feat: don't rebuild container on bazel version change

This removes the `.bazelversion` as a dependency from the `Dockerfile`,
meaning that bazel version bumps won't force the container to be
rebuilt.

The `.bazelversion` was only used to generate bash completion. The bash
completion is now run only in interactive mode (if no command is run)
and as the container is run (not built).

(bazelisk is bumped to a recent version that contains the completion command)

Author: nmattia

ci/container/Dockerfile

@@ -45,8 +45,8 @@ RUN curl -fsSL https://github.com/FiloSottile/mkcert/releases/download/v${mkcert
     echo "$mkcert_sha /usr/local/bin/mkcert" | sha256sum --check && \
     chmod +x /usr/local/bin/mkcert
 
-ARG bazelisk_sha=fd8fdff418a1758887520fa42da7e6ae39aefc788cf5e7f7bb8db6934d279fc4
-RUN curl -fsSL https://github.com/bazelbuild/bazelisk/releases/download/v1.25.0/bazelisk-linux-amd64 -o /usr/bin/bazel && \
+ARG bazelisk_sha=22e7d3a188699982f661cf4687137ee52d1f24fec1ec893d91a6c4d791a75de8
+RUN curl -fsSL https://github.com/bazelbuild/bazelisk/releases/download/v1.28.1/bazelisk-linux-amd64 -o /usr/bin/bazel && \
     echo "$bazelisk_sha /usr/bin/bazel" | sha256sum --check && \
     chmod 777 /usr/bin/bazel
 
@@ -84,22 +84,10 @@ RUN curl -L "https://apt.llvm.org/llvm-snapshot.gpg.key" | apt-key add - && \
     mv afl-fuzz afl-showmap  /afl && \
     cd .. && rm -rf AFLplusplus
 
-# Pre-populate the Bazel installation for root
-# (note: this is only used for bash completion; the actual bazel version comes from bazelisk)
-COPY .bazelversion /tmp/bazel/
-RUN cd /tmp/bazel && bazel version
-
-COPY ./ci/container/files/generate-bazel-completion.sh /tmp/
-RUN USE_BAZEL_VERSION=$(tail -1 /tmp/bazel/.bazelversion) /tmp/generate-bazel-completion.sh && \
-    echo "source /etc/bash_completion.d/bazel" >>/etc/bash.bashrc
-
 USER ubuntu
 # Set PATH for ubuntu user
 ENV PATH=/ic/bin:/home/ubuntu/.cargo/bin:/home/ubuntu/.local/bin:$PATH
 
-# Pre-populate the Bazel installation for ubuntu
-RUN cd /tmp/bazel && bazel version
-
 # Add Rust/Cargo support
 RUN mkdir -p /tmp/rust-version/
 COPY rust-toolchain.toml /tmp/rust-version/rust-toolchain.toml
@@ -141,4 +129,4 @@ RUN apt -yq update && \
     apt -yqq install $(sed -e "s/#.*//" "/tmp/$(basename $PACKAGE_DEV_FILE)") && \
     rm "/tmp/$(basename $PACKAGE_DEV_FILE)"
 
-USER $CI_USER
+USER $CI_USER

ci/container/container-run.sh

@@ -87,9 +87,17 @@ while test $# -gt $CTR; do
     esac
 done
 
-# option to pass in another shell if desired
 if [ $# -eq 0 ]; then
-    cmd=("${USHELL:-/usr/bin/bash}")
+    # if no command is specified, create an shell
+    if [ -z "${USHELL:-}" ] || [ "$USHELL" == "bash" ]; then
+        # bit of a hack: we source the completion by passing it as an rcfile.
+        # The completion itself requires `.bazelversion` to exist.
+        # We avoid generating the completion in the container _build_ so that
+        # the container itself does not depend on the bazel version.
+        cmd=("/usr/bin/bash" -c "exec bash --rcfile <(bazel completion bash)")
+    else
+        cmd=("$USHELL")
+    fi
 else
     cmd=("$@")
 fi
@@ -134,6 +142,8 @@ USER=$(whoami)
 
 PODMAN_RUN_ARGS=(
     -w "$WORKDIR"
+    --rm              # remove container after it ran
+    --log-driver=none # by default podman logs all of stdout to the journal which is resource-consuming and wasteful
 
     -u "ubuntu:ubuntu"
     -e HOSTUSER="$USER"
@@ -225,21 +235,14 @@ else
     eprintln "No ssh-agent to forward."
 fi
 
-# Omit -t if not a tty.
-# Also shut up logging, because podman will by default log
-# every byte of standard output to the journal, and that
-# destroys the journal + wastes enormous amounts of CPU.
-# I witnessed journald and syslog peg 2 cores of my devenv
-# when running a simple cat /path/to/file.
+# if a user is attached, make it interactive and create tty
 if tty >/dev/null 2>&1; then
-    tty_arg=-t
-else
-    tty_arg=
+    PODMAN_RUN_ARGS+=(-i -t)
 fi
 
 # Privileged rootful podman is required due to requirements of IC-OS guest build;
 # additionally, we need to use hosts's cgroups and network.
-OTHER_ARGS=(--pids-limit=-1 -i $tty_arg --log-driver=none --rm --privileged --network=host --cgroupns=host)
+PODMAN_RUN_ARGS+=(--pids-limit=-1 --privileged --network=host --cgroupns=host)
 
 if [ -f "$HOME/.container-run.conf" ]; then
     # conf file with user's custom PODMAN_RUN_USR_ARGS
@@ -255,4 +258,4 @@ if [ -f "$HOME/.container-run.conf" ]; then
 fi
 
 set -x
-exec "${CONTAINER_CMD[@]}" run "${OTHER_ARGS[@]}" "${PODMAN_RUN_ARGS[@]}" -w "$WORKDIR" "$IMAGE" "${cmd[@]}"
+exec "${CONTAINER_CMD[@]}" run "${PODMAN_RUN_ARGS[@]}" -w "$WORKDIR" "$IMAGE" "${cmd[@]}"