Refactor: migrate container build to multi-stage Dockerfile with secret mounts

appe233 · appe233 · commit 8ed8dedbd3ea · 2025-09-06T17:06:29.000+08:00
diff --git a/.github/workflows/container-publish.yml b/.github/workflows/container-publish.yml
@@ -30,26 +30,6 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Start Wolfram Engine Container
-        run: |
-          docker run -d --name wolfram \
-            -v $GITHUB_WORKSPACE:/workspace \
-            -w /workspace \
-            wolframresearch/wolframengine:14.2 tail -f /dev/null
-
-      - name: Fix permissions for /workspace directory at host level
-        run: |
-          sudo chmod -R 777 $GITHUB_WORKSPACE
-
-      - name: Install ffmpeg inside Wolfram container
-        run: |
-          docker exec --user root wolfram bash -c "apt-get update && apt-get install -y ffmpeg"
-
-      - name: Fetch all dependencies inside Wolfram container
-        run: |
-          docker exec -e WOLFRAMSCRIPT_ENTITLEMENTID=${{ secrets.WOLFRAM_LICENSE_ENTITLEMENT_ID }} wolfram \
-          wolframscript -script ./Scripts/update.wls
-
       - name: Extract Docker metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -62,6 +42,8 @@ jobs:
         with:
           context: .
           file: "./container/Containerfile"
+          secrets: |
+            "wolfram_license=${{ secrets.WOLFRAM_LICENSE_ENTITLEMENT_ID }}"
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           push: true
diff --git a/container/Containerfile b/container/Containerfile
@@ -1,28 +1,43 @@
-FROM docker.io/wolframresearch/wolframengine
+# syntax=docker/dockerfile:1
+FROM docker.io/wolframresearch/wolframengine AS deps
+
+RUN apt-get update && apt-get install -y ffmpeg
+
+COPY Scripts/update.wls /workspace/Scripts/update.wls
+COPY Common/ /workspace/Common/
+
+WORKDIR /workspace
+
+RUN --mount=type=secret,id=wolfram_license,env=WOLFRAMSCRIPT_ENTITLEMENTID,required=true wolframscript -script Scripts/update.wls
+
+
+FROM wolframresearch/wolframengine:14.2 AS final
 
 USER root
 
 RUN useradd -m wljs
 
 ENV DEBIAN_FRONTEND=noninteractive
 
+COPY --from=deps /workspace/wl_packages /wljs/wl_packages  
+COPY --from=deps /workspace/wljs_packages /wljs/wljs_packages
+
+COPY ./ /wljs/
+COPY container/run.sh /usr/local/bin/run.sh
+
+COPY container/wljs-routes /etc/nginx/sites-available/default
+COPY container/proxy-snippet.conf /etc/nginx/snippets/proxy.conf
+
 RUN apt-get update && apt-get install -y \
     git \
     nginx \
     expect \
     curl \
+    ffmpeg \
  && curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
  && apt-get install -y nodejs \
  && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-COPY container/wljs-routes /etc/nginx/sites-available/default
-COPY container/proxy-snippet.conf /etc/nginx/snippets/proxy.conf
-
-RUN mkdir -p /wljs
-COPY ./ /wljs/
-
-COPY container/run.sh /run.sh
-RUN chmod +x /run.sh
+ && rm -rf /var/lib/apt/lists/* \
+ && chmod +x /usr/local/bin/run.sh
 
-CMD /run.sh
+CMD ["/usr/local/bin/run.sh"]
