ci: add ARM64 cross-compilation support and fix Docker image publishing

Author: Algorithm5838

.github/workflows/build-artifacts.yaml

@@ -6,71 +6,71 @@ on:
       - "*.md"
       - "compose.*"
     branches:
-      - "main"
+      - "personal"
   release:
     types: [published]
 
-env: 
+env:
   CARGO_TERM_COLOR: always
 
-  CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER: aarch64-linux-gnu-gcc
-  CC_aarch64_unknown_linux_musl: aarch64-linux-gnu-gcc
-  CARGO_TARGET_ARMV7_UNKNOWN_LINUX_MUSLEABIHF_LINKER: arm-linux-gnueabihf-gcc
-  CC_armv7_unknown_linux_musleabihf: arm-linux-gnueabihf-gcc
-
 jobs:
   build:
     name: Rust project - latest
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        target:
-          - x86_64-unknown-linux-musl
-          - aarch64-unknown-linux-musl
-          - armv7-unknown-linux-musleabihf
     steps:
       - uses: actions/checkout@v4
-      
+
       - uses: actions-rust-lang/setup-rust-toolchain@v1
         with:
-          target: ${{ matrix.target }}
-      
-      - if: matrix.target == 'x86_64-unknown-linux-musl'
+          target: aarch64-unknown-linux-musl
+
+      - name: Install base dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y --no-install-recommends musl-tools
- 
-      - if: matrix.target == 'armv7-unknown-linux-musleabihf'
-        run: |
-          sudo apt update
-          sudo apt install -y gcc-arm-linux-gnueabihf musl-tools
+          sudo apt-get install -y --no-install-recommends \
+            build-essential \
+            cmake \
+            perl \
+            pkg-config \
+            libclang-dev \
+            musl-tools \
+            crossbuild-essential-arm64
 
-      - if: matrix.target == 'aarch64-unknown-linux-musl'
+      - name: Install musl.cc aarch64 cross-compiler
         run: |
-          sudo apt update
-          sudo apt install -y gcc-aarch64-linux-gnu musl-tools
+          wget -q https://github.com/musl-cc/musl.cc/releases/latest/download/aarch64-linux-musl-cross.tgz
+          tar xzf aarch64-linux-musl-cross.tgz -C /opt
+          echo "/opt/aarch64-linux-musl-cross/bin" >> $GITHUB_PATH
 
       - name: Versions
         id: version
         run: echo "VERSION=$(cargo metadata --format-version 1 --no-deps | jq .packages[0].version -r | sed 's/^/v/')" >> "$GITHUB_OUTPUT"
 
       - name: Build
-        run: cargo build --release --target ${{ matrix.target }}
+        env:
+          CC: aarch64-linux-musl-gcc
+          CXX: aarch64-linux-musl-g++
+          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER: aarch64-linux-musl-g++
+        run: cargo build --release --target aarch64-unknown-linux-musl
 
       - name: Package release
-        run: tar czf redlib-${{ matrix.target }}.tar.gz -C target/${{ matrix.target }}/release/ redlib
+        run: tar czf redlib-aarch64-unknown-linux-musl.tar.gz -C target/aarch64-unknown-linux-musl/release/ redlib
+
+      - name: Upload binary as workflow artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: redlib-aarch64-unknown-linux-musl
+          path: target/aarch64-unknown-linux-musl/release/redlib
+          retention-days: 1
 
       - name: Upload release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           tag_name: ${{ steps.version.outputs.VERSION }}
           name: ${{ steps.version.outputs.VERSION }} - ${{ github.event.head_commit.message }}
           draft: true
           files: |
-            redlib-${{ matrix.target }}.tar.gz
+            redlib-aarch64-unknown-linux-musl.tar.gz
           body: |
             - ${{ github.event.head_commit.message }} ${{ github.sha }}
           generate_release_notes: true
-
-
-

