From b4297edd9644fd288c48fdec24660536be47b2cb Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Tue, 24 Feb 2026 10:27:13 -0800
Subject: [PATCH 1/8] Add dockerfile.

---
 Dockerfile    | 22 ++++++++++++++++++++++
 entrypoint.sh | 14 ++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 Dockerfile
 create mode 100644 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 000000000..46b5155d7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM rust:latest
+
+RUN rustup target add wasm32v1-none
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends dbus gnome-keyring libdbus-1-3 libudev1 libssl3 && \
+    LATEST=$(curl -s https://api.github.com/repos/stellar/stellar-cli/releases/latest | grep '"tag_name"' | sed 's/.*"v\(.*\)".*/\1/') && \
+    ARCH=$(dpkg --print-architecture) && \
+    curl -fsSL "https://github.com/stellar/stellar-cli/releases/download/v${LATEST}/stellar-cli_${LATEST}_${ARCH}.deb" \
+      -o /tmp/stellar-cli.deb && \
+    dpkg -i /tmp/stellar-cli.deb && \
+    rm -rf /var/lib/apt/lists/* /tmp/stellar-cli.deb
+
+ENV STELLAR_CONFIG_HOME=/stellar
+
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+WORKDIR /source
+
+ENTRYPOINT ["entrypoint.sh", "stellar"]
+CMD []
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 000000000..832c4786e
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+set -e
+
+# Start D-Bus session bus
+export DBUS_SESSION_BUS_ADDRESS="unix:path=/tmp/dbus-session"
+dbus-daemon --session --address="$DBUS_SESSION_BUS_ADDRESS" --fork
+
+# Unlock gnome-keyring with an empty password for non-interactive use
+eval "$(echo '' | gnome-keyring-daemon --unlock --components=secrets)"
+export GNOME_KEYRING_CONTROL
+export SSH_AUTH_SOCK
+
+cd /source
+exec "$@"

From 4a34055f515d307d54b8968d83aa61d89dbb887d Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Tue, 24 Feb 2026 11:09:46 -0800
Subject: [PATCH 2/8] Add docker workflow.

---
 .github/workflows/docker.yml | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/docker.yml

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
new file mode 100644
index 000000000..3845621dc
--- /dev/null
+++ b/.github/workflows/docker.yml
@@ -0,0 +1,39 @@
+---
+name: Docker
+
+on:
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Setup vars
+        run: |
+          version="$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[] | select(.name == "stellar-cli") | .version')"
+          echo "VERSION=${version}" >> $GITHUB_ENV
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            stellar/cli:${{ env.VERSION }}
+            stellar/cli:latest

From 3aee1da80f0099933557a3de89f0856cfe89352c Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Tue, 24 Feb 2026 11:15:25 -0800
Subject: [PATCH 3/8] Add a stub workflow, until it is merged.

---
 .github/workflows/docker.yml | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3845621dc..3386b5f23 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,28 +12,4 @@ jobs:
   docker:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log in to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Setup vars
-        run: |
-          version="$(cargo metadata --format-version 1 --no-deps | jq -r '.packages[] | select(.name == "stellar-cli") | .version')"
-          echo "VERSION=${version}" >> $GITHUB_ENV
-
-      - name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: linux/amd64,linux/arm64
-          push: true
-          tags: |
-            stellar/cli:${{ env.VERSION }}
-            stellar/cli:latest
+      - run: echo "Building and pushing Docker image..."

From 3159236707d3624e98c98079dfede0ab0200628c Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Tue, 24 Feb 2026 11:21:57 -0800
Subject: [PATCH 4/8] Use absolute path.

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 46b5155d7..dd17bcd9f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,5 +18,5 @@ RUN chmod +x /usr/local/bin/entrypoint.sh
 
 WORKDIR /source
 
-ENTRYPOINT ["entrypoint.sh", "stellar"]
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh", "stellar"]
 CMD []

From feb36152ebd3d93255284a94082411dd4c46d032 Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Tue, 24 Feb 2026 13:18:45 -0800
Subject: [PATCH 5/8] Also set data home.

