chore: verify xwin checksum (#1099)

rjaegers · web-flow · commit e7aec51afbec · 2026-01-22T20:08:44.000Z
* chore: verify xwin checksum

* chore: silence linter warnings

* chore: retry ignore

* chore: maybe this works

* chore: another permutation

* chore: one last try before global ignore

* chore: the ignore bazooka

* chore: process review comments
diff --git a/.devcontainer/cpp/Dockerfile b/.devcontainer/cpp/Dockerfile
@@ -1,13 +1,47 @@
 # syntax=docker/dockerfile:1
+# hadolint global ignore=DL3006
 
 ARG BASE_IMAGE=ghcr.io/philips-software/amp-devcontainer-base:edge
+ARG XWIN_VERSION=0.7.0
+
+# Downloader stage for AMD64 architecture
+FROM scratch AS downloader-amd64
+
+ARG XWIN_VERSION
+
+ADD --checksum=sha256:f1bffe5319728fca9cde5bb03fcb6c88cdf44922bd003fca8b4b9ce5b6f259d2 \
+ https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz /xwin.tar.gz
+
+# Downloader stage for ARM64 architecture
+FROM scratch AS downloader-arm64
+
+ARG XWIN_VERSION
+
+ADD --checksum=sha256:b85cd1e0c94f249338b02a6e54b380154a5af6b5dd754121b15722125a67cf9f \
+ https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-aarch64-unknown-linux-musl.tar.gz /xwin.tar.gz
+
+# Select downloader stage based on target architecture.
+# Linters don't recognize the TARGETARCH variable, so we ignore warnings here.
+# trivy:ignore:AVD-DS-0001
+FROM downloader-${TARGETARCH} AS downloader
+
+# Extractor stage using target architecture specific downloader
+FROM ${BASE_IMAGE} AS extractor
+
+ARG XWIN_VERSION
+
+WORKDIR /
+
+RUN --mount=from=downloader,target=/dl \
+ tar xzf /dl/xwin.tar.gz --strip-components=1 "xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl/xwin"
+
+# Final development container image
 FROM ${BASE_IMAGE}
 
 ARG CCACHE_VERSION=4.12
 ARG CLANG_VERSION=19
 ARG CPM_VERSION=0.40.2
 ARG INCLUDE_WHAT_YOU_USE_VERSION=0.23
-ARG XWIN_VERSION=0.6.7
 
 ARG DEBIAN_FRONTEND=noninteractive
 
@@ -24,20 +58,28 @@ ENV CCACHE_DIR=/cache/.ccache \
     PATH="$PATH:/usr/lib/llvm-${CLANG_VERSION}/bin:/opt/gcc-arm-none-eabi/bin" \
     PYTHONPYCACHEPREFIX=/cache/.python
 
-# Install the base system with all tool dependencies
 # hadolint ignore=DL3008
 RUN --mount=type=bind,source=.devcontainer/cpp/apt-requirements-base.json,target=/tmp/apt-requirements-base.json \
     --mount=type=bind,source=.devcontainer/cpp/requirements.txt,target=/tmp/requirements.txt \
     --mount=type=cache,target=/cache,sharing=locked \
     --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     --mount=type=cache,target=/var/log,sharing=locked \
- apt-get update \
- && jq -r 'to_entries | .[] | .key + "=" + .value' /tmp/apt-requirements-base.json | xargs apt-get install -y --no-install-recommends \
- # Install some tools via pip to get more recent versions, clean up afterwards
- && python3 -m pip install --break-system-packages --require-hashes --no-cache-dir --no-compile -r /tmp/requirements.txt \
- && find / -regex '^.*\(__pycache__\|\.py[co]\)$' -delete \
- && rm -rf "$(pip cache dir)"
+    --mount=from=extractor,target=/src <<EOF
+
+    # Install the base system with all tool dependencies
+    apt-get update && \
+    jq -r 'to_entries | .[] | .key + "=" + .value' /tmp/apt-requirements-base.json | \
+        xargs apt-get install -y --no-install-recommends
+
+    # Install some tools via pip to get more recent versions, clean up afterwards
+    python3 -m pip install --break-system-packages --require-hashes --no-cache-dir --no-compile -r /tmp/requirements.txt
+    find / -regex '^.*\(__pycache__\|\.py[co]\)$' -delete
+    rm -rf "$(pip cache dir)"
+
+    # Install xwin
+    cp /src/xwin /usr/local/bin/xwin
+EOF
 
 # Install clang toolchain and mull mutation testing framework
 RUN --mount=type=bind,source=.devcontainer/cpp/apt-requirements-clang.json,target=/tmp/apt-requirements-clang.json \
@@ -57,9 +99,8 @@ RUN --mount=type=bind,source=.devcontainer/cpp/apt-requirements-clang.json,targe
 RUN mkdir /opt/gcc-arm-none-eabi \
  && wget --no-hsts -qO - "https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-$(uname -m)-arm-none-eabi.tar.xz" | tar --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 -xJC /opt/gcc-arm-none-eabi
 
-# Install xwin and ccache
-RUN wget --no-hsts -qO - "https://github.com/Jake-Shadle/xwin/releases/download/${XWIN_VERSION}/xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl.tar.gz" | tar -xzv -C /usr/local/bin --strip-components=1 "xwin-${XWIN_VERSION}-$(uname -m)-unknown-linux-musl/xwin" \
- && wget --no-hsts -qO - "https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-$(uname -m).tar.xz" | tar -xJ -C /usr/local/bin --strip-components=1 "ccache-${CCACHE_VERSION}-linux-$(uname -m)/ccache"
+# Install ccache
+RUN wget --no-hsts -qO - "https://github.com/ccache/ccache/releases/download/v${CCACHE_VERSION}/ccache-${CCACHE_VERSION}-linux-$(uname -m).tar.xz" | tar -xJ -C /usr/local/bin --strip-components=1 "ccache-${CCACHE_VERSION}-linux-$(uname -m)/ccache"
 
 # Install include-what-you-use (iwyu) from source
 # hadolint ignore=DL3008
