chore: publish container image

Signed-off-by: Ruben Romero Montes <rromerom@redhat.com>
Assisted-by: Cursor

Author: ruromero

.dockerignore

@@ -0,0 +1,9 @@
+target/
+.git/
+.gitignore
+*.md
+LICENSE
+Dockerfile
+.dockerignore
+.env
+duplicates.json

.github/workflows/container-image.yml

@@ -0,0 +1,62 @@
+name: Build and Push Container Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  pull_request:
+    branches:
+      - main
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,prefix=
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64,linux/arm64

Dockerfile

@@ -0,0 +1,31 @@
+# Build stage
+FROM rust:1.83-alpine AS builder
+
+# Install musl-dev for static linking
+RUN apk add --no-cache musl-dev
+
+WORKDIR /app
+
+# Copy manifests first for better layer caching
+COPY Cargo.toml Cargo.lock ./
+
+# Create a dummy main.rs to build dependencies
+RUN mkdir src && echo "fn main() {}" > src/main.rs
+
+# Build dependencies only (this layer will be cached)
+RUN cargo build --release && rm -rf src
+
+# Copy actual source code
+COPY src ./src
+
+# Build the actual binary (touch to update mtime so cargo rebuilds)
+RUN touch src/main.rs && cargo build --release
+
+# Runtime stage - use minimal distroless image
+FROM gcr.io/distroless/static-debian12:nonroot
+
+# Copy the binary from builder
+COPY --from=builder /app/target/release/trustify /usr/local/bin/trustify
+
+# Set the entrypoint
+ENTRYPOINT ["trustify"]