.github/workflows/main-docker.yml

@@ -5,105 +5,63 @@ on:
     workflows: ["Release Build"]
     types:
       - completed
+
 env:
-  REGISTRY_IMAGE: quay.io/redlib/redlib
+  REGISTRY_IMAGE: ghcr.io/algorithm5838/redlib
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - { platform: linux/amd64, target: x86_64-unknown-linux-musl }
-          - { platform: linux/arm64, target: aarch64-unknown-linux-musl }
-          - { platform: linux/arm/v7, target: armv7-unknown-linux-musleabihf }
+    # Only build if the Release Build succeeded
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+
+      - name: Download binary artifact from Release Build
+        uses: actions/download-artifact@v4
+        with:
+          name: redlib-aarch64-unknown-linux-musl
+          path: docker-bin/
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Make binary executable
+        run: chmod +x docker-bin/redlib
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY_IMAGE }}
           tags: |
-            type=sha
+            type=sha,prefix=sha-,format=short,event=branch
             type=raw,value=latest,enable={{is_default_branch}}
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Login to Quay.io Container Registry
+
+      - name: Login to GitHub Container Registry
         uses: docker/login-action@v3
         with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-      - name: Build and push
-        id: build
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push (ARM64)
         uses: docker/build-push-action@v5
         with:
           context: .
-          platforms: ${{ matrix.platform }}
+          platforms: linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
-          file: Dockerfile
-          build-args: TARGET=${{ matrix.target }}
-      - name: Export digest
-        run: |
-          mkdir -p /tmp/digests
-          digest="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest#sha256:}"
-      - name: Upload digest
-        uses: actions/upload-artifact@v4
-        with:
-          name: digests-${{ matrix.target }}
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-  merge:
-    runs-on: ubuntu-latest
-    needs:
-      - build
-    steps:
-      - name: Download digests
-        uses: actions/download-artifact@v4.1.7
-        with:
-          path: /tmp/digests
-          pattern: digests-*
-          merge-multiple: true
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY_IMAGE }}
-          tags: |
-            type=sha
-            type=raw,value=latest,enable={{is_default_branch}}
-      - name: Login to Quay.io Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_USERNAME }}
-          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
-      - name: Create manifest list and push
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
-
-      # - name: Push README to Quay.io
-      #   uses: christian-korneck/update-container-description-action@v1
-      #   env:
-      #     DOCKER_APIKEY: ${{ secrets.APIKEY__QUAY_IO }}
-      #   with:
-      #     destination_container_repo: quay.io/redlib/redlib
-      #     provider: quay
-      #     readme_file: 'README.md'
+          file: Dockerfile.prebuilt
 
-      - name: Inspect image
+      - name: Print image tags
         run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
+          echo "## Docker Image" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_IMAGE }}:latest" >> $GITHUB_STEP_SUMMARY
+          echo "docker pull ${{ env.REGISTRY_IMAGE }}:sha-$(echo '${{ github.event.workflow_run.head_sha }}' | cut -c1-7)" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY

Dockerfile

@@ -1,10 +1,11 @@
 FROM alpine:3.19
 
-ARG TARGET
+ARG TARGET=aarch64-unknown-linux-musl
+ARG GITHUB_REPOSITORY=Algorithm5838/redlib
 
 RUN apk add --no-cache curl
 
-RUN curl -L "https://github.com/redlib-org/redlib/releases/latest/download/redlib-${TARGET}.tar.gz" | \
+RUN curl -L "https://github.com/${GITHUB_REPOSITORY}/releases/latest/download/redlib-${TARGET}.tar.gz" | \
     tar xz -C /usr/local/bin/
 
 RUN adduser --home /nonexistent --no-create-home --disabled-password redlib
@@ -17,4 +18,3 @@ EXPOSE 8080
 HEALTHCHECK --interval=1m --timeout=3s CMD wget --spider -q http://localhost:8080/settings || exit 1
 
 CMD ["redlib"]
-

Dockerfile.prebuilt

@@ -0,0 +1,15 @@
+FROM alpine:3.19
+
+# Binary is copied from the workflow artifact (docker-bin/redlib)
+COPY docker-bin/redlib /usr/local/bin/redlib
+
+RUN adduser --home /nonexistent --no-create-home --disabled-password redlib
+USER redlib
+
+# Tell Docker to expose port 8080
+EXPOSE 8080
+
+# Run a healthcheck every minute to make sure redlib is functional
+HEALTHCHECK --interval=1m --timeout=3s CMD wget --spider -q http://localhost:8080/settings || exit 1
+
+CMD ["redlib"]

src/client.rs

@@ -33,11 +33,10 @@ pub static CLIENT: LazyLock<WreqClient> = LazyLock::new(build_client);
 
