Create a docker container for the CLI (#2916)

We have a customer doing a POC that is creating their own image for the
CLI because the pipeline software they use requires that each step be in
a docker container. We should provide the container for them so they
don't have to keep it up to date

**DO NOT MERGE:** I want this to be reviewed but we'll need to cut a
release after this is merged and therefore will need to be tracked

---------

Co-authored-by: David Schmitt <[email protected]>
GitOrigin-RevId: d7b237be7a1dfa54f7264c6fd18602b326eda1a5

Author: 2 people

.github/workflows/docker-release.yml

@@ -0,0 +1,53 @@
+name: Build and Release Docker Container
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build-and-push:
+    name: Build and Push CLI Container
+    runs-on: depot-ubuntu-22.04
+
+    permissions:
+      contents: write
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Extract version from tag
+        id: extract_version
+        run: |
+          VERSION=${GITHUB_REF#refs/tags/v}
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Version: $VERSION"
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: depot/use-action@main
+        with:
+          project: xnsnw3m20t
+
+      - name: Build and push container
+        uses: depot/build-push-action@v1
+        id: build
+        with:
+          project: xnsnw3m20t
+          context: .
+          file: ./Dockerfile
+          sbom: true
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ghcr.io/overmindtech/cli:latest
+            ghcr.io/overmindtech/cli:${{ steps.extract_version.outputs.version }}

Dockerfile

@@ -0,0 +1,19 @@
+FROM ghcr.io/opentofu/opentofu:minimal AS tofu
+
+FROM alpine:3.22.2
+
+# Copy the tofu binary from the minimal image
+COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu
+
+# Add the Overmind public key directly
+ADD https://dl.cloudsmith.io/public/overmind/tools/rsa.7B6E65C2058FDB78.key \
+    /etc/apk/keys/[email protected]
+
+# Add repository config
+ADD https://dl.cloudsmith.io/public/overmind/tools/config.alpine.txt?distro=alpine&codename=v3.8 \
+    /tmp/config.alpine.txt
+RUN cat /tmp/config.alpine.txt >> /etc/apk/repositories \
+    && rm /tmp/config.alpine.txt
+
+RUN apk update
+RUN apk add --no-cache overmind-cli

README.md

@@ -173,6 +173,17 @@ Then install the CLI:
 apk add overmind-cli
 ```
 
+### Container / Docker
+
+You can use the CLI via Docker which includes both OpenTofu and the CLI:
+
+```shell
+docker pull ghcr.io/overmindtech/cli:latest
+docker run --rm ghcr.io/overmindtech/cli:latest overmind terraform plan
+```
+
+This is useful for CI/CD environments where you need a reproducible Terraform execution environment.
+
 ### Arch
 
 Packages for Arch are available on the [releases page](https://github.com/overmindtech/cli/releases/latest) for manual download and installation.