Simplify

ptrus · ptrus · commit 6898807fe866 · 2025-12-02T09:33:55.000+01:00
diff --git a/.github/workflows/docker-rofl-builder.yml b/.github/workflows/docker-rofl-builder.yml
@@ -0,0 +1,84 @@
+name: docker-rofl-builder
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - docker/rofl-builder/**
+      - .github/workflows/docker-rofl-builder.yml
+    tags:
+      - 'rofl-builder/v[0-9]+.[0-9]+*'
+  pull_request:
+    paths:
+      - docker/rofl-builder/**
+      - .github/workflows/docker-rofl-builder.yml
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-rofl-builder:
+    name: build-rofl-builder
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Determine tag name
+        id: determine-tag
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "tag=pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # Trim rofl-builder/v prefix from tag
+            TAG="${{ github.ref_name }}"
+            TAG="${TAG#rofl-builder/v}"
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=latest" >> "$GITHUB_OUTPUT"
+          fi
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Build and push oasisprotocol/rofl-builder:${{ steps.determine-tag.outputs.tag }}"
+        uses: docker/build-push-action@v6
+        with:
+          context: docker/rofl-builder
+          file: docker/rofl-builder/Dockerfile
+          tags: ghcr.io/oasisprotocol/rofl-builder:${{ steps.determine-tag.outputs.tag }}
+          pull: true
+          push: true
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.determine-tag.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+
+  prune-old-images:
+    name: prune-old-images
+    if: ${{ always() }}
+    needs: [build-rofl-builder]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prune old ghcr.io/oasisprotocol/rofl-builder images
+        uses: vlaurin/action-ghcr-prune@v0.6.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: rofl-builder
+          keep-younger-than: 7
+          keep-last: 2
+          prune-tags-regexes: ^pr-
diff --git a/cmd/rofl/build/artifacts.go b/cmd/rofl/build/artifacts.go
@@ -137,18 +137,33 @@ func cleanEnvForReproducibility() []string {
 	return append(env, "LC_ALL=C", "TZ=UTC", "SOURCE_DATE_EPOCH=0")
 }
 
-// ExtraFile represents a file to be injected into the rootfs.
-type ExtraFile struct {
+// extraFile represents a file to be injected into the rootfs.
+type extraFile struct {
 	HostPath string      // Path on host filesystem
 	TarPath  string      // Path inside the tar/rootfs (e.g., "init" or "etc/config")
 	Mode     os.FileMode // File mode (e.g., 0o755 for executables)
 }
 
+// normalizeHeader normalizes a tar header for reproducible builds.
+// Uses GNU format because sqfstar < 4.6 has a bug with PAX headers
+// that incorrectly strips pathname components in linkpath for symlinks.
+func normalizeHeader(header *tar.Header) {
+	header.Format = tar.FormatGNU
+	header.Uid = 0
+	header.Gid = 0
+	header.Uname = ""
+	header.Gname = ""
+	header.ModTime = time.Unix(0, 0)
+	header.AccessTime = time.Time{}
+	header.ChangeTime = time.Time{}
+	header.PAXRecords = nil
+}
+
 // createSquashFsFromTar creates a squashfs filesystem by streaming a tar.bz2 template
 // and injecting extra files, without extracting to disk.
 //
 // Returns the size of the created filesystem image in bytes.
-func createSquashFsFromTar(buildEnv env.ExecEnv, outputFn, templateFn string, extraFiles []ExtraFile) (int64, error) {
+func createSquashFsFromTar(buildEnv env.ExecEnv, outputFn, templateFn string, extraFiles []extraFile) (int64, error) {
 	const (
 		sqfstarBin  = "sqfstar"
 		fakerootBin = "fakeroot"
@@ -216,8 +231,18 @@ func createSquashFsFromTar(buildEnv env.ExecEnv, outputFn, templateFn string, ex
 	tarHasher := sha256.New()
 	tarWriter := tar.NewWriter(io.MultiWriter(stdinPipe, tarHasher))
 
