Add Dockerfile and GHCR publish workflow

[Copilot]

Enables gitbackup to run in containerized environments by adding a Docker image build and automated publish to GitHub Container Registry on release.

Changes

• Dockerfile — Multi-stage build: golang:1.25 compiles a static binary (CGO_ENABLED=0), copied into a debian:bookworm-slim runtime image with git and ca-certificates installed. Runs as a non-root user (nonroot, UID 65532) for improved security.
• .github/workflows/docker-publish.yml — Triggers on release: published; authenticates to ghcr.io via GITHUB_TOKEN, derives semver tags (1.2.3, 1.2, 1) from the release tag using docker/metadata-action, then builds and pushes via docker/build-push-action.
• README.md — Added a "Docker image" section under "Installing gitbackup" with pull instructions and platform-specific usage guidance for Linux, macOS, and Windows, covering: volume mounting (including chown for UID 65532 on Linux/macOS), HTTPS cloning recommendation (no SSH key management required), SSH key mounting instructions, and shell syntax differences (Bash, PowerShell, Command Prompt).

Published image will be available at:

ghcr.io/amitsaha/gitbackup:<version>

Workflow uses minimal permissions (contents: read, packages: write).

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Build docker image and publish on release</issue_title>
<issue_description>For enabling gitbackup to run in more environments (such as cloud providers), it might be simple for us to have a docker image:

1. Create a Dockerfile for gitbackup
2. Publish the docker image to github container registry when a release is published </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Build docker image and publish on release #215

---

⌨️ Start Copilot coding agent tasks without leaving your editor — available in VS Code, Visual Studio, JetBrains IDEs and Eclipse.

[amitsaha]

@copilot how does, "Triggers on release: published;" work?

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 78df3412-407f-4ea3-93e6-c725b2bea230

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 78df3412-407f-4ea3-93e6-c725b2bea230

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 78df3412-407f-4ea3-93e6-c725b2bea230

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 78df3412-407f-4ea3-93e6-c725b2bea230

[amitsaha]

@copilot how does, "Triggers on release: published;" work?

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 78df3412-407f-4ea3-93e6-c725b2bea230

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: 78df3412-407f-4ea3-93e6-c725b2bea230

[Copilot]

@copilot how does, "Triggers on release: published;" work?

The on: release: types: [published] trigger fires whenever a GitHub Release is published via the GitHub UI or API.

The flow is:

1. You push a tag (e.g. v1.2.3) or create a draft release.
2. When you click "Publish release" in the GitHub Releases UI (or call the API with make_latest: true / no draft flag), GitHub emits a release event with type published.
3. The workflow starts at that point — it reads the release tag (available as github.ref_name, e.g. v1.2.3), and docker/metadata-action uses it to derive the image tags (1.2.3, 1.2, 1).

This is intentionally different from the goreleaser.yml workflow which triggers on any tag push (on: push: tags: ['*']). Using release: published ensures the Docker image is only pushed once a human has explicitly published the release, not just on any tag push.

@copilot how does, "Triggers on release: published;" work?

The on: release: types: [published] trigger fires whenever a GitHub Release is published via the GitHub UI or API.

The flow is:

1. You push a tag (e.g. v1.2.3) or create a draft release.
2. When you click "Publish release" in the GitHub Releases UI (or call the API with no draft flag), GitHub emits a release event with type published.
3. The workflow starts at that point — it reads the release tag (available as github.ref_name, e.g. v1.2.3), and docker/metadata-action uses it to derive the image tags (1.2.3, 1.2, 1).

This is intentionally different from the goreleaser.yml workflow which triggers on any tag push (on: push: tags: ['*']). Using release: published ensures the Docker image is only pushed once a human has explicitly published the release, not just on any tag push.

[amitsaha]

@copilot do i need to do any configuration for publishing the docker image to the GHCR?

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: c737907c-9454-4e01-928d-77523c090776

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: c737907c-9454-4e01-928d-77523c090776

[amitsaha]

@copilot do i need to do any configuration for publishing the docker image to the GHCR?

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: c737907c-9454-4e01-928d-77523c090776

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: c737907c-9454-4e01-928d-77523c090776

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: c737907c-9454-4e01-928d-77523c090776

[Copilot]

@amitsaha The model claude-sonnet-4.6 is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: c737907c-9454-4e01-928d-77523c090776

[Copilot]

@copilot do i need to do any configuration for publishing the docker image to the GHCR?

No extra configuration is needed. The workflow uses the built-in GITHUB_TOKEN (automatically injected by GitHub Actions on every run) with packages: write permission declared in the workflow itself — that's sufficient to authenticate to ghcr.io and push images.

The one thing to be aware of is package visibility. The first time the image is pushed, GHCR creates the package as private by default. If you want the image to be publicly pullable without authentication, go to github.com/amitsaha → Packages → gitbackup → Package settings → Change visibility → Public after the first push.

That's all — no secrets to create, no tokens to rotate.

@copilot do i need to do any configuration for publishing the docker image to the GHCR?

No extra configuration is needed. The workflow uses the built-in GITHUB_TOKEN (automatically injected by GitHub Actions on every run) with packages: write permission declared in the workflow itself — that's sufficient to authenticate to ghcr.io and push images.

The one thing to be aware of is package visibility. The first time the image is pushed, GHCR creates the package as private by default. If you want the image to be publicly pullable without authentication, go to github.com/amitsaha → Packages → gitbackup → Package settings → Change visibility → Public after the first push.

That's all — no secrets to create, no tokens to rotate.

[amitsaha]

@copilot Update README with instructions to use the docker image

[amitsaha]

Use a non-root user to run gitbackup

Update README with instructions to use the docker image, with volume mounting instructions and also discuss the user access nuances

[Copilot]

Use a non-root user to run gitbackup

Update README with instructions to use the docker image, with volume mounting instructions and also discuss the user access nuances...

Done in commit 0091fc0.

Dockerfile: switched the runtime base from distroless/static-debian12 (which doesn't include git — a required runtime dependency) to debian:bookworm-slim, installs git and ca-certificates, then creates a nonroot user (UID 65532) and runs as that user.

README: added a new "Docker image" subsection under "Installing gitbackup" covering:

• How to pull the image
• Volume mounting with chown 65532:65532 for the backup directory
• HTTPS cloning (recommended — no SSH key management needed)
• SSH cloning with instructions for mounting the key readable by UID 65532

@copilot Update README with instructions to use the docker image

Added in commit 0091fc0. A new "Docker image" subsection is now under "Installing gitbackup" in the README, covering pull instructions, volume mounting (with the UID 65532 ownership note), HTTPS cloning (recommended for containers), and SSH key mounting for SSH cloning.

[amitsaha]

Discuss usage of the image on MacOS, Linux and Windows

[Copilot]

Discuss usage of the image on MacOS, Linux and Windows

Done in commit 3bd6c03. The Docker section now has per-platform subsections:

• Linux — chown 65532:65532 before mounting; full HTTPS and SSH examples.
• macOS — VirtioFS handles backup directory permissions automatically (no chown for the dir); SSH keys still need an explicit chown-ed copy because git checks key ownership against the container UID (65532), not the host UID.
• Windows — PowerShell and Command Prompt examples; no chown needed (WSL2 VM handles it); SSH cloning guidance pointing to HTTPS as the simpler alternative.