feat: docker image creation

.dockerignore

@@ -0,0 +1,2 @@
+*
+!.output/

.github/workflows/docker.yaml

@@ -0,0 +1,104 @@
+name: Docker
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '*'
+  pull_request:
+    branches:
+      - main
+
+env:
+  IMAGE_NAME: nuxt-template
+
+jobs:
+  docker-review:
+    name: Docker image (review / main)
+    if: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Registry names and ref slug
+        id: meta
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          HEAD_REF: ${{ github.head_ref }}
+          REF_NAME: ${{ github.ref_name }}
+          SHA: ${{ github.sha }}
+        run: |
+          OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
+          NAME="${{ env.IMAGE_NAME }}"
+          echo "image_dev=ghcr.io/${OWNER}/${NAME}-dev" >> "$GITHUB_OUTPUT"
+
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            REF="$HEAD_REF"
+          else
+            REF="$REF_NAME"
+          fi
+          SLUG=$(echo "$REF" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9.]+/-/g' | sed -E 's/^-+|-+$//g')
+          echo "ref_slug=${SLUG}" >> "$GITHUB_OUTPUT"
+          echo "tag=${SLUG}-${SHA}" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image (dev)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+          tags: ${{ steps.meta.outputs.image_dev }}:${{ steps.meta.outputs.tag }}
+          cache-from: type=gha,scope=review
+          cache-to: type=gha,mode=max,scope=review
+
+  docker-release:
+    name: Docker image (release)
+    if: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Registry image name
+        id: meta
+        run: |
+          OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
+          NAME="${{ env.IMAGE_NAME }}"
+          echo "image=ghcr.io/${OWNER}/${NAME}" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Docker image (release)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.meta.outputs.image }}:${{ github.ref_name }}
+          cache-from: type=gha,scope=release
+          cache-to: type=gha,mode=max,scope=release

.gitlab-ci.yml

@@ -5,4 +5,5 @@
 
 include:
   - local: .gitlab/workflows/tests.yml
+  - local: .gitlab/workflows/docker.yml
   - local: .gitlab/workflows/deploy.yml

.gitlab/workflows/docker.yml

@@ -0,0 +1,43 @@
+.build-docker-template:
+  image:
+    name: moby/buildkit:rootless
+    entrypoint: ['']
+  needs: [build]
+  variables:
+    DOCKER_AUTH_CONFIG: ''
+    BUILDKITD_FLAGS: --oci-worker-no-process-sandbox
+    IMAGE_NAME: nuxt-template
+  before_script:
+    - mkdir -p ~/.docker
+    - echo "{\"auths\":{\"$REGISTRY\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASSWORD\"}}}" > ~/.docker/config.json
+  script:
+    - |
+      buildctl-daemonless.sh build \
+        --frontend dockerfile.v0 \
+        --local context=. \
+        --local dockerfile=. \
+        --opt platform=linux/amd64 \
+        --output type=image,name=$REGISTRY/$REGISTRY_NAMESPACE/$IMAGE,push=true
+
+.docker-review-template:
+  variables:
+    IMAGE: ${IMAGE_NAME}-dev:${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA}
+
+build-docker-review:
+  extends:
+    - .build-docker-template
+    - .docker-review-template
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+
+.docker-release-template:
+  variables:
+    IMAGE: ${IMAGE_NAME}:${CI_COMMIT_TAG}
+
+build-docker-release:
+  extends:
+    - .build-docker-template
+    - .docker-release-template
+  rules:
+    - if: $CI_COMMIT_TAG

Dockerfile

@@ -0,0 +1,16 @@
+FROM docker.io/node:24-slim
+
+WORKDIR /app
+EXPOSE 3000
+
+COPY .output .
+
+USER node
+ENV PORT=3000
+
+CMD ["node", \
+    "--enable-source-maps", \
+    "--permission", \
+    "--allow-fs-read=/app", \
+    "--allow-addons", \
+    "./server/index.mjs"]