c: set up CI pipeline

Author: jaredallard

.github/workflows/docker.yml

@@ -5,24 +5,45 @@ on:
     branches: [main]
   pull_request: {}
 
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
 jobs:
   build:
-    runs-on: ubuntu-24.04
+    name: build (${{ matrix.platform }})
+    runs-on: ubuntu-24.04${{ matrix.platform == 'linux/arm64' && '-arm' || ''}}
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
     permissions:
       id-token: write
       packages: write
       contents: read
       attestations: write
     env:
-      REGISTRY: ghcr.io
-      IMAGE_NAME: ${{ github.repository }}
+      PLATFORM: ${{ matrix.platform }}
 
     steps:
       - name: Checkout
         uses: actions/checkout@v5
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v3
+      - name: Build time variables
+        run: |-
+          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >>"$GITHUB_ENV"
+          echo "TOR_VERSION=$(tr -d '\n' <VERSION)" >>"$GITHUB_ENV"
+      - name: Skip if already published
+        env:
+          FULL_DOCKER_IMAGE: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TOR_VERSION }}"
+        run: |-
+          echo "Checking if $FULL_DOCKER_IMAGE exists ..."
+          if docker manifest inspect "$FULL_DOCKER_IMAGE" &>/dev/null; then
+            echo "$FULL_DOCKER_IMAGE already exists, skipping build"
+            gh run cancel "$GITHUB_RUN_ID"
+            exit 0
+          fi
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to GitHub Container Registry
@@ -31,27 +52,85 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      - run: echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >>"$GITHUB_ENV"
-      - run: echo "TOR_VERSION=$(tr -d '\n' <VERSION) >>"$GITHUB_ENV"
+      - name: Download Gentoo
+        run: ./scripts/fetch-gentoo.sh "${PLATFORM##*/}"
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       - name: Build and push image
         uses: docker/build-push-action@v6
-        id: push
+        id: build
         env:
           SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }}
         with:
           context: .
-          outputs: type=registry,rewrite-timestamp=true
           sbom: true
-          push: ${{ github.event_name != 'pull_request' }}
-          provenance: "max"
+          provenance: mode=max
+          labels: ${{ steps.meta.outputs.labels }}
           build-args: TOR_VERSION=${{ env.TOR_VERSION }}
-          platforms: "linux/amd64,linux/arm64"
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TOR_VERSION }}
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          outputs: type=image,rewrite-timestamp=true,push-by-digest=true,name-canonical=true,push=${{ github.event_name == 'push' }}
+      - name: Export digest
+        run: |-
+          mkdir -p "${{ runner.temp }}/digests"
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+      - name: Escape platform (/ -> -)
+        id: platform
+        run: echo "escaped=${PLATFORM//\//-}" >"$GITHUB_OUTPUT"
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ steps.platform.outputs.escaped }}
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+      - name: Attest
+        uses: actions/attest-build-provenance@v3
+        id: attest
+        if: ${{ github.event_name == 'push' }}
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
+
+  merge:
+    if: ${{ github.event_name == 'push' }}
+    runs-on: ubuntu-24.04
+    needs:
+      - build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Build time variables
+        run: |-
+          echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >>"$GITHUB_ENV"
+          echo "TOR_VERSION=$(tr -d '\n' <VERSION)" >>"$GITHUB_ENV"
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Create manifest
+        id: manifest
+        env:
+          FULL_DOCKER_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TOR_VERSION }}
+          DOCKER_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        run: |-
+          readarray -t digests < <(printf "$DOCKER_IMAGE@sha256:%s\n" *)
+          docker buildx imagetools create -t "$FULL_DOCKER_IMAGE" "${digests[@]}"
+          docker buildx imagetools inspect "$FULL_DOCKER_IMAGE"
+          echo "digest=$(docker buildx imagetools inspect "$FULL_DOCKER_IMAGE" | grep "Digest:" | awk '{ print $2 }')" >"$GITHUB_OUTPUT"
       - name: Attest
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@v3
         id: attest
         if: ${{ github.event_name == 'push' }}
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
+          subject-digest: ${{ steps.manifest.outputs.digest }}
           push-to-registry: true

.gitignore

@@ -0,0 +1 @@
+.gentoo-sources

Dockerfile

@@ -1,15 +1,24 @@
 # syntax=docker/dockerfile:1
-FROM gentoo/portage:latest AS portage
-FROM gentoo/stage3:latest AS builder
+FROM scratch AS builder
+
+# Automatically supplied by Docker
+ARG TARGETARCH
+
+# Comes from ./scripts/fetch-gentoo.sh
+ADD ./.gentoo-sources/$TARGETARCH.tar /
 
 # https://gitlab.torproject.org/tpo/core/tor/-/tags
 ARG TOR_VERSION
 
-COPY --from=portage /var/db/repos/gentoo /var/db/repos/gentoo
+SHELL ["/usr/bin/bash", "-euo", "pipefail", "-c"]
 