+	// Ensure cleanup on error. On success, we close things explicitly in order.
+	var cmdErr error
+	defer func() {
+		if cmdErr != nil {
+			tarWriter.Close()
+			stdinPipe.Close()
+			cmd.Wait() //nolint:errcheck
+		}
+	}()
+
 	// Build a map of extra files by their tar path for quick lookup.
-	extraFileMap := make(map[string]ExtraFile)
+	extraFileMap := make(map[string]extraFile)
 	for _, ef := range extraFiles {
 		extraFileMap[ef.TarPath] = ef
 	}
@@ -229,101 +254,56 @@ func createSquashFsFromTar(buildEnv env.ExecEnv, outputFn, templateFn string, ex
 			break
 		}
 		if err != nil {
-			tarWriter.Close()
-			stdinPipe.Close()
-			cmd.Wait() //nolint:errcheck
-			return 0, fmt.Errorf("error reading template archive: %w", err)
-		}
-
-		// Skip PAX/GNU special headers - these are metadata entries that tar.Reader
-		// normally handles internally, but if we see them we should not emit them.
-		// They have bodies that must be drained.
-		switch header.Typeflag {
-		case tar.TypeXHeader, tar.TypeXGlobalHeader, tar.TypeGNULongName, tar.TypeGNULongLink:
-			//nolint:gosec // G110: This is trusted input from our own template archives.
-			if _, err := io.Copy(io.Discard, tarReader); err != nil {
-				tarWriter.Close()
-				stdinPipe.Close()
-				cmd.Wait() //nolint:errcheck
-				return 0, fmt.Errorf("failed to skip special header content: %w", err)
-			}
-			continue
+			cmdErr = fmt.Errorf("error reading template archive: %w", err)
+			return 0, cmdErr
 		}
 
 		// Normalize the path (remove leading ./).
 		cleanPath := strings.TrimPrefix(header.Name, "./")
 
 		// Skip if this path will be replaced by an extra file.
 		if _, willReplace := extraFileMap[cleanPath]; willReplace {
-			// Skip this entry, we'll add the replacement later.
-			if header.Typeflag == tar.TypeReg || header.Typeflag == tar.TypeRegA { //nolint:staticcheck // TypeRegA for backward compat
-				// Drain the content.
-				//nolint:gosec // G110: This is trusted input from our own template archives.
-				if _, err := io.Copy(io.Discard, tarReader); err != nil {
-					tarWriter.Close()
-					stdinPipe.Close()
-					cmd.Wait() //nolint:errcheck
-					return 0, fmt.Errorf("failed to skip replaced file content: %w", err)
-				}
-			}
 			continue
 		}
 
 		// Normalize header for reproducibility.
-		// Use GNU format because sqfstar < 4.6 has a bug with PAX headers
-		// that incorrectly strips pathname components in linkpath for symlinks.
-		header.Format = tar.FormatGNU
-		header.Uid = 0
-		header.Gid = 0
-		header.Uname = ""
-		header.Gname = ""
-		header.ModTime = time.Unix(0, 0)
-		header.AccessTime = time.Time{} // Zero value = not set
-		header.ChangeTime = time.Time{} // Zero value = not set
-		header.PAXRecords = nil
+		normalizeHeader(header)
 
 		if err := tarWriter.WriteHeader(header); err != nil {
-			tarWriter.Close()
-			stdinPipe.Close()
-			cmd.Wait() //nolint:errcheck
-			return 0, fmt.Errorf("failed to write tar header: %w", err)
+			cmdErr = fmt.Errorf("failed to write tar header: %w", err)
+			return 0, cmdErr
 		}
 
 		// Copy body for entry types that have content (regular files).
 		if header.Typeflag == tar.TypeReg || header.Typeflag == tar.TypeRegA { //nolint:staticcheck // TypeRegA for backward compat
 			//nolint:gosec // G110: This is trusted input from our own template archives.
 			if _, err := io.Copy(tarWriter, tarReader); err != nil {
-				tarWriter.Close()
-				stdinPipe.Close()
-				cmd.Wait() //nolint:errcheck
-				return 0, fmt.Errorf("failed to copy file content: %w", err)
+				cmdErr = fmt.Errorf("failed to copy file content: %w", err)
+				return 0, cmdErr
 			}
 		}
 	}
 
