ci: Build and publish container in CI

* Check that container builds on PR
* Publish container from master branch

Author: NickeZ

.ci/README.md

@@ -0,0 +1,31 @@
+CI Design guidelines
+
+* It is more maintainable to create scripts in `.ci` and then call them from the workflows than to
+  have scripts inline in the workflows. However, it is also good to split up scripts in multiple
+  steps and jobs depending on what is being done.
+
+* The docker image is rebuilt if the `Dockerfile` or `.containerversion` file is modified. (In case
+  of a push event it is also automatically published to docker hub).
+
+* If there are changes in the `Dockerfile`, then `.containerversion` must be updated with an
+  unpublished version number.
+
+* We listen to two kinds of events, `pull_request` and `push` using two different workflows,
+  `pr-ci.yml` and `ci.yml`.
+  * On pull request events, github will checkout a version of the tree that is the PR branch merged
+    into the base branch. When we look for what is modifed we can diff HEAD^1 to HEAD. If github
+    didn't do this, it would've missed commits added to the base branch since the PR branch was
+    forked.
+
+     o--o--o--o <-- (base branch, typically 'master', parent 1)
+      \        \
+       \        o <-- (HEAD)
+        \      /
+         o----o <-- Pull requst branch (parent 2)
+
+  * On push events we get hashes of last commit before and after the push. When we look for what
+    changed we can diff github.event.before with HEAD.
+
+       o--o--o--o--o--o <-- github.event.after (HEAD)
+              \
+                github.event.before

.ci/build-container

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -e
+
+CONTAINER_REPO=shiftcrypto/firmware_v2
+CONTAINER_VERSION=$(cat .containerversion)
+
+docker build --pull --no-cache -t $CONTAINER_REPO:latest -t $CONTAINER_REPO:$CONTAINER_VERSION .

.ci/check-container-sources-modified

@@ -0,0 +1,14 @@
+#!/bin/bash
+#
+# This script works on merge commits. <rev>^1 means the first parent of <rev>.
+#
+# When the github action creates a temporary merge commit for a pull request, the first parent will
+# be the base (the branch being merged into).
+
+set -e
+
+if git diff --name-only HEAD^1 HEAD | grep -E '^(\.containerversion|Dockerfile)' >/dev/null; then
+	echo "true"
+	exit
+fi
+echo "false"

.ci/check-container-version-published

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+CONTAINER_REPO=shiftcrypto/firmware_v2
+CONTAINER_VERSION=$(cat .containerversion)
+
+# docker manifest returns 1 (error) if the container doesn't exist and 0 (success) if it does.
+if docker manifest inspect $CONTAINER_REPO:$CONTAINER_VERSION > /dev/null; then
+	 >&2 echo Container version \'$CONTAINER_VERSION\' exists.
+	 echo true
+	 exit
+fi
+echo false

.ci/publish-container

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+CONTAINER_REPO=shiftcrypto/firmware_v2
+CONTAINER_VERSION=$(cat .containerversion)
+
+docker push $CONTAINER_REPO:latest
+docker push $CONTAINER_REPO:$CONTAINER_VERSION

.github/workflows/ci.yml

@@ -8,7 +8,7 @@ on:
       - master
 
 jobs:
-  linux-docker:
+  ci:
     runs-on: ubuntu-22.04
     steps:
       - name: Clone the repo
@@ -17,7 +17,28 @@ jobs:
           fetch-depth: 0
           fetch-tags: true
           submodules: recursive
+
+      - name: Check if container should be published
+        id: checks
+        run: echo container-published=$(./.ci/check-container-version-published) >> $GITHUB_OUTPUT
+
+      - name: Build container
+        if: steps.checks.outputs.container-published == 'false'
+        run: ./.ci/build-container
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Publish container
+        if: steps.checks.outputs.container-published == 'false'
+        run: ./.ci/publish-container
+
       - name: Pull CI container image
+        if: steps.checks.outputs.container-published == 'true'
         run: ./.ci/pull-container
+
       - name: Run CI in container
         run: ./.ci/run-container-ci ${{github.workspace}} ${{ github.event.before }}

.github/workflows/pr-ci.yml

@@ -14,7 +14,23 @@ jobs:
           submodules: recursive
           fetch-depth: 0
 
+      - name: Check if container files was modified and if container version already exists
+        id: checks
+        run: |
+          echo modified=$(./.ci/check-container-sources-modified) >> "$GITHUB_OUTPUT"
+          echo container-published=$(./.ci/check-container-version-published) >> "$GITHUB_OUTPUT"
+
+      - name: Build container image
+        if: steps.checks.outputs.modified == 'true'
+        run: |
+          if "${{ steps.checks.outputs.container-published }}" == "true"; then
+            echo "::error::Container modified but version $(cat .containerversion) already published"
+            exit 1
+          fi
+          ./.ci/build-container
+
       - name: Pull container image
+        if: steps.checks.outputs.modified == 'false'
         run: ./.ci/pull-container
 
       - name: Run CI in container
@@ -66,7 +82,23 @@ jobs:
           # get the .ci scripts from there as well.
           git checkout -f ${{ github.event.pull_request.merge_commit_sha }} -- .ci .github
 
+      - name: Check if container files was modified and if container version already exists
+        id: checks
+        run: |
+          echo modified=$(./.ci/check-container-sources-modified) >> "$GITHUB_OUTPUT"
+          echo container-published=$(./.ci/check-container-version-published) >> "$GITHUB_OUTPUT"
+
+      - name: Build container image
+        if: steps.checks.outputs.modified == 'true'
+        run: |
+          if "${{ steps.checks.outputs.container-published }}" == "true"; then
+            echo "::error::Container modified but version $(cat .containerversion) already published"
+            exit 1
+          fi
+          ./.ci/build-container
+
       - name: Pull container image
+        if: steps.checks.outputs.modified == 'false'
         run: ./.ci/pull-container
 
       - name: Run CI in container