Configure builder by default

.github/workflows/docker-rofl-container-builder.yml

@@ -0,0 +1,82 @@
+name: docker-rofl-container-builder
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - docker/rofl-container-builder/**
+      - .github/workflows/docker-rofl-container-builder.yml
+    tags:
+      - 'rofl-container-builder/v[0-9]+.[0-9]+*'
+  pull_request:
+    paths:
+      - docker/rofl-container-builder/**
+      - .github/workflows/docker-rofl-container-builder.yml
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-rofl-container-builder:
+    name: build-rofl-container-builder
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Determine tag name
+        id: determine-tag
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "tag=pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # Trim rofl-container-builder/v prefix from tag
+            TAG="${{ github.ref_name }}"
+            TAG="${TAG#rofl-container-builder/v}"
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=latest" >> "$GITHUB_OUTPUT"
+          fi
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Build and push oasisprotocol/rofl-container-builder:${{ steps.determine-tag.outputs.tag }}"
+        uses: docker/build-push-action@v6
+        with:
+          context: docker/rofl-container-builder
+          file: docker/rofl-container-builder/Dockerfile
+          tags: ghcr.io/oasisprotocol/rofl-container-builder:${{ steps.determine-tag.outputs.tag }}
+          pull: true
+          push: true
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.determine-tag.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+
+  prune-old-images:
+    name: prune-old-images
+    if: ${{ always() }}
+    needs: [build-rofl-container-builder]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prune old ghcr.io/oasisprotocol/rofl-container-builder images
+        uses: vlaurin/action-ghcr-prune@v0.6.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: rofl-container-builder
+          keep-younger-than: 7
+          keep-last: 2
+          prune-tags-regexes: ^pr-

build/env/env.go

@@ -6,6 +6,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"sync"
 
 	"github.com/oasisprotocol/cli/cmd/common"
 )
@@ -86,6 +87,10 @@ type ContainerEnv struct {
 }
 
 var containerCmds = []string{"docker", "podman"}
+var (
+	containerCmdPath string
+	containerCmdOnce sync.Once
+)
 
 // NewContainerEnv creates a new Docker or Podman-based execution environment.
 func NewContainerEnv(image, baseDir, dirMount string) *ContainerEnv {
@@ -213,12 +218,20 @@ func (de *ContainerEnv) HasBinary(string) bool {
 
 // getContainerCmd finds a working docker or podman command and returns its path.
 func getContainerCmd() string {
-	for _, cmd := range containerCmds {
-		if path, err := exec.LookPath(cmd); err == nil && path != "" {
-			return path
+	containerCmdOnce.Do(func() {
+		for _, cmd := range containerCmds {
+			if path, err := exec.LookPath(cmd); err == nil && path != "" {
+				containerCmdPath = path
+				return
+			}
 		}
-	}
-	return ""
+	})
+	return containerCmdPath
+}
+
+// IsContainerRuntimeAvailable returns true if a container runtime (docker or podman) is available.
+func IsContainerRuntimeAvailable() bool {
+	return getContainerCmd() != ""
 }
 
 // IsAvailable implements ExecEnv.

build/rofl/artifacts.go

@@ -1,5 +1,13 @@
 package rofl
 
+// Builder images for different app kinds.
+const (
+	// LatestBuilderImage is the full builder with Rust toolchain for raw apps.
+	LatestBuilderImage = "ghcr.io/oasisprotocol/rofl-dev:v0.5.0@sha256:31573686552abeb0edebc450f6872831f0006a6cf38220cef7e0789d4376c2c1"
+	// LatestContainerBuilderImage is the minimal builder for container apps.
+	LatestContainerBuilderImage = "ghcr.io/oasisprotocol/rofl-container-builder:0.0.1@sha256:913ef97ab07dde31f08ce873f825bf3d4f32ad4102ff5797d7c3050c121c4dce"
+)
+
 // LatestBasicArtifacts are the latest TDX ROFL basic app artifacts.
 var LatestBasicArtifacts = ArtifactsConfig{
 	Firmware: "https://github.com/oasisprotocol/oasis-boot/releases/download/v0.6.2/ovmf.tdx.fd#db47100a7d6a0c1f6983be224137c3f8d7cb09b63bb1c7a5ee7829d8e994a42f",

build/rofl/manifest.go

@@ -76,10 +76,19 @@ type Manifest struct {
 	// Scripts are custom scripts that are executed by the build system at specific stages.
 	Scripts map[string]string `yaml:"scripts,omitempty" json:"scripts,omitempty"`
 
+	// Tooling contains information about the tooling used to generate/update the manifest.
+	Tooling *ToolingConfig `yaml:"tooling,omitempty" json:"tooling,omitempty"`
+
 	// sourceFn is the filename from which the manifest has been loaded.
 	sourceFn string
 }
 
+// ToolingConfig contains information about the tooling used to manage the manifest.
+type ToolingConfig struct {
+	// Version is the CLI version that last modified this manifest.
+	Version string `yaml:"version" json:"version"`
+}
+
 // ManifestExists checks whether a manifest file exist. No attempt is made to load, parse or
 // validate any of the found manifest files.
 func ManifestExists() bool {

build/sgxs/sgxs.go

@@ -15,10 +15,10 @@ import (
 // It requires the `ftxsgx-elf2sgxs` utility to be installed.
 func Elf2Sgxs(buildEnv env.ExecEnv, elfSgxPath, sgxsPath string, heapSize, stackSize, threads uint64) (err error) {
 	if elfSgxPath, err = buildEnv.PathToEnv(elfSgxPath); err != nil {
-		return
+		return err
 	}
 	if sgxsPath, err = buildEnv.PathToEnv(sgxsPath); err != nil {
-		return
+		return err
 	}
 
 	args := []string{
@@ -31,7 +31,7 @@ func Elf2Sgxs(buildEnv env.ExecEnv, elfSgxPath, sgxsPath string, heapSize, stack
 
 	cmd := exec.Command("ftxsgx-elf2sgxs", args...)
 	if err = buildEnv.WrapCommand(cmd); err != nil {
-		return
+		return err
 	}
 	if common.IsVerbose() {
 		fmt.Println(cmd)