Minor Docker enhancements (#1660)

* Add a readiness check to the Docker container

* missing path change for centrifuge binary

* push docker to GH registry on PRs to test image

* more standard paths for the binaries

* log into ghcr

* Add standardized OCI labels

* push to both registries

* fix registry permissions

* comply with RFC3339 standard date format

* Minor Docker enhancements

# Description

This PR:
- Sets some additional RFC standard LABELS to our Docker container
- Upload the container to both GitHub and DockerHub registries (PRs do not upload to DH)
- Minor Dockerfile efficiencies.

It's a follow up from #1656

* cleanup from old PR

* Update build-docker.yml with kf info

.github/workflows/build-docker.yml

@@ -11,7 +11,9 @@ on:
   pull_request:
     paths:
       - ".github/workflows/build-docker.yml"
-      - "docker/centrifuge-chain/Dockerfile"
+      - "docker/centrifuge-chain"
+      - "docker/scripts"
+      - ".dockerignore"
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}${{ github.event_name }}
   cancel-in-progress: true
@@ -22,32 +24,50 @@ jobs:
         target: [ release, test ]
     runs-on: ubuntu-latest-8-cores
     permissions:
-      contents: write    
+      contents: write # to update the GH release w/ Docker tags
+      packages: write # to upload images to ghcr
+      id-token: write
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac #v4
         with:
           fetch-depth: 0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 #v3
-      - name: DockerHub Login
-        uses: docker/login-action@v3
+
+      - name: DockerHub Registry Login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_TOKEN }}
 
-      - run: echo "NOW=$(date -u +%y-%m-%d)" >> $GITHUB_ENV
+      - name: Github Registry login
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: echo "NOW=$(date -u +%Y-%m-%d)" >> $GITHUB_ENV
 
       - name: Setup docker metadata
         id: meta
         uses: docker/metadata-action@9dc751fe249ad99385a2583ee0d084c400eee04e #v5
         with:
-          images: centrifugeio/centrifuge-chain
+          images: |
+            ghcr.io/centrifuge/centrifuge-chain
+            ${{ github.event_name != 'pull_request' && 'centrifugeio/centrifuge-chain' || ''}}
           tags: |
             type=semver,pattern={{raw}},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
             type=raw,value=latest,enable=${{ github.event_name == 'release' }}
             type=ref,event=tag,suffix=-{{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}
             type=ref,event=pr,suffix=-{{sha}}-${{ env.NOW }},prefix=${{ matrix.target == 'test' && 'test-' || '' }}PR
             type=ref,event=branch,prefix=${{ matrix.target == 'test' && 'test-' || '' }},suffix=-{{sha}}-${{ env.NOW }}
+          labels: |
+            org.opencontainers.image.vendor="k-f dev AG" \
+            org.opencontainers.image.authors="[email protected]" \	
+            org.opencontainers.image.documentation="https://github.com/centrifuge/centrifuge-chain/blob/main/README.md" \
+            org.opencontainers.image.base.name="ubuntu/jammy" \
+            org.opencontainers.image.base.digest="ubuntu@sha256:6042500cf4b44023ea1894effe7890666b0c5c7871ed83a97c36c76ae560bb9b" 
 
       - name: Configure GHA cache
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea #v6
@@ -63,7 +83,8 @@ jobs:
           file: ./docker/centrifuge-chain/Dockerfile
           build-args: |
             FEATURES=${{ matrix.target == 'test' && 'fast-runtime' || '' }}
-          push: ${{ github.event_name != 'pull_request' }}
+          # Always push, either to ghcr or Dockerhub
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           # Cache options:
           # https://docs.docker.com/build/ci/github-actions/cache/
@@ -82,14 +103,14 @@ jobs:
           repository: centrifuge/centrifuge-chain
           short-description: ${{ github.event.repository.description }}
           enable-url-completion: true
-          
+
       - name: Update GitHub release
         if: github.event_name == 'release' && matrix.target == 'release'
         uses: softprops/action-gh-release@v1
         with:
           append_body: true
           body: |
-            **Docker tags:** 
+            **Docker tags:**
                ${{ steps.meta.outputs.tags }}
 
       - if: failure()

docker/centrifuge-chain/Dockerfile

@@ -27,43 +27,40 @@ FROM --platform=linux/amd64 docker.io/paritytech/ci-linux:production as builder
 # and simply download the binaries here. Some short of hash or integrity check would need to
 # happen to make sure the binary is what we want.
 FROM --platform=linux/amd64 docker.io/library/ubuntu:jammy
+	ARG BUILD_DATE
+	ARG VERSION
 
-	LABEL io.centrifuge.image.authors="[email protected]" \
-		io.centrifuge.image.vendor="Centrifuge" \
-		io.centrifuge.image.title="centrifugeio/centrifuge-chain" \
-		io.centrifuge.image.description="Centrifuge, the layer 1 of RWA. This is the official Centrifuge (para)chain image" \
-		io.centrifuge.image.source="https://github.com/centrifuge/centrifuge-chain/blob/main/docker/centrifuge-chain/Dockerfile" \
-		io.centrifuge.image.created="${BUILD_DATE}"
-
-	# Add chain resources to image
-	COPY node/res /resources/
-
-	COPY --from=builder /centrifuge-chain/target/release/centrifuge-chain /usr/local/bin
-
-	RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/* ;
+	RUN apt-get update && apt-get install -y curl jq
+	RUN apt-get autoremove -y && apt-get clean && rm -rf /var/lib/apt/lists/*
 
 	# Because of the following, all data and config directories need to be owned by UID and GID 1000
 	RUN useradd -m -u 1000 -U -s /bin/sh -d /centrifuge centrifuge
+
+	COPY node/res /resources/
+	COPY --from=builder /centrifuge-chain/target/release/centrifuge-chain /usr/local/bin/
+
+	COPY docker/scripts /centrifuge/scripts
+	# The following will make everything under /centrifuge/scripts reachable from PATH
+	# by creating a symbolic link into /usr/local/bin
+	RUN chmod +x /centrifuge/scripts/* && \
+		ln -s /centrifuge/scripts/* /usr/local/bin/
 
-	RUN mkdir -p /data && \
+	RUN mkdir -p /data && \ 
 		chown -R centrifuge:centrifuge /data && \
 		chown -R centrifuge:centrifuge /resources && \
-		chown -R centrifuge:centrifuge /usr/local/bin/centrifuge-chain && \
-		chown -R centrifuge:centrifuge /centrifuge/
-
-	COPY ./docker/scripts/entrypoint.sh /centrifuge/entrypoint.sh
-	RUN chown -R centrifuge:centrifuge /centrifuge/entrypoint.sh && chmod +x /centrifuge/entrypoint.sh
+		chown -R centrifuge:centrifuge /centrifuge/ 
 
 # Running as an non-root is a good security practice
 # in some cases the container can be forced to run as root overriding the next line
 # but by default we want to enforce this.
 USER centrifuge
+WORKDIR /centrifuge
 
 # checks
 RUN ldd /usr/local/bin/centrifuge-chain && \
 	/usr/local/bin/centrifuge-chain --version
 
 EXPOSE 30333 9933 9944
 VOLUME ["/data"]
-ENTRYPOINT ["/centrifuge/entrypoint.sh"]
+ENTRYPOINT ["entrypoint.sh"]
 CMD ["--help"]