README.md

@@ -25,6 +25,41 @@ cargo build --release
 # The binary will be at ./target/release/trustify
 ```
 
+### Using Docker
+
+Pull and run the pre-built image:
+
+```bash
+# Run with environment variables
+docker run --rm \
+  -e TRUSTIFY_URL=https://trustify.example.com \
+  -e TRUSTIFY_SSO_URL=https://sso.example.com/realms/trustify \
+  -e TRUSTIFY_CLIENT_ID=my-client \
+  -e TRUSTIFY_CLIENT_SECRET=my-secret \
+  ghcr.io/ruromero/trustify-cli sbom list
+
+# Or use an env file
+docker run --rm --env-file .env ghcr.io/ruromero/trustify-cli sbom list
+
+# Mount a volume to save/load files (e.g., duplicates.json)
+docker run --rm --env-file .env \
+  -v $(pwd):/data \
+  ghcr.io/ruromero/trustify-cli sbom duplicates find --output /data/duplicates.json
+```
+
+### Build Docker Image Locally
+
+```bash
+# Clone and build
+git clone https://github.com/ruromero/trustify-cli.git
+cd trustify-cli
+
+docker build -t trustify-cli .
+
+# Run
+docker run --rm --env-file .env trustify-cli sbom list
+```
+
 ## Configuration
 
 The CLI can be configured using command-line arguments, environment variables, or a `.env` file.

src/api/client.rs

@@ -13,31 +13,41 @@ const RETRY_DELAY_MS: u64 = 1000;
 
 #[derive(Error, Debug, Clone)]
 pub enum ApiError {
-    #[error("Request failed: {0}")]
-    RequestError(String),
+    #[error("Network error: {0}")]
+    NetworkError(String),
 
-    #[error("Not found: {0}")]
+    #[error("HTTP {0}: {1}")]
+    HttpError(u16, String),
+
+    #[error("HTTP 404: Resource not found")]
     NotFound(String),
 
-    #[error("Unauthorized: Please check your authentication credentials")]
+    #[error("HTTP 401: Please check your authentication credentials")]
     Unauthorized,
 
-    #[error("Token expired")]
+    #[error("HTTP 401: Token expired")]
     TokenExpired,
 
-    #[error("Server timeout - please retry")]
-    Timeout,
+    #[error("HTTP {0}: Server timeout")]
+    Timeout(u16),
+
+    #[error("HTTP {0}: {1}")]
+    ServerError(u16, String),
 
-    #[error("Server error: {0}")]
-    ServerError(String),
+    #[error("{0}")]
+    InternalError(String),
 }
 
 impl From<reqwest::Error> for ApiError {
     fn from(e: reqwest::Error) -> Self {
         if e.is_timeout() {
-            ApiError::Timeout
+            ApiError::Timeout(0) // 0 indicates network-level timeout (no HTTP response)
+        } else if e.is_connect() {
+            ApiError::NetworkError(format!("Connection failed: {}", e))
+        } else if e.is_request() {
+            ApiError::NetworkError(format!("Request error: {}", e))
         } else {
-            ApiError::RequestError(e.to_string())
+            ApiError::NetworkError(e.to_string())
         }
     }
 }
@@ -158,7 +168,7 @@ impl ApiClient {
         F: Fn() -> Fut,
         Fut: std::future::Future<Output = Result<String, ApiError>>,
     {
-        let mut last_error = ApiError::RequestError("No attempts made".to_string());
+        let mut last_error = ApiError::NetworkError("No attempts made".to_string());
         let mut token_refreshed = false;
 
         for attempt in 0..MAX_RETRIES {
@@ -174,18 +184,21 @@ impl ApiClient {
                     }
                     return Err(ApiError::Unauthorized);
                 }
-                Err(ApiError::Timeout) | Err(ApiError::ServerError(_))
+                Err(ref e @ ApiError::Timeout(_))
+                | Err(ref e @ ApiError::ServerError(_, _))
+                | Err(ref e @ ApiError::NetworkError(_))
                     if attempt < MAX_RETRIES - 1 =>
                 {
                     let delay = RETRY_DELAY_MS * (attempt as u64 + 1);
                     eprintln!(
-                        "Request failed, retrying in {}ms... (attempt {}/{})",
+                        "{}, retrying in {}ms... (attempt {}/{})",
+                        e,
                         delay,
                         attempt + 1,
                         MAX_RETRIES
                     );
                     sleep(Duration::from_millis(delay)).await;
-                    last_error = ApiError::Timeout;
+                    last_error = e.clone();
                 }
                 Err(e) => return Err(e),
             }
@@ -196,6 +209,7 @@ impl ApiClient {
 
     async fn handle_response(&self, response: reqwest::Response) -> Result<String, ApiError> {
         let status = response.status();
+        let status_code = status.as_u16();
 
         if status.is_success() {
             Ok(response.text().await?)
@@ -206,10 +220,14 @@ impl ApiClient {
         } else if status == StatusCode::FORBIDDEN {
             Err(ApiError::Unauthorized)
         } else if status == StatusCode::GATEWAY_TIMEOUT || status == StatusCode::REQUEST_TIMEOUT {
-            Err(ApiError::Timeout)
+            Err(ApiError::Timeout(status_code))
         } else {
             let body = response.text().await.unwrap_or_default();
-            Err(ApiError::ServerError(format!("HTTP {}: {}", status, body)))
+            if status.is_server_error() {
+                Err(ApiError::ServerError(status_code, body))
+            } else {
+                Err(ApiError::HttpError(status_code, body))
+            }
         }
     }
 }

src/api/sbom.rs

@@ -78,12 +78,12 @@ async fn fetch_page(
 
     let response = list(client, &list_params).await?;
     let parsed: Value = serde_json::from_str(&response)
-        .map_err(|e| ApiError::ServerError(format!("Failed to parse response: {}", e)))?;
+        .map_err(|e| ApiError::InternalError(format!("Failed to parse response: {}", e)))?;
 
     let items = parsed
         .get("items")
         .and_then(|v| v.as_array())
-        .ok_or_else(|| ApiError::ServerError("No items in response".to_string()))?;
+        .ok_or_else(|| ApiError::InternalError("No items in response".to_string()))?;
 
     let entries: Vec<SbomEntry> = items
         .iter()
@@ -165,7 +165,7 @@ pub async fn find_duplicates(
     .await?;
 
     let parsed: Value = serde_json::from_str(&first_page)
-        .map_err(|e| ApiError::ServerError(format!("Failed to parse response: {}", e)))?;
+        .map_err(|e| ApiError::InternalError(format!("Failed to parse response: {}", e)))?;
 
     let total = parsed.get("total").and_then(|v| v.as_u64()).unwrap_or(0) as u32;
 
@@ -238,7 +238,7 @@ pub async fn find_duplicates(
     join_all(handles).await;
 
     let all_entries = Arc::try_unwrap(results)
-        .map_err(|_| ApiError::ServerError("Failed to unwrap entries".to_string()))?
+        .map_err(|_| ApiError::InternalError("Failed to unwrap entries".to_string()))?
         .into_inner();
 
     eprintln!("\nProcessing {} SBOMs for duplicates...", all_entries.len());
@@ -291,13 +291,13 @@ pub async fn find_duplicates(
         .unwrap_or("duplicates.json");
 
     let json = serde_json::to_string_pretty(&duplicate_groups)
-        .map_err(|e| ApiError::ServerError(format!("Failed to serialize results: {}", e)))?;
+        .map_err(|e| ApiError::InternalError(format!("Failed to serialize results: {}", e)))?;
 
     let mut file = File::create(output_path)
-        .map_err(|e| ApiError::ServerError(format!("Failed to create output file: {}", e)))?;
+        .map_err(|e| ApiError::InternalError(format!("Failed to create output file: {}", e)))?;
 
     file.write_all(json.as_bytes())
-        .map_err(|e| ApiError::ServerError(format!("Failed to write to file: {}", e)))?;
+        .map_err(|e| ApiError::InternalError(format!("Failed to write to file: {}", e)))?;
 
     Ok(duplicate_groups)
 }
@@ -334,19 +334,19 @@ pub async fn delete_duplicates(
     // Check if file exists
     let path = Path::new(input_file);
     if !path.exists() {
-        return Err(ApiError::ServerError(format!(
+        return Err(ApiError::InternalError(format!(
             "Input file not found: {}",
             input_file
         )));
     }
 
     // Read and parse the file
     let file = File::open(path)
-        .map_err(|e| ApiError::ServerError(format!("Failed to open input file: {}", e)))?;
+        .map_err(|e| ApiError::InternalError(format!("Failed to open input file: {}", e)))?;
     let reader = BufReader::new(file);
 
     let groups: Vec<DuplicateGroup> = serde_json::from_reader(reader)
-        .map_err(|e| ApiError::ServerError(format!("Failed to parse input file: {}", e)))?;
+        .map_err(|e| ApiError::InternalError(format!("Failed to parse input file: {}", e)))?;
 
     // Collect all duplicate entries to delete
     let entries: Vec<DeleteEntry> = groups
@@ -410,8 +410,12 @@ pub async fn delete_duplicates(
                         // SBOM already deleted or doesn't exist - skip silently
                         skipped.fetch_add(1, Ordering::Relaxed);
                     }
-                    Err(_) => {
+                    Err(e) => {
                         failed.fetch_add(1, Ordering::Relaxed);
+                        progress.println(format!(
+                            "Failed to delete {} (document_id: {}): {}",
+                            entry.id, entry.document_id, e
+                        ));
                     }
                 }
                 progress.inc(1);