consolidate builds

fdupress · fdupress · commit daa33ee1420a · 2026-05-08T11:37:52.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,59 +13,51 @@ on:
 
 env:
   IMAGE_TAG: ci-${{ github.run_id }}
+  OPAMYES: true
+  OPAMJOBS: 2
 
 jobs:
-  # ── Phase 1: Build Docker images and share via artifact ──
+  # ── Phase 1: Build and push all Docker images ──
 
   docker:
-    name: Build Docker images
+    name: Build and push Docker images
     runs-on: ubuntu-24.04
+    permissions:
+      packages: write
     steps:
     - uses: actions/checkout@v4
-    - name: Build base image
-      run: make -C scripts/docker build VARIANT=base TAG=$IMAGE_TAG
-    - name: Build build image
-      run: make -C scripts/docker build VARIANT=build TAG=$IMAGE_TAG
-    - name: Save images for downstream jobs
-      run: |
-        docker save "ghcr.io/easycrypt/ec-base-box:$IMAGE_TAG" | gzip > base-image.tar.gz
-        docker save "ghcr.io/easycrypt/ec-build-box:$IMAGE_TAG" | gzip > build-image.tar.gz
-    - uses: actions/upload-artifact@v4
+    - uses: docker/login-action@v3
       with:
-        name: docker-images
-        path: |
-          base-image.tar.gz
-          build-image.tar.gz
-        retention-days: 1
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build and push base image
+      run: |
+        make -C scripts/docker build publish VARIANT=base TAG=$IMAGE_TAG
+    - name: Build and push build image
+      run: |
+        make -C scripts/docker build publish VARIANT=build TAG=$IMAGE_TAG
+    - name: Build and push test image
+      run: |
+        make -C scripts/docker build publish VARIANT=test TAG=$IMAGE_TAG
 
-  # ── Phase 2: CI ──
+  # ── Phase 2: Compile CI profile in build box ──
 
   compile-opam:
     name: EasyCrypt compilation (opam)
     needs: docker
     runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/easycrypt/ec-build-box:${{ env.IMAGE_TAG }}
     steps:
     - uses: actions/checkout@v4
-    - uses: actions/download-artifact@v4
-      with:
-        name: docker-images
-    - run: gunzip -c build-image.tar.gz | docker load
-    - name: Install dependencies & compile
+    - name: Install EasyCrypt dependencies
       run: |
-        docker run --rm \
-          -v "$PWD:/workspace" \
-          -w /workspace \
-          -e HOME=/home/charlie \
-          -e OPAMYES=true \
-          -e OPAMJOBS=2 \
-          "ghcr.io/easycrypt/ec-build-box:$IMAGE_TAG" \
-          bash -c "
-            set -e
-            opam pin add -n easycrypt .
-            opam install --deps-only --depext-only --confirm-level=unsafe-yes easycrypt
-            opam install --deps-only easycrypt
-            opam exec -- make PROFILE=ci
-          "
+        opam pin add -n easycrypt .
+        opam install --deps-only --depext-only --confirm-level=unsafe-yes easycrypt
+        opam install --deps-only easycrypt
+    - name: Compile EasyCrypt
+      run: opam exec -- make PROFILE=ci
 
   compile-nix:
     name: EasyCrypt compilation (nix)
@@ -87,40 +79,28 @@ jobs:
       run: |
         make nix-build-with-provers
 
+  # ── Phase 3: Test in test box (no rebuild) ──
+
   check:
     name: Check EasyCrypt Libraries
-    needs: [docker, compile-opam]
+    needs: docker
     runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/easycrypt/ec-test-box:${{ env.IMAGE_TAG }}
     strategy:
       fail-fast: false
       matrix:
         target: [unit, stdlib, examples]
     steps:
     - uses: actions/checkout@v4
-    - uses: actions/download-artifact@v4
-      with:
-        name: docker-images
-    - run: gunzip -c build-image.tar.gz | docker load
-    - name: Install, compile & test (${{ matrix.target }})
+    - name: Detect SMT provers
       run: |
-        docker run --rm \
-          -v "$PWD:/workspace" \
-          -w /workspace \
-          -e HOME=/home/charlie \
-          -e OPAMYES=true \
-          -e OPAMJOBS=2 \
-          -e TARGET=${{ matrix.target }} \
-          "ghcr.io/easycrypt/ec-build-box:$IMAGE_TAG" \
-          bash -c "
-            set -e
-            opam pin add -n easycrypt .
-            opam install --deps-only --depext-only --confirm-level=unsafe-yes easycrypt
-            opam install --deps-only easycrypt
-            opam exec -- make
-            rm -f ~/.why3.conf
-            opam exec -- ./ec.native why3config -why3 ~/.why3.conf
-            opam exec -- make \$TARGET
-          "
+        rm -f ~/.why3.conf
+        opam exec -- easycrypt why3config -why3 ~/.why3.conf
+    - name: Compile Library (${{ matrix.target }})
+      env:
+        TARGET: ${{ matrix.target }}
+      run: opam exec -- easycrypt runtest config/tests.config $TARGET
     - uses: actions/upload-artifact@v4
       name: Upload report.log
       if: always()
@@ -145,8 +125,10 @@ jobs:
 
