From c7f6dc4372e0458403d122b36144ba943cb748fd Mon Sep 17 00:00:00 2001
From: Siddhant Khare
Date: Sun, 28 Jun 2026 04:56:17 +0000
Subject: [PATCH] fix: publish distroless docker image with dockers v2
---
 .github/workflows/main.yaml | 12 +++++-
 .goreleaser.Dockerfile | 8 ++--
 .goreleaser.yaml | 77 ++++++++-----------------------------
 README.md | 2 +
 4 files changed, 34 insertions(+), 65 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index b75a4d6d..26ec2a05 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -220,8 +220,16 @@ jobs:
 ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
 run: |
 set -euo pipefail
- artifact=$(echo "$ARTIFACTS" | jq -r '[.[] | select (.type=="Docker Manifest")][0]')
- image=$(echo "$artifact" | jq -r '.path' | cut -d':' -f1)
+ artifact=$(
+ echo "$ARTIFACTS" | jq -er --arg image_tag "openfga/cli:${GITHUB_REF_NAME}" '
+ [
+ .[]
+ | select(.type == "Docker Image")
+ | select(.path == $image_tag)
+ | select(((.extra.Platforms // []) | index("linux/amd64")) and ((.extra.Platforms // []) | index("linux/arm64")))
+ ][0]
+ '
+ )
 digest=$(echo "$artifact" | jq -r '.extra.Digest')
 echo "digest=$digest" >> "$GITHUB_OUTPUT"
diff --git a/.goreleaser.Dockerfile b/.goreleaser.Dockerfile
index d4155783..3a4fcdd5 100644
--- a/.goreleaser.Dockerfile
+++ b/.goreleaser.Dockerfile
@@ -1,3 +1,5 @@
-FROM scratch
-COPY fga /fga
-ENTRYPOINT ["/fga"]
\ No newline at end of file
+FROM gcr.io/distroless/static-debian13:nonroot
+
+ARG TARGETPLATFORM
+COPY ${TARGETPLATFORM}/fga /fga
+ENTRYPOINT ["/fga"]
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 9baa38ff..995b4ec4 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
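Review bot: The digest read on the context line right after the new selector still uses `jq -r '.extra.Digest'` without `-e`, so a "Docker Image" artifact that lacks that field would write the literal string `null` to `$GITHUB_OUTPUT` instead of failing the step. The new `jq -er … [0]` selection fails closed when no artifact matches, and the digest extraction should behave the same way: `digest=$(echo "$artifact" | jq -er '.extra.Digest')`. This matters most if the output is consumed by a signing or provenance step later in the job, which is outside this hunk. A one-line comment above `artifact=$(` noting that `openfga/cli:${GITHUB_REF_NAME}` must match the `"{{ .Tag }}"` entry in `.goreleaser.yaml` would also help the next maintainer.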
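Review bot: The new base image is referenced only by the mutable tag `gcr.io/distroless/static-debian13:nonroot`, and the `.goreleaser.yaml` change in this commit passes `--pull`, so every release is built on whatever that tag resolves to at build time. Pinning the digest makes the published image reproducible and the base-image bump reviewable, e.g. `FROM gcr.io/distroless/static-debian13:nonroot@sha256:<digest-of-reviewed-base-image>`, kept current by an automated dependency updater. The `:nonroot` variant also changes the runtime user from root (the default under `scratch`) to an unprivileged one, so a comment above `FROM` stating that bind-mounted config or model files must be readable by that user would be worth adding.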
@@ -24,68 +24,25 @@ builds: - "-X github.com/openfga/cli/internal/build.Commit={{.Commit}}" - "-X github.com/openfga/cli/internal/build.Date={{.Date}}" -dockers: - - goos: linux - goarch: amd64 - +dockers_v2: + - images: + - openfga/cli + tags: + - latest + - "{{ .Tag }}" + - "v{{ .Major }}" + - "v{{ .Major }}.{{ .Minor }}" dockerfile: .goreleaser.Dockerfile - - image_templates: - - "openfga/cli:latest-amd64" - - "openfga/cli:{{ .Tag }}-amd64" - - "openfga/cli:v{{ .Version }}-amd64" - - "openfga/cli:v{{ .Major }}-amd64" - - "openfga/cli:v{{ .Major }}.{{ .Minor }}-amd64" - - "openfga/cli:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64" - - use: buildx - build_flag_templates: - - "--platform=linux/amd64" + platforms: + - linux/amd64 + - linux/arm64 + labels: + org.opencontainers.image.created: "{{ .Date }}" + org.opencontainers.image.title: "{{ .ProjectName }}" + org.opencontainers.image.revision: "{{ .FullCommit }}" + org.opencontainers.image.version: "{{ .Version }}" + flags: - "--pull" - - "--label=org.opencontainers.image.created={{.Date}}" - - "--label=org.opencontainers.image.title={{.ProjectName}}" - - "--label=org.opencontainers.image.revision={{.FullCommit}}" - - "--label=org.opencontainers.image.version={{.Version}}" - - - goos: linux - goarch: arm64 - - dockerfile: .goreleaser.Dockerfile - - image_templates: - - "openfga/cli:latest-arm64" - - "openfga/cli:{{ .Tag }}-arm64" - - "openfga/cli:v{{ .Version }}-arm64" - - "openfga/cli:v{{ .Major }}-arm64" - - "openfga/cli:v{{ .Major }}.{{ .Minor }}-arm64" - - "openfga/cli:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64" - - use: buildx - - build_flag_templates: - - "--platform=linux/arm64" - -docker_manifests: - - name_template: openfga/cli:latest - image_templates: - - openfga/cli:latest-amd64 - - openfga/cli:latest-arm64 - - name_template: openfga/cli:v{{ .Version }} - image_templates: - - openfga/cli:v{{ .Version }}-amd64 - - openfga/cli:v{{ .Version }}-arm64 - - name_template: openfga/cli:v{{ .Major }} - 
image_templates: - - openfga/cli:v{{ .Major }}-amd64 - - openfga/cli:v{{ .Major }}-arm64 - - name_template: openfga/cli:v{{ .Major }}.{{ .Minor }} - image_templates: - - openfga/cli:v{{ .Major }}.{{ .Minor }}-amd64 - - openfga/cli:v{{ .Major }}.{{ .Minor }}-arm64 - - name_template: openfga/cli:v{{ .Major }}.{{ .Minor }}.{{ .Patch }} - image_templates: - - openfga/cli:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-amd64 - - openfga/cli:v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-arm64 release: draft: true diff --git a/README.md b/README.md index 352bea6b..fb099e95 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,8 @@ scoop install openfga docker pull openfga/cli; docker run -it openfga/cli ``` +The Docker image is multi-platform and includes the system CA certificates needed for endpoints that use publicly trusted certificate authorities. Private or internal CAs still need to be provided by the user. + ### Go ```shell
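Review bot: Nothing in this file records that the `dockers_v2` entry is now coupled to the digest step in `.github/workflows/main.yaml`, which selects the artifact whose path is `openfga/cli:${GITHUB_REF_NAME}` and whose platforms include both `linux/amd64` and `linux/arm64`. Renaming the `"{{ .Tag }}"` tag or dropping a platform here would make that step fail at release time, after the images may already have been pushed. I would add a comment above `tags:` along the lines of `# "{{ .Tag }}" and both platforms are matched by the digest step in .github/workflows/main.yaml`.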