184,12 +196,12 @@ jobs:
done done
cp dockerfiles/runtime-invariant.Dockerfile context-runtime-invariant/Dockerfile cp dockerfiles/runtime-invariant.Dockerfile context-runtime-invariant/Dockerfile
TAGS="-t $DOCKER_IMAGE:${VARIANT}-${MAJOR} -t $DOCKER_IMAGE:${VARIANT}-${VERSION}" TAGS="-t $DOCKER_IMAGE:${VARIANT}-${MAJOR}${TAG_SUFFIX} -t $DOCKER_IMAGE:${VARIANT}-${VERSION}${TAG_SUFFIX}"
if [ "$MAJOR" = "$LTS_MAJOR" ]; then if [ "$MAJOR" = "$LTS_MAJOR" ]; then
TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-lts" TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-lts${TAG_SUFFIX}"
fi fi
if [ "$MAJOR" = "$STS_MAJOR" ]; then if [ "$MAJOR" = "$STS_MAJOR" ]; then
TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-sts" TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-sts${TAG_SUFFIX}"
fi fi
echo "Building $VARIANT with tags: $TAGS" echo "Building $VARIANT with tags: $TAGS"
@ -216,12 +228,12 @@ jobs:
done done
cp dockerfiles/sdk.Dockerfile context-sdk/Dockerfile cp dockerfiles/sdk.Dockerfile context-sdk/Dockerfile
TAGS="-t $DOCKER_IMAGE:${VARIANT}-${MAJOR} -t $DOCKER_IMAGE:${VARIANT}-${VERSION}" TAGS="-t $DOCKER_IMAGE:${VARIANT}-${MAJOR}${TAG_SUFFIX} -t $DOCKER_IMAGE:${VARIANT}-${VERSION}${TAG_SUFFIX}"
if [ "$MAJOR" = "$LTS_MAJOR" ]; then if [ "$MAJOR" = "$LTS_MAJOR" ]; then
TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-lts" TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-lts${TAG_SUFFIX}"
fi fi
if [ "$MAJOR" = "$STS_MAJOR" ]; then if [ "$MAJOR" = "$STS_MAJOR" ]; then
TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-sts" TAGS="$TAGS -t $DOCKER_IMAGE:${VARIANT}-sts${TAG_SUFFIX}"
fi fi
echo "Building $VARIANT with tags: $TAGS" echo "Building $VARIANT with tags: $TAGS"
@ -240,6 +252,6 @@ jobs:
MAJOR="${{ matrix.major }}" MAJOR="${{ matrix.major }}"
for VARIANT in runtime runtime-invariant sdk; do for VARIANT in runtime runtime-invariant sdk; do
echo "::group::Scout scan: ${VARIANT}-${MAJOR}" echo "::group::Scout scan: ${VARIANT}-${MAJOR}"
docker scout cves ${{ env.DOCKER_IMAGE }}:${VARIANT}-${MAJOR} --only-severity critical,high || true docker scout cves ${{ env.DOCKER_IMAGE }}:${VARIANT}-${MAJOR}${TAG_SUFFIX} --only-severity critical,high || true
echo "::endgroup::" echo "::endgroup::"
done done

119
DOCKERHUB.md Normal file
View File

@ -0,0 +1,119 @@
# .NET Docker Images
<a href="https://git.openharbor.io/svrnty/docker-dotnet" target="_blank"><img src="https://img.shields.io/badge/Git-Repository-orange?logo=gitea" alt="Git Repository"></a>
<a href="https://wolfi.dev" target="_blank"><img src="https://img.shields.io/badge/Base-Wolfi-purple?logo=linux" alt="Wolfi"></a>
Minimal .NET Docker images for production and CI/CD. Built on [Wolfi](https://wolfi.dev), a security-focused Linux distribution designed for containers. All supported (non-EOL) .NET versions are rebuilt automatically.
