feat: multi-arch Docker images built with Nix (#62)

- Replace `Dockerfile` and `.dockerignore` with pure Nix image builds
(`dockerTools.buildLayeredImage` + `pkgsCross`)
- Build `linux/amd64` and `linux/arm64` images via `nix build`
- Publish workflow pushes images by digest (via `skopeo`) and assembles
multi-arch manifests with `docker buildx imagetools create`
- Test workflow runs both arch builds in a matrix; functional test and
scan run on amd64
- Add `skopeo` to dev shell and use `nix develop --command bash {0}` as
default shell in CI jobs

Author: tembleking

.dockerignore

@@ -51,34 +51,108 @@ jobs:
             echo "new_version=$VERSION" >> $GITHUB_OUTPUT
           fi
 
-  push_to_registry:
-    name: Push Docker image to GitHub Packages
+  build:
+    name: Build ${{ matrix.arch }} image
     runs-on: ubuntu-latest
     needs: [ get-newer-version ]
     if: needs.get-newer-version.outputs.new-version != ''
+    defaults:
+      run:
+        shell: nix develop --command bash {0}
     permissions:
-      contents: read # required for actions/checkout
-      packages: write # required for pushing to ghcr.io
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            nix_package: sysdig-mcp-server-image-amd64
+          - arch: arm64
+            nix_package: sysdig-mcp-server-image-aarch64
     steps:
       - name: Check out the repo
         uses: actions/checkout@v5
 
+      - name: Install Nix
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
+
+      - name: Build image
+        run: nix build .#${{ matrix.nix_package }} -o result
+
+      - name: Log in to GitHub Container Registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | skopeo login ghcr.io -u "${{ github.actor }}" --password-stdin
+
+      - name: Push image by digest
+        id: push
+        env:
+          REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+        run: |
+          skopeo copy --digestfile /tmp/digest \
+            docker-archive:result \
+            docker://$REGISTRY --format oci
+
+          mkdir -p /tmp/digests
+          cp /tmp/digest /tmp/digests/${{ matrix.arch }}
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v5
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  push_to_registry:
+    name: Push multi-arch manifest to GitHub Packages
+    runs-on: ubuntu-latest
+    needs: [ get-newer-version, build ]
+    permissions:
+      contents: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io/sysdiglabs/sysdig-mcp-server
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v6
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push Docker image
-        id: build-and-push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: |
-            ghcr.io/sysdiglabs/sysdig-mcp-server:latest
-            ghcr.io/sysdiglabs/sysdig-mcp-server:${{ needs.get-newer-version.outputs.new-version }}
+      - name: Create manifest list and push
+        env:
+          VERSION: ${{ needs.get-newer-version.outputs.new-version }}
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create --tag $REGISTRY:${VERSION} \
+            $(printf "$REGISTRY@%s " $(cat *))
+
+          docker buildx imagetools create --tag $REGISTRY:latest \
+            $(printf "$REGISTRY@%s " $(cat *))
+
+      - name: Inspect image
+        env:
+          VERSION: ${{ needs.get-newer-version.outputs.new-version }}
+        run: docker buildx imagetools inspect $REGISTRY:${VERSION}
 
   release:
     name: Create release at Github
@@ -94,7 +168,16 @@ jobs:
           fetch-tags: true
 
       - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
 
       - name: Install git-chglog
         run: nix profile install nixpkgs#git-chglog

.github/workflows/publish.yaml

@@ -13,8 +13,8 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  test:
-    name: Test
+  build-and-test:
+    name: Build and Test
     runs-on: ubuntu-latest
     defaults:
       run:
@@ -24,25 +24,22 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Install nix
-        uses: DeterminateSystems/nix-installer-action@main
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+        with:
+          use-flakehub: false
+
+      - name: Build
+        run: go build ./...
 
       - name: Run Checks
         run: just check
         env:
           SYSDIG_MCP_API_HOST: ${{ vars.SYSDIG_MCP_API_HOST }}
           SYSDIG_MCP_API_TOKEN: ${{ secrets.SYSDIG_MCP_API_SECURE_TOKEN }}
-  build:
-    name: Build
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        shell: nix develop --command bash {0}
-    steps:
-      - name: Check out the repo
-        uses: actions/checkout@v4
-
-      - name: Install nix
-        uses: DeterminateSystems/nix-installer-action@main
-
-      - name: Build
-        run: go build ./...

