Docker build (#486)

Closes GRAPH-1184

- Publish amd64 and arm64 docker images on pushes to main and tags
- Build binaries using beefy org runners
- Upgrade actionlint and perform necessary configuration and update
steps to make it happy

Author: antonsviridov-src

.dockerignore

@@ -0,0 +1,2 @@
+**/.git
+bazel-*

.github/actionlint.yaml

@@ -0,0 +1,6 @@
+# Configuration related to self-hosted runner.
+self-hosted-runner:
+  # Labels of self-hosted runner in array of strings.
+  labels:
+    - ubuntu-22.04-32core-graph-team-amd64
+    - ubuntu-22.04-32core-graph-team-arm64

.github/workflows/release-docker.yml

@@ -0,0 +1,156 @@
+name: "Release Docker images"
+
+on:
+  push:
+    branches: ["main"]
+    tags:
+      - "v*"
+env:
+  REGISTRY_IMAGE: sourcegraph/scip-clang
+
+jobs:
+  build-binaries:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-22.04-32core-graph-team-amd64
+            platform: linux/amd64
+            binary-name: scip-clang-x86_64-linux
+          - os: ubuntu-22.04-32core-graph-team-arm64
+            platform: linux/arm64
+            binary-name: scip-clang-arm64-linux
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: bazel-contrib/setup-bazel@0.14.0
+        with:
+          bazelisk-cache: true
+          disk-cache: ${{ github.workflow }}-${{ matrix.binary-name }}
+          repository-cache: true
+
+      - name: Build binary
+        run: bazel build //indexer:scip-clang --config release
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          path: bazel-bin/indexer/scip-clang
+          name: ${{ matrix.binary-name }}
+          if-no-files-found: error
+
+  build-docker:
+    needs: [build-binaries]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-22.04
+            platform: linux/amd64
+            binary-name: scip-clang-x86_64-linux
+          - os: ubuntu-22.04-arm
+            platform: linux/arm64
+            binary-name: scip-clang-arm64-linux
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY_IMAGE }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Download pre-built binary
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ matrix.binary-name }}
+          path: /tmp/binary
+
+      - run: cp /tmp/binary/scip-clang ./scip-clang && ls -l ./scip-clang
+
+      - name: Build and push by digest
+        id: build-images
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ env.REGISTRY_IMAGE }}
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build-images.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ env.PLATFORM_PAIR }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge-docker:
+    runs-on: ubuntu-latest
+    needs: [build-docker]
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Snapshot metadata
+        if: github.ref == 'refs/heads/main'
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY_IMAGE }}
+          tags: |
+            type=raw,value=latest-snapshot
+
+      - name: Tag metadata
+        if: startsWith(github.ref, 'refs/tags/v')
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.REGISTRY_IMAGE }}
+          tags: |
+            type=raw,value=latest
+            type=raw,value=${{ env.PATCH }}
+            type=raw,value=${{ env.MINOR }}
+            type=raw,value=${{ env.MAJOR }}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)

.github/workflows/release.yml

@@ -2,47 +2,47 @@ name: Release
 on:
   push:
     tags:
-      - 'v*'
+      - "v*"
   workflow_dispatch:
     inputs:
       revision:
-        description: 'Tag or revision to build binaries for'
+        description: "Tag or revision to build binaries for"
         type: string
         required: true
       create_release:
-        description: 'Should publish the binary or not'
+        description: "Should publish the binary or not"
         required: true
-        default: 'false'
+        default: "false"
 
 jobs:
   build-and-upload-artifacts:
-    name: 'Build and upload artifacts'
+    name: "Build and upload artifacts"
     strategy:
       matrix:
         include:
-          - platform: 'ubuntu-22.04'
-            container: 'gcc:9.5.0-buster'
-            config: 'dev'
-          - platform: 'ubuntu-22.04'
-            container: 'gcc:9.5.0-buster'
-            config: 'release'
+          - platform: "ubuntu-22.04"
+            container: "gcc:9.5.0-buster"
+            config: "dev"
+          - platform: "ubuntu-22.04"
+            container: "gcc:9.5.0-buster"
+            config: "release"
           # macOS 14 => arm64
-          - platform: 'macos-14'
-            container: ''
-            config: 'release'
+          - platform: "macos-14"
+            container: ""
+            config: "release"
     runs-on: ${{ matrix.platform }}
     container: ${{ matrix.container }}
     env:
       TAG: ${{ github.event.ref }}
     permissions:
-      contents: 'read'
-      id-token: 'write'
+      contents: "read"
+      id-token: "write"
     defaults:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@v3
-      - name: '📝 Check version'
+      - uses: actions/checkout@v4
+      - name: "📝 Check version"
         run: |
           set -euo pipefail
           if [[ "${TAG:-}" == v* ]]; then
@@ -51,7 +51,7 @@ jobs:
             TAG_LIKE="$(grep '## v' CHANGELOG.md | head -n 1 | cut -d ' ' -f 2)"
           fi
           NEW_VERSION="${TAG_LIKE/v/}" ./tools/version_check.sh
-      - name: '🐍 Install Bazelisk'
+      - name: "🐍 Install Bazelisk"
         run: |
           if ! command -v bazelisk; then
             if [ "$RUNNER_OS" == "Windows" ]; then
@@ -64,13 +64,13 @@ jobs:
             fi
           fi
       - id: auth
-        name: '🔓 Authenticate to Google Cloud'
-        uses: 'google-github-actions/auth@v1'
+        name: "🔓 Authenticate to Google Cloud"
+        uses: "google-github-actions/auth@v2"
         with:
           workload_identity_provider: ${{ secrets.GCP_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
           create_credentials_file: true
-      - name: '🚧 Build scip-clang'
+      - name: "🚧 Build scip-clang"
         run: |
           # Stop Windows from converting the // to /
           # https://github.com/bazelbuild/bazel/commit/866ecc8c3d5e0b899e3f0c9c6b2265f16daae842
@@ -99,7 +99,7 @@ jobs:
           fi
         env:
           CONFIG: ${{ matrix.config }}
-      - name: '🔎 Identify OS'
+      - name: "🔎 Identify OS"
         run: echo "OS=$(uname -s | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV"
       # - name: '🪵 Upload log'
       #   uses: actions/upload-artifact@v3
@@ -120,19 +120,19 @@ jobs:
           OS: ${{ env.OS }}
           CONFIG: ${{ matrix.config }}
       - name: ${{ format('📦 Store binary ({0})', matrix.config) }}
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: ${{ matrix.platform }}-${{ matrix.config }}-release-artifacts
           path: ${{ env.outBinaryPath }}
 