 /// A separate wreq client used only for media proxying (images, videos, HLS).
 /// Unlike CLIENT (which uses Policy::none() + browser emulation for the Reddit
-/// OAuth API), this client:
-///   - follows redirects (Policy::limited(10)) so CDN 302s are resolved server-side
-///   - has NO browser emulation — Reddit's image CDN (i.redd.it, preview.redd.it)
-///     detects BoringSSL/Chrome fingerprints and serves its HTML website instead
-///     of the image bytes. A plain TLS client gets the actual image.
+/// OAuth API), this client follows redirects (Policy::limited(10)) and has no
+/// browser emulation. Reddit's image CDN (i.redd.it, preview.redd.it) detects
+/// BoringSSL/Chrome fingerprints and serves its HTML website instead of the
+/// image bytes; a plain TLS client gets the actual image.
 pub static MEDIA_CLIENT: LazyLock<WreqClient> = LazyLock::new(|| {
 	WreqClient::builder()
 		.redirect(Policy::limited(10))
@@ -96,7 +95,7 @@ trait IntoHyperResponse {
 
 impl IntoHyperResponse for wreq::Response {
 	async fn into_hyper(self) -> Result<Response<Body>, String> {
-		// wreq uses http v1.x, hyper uses http v0.2.x — convert via primitives
+		// wreq uses http v1.x; hyper uses http v0.2.x. Convert via primitives.
 		let status_u16 = self.status().as_u16();
 		let status = hyper::StatusCode::from_u16(status_u16).map_err(|e| e.to_string())?;
 
@@ -166,7 +165,6 @@ pub async fn canonical_path(path: String, tries: i8) -> Result<Option<String>, S
 
 	let res = res.ok_or_else(|| "Unable to make HEAD request to Reddit.".to_string())?;
 	let status = res.status().as_u16();
-	// Use string literals: wreq uses http v1.x, hyper::header constants are http v0.2
 	let policy_error = res.headers().get("retry-after").is_some();
 
 	match status {
@@ -217,12 +215,12 @@ pub async fn proxy(req: hyper::Request<Body>, format: &str) -> Result<Response<B
 }
 
 async fn stream(url: &str, req: &hyper::Request<Body>) -> Result<Response<Body>, String> {
-	// Use MEDIA_CLIENT (Policy::limited(10)) so CDN 302 redirects are followed
-	// server-side. CLIENT uses Policy::none() for Reddit API redirect handling.
+	// MEDIA_CLIENT follows CDN redirects; CLIENT keeps Policy::none() for the
+	// Reddit API redirect logic in request().
 	let mut builder = MEDIA_CLIENT.get(url);
 
-	// Copy useful headers from original request
-	// Convert hyper header values (http v0.2) to bytes for wreq (http v1.x)
+	// Forward caching/range headers from the browser request. hyper header
+	// values (http v0.2) are passed as bytes so wreq (http v1.x) accepts them.
 	for &key in &["Range", "If-Modified-Since", "Cache-Control"] {
 		if let Some(value) = req.headers().get(key) {
 			builder = builder.header(key, value.as_bytes());
@@ -235,10 +233,7 @@ async fn stream(url: &str, req: &hyper::Request<Body>) -> Result<Response<Body>,
 		builder = builder.header("User-Agent", client.user_agent());
 	}
 
-	let resp = builder.send().await.map_err(|e| e.to_string())?;
-
-	let status = resp.status();
-	let mut hyper_resp = resp.into_hyper().await?;
+	let mut hyper_resp = builder.send().await.map_err(|e| e.to_string())?.into_hyper().await?;
 
 	// Strip tracking/CDN headers
 	{
@@ -261,7 +256,6 @@ async fn stream(url: &str, req: &hyper::Request<Body>) -> Result<Response<Body>,
 		}
 	}
 
-	let _ = status; // used implicitly via hyper_resp
 	Ok(hyper_resp)
 }
 
@@ -320,7 +314,8 @@ fn request(method: Method, path: String, redirect: bool, quarantine: bool, base_
 						return resp.into_hyper().await;
 					}
 
-					// Use string literal: wreq uses http v1.x, hyper::header constants are http v0.2
+					// Use a string key: wreq (http v1.x) header names are not compatible
+					// with hyper::header constants (http v0.2).
 					let location = resp.headers().get("location").map(|v| v.to_str().unwrap_or_default().to_string());
 
 					if location.as_deref() == Some(ALTERNATIVE_REDDIT_URL_BASE) {