 	// Add extra files.
 	for _, ef := range extraFiles {
 		if err := addFileToTar(tarWriter, ef.HostPath, ef.TarPath, ef.Mode); err != nil {
-			tarWriter.Close()
-			stdinPipe.Close()
-			cmd.Wait() //nolint:errcheck
-			return 0, fmt.Errorf("failed to add extra file %s: %w", ef.TarPath, err)
+			cmdErr = fmt.Errorf("failed to add extra file %s: %w", ef.TarPath, err)
+			return 0, cmdErr
 		}
 	}
 
 	// Close tar writer and stdin pipe.
 	if err := tarWriter.Close(); err != nil {
-		stdinPipe.Close()
-		cmd.Wait() //nolint:errcheck
-		return 0, fmt.Errorf("failed to close tar writer: %w", err)
+		cmdErr = fmt.Errorf("failed to close tar writer: %w", err)
+		return 0, cmdErr
 	}
 
 	// Print tar hash for verification.
 	fmt.Printf("TAR archive SHA256: %s\n", hex.EncodeToString(tarHasher.Sum(nil)))
 
 	if err := stdinPipe.Close(); err != nil {
-		cmd.Wait() //nolint:errcheck
-		return 0, fmt.Errorf("failed to close stdin pipe: %w", err)
+		cmdErr = fmt.Errorf("failed to close stdin pipe: %w", err)
+		return 0, cmdErr
 	}
 
 	// Wait for sqfstar to finish.
@@ -353,15 +333,12 @@ func addFileToTar(tw *tar.Writer, hostPath, tarPath string, mode os.FileMode) er
 	}
 
 	header := &tar.Header{
-		Format:   tar.FormatGNU,
 		Name:     "./" + tarPath,
 		Mode:     int64(mode),
 		Size:     fi.Size(),
-		Uid:      0,
-		Gid:      0,
-		ModTime:  time.Unix(0, 0),
 		Typeflag: tar.TypeReg,
 	}
+	normalizeHeader(header)
 
 	if err := tw.WriteHeader(header); err != nil {
 		return fmt.Errorf("failed to write header: %w", err)
diff --git a/cmd/rofl/build/container.go b/cmd/rofl/build/container.go
@@ -33,8 +33,8 @@ func tdxBuildContainer(
 	// Use the pre-built container runtime.
 	initPath := artifacts[artifactContainerRuntime]
 
-	stage2, err := tdxPrepareStage2(buildEnv, tmpDir, artifacts, initPath, map[string]string{
-		artifacts[artifactContainerCompose]: "etc/oasis/containers/compose.yaml",
+	stage2, err := tdxPrepareStage2(buildEnv, tmpDir, artifacts, initPath, []extraFile{
+		{HostPath: artifacts[artifactContainerCompose], TarPath: "etc/oasis/containers/compose.yaml", Mode: 0o644},
 	})
 	if err != nil {
 		return err
diff --git a/cmd/rofl/build/tdx.go b/cmd/rofl/build/tdx.go
@@ -132,7 +132,7 @@ func tdxPrepareStage2(
 	tmpDir string,
 	artifacts map[string]string,
 	initPath string,
-	extraFiles map[string]string,
+	extraFiles []extraFile,
 ) (*tdxStage2, error) {
 	fmt.Println("Preparing stage 2 root filesystem...")
 
@@ -144,12 +144,10 @@ func tdxPrepareStage2(
 	fmt.Printf("Runtime hash: %s\n", initHash)
 
 	// Build list of files to inject into the rootfs.
-	filesToInject := []ExtraFile{
+	filesToInject := []extraFile{
 		{HostPath: initPath, TarPath: "init", Mode: 0o755},
 	}
-	for src, dst := range extraFiles {
-		filesToInject = append(filesToInject, ExtraFile{HostPath: src, TarPath: dst, Mode: 0o644})
-	}
+	filesToInject = append(filesToInject, extraFiles...)
 
 	// Create the root filesystem by streaming template and injecting files.
 	fmt.Println("Creating squashfs filesystem...")