   create-release:
-    name: 'Create release'
+    name: "Create release"
     if: github.event_name != 'workflow_dispatch' || inputs.create_release
     needs: build-and-upload-artifacts
-    runs-on: 'ubuntu-20.04'
+    runs-on: "ubuntu-20.04"
     steps:
-      - uses: actions/checkout@v3
-      - name: '📝 Create Release'
+      - uses: actions/checkout@v4
+      - name: "📝 Create Release"
         run: |
           REV="$INPUT_REVISION"
           if [ "$TRIGGER" != "workflow_dispatch" ]; then
@@ -147,9 +147,9 @@ jobs:
           INPUT_REVISION: ${{ inputs.revision }}
       # Download everything to avoid spelling out the different
       # platforms here.
-      - name: '📥 Download all artifacts'
-        uses: actions/download-artifact@v3
-      - name: '📤 Upload artifacts for release'
+      - name: "📥 Download all artifacts"
+        uses: actions/download-artifact@v4
+      - name: "📤 Upload artifacts for release"
         run: gh release upload "${GITHUB_REF/refs\/tags\//}" ./*-release-artifacts/*
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -0,0 +1,10 @@
+FROM ubuntu:22.04 as indexer
+
+RUN apt-get update && apt-get install -y curl libc6-dev python3 build-essential ninja-build git cmake
+
+COPY ./scip-clang /usr/bin/scip-clang
+RUN chmod +x /usr/bin/scip-clang && chown $(whoami) /usr/bin/scip-clang
+
+WORKDIR /sources
+
+ENTRYPOINT [ "scip-clang" ]

fetch_deps.bzl

@@ -210,22 +210,22 @@ def fetch_direct_dependencies():
     http_archive(
         name = "actionlint_darwin_arm64",
         build_file = "@scip_clang//third_party:actionlint.BUILD",
-        sha256 = "4b8eff986643b8d9918c4fd3ada9c0eee7e59230a53a46a9bd9686521dcad170",
-        urls = ["https://github.com/rhysd/actionlint/releases/download/v1.6.27/actionlint_1.6.27_darwin_arm64.tar.gz"],
+        sha256 = "2693315b9093aeacb4ebd91a993fea54fc215057bf0da2659056b4bc033873db",
+        urls = ["https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_darwin_arm64.tar.gz"],
     )
 
     http_archive(
         name = "actionlint_linux_amd64",
         build_file = "@scip_clang//third_party:actionlint.BUILD",
-        sha256 = "5c9b6e5418f688b7f7c7e3d40c13d9e41b1ca45fb6a2c35788b0580e34b7300f",
-        urls = ["https://github.com/rhysd/actionlint/releases/download/v1.6.27/actionlint_1.6.27_linux_amd64.tar.gz"],
+        sha256 = "023070a287cd8cccd71515fedc843f1985bf96c436b7effaecce67290e7e0757",
+        urls = ["https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_amd64.tar.gz"],
     )
 
     http_archive(
         name = "actionlint_linux_arm64",
         build_file = "@scip_clang//third_party:actionlint.BUILD",
-        sha256 = "03ffe5891da7800ec39533543667697b5c292d0ff8b906397b43c58374ec052a",
-        urls = ["https://github.com/rhysd/actionlint/releases/download/v1.6.27/actionlint_1.6.27_linux_arm64.tar.gz"],
+        sha256 = "401942f9c24ed71e4fe71b76c7d638f66d8633575c4016efd2977ce7c28317d0",
+        urls = ["https://github.com/rhysd/actionlint/releases/download/v1.7.7/actionlint_1.7.7_linux_arm64.tar.gz"],
     )
 
     http_archive(