## Variants
- `runtime` - ASP.NET Core runtime with ICU/globalization support
- `runtime-invariant` - ASP.NET Core runtime without ICU (smallest, invariant mode)
- `sdk` - .NET SDK with bash, git, curl for building apps
All variants support `linux/amd64` and `linux/arm64`.
## Why Wolfi?
[Wolfi](https://wolfi.dev) is a lightweight Linux distribution built specifically for containers. It provides:
- **Minimal footprint** - Only essential packages, nothing extra
- **Daily security updates** - Patches applied quickly
- **Designed for containers** - No legacy cruft from traditional distros
## Features
- **Lightweight** - Optimized for fast CI/CD pulls
- **Secure** - Built on Wolfi with continuous vulnerability scanning
- **Multi-arch** - Supports both `linux/amd64` and `linux/arm64`
- **Non-root** - Runtime images run as unprivileged user (UID 65532)
- **Supply chain security** - SBOM and SLSA provenance attestations included
- **EOL-aware** - Versions are automatically dropped when they reach end-of-life
## Dockerfile Examples
### Web API
```dockerfile
ARG BUILDPLATFORM
FROM --platform=$BUILDPLATFORM svrnty/dotnet:sdk-10 AS build
WORKDIR /source
COPY . .
WORKDIR /source/MyApp.Api
ARG TARGETARCH
RUN case "$TARGETARCH" in \
amd64) ARCH=x64 ;; \
arm64) ARCH=arm64 ;; \
*) ARCH=$TARGETARCH ;; \
esac && \
dotnet publish -a $ARCH --self-contained false -o /app
FROM svrnty/dotnet:runtime-invariant-10 AS final
WORKDIR /app
COPY --from=build /app .
USER 65532
EXPOSE 8080
ENTRYPOINT ["/usr/share/dotnet/dotnet", "MyApp.Api.dll"]
```
### Worker service
```dockerfile
ARG BUILDPLATFORM
FROM --platform=$BUILDPLATFORM svrnty/dotnet:sdk-lts AS build
WORKDIR /source
COPY . .
ARG TARGETARCH
RUN case "$TARGETARCH" in \
amd64) ARCH=x64 ;; \
arm64) ARCH=arm64 ;; \
*) ARCH=$TARGETARCH ;; \
esac && \
dotnet publish MyWorker -a $ARCH --self-contained false -o /app
FROM svrnty/dotnet:runtime-invariant-lts AS final
WORKDIR /app
COPY --from=build /app .
USER 65532
ENTRYPOINT ["/usr/share/dotnet/dotnet", "MyWorker.dll"]
```
## CI/CD (Gitea/GitHub Actions)
```yaml
jobs:
build:
runs-on: ubuntu-latest
container:
image: svrnty/dotnet:sdk-lts
steps:
- uses: actions/checkout@v4
- run: dotnet restore
- run: dotnet test --no-restore
- run: dotnet publish -c Release -o /app
```
## Tags
- `<variant>-<major>` - Latest patch for a major version (e.g., `runtime-10`)
- `<variant>-<version>` - Exact version pin (e.g., `runtime-10.0.2`, `sdk-10.0.102`)
- `<variant>-lts` - Floating tag for the highest active LTS
- `<variant>-sts` - Floating tag for the highest active STS
## Automatic Updates
Images are automatically rebuilt when:
- New .NET patch versions are released (daily check)
- Base image security updates are available (weekly rebuild)
- A .NET version reaches EOL, it is automatically excluded
Every build is scanned and includes supply chain attestations (SBOM, SLSA provenance).