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index dd17bcd9f..1c95820fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,8 @@ RUN apt-get update && \
     dpkg -i /tmp/stellar-cli.deb && \
     rm -rf /var/lib/apt/lists/* /tmp/stellar-cli.deb
 
-ENV STELLAR_CONFIG_HOME=/stellar
+ENV STELLAR_CONFIG_HOME=/config
+ENV STELLAR_DATA_HOME=/data
 
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
 RUN chmod +x /usr/local/bin/entrypoint.sh

From 0c3ef0e2f7a19b3001c65da40cab8a0d70fc4128 Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Mon, 2 Mar 2026 10:13:47 -0800
Subject: [PATCH 6/8] Build from source instead.

---
 Dockerfile | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1c95820fb..48a8fa406 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,26 @@
+FROM rust:latest AS builder
+
+ARG STELLAR_CLI_REF=main
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends libdbus-1-dev libudev-dev pkg-config git && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN git clone https://github.com/stellar/stellar-cli.git /tmp/stellar-cli && \
+    cd /tmp/stellar-cli && \
+    git checkout ${STELLAR_CLI_REF} && \
+    cargo install --locked --path cmd/stellar-cli && \
+    rm -rf /tmp/stellar-cli
+
 FROM rust:latest
 
 RUN rustup target add wasm32v1-none
 
 RUN apt-get update && \
     apt-get install -y --no-install-recommends dbus gnome-keyring libdbus-1-3 libudev1 libssl3 && \
-    LATEST=$(curl -s https://api.github.com/repos/stellar/stellar-cli/releases/latest | grep '"tag_name"' | sed 's/.*"v\(.*\)".*/\1/') && \
-    ARCH=$(dpkg --print-architecture) && \
-    curl -fsSL "https://github.com/stellar/stellar-cli/releases/download/v${LATEST}/stellar-cli_${LATEST}_${ARCH}.deb" \
-      -o /tmp/stellar-cli.deb && \
-    dpkg -i /tmp/stellar-cli.deb && \
-    rm -rf /var/lib/apt/lists/* /tmp/stellar-cli.deb
+    rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /usr/local/cargo/bin/stellar /usr/local/bin/stellar
 
 ENV STELLAR_CONFIG_HOME=/config
 ENV STELLAR_DATA_HOME=/data

From dd1caef4b245efc326c7abbfa92c95a57971c6d3 Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Mon, 2 Mar 2026 14:50:28 -0800
Subject: [PATCH 7/8] Apply suggestion from @leighmcculloch

Co-authored-by: Leigh <351529+leighmcculloch@users.noreply.github.com>
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 48a8fa406..e44c87f2e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,6 +8,7 @@ RUN apt-get update && \
 
 RUN git clone https://github.com/stellar/stellar-cli.git /tmp/stellar-cli && \
     cd /tmp/stellar-cli && \
+    git fetch origin ${STELLAR_CLI_REF} && \
     git checkout ${STELLAR_CLI_REF} && \
     cargo install --locked --path cmd/stellar-cli && \
     rm -rf /tmp/stellar-cli

From 915c224318bc0397275684c9d6861f87b5f7e5a2 Mon Sep 17 00:00:00 2001
From: Nando Vieira <me@fnando.com>
Date: Thu, 5 Mar 2026 14:35:24 -0800
Subject: [PATCH 8/8] Address pr feedback.

---
 .github/workflows/docker.yml | 1 +
 Dockerfile                   | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 3386b5f23..50071ee46 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -11,5 +11,6 @@ defaults:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
       - run: echo "Building and pushing Docker image..."
diff --git a/Dockerfile b/Dockerfile
index e44c87f2e..83552048e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,8 +8,8 @@ RUN apt-get update && \
 
 RUN git clone https://github.com/stellar/stellar-cli.git /tmp/stellar-cli && \
     cd /tmp/stellar-cli && \
-    git fetch origin ${STELLAR_CLI_REF} && \
-    git checkout ${STELLAR_CLI_REF} && \
+    git fetch origin "${STELLAR_CLI_REF}" && \
+    git checkout "${STELLAR_CLI_REF}" && \
     cargo install --locked --path cmd/stellar-cli && \
     rm -rf /tmp/stellar-cli