+# Download latest portage sources
 RUN <<EOF
-  set -euo pipefail
-  
+  mkdir -p /var/db/repos/gentoo
+  emerge-webrsync
+EOF
+
+RUN <<EOF  
   export MAKEOPTS="-j$(nproc)"
   export EMERGE_DEFAULT_OPTS="--jobs 2"
   export USE="${USE:-""} hardened zstd static-libs"
@@ -31,6 +40,6 @@ RUN <<EOF
   strip /usr/bin/tor
 EOF
 
-FROM gcr.io/distroless/static-debian12:nonroot
+FROM scratch
 COPY --from=builder /usr/bin/tor /usr/bin/tor
 ENTRYPOINT ["/usr/bin/tor"]

renovate.json5

@@ -1,4 +1,17 @@
 {
+  // Validate with:
+  //   npx --yes --package renovate -- renovate-config-validator --strict
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: ["config:recommended"],
+  customManagers: [
+    {
+      customType: "regex",
+      managerFilePatterns: ["/^VERSION$/"],
+      matchStrings: ["^(?<currentValue>.+)$"],
+      datasourceTemplate: "gitlab-releases",
+      depNameTemplate: "tpo/core/tor",
+      registryUrlTemplate: "https://gitlab.torproject.org",
+      extractVersionTemplate: "^tor-(?<version>.+)$",
+    },
+  ],
 }

scripts/fetch-gentoo.sh

@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+# Downloads a Gentoo stage3 tarball and makes it available for a FROM
+# scratch Docker image to use.
+#
+# Usage: fetch-gentoo.sh <ARCH>
+#
+#  ARCH: amd64, arm64
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+# curl https://qa-reports.gentoo.org/output/service-keys.gpg | sha512sum | awk '{ print $1 }'
+SIGNATURE_FILE_HASH="21d1c6ccd5c3e82ce4ec2fe4509e072bc1e47d4f16628274d2b508e2d6e111ed0b3b5f7f542ad29d4f58fc0ff475b0d423322de3cad54c0056bf774fed3dffb0"
+
+info() {
+  echo -e "\033[1;34m[INFO]\033[0m" "$@"
+}
+
+
+ARCH="${1:-}"
+if [[ -z "$ARCH" ]] || ! [[ "$ARCH" =~ ^(arm64|amd64)$ ]]; then
+  echo "Usage: $(basename "$0") <ARCH>"
+  echo
+  echo "  ARCH: amd64, arm64"
+  exit
+fi
+
+# Download the Gentoo signing keys, comparing them to the time of this
+# script's writing (avoids us having to vendor them).
+gentooKeys="$(mktemp)"
+wget -O "$gentooKeys" https://qa-reports.gentoo.org/output/service-keys.gpg
+if [[ "$(sha512sum "$gentooKeys" | awk '{ print $1 }')" != "$SIGNATURE_FILE_HASH" ]]; then
+  echo "Gentoo signing keys did not match expected hash" >&2
+  exit 1
+fi
+
+export GNUPGHOME=$(mktemp -d)
+gpg --import "$gentooKeys"
+info "Imported Gentoo signing keys successfully"
+
+DOWNLOAD_DIR=$(mktemp -d)
+
+wget -q -O "$DOWNLOAD_DIR/latest-version.txt" \
+  "https://distfiles.gentoo.org/releases/$ARCH/autobuilds/latest-stage3-$ARCH-openrc.txt"
+gpg --verify "$DOWNLOAD_DIR/latest-version.txt"
+
+GENTOO_VERSION=$(grep "stage3-$ARCH-openrc" "$DOWNLOAD_DIR/latest-version.txt" | awk -F '/' '{ print $1 }')
+info "Using Gentoo stage3 snapshot: $GENTOO_VERSION"
+
+TAR_PATH="$DOWNLOAD_DIR/gentoo-$ARCH.tar.xz"
+
+info "Fetching gentoo archive (ARCH: $ARCH)"
+wget --progress=bar --show-progress -O "$TAR_PATH" \
+  "https://distfiles.gentoo.org/releases/$ARCH/autobuilds/$GENTOO_VERSION/stage3-$ARCH-openrc-$GENTOO_VERSION.tar.xz"
+wget --progress=bar --show-progress -O "$TAR_PATH.asc" \
+  "https://distfiles.gentoo.org/releases/$ARCH/autobuilds/$GENTOO_VERSION/stage3-$ARCH-openrc-$GENTOO_VERSION.tar.xz.asc"
+info "Download successfully"
+
+gpg --verify "$TAR_PATH.asc"
+info "Successfully validated downloaded archive"
+
+DECOMPRESSED_PATH="$SCRIPT_DIR/../.gentoo-sources/$ARCH.tar"
+mkdir -p "$(dirname "$DECOMPRESSED_PATH")"
+rm -f "$DECOMPRESSED_PATH" || true
+
+info "Storing Gentoo tar at $DECOMPRESSED_PATH"
+xz --decompress --stdout "$TAR_PATH" >"$DECOMPRESSED_PATH"
+rm -f "$TAR_PATH"{,.asc}