## License
MIT

161
README.md Normal file
View File

@ -0,0 +1,161 @@
# .NET Docker Images
<a href="https://git.openharbor.io/svrnty/docker-dotnet" target="_blank"><img src="https://img.shields.io/badge/Git-Repository-orange?logo=gitea" alt="Git Repository"></a>
<a href="https://hub.docker.com/r/svrnty/dotnet" target="_blank"><img src="https://img.shields.io/badge/Docker%20Hub-svrnty%2Fdotnet-blue?logo=docker" alt="Docker Hub"></a>
<a href="https://hub.docker.com/r/svrnty/dotnet" target="_blank"><img src="https://img.shields.io/docker/pulls/svrnty/dotnet?logo=docker" alt="Docker Pulls"></a>
<a href="https://dotnet.microsoft.com" target="_blank"><img src="https://img.shields.io/badge/.NET-10%20|%209%20|%208-512BD4?logo=dotnet" alt=".NET"></a>
<a href="https://wolfi.dev" target="_blank"><img src="https://img.shields.io/badge/Base-Wolfi-purple?logo=linux" alt="Wolfi"></a>
Minimal .NET Docker images for production and CI/CD. Built on [Wolfi](https://wolfi.dev), a security-focused Linux distribution designed for containers. All supported (non-EOL) .NET versions are rebuilt automatically.
## Images
| Variant | Use Case | .NET 10 (LTS) | .NET 9 (STS) | .NET 8 | Arch |
|---------|----------|----------------|---------------|--------|------|
| <a href="https://hub.docker.com/r/svrnty/dotnet/tags?name=runtime-" target="_blank"><img src="https://img.shields.io/badge/dotnet-runtime-blue?logo=docker" alt="runtime"></a> | Production web apps | `runtime-10` `runtime-lts` | `runtime-9` `runtime-sts` | `runtime-8` | <img src="https://img.shields.io/badge/amd64-E65100" alt="amd64"> <img src="https://img.shields.io/badge/arm64-2e7d32" alt="arm64"> |
| <a href="https://hub.docker.com/r/svrnty/dotnet/tags?name=runtime-invariant-" target="_blank"><img src="https://img.shields.io/badge/dotnet-runtime--invariant-blue?logo=docker" alt="runtime-invariant"></a> | Minimal production (UTC-only) | `runtime-invariant-10` `runtime-invariant-lts` | `runtime-invariant-9` `runtime-invariant-sts` | `runtime-invariant-8` | <img src="https://img.shields.io/badge/amd64-E65100" alt="amd64"> <img src="https://img.shields.io/badge/arm64-2e7d32" alt="arm64"> |
| <a href="https://hub.docker.com/r/svrnty/dotnet/tags?name=sdk-" target="_blank"><img src="https://img.shields.io/badge/dotnet-sdk-blue?logo=docker" alt="sdk"></a> | Building .NET apps | `sdk-10` `sdk-lts` | `sdk-9` `sdk-sts` | `sdk-8` | <img src="https://img.shields.io/badge/amd64-E65100" alt="amd64"> <img src="https://img.shields.io/badge/arm64-2e7d32" alt="arm64"> |
## Variants
| Variant | Includes | Shell | ICU/Globalization | User |
|---------|----------|-------|-------------------|------|
| **runtime** | ASP.NET Core runtime | No | Yes | 65532 (nonroot) |
| **runtime-invariant** | ASP.NET Core runtime | No | No (invariant mode) | 65532 (nonroot) |
| **sdk** | .NET SDK + bash, git, curl | Yes (bash) | Yes | root |
- **runtime** - Full globalization support (ICU + tzdata). Use this for apps that need locale-aware formatting, time zones, or culture-specific behavior.
- **runtime-invariant** - No ICU or tzdata. Smallest image size. Use this for APIs that only need UTC and ordinal string comparison.
- **sdk** - Everything needed to build .NET apps. Runs as root so `dotnet restore` can write to global caches.