.github/workflows/test.yaml

@@ -15,36 +15,54 @@ concurrency:
 
 jobs:
   test_build:
-    name: Test Build
+    name: Test Build (${{ matrix.arch }})
     runs-on: ubuntu-latest
     permissions:
       contents: read # required for actions/checkout
-      packages: write # required for pushing the test image to ghcr.io
+    strategy:
+      max-parallel: 1
+      matrix:
+        include:
+          - arch: amd64
+            nix_package: sysdig-mcp-server-image-amd64
+          - arch: arm64
+            nix_package: sysdig-mcp-server-image-aarch64
     steps:
       - name: Check out the repo
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.sha }} # required for better experience using pre-releases
-          fetch-depth: "0" # Required due to the way Git works, without it this action won't be able to find any or the correct tags
+          ref: ${{ github.sha }}
+          fetch-depth: "0"
 
-      - name: Build Docker image and test push action
-        id: build-to-test
-        uses: docker/build-push-action@v6
+      - name: Install Nix
+        # Pinned to v21 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/nix-installer-action.git <tag>
+        uses: DeterminateSystems/nix-installer-action@c5a866b6ab867e88becbed4467b93592bce69f8a # v21
+
+      - name: Enable Nix cache
+        # Pinned to v13 commit SHA for supply-chain safety.
+        # To update: git ls-remote https://github.com/DeterminateSystems/magic-nix-cache-action.git <tag>
+        uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
         with:
-          context: .
-          load: true
-          push: false
-          tags: |
-            ghcr.io/sysdiglabs/sysdig-mcp-server:test
+          use-flakehub: false
+
+      - name: Build image
+        run: nix build .#${{ matrix.nix_package }} -o result
 
-      - name: Test we can execute the docker image
+      - name: Load image
+        id: load
         run: |
-          docker run --rm ghcr.io/sysdiglabs/sysdig-mcp-server:test --help | grep "Sysdig MCP Server"
+          IMAGE_TAG=$(docker load < result | sed -n 's/Loaded image: //p')
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Test image
+        if: matrix.arch == 'amd64'
+        run: docker run --rm "${{ steps.load.outputs.image_tag }}" --help | grep "Sysdig MCP Server"
 
       - name: Scan Docker image
         uses: sysdiglabs/scan-action@v6
         with:
-          image-tag: ghcr.io/sysdiglabs/sysdig-mcp-server:test
+          image-tag: ${{ steps.load.outputs.image_tag }}
           sysdig-secure-token: ${{ secrets.SECURE_ENV_MON_API_KEY }}
           sysdig-secure-url: ${{ secrets.SECURE_ENV_MON_ENDPOINT }}
           stop-on-failed-policy-eval: true

.github/workflows/test_image.yaml

@@ -133,6 +133,16 @@ fix: correct API endpoint URL
 chore: update dependencies
 ```
 
+### 4.5. Known Flaky Integration Tests
+
+The process tree integration tests in `internal/infra/sysdig/client_process_tree_integration_test.go` use a **hardcoded event ID** that points to a real Sysdig event. Since Sysdig events have a retention period, this event will eventually be deleted and the tests will fail with a `not found` error.
+
+**How to fix it:**
+
+1. Use the `list_runtime_events` MCP tool (or the Sysdig API) to find a recent runtime event that originates from a **syscall/workload source** (not cloud/cloudtrail), as only these have process trees. Filter for `category = "runtime"` and `source = "syscall"`.
+2. Verify the event has a process tree by calling `get_event_process_tree` with the event ID.
+3. Update the `eventID` variable in the test's `BeforeEach` block with the new event ID.
+
 ## 5. Guides & Reference
 
 *   **Tools & New Tool Creation:** See `internal/infra/mcp/tools/README.md`

AGENTS.md

@@ -0,0 +1,7 @@
+{
+  imageName = "quay.io/sysdig/sysdig-mini-ubi9";
+  imageDigest = "sha256:efee7299f1be1971c83826175f8583bed3736ff817dc38c1d266dfa6385d9b3b";
+  hash = "sha256-Ga+VuvBYshe93r8yIN9//dRdw/sfTNsxHl2x+3A5TXE=";
+  finalImageName = "quay.io/sysdig/sysdig-mini-ubi9";
+  finalImageTag = "1";
+}

Dockerfile

@@ -0,0 +1,7 @@
+{
+  imageName = "quay.io/sysdig/sysdig-mini-ubi9";
+  imageDigest = "sha256:efee7299f1be1971c83826175f8583bed3736ff817dc38c1d266dfa6385d9b3b";
+  hash = "sha256-3K1eClgXOCAYFg5OA6SbzrUrI9xATXkG3bM1Y/t3E6I=";
+  finalImageName = "quay.io/sysdig/sysdig-mini-ubi9";
+  finalImageTag = "1";
+}

docker-base-aarch64.nix

@@ -0,0 +1,23 @@
+{
+  dockerTools,
+  sysdig-mcp-server,
+  stdenv,
+}:
+let
+  arch = if stdenv.hostPlatform.isAarch64 then "arm64" else "amd64";
+  baseImageAmd64 = import ./docker-base-amd64.nix;
+  baseImageAarch64 = import ./docker-base-aarch64.nix;
+  baseImage = dockerTools.pullImage (
+    if stdenv.hostPlatform.isAarch64 then baseImageAarch64 else baseImageAmd64
+  );
+in
+dockerTools.buildLayeredImage {
+  name = sysdig-mcp-server.pname;
+  tag = "${sysdig-mcp-server.version}-${arch}";
+  contents = [ sysdig-mcp-server ];
+  fromImage = baseImage;
+  config = {
+    Entrypoint = [ "${sysdig-mcp-server}/bin/sysdig-mcp-server" ];
+    User = "1000";
+  };
+}