   external:
     name: Check EasyCrypt External Projects
-    needs: [docker, compile-opam, fetch-external-matrix]
+    needs: [docker, fetch-external-matrix]
     runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/easycrypt/ec-test-box:${{ env.IMAGE_TAG }}
     strategy:
       fail-fast: false
       matrix:
@@ -156,8 +138,8 @@ jobs:
       with:
         path: easycrypt
     - name: Extract target branch name
-      id: extract_branch
       run: echo "branch=merge-${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+      id: extract_branch
     - name: Find remote branch
       id: branch_name
       run: |
@@ -172,34 +154,18 @@ jobs:
           -b ${{ steps.branch_name.outputs.REPO_BRANCH }} \
           ${{ matrix.target.repository }} \
           project/${{ matrix.target.name }}
-    - uses: actions/download-artifact@v4
-      with:
-        name: docker-images
-    - run: gunzip -c build-image.tar.gz | docker load
-    - name: Install, compile & test external project
+    - name: Detect SMT provers
+      run: |
+        rm -f ~/.why3.conf ~/.config/easycrypt/why3.conf
+        opam exec -- easycrypt why3config
+    - name: Compile project
+      working-directory: project/${{ matrix.target.name }}/${{ matrix.target.subdir }}
       run: |
-        docker run --rm \
-          -v "$PWD:/workspace" \
-          -w /workspace \
-          -e HOME=/home/charlie \
-          -e OPAMYES=true \
-          -e OPAMJOBS=2 \
-          "ghcr.io/easycrypt/ec-build-box:$IMAGE_TAG" \
-          bash -c "
-            set -e
-            opam pin add -n easycrypt easycrypt
-            opam install --deps-only --depext-only --confirm-level=unsafe-yes easycrypt
-            opam install --deps-only easycrypt
-            opam exec -- make -C easycrypt build install
-            rm -f ~/.why3.conf ~/.config/easycrypt/why3.conf
-            opam exec -- easycrypt why3config
-            cd project/${{ matrix.target.name }}/${{ matrix.target.subdir }}
-            opam exec -- easycrypt runtest  \
-              -report report.log            \
-              ${{ matrix.target.options  }} \
-              ${{ matrix.target.config   }} \
-              ${{ matrix.target.scenario }}
-          "
+        opam exec -- easycrypt runtest  \
+          -report report.log            \
+          ${{ matrix.target.options  }} \
+          ${{ matrix.target.config   }} \
+          ${{ matrix.target.scenario }}
     - name: Compute real-path to report.log
       if: always()
       run: |
@@ -223,7 +189,7 @@ jobs:
         jobs: ${{ toJSON(needs) }}
         allowed-skips: external
 
-  # ── Phase 3: Publish to GHCR (only on push after CI passes) ──
+  # ── Phase 4: Retag and push with permanent tags ──
 
   publish:
     name: Publish Docker images
@@ -239,37 +205,33 @@ jobs:
     permissions:
       packages: write
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/download-artifact@v4
-      with:
-        name: docker-images
-    - run: gunzip -c base-image.tar.gz | docker load
-    - run: gunzip -c build-image.tar.gz | docker load
     - uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Push base image
+    - name: Pull and retag base image
       run: |
-        docker tag "ghcr.io/easycrypt/ec-base-box:$IMAGE_TAG" \
-          "ghcr.io/easycrypt/ec-base-box:${{ github.ref_name }}"
-        docker push "ghcr.io/easycrypt/ec-base-box:${{ github.ref_name }}"
-    - name: Push build image
+        docker pull ghcr.io/easycrypt/ec-base-box:${{ env.IMAGE_TAG }}
+        docker tag ghcr.io/easycrypt/ec-base-box:${{ env.IMAGE_TAG }} \
+          ghcr.io/easycrypt/ec-base-box:${{ github.ref_name }}
+        docker push ghcr.io/easycrypt/ec-base-box:${{ github.ref_name }}
+    - name: Pull and retag build image
       run: |
-        docker tag "ghcr.io/easycrypt/ec-build-box:$IMAGE_TAG" \
-          "ghcr.io/easycrypt/ec-build-box:${{ github.ref_name }}"
-        docker push "ghcr.io/easycrypt/ec-build-box:${{ github.ref_name }}"
-    - name: Build and push test image
+        docker pull ghcr.io/easycrypt/ec-build-box:${{ env.IMAGE_TAG }}
+        docker tag ghcr.io/easycrypt/ec-build-box:${{ env.IMAGE_TAG }} \
+          ghcr.io/easycrypt/ec-build-box:${{ github.ref_name }}
+        docker push ghcr.io/easycrypt/ec-build-box:${{ github.ref_name }}
+    - name: Pull and retag test image
       if: |
         github.ref == 'refs/heads/release' ||
         github.ref == 'refs/heads/latest' ||
         github.ref_type == 'tag'
       run: |
-        make -C scripts/docker build VARIANT=test TAG=${{ github.ref_name }}
-        make -C scripts/docker publish VARIANT=test TAG=${{ github.ref_name }}
-
-  # ── Notification ──
+        docker pull ghcr.io/easycrypt/ec-test-box:${{ env.IMAGE_TAG }}
+        docker tag ghcr.io/easycrypt/ec-test-box:${{ env.IMAGE_TAG }} \
+          ghcr.io/easycrypt/ec-test-box:${{ github.ref_name }}
+        docker push ghcr.io/easycrypt/ec-test-box:${{ github.ref_name }}
 
   notification:
     name: Notification