## Why Wolfi?
[Wolfi](https://wolfi.dev) is a lightweight Linux distribution built specifically for containers. It provides:
- **Minimal footprint** - Only essential packages, nothing extra
- **Daily security updates** - Patches applied quickly
- **Designed for containers** - No legacy cruft from traditional distros
## Features
- **Lightweight** - Optimized for fast CI/CD pulls
- **Secure** - Built on Wolfi with continuous vulnerability scanning
- **Multi-arch** - Supports both `linux/amd64` and `linux/arm64`
- **Non-root** - Runtime images run as unprivileged user (UID 65532)
- **Supply chain security** - SBOM and SLSA provenance attestations included
- **EOL-aware** - Versions are automatically dropped when they reach end-of-life
## Dockerfile Examples
### Web API (recommended)
```dockerfile
ARG BUILDPLATFORM
FROM --platform=$BUILDPLATFORM svrnty/dotnet:sdk-10 AS build
WORKDIR /source
COPY . .
WORKDIR /source/MyApp.Api
ARG TARGETARCH
RUN case "$TARGETARCH" in \
amd64) ARCH=x64 ;; \
arm64) ARCH=arm64 ;; \
*) ARCH=$TARGETARCH ;; \
esac && \
dotnet publish -a $ARCH --self-contained false -o /app
FROM svrnty/dotnet:runtime-invariant-10 AS final
WORKDIR /app
COPY --from=build /app .
USER 65532
EXPOSE 8080
ENTRYPOINT ["/usr/share/dotnet/dotnet", "MyApp.Api.dll"]
```
### Web API with globalization (ICU)
```dockerfile
ARG BUILDPLATFORM
FROM --platform=$BUILDPLATFORM svrnty/dotnet:sdk-lts AS build
WORKDIR /source
COPY . .
ARG TARGETARCH
RUN case "$TARGETARCH" in \
amd64) ARCH=x64 ;; \
arm64) ARCH=arm64 ;; \
*) ARCH=$TARGETARCH ;; \
esac && \
dotnet publish MyApp.sln -a $ARCH --self-contained false -o /app
FROM svrnty/dotnet:runtime-lts AS final
WORKDIR /app
COPY --from=build /app .
USER 65532
EXPOSE 8080
ENTRYPOINT ["/usr/share/dotnet/dotnet", "MyApp.dll"]
```
### Worker service
```dockerfile
ARG BUILDPLATFORM
FROM --platform=$BUILDPLATFORM svrnty/dotnet:sdk-10 AS build
WORKDIR /source
COPY . .
ARG TARGETARCH
RUN case "$TARGETARCH" in \
amd64) ARCH=x64 ;; \
arm64) ARCH=arm64 ;; \
*) ARCH=$TARGETARCH ;; \
esac && \
dotnet publish MyWorker -a $ARCH --self-contained false -o /app
FROM svrnty/dotnet:runtime-invariant-10 AS final
WORKDIR /app
COPY --from=build /app .
USER 65532
ENTRYPOINT ["/usr/share/dotnet/dotnet", "MyWorker.dll"]
```
## CI/CD (Gitea/GitHub Actions)
```yaml
jobs:
build:
runs-on: ubuntu-latest
container:
image: svrnty/dotnet:sdk-lts
steps:
- uses: actions/checkout@v4
- run: dotnet restore
- run: dotnet test --no-restore
- run: dotnet publish -c Release -o /app
```
## Tags
Each variant is tagged with:
- `<variant>-<major>` - Latest patch for a major version (e.g., `runtime-10`)
- `<variant>-<version>` - Exact version pin (e.g., `runtime-10.0.2`, `sdk-10.0.102`)
- `<variant>-lts` - Floating tag pointing to the highest active LTS (currently .NET 10)
- `<variant>-sts` - Floating tag pointing to the highest active STS (currently .NET 9)
## Automatic Updates
Images are automatically rebuilt when:
- New .NET patch versions are released (daily check)
- Base image security updates are available (weekly rebuild)
- A .NET version reaches EOL, it is automatically excluded
Every build is scanned with Docker Scout and includes supply chain attestations (SBOM, SLSA provenance).
## License
MIT