docker: Add workflows for building and releasing CircuitPython

This commit introduces new GitHub Actions workflows for building Docker containers and creating manifests for CircuitPython. It includes:
- A workflow for building containers based on specified platforms.
- A workflow for building container manifests for multiple architectures.
- A workflow for building releases triggered by pushes to the main branch.

These changes enhance the CI/CD process for CircuitPython development.

Signed-off-by: Chiho Sin <[email protected]>

Author: chihosin

.github/workflows/docker_build.yml

@@ -0,0 +1,83 @@
+name: Build container
+
+on:
+  workflow_call:
+    inputs:
+      platform:
+        description: Docker platform to target
+        required: true
+        type: string
+      runs-on:
+        description: Runner to use
+        required: true
+        type: string
+      push:
+        description: Push images to registry
+        required: false
+        type: boolean
+        default: false
+      cpy_platform:
+        description: CircuitPython platform to target
+        required: true
+        type: string
+    outputs:
+      digest:
+        description: Digest of built image
+        value: ${{ jobs.docker-build.outputs.digest }}
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  docker-build:
+    name: build-${{ inputs.platform }}
+    outputs:
+      digest: ${{ steps.docker_platform.outputs.digest }}
+    runs-on: ${{ inputs.runs-on }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Docker login
+        if: ${{ inputs.push }}
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Sanitize platform string
+        id: sanitize_platform
+        # Replace slashes with underscores
+        run: echo "cleaned_platform=${{ inputs.platform }}" | sed 's/\//_/g' >> $GITHUB_OUTPUT
+
+      - name: Docker tag
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            GHA-main-${{ inputs.cpy_platform }}-${{ steps.sanitize_platform.outputs.cleaned_platform }}
+          flavor: latest=false
+
+      - name: Docker build and push
+        uses: docker/build-push-action@v6
+        id: docker_platform
+        with:
+          context: .
+          push: ${{ inputs.push }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: ${{ inputs.platform }}
+          build-args: |
+            cpy_platform=${{ inputs.cpy_platform }}

.github/workflows/docker_manifest.yml

@@ -0,0 +1,72 @@
+name: Build container manifest
+on:
+  workflow_call:
+    inputs:
+      cpy_platform:
+        description: CircuitPython platform to target
+        required: true
+        type: string
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  docker-amd64:
+    uses: ./.github/workflows/docker_build.yml
+    with:
+      cpy_platform: ${{ inputs.cpy_platform }}
+      platform: linux/amd64
+      runs-on: ubuntu-24.04
+      push: true
+    secrets: inherit
+
+  docker-arm64:
+    uses: ./.github/workflows/docker_build.yml
+    with:
+      cpy_platform: ${{ inputs.cpy_platform }}
+      platform: linux/arm64
+      runs-on: ubuntu-24.04-arm
+      push: true
+    secrets: inherit
+
+  docker-manifest:
+    needs:
+      - docker-amd64
+      - docker-arm64
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Docker Login GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker meta
+        id: meta_docker
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            main-${{ inputs.cpy_platform }}
+          flavor: latest=false
+
+      - name: Create Docker manifest
+        id: manifest_docker
+        uses: int128/docker-manifest-create-action@v2
+        with:
+          tags: |
+            ${{ steps.meta_docker.outputs.tags }}
+          push: true
+          sources: |
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.docker-amd64.outputs.digest }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.docker-arm64.outputs.digest }}

.github/workflows/on_pr.yml

@@ -0,0 +1,25 @@
+name: Build PR
+on:
+  pull_request:
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  docker-amd64:
+    strategy:
+      fail-fast: false
+      matrix:
+        cpy_platform:
+          - nordic
+          - espressif
+    uses: ./.github/workflows/docker_build.yml
+    with:
+      cpy_platform: ${{ matrix.cpy_platform }}
+      platform: linux/amd64
+      runs-on: ubuntu-24.04
+      push: false
+    secrets: inherit

.github/workflows/on_push.yml

@@ -0,0 +1,29 @@
+name: Build Release
+on:
+  push:
+    # build and push anytime commits are pushed/merged
+    branches:
+      - main
+  schedule:
+    # build and push weekly
+    - cron: '0 5 * * 5'
+  workflow_dispatch: # allow manual triggering
+
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  docker-platforms:
+    strategy:
+      fail-fast: false
+      matrix:
+        cpy_platform:
+          - nordic
+          - espressif
+    uses: ./.github/workflows/docker_manifest.yml
+    with:
+      cpy_platform: ${{ matrix.cpy_platform }}
+    secrets: inherit

Containerfile

@@ -1,20 +1,51 @@
 FROM python:3.13-bookworm AS base
 
 ENV PIP_ROOT_USER_ACTION=ignore
-ENV ARM_TOOLCHAIN_EABI_VERSION=14.2.rel1
-ENV ARM_TOOLCHAIN_ELF_VERSION=13.3.rel1
 
 # Apt dependencies
 RUN apt-get update && apt-get install -y \
     jq jdupes build-essential \
     libgpiod-dev libyaml-cpp-dev libbluetooth-dev libusb-1.0-0-dev libi2c-dev libuv1-dev \
     libx11-dev libinput-dev libxkbcommon-x11-dev \
     openssl libssl-dev libulfius-dev liborcania-dev \
-    git git-lfs gettext cmake mtools floppyd dosfstools \
+    git git-lfs gettext cmake mtools floppyd dosfstools ninja-build \
     && rm -rf /var/lib/apt/lists/*
 
-# Install ARM toolchain (EABI) based on architecture
-RUN ARCH=$(dpkg --print-architecture) && \
+FROM base AS repo
+ARG BUILD_REPO="https://github.com/adafruit/circuitpython.git"
+ARG BUILD_REF="main"
+ARG BUILD_FORK_REPO="https://github.com/fobe-projects/circuitpython.git"
+ARG BUILD_FORK_REF="main"
+
+WORKDIR /workspace
+
+RUN git config --global --add safe.directory /workspace \
+    && git clone --depth 1 --filter=tree:0 "${BUILD_REPO}" /workspace \
+    && cd /workspace && git checkout "${BUILD_REF}" \
+    && git submodule update --init --filter=blob:none data extmod lib tools frozen \
+    && git fetch --no-recurse-submodules --shallow-since="2021-07-01" --tags "${BUILD_REPO}" HEAD \
+    && git fetch --no-recurse-submodules --shallow-since="2021-07-01" origin \
+    && git repack -d \
+    && git remote add fork "${BUILD_FORK_REPO}" \
+    && git fetch fork --filter=tree:0 \
+    && git fetch --no-recurse-submodules --filter=tree:0 fork "${BUILD_FORK_REF}" \
+    && git checkout -b fork-branch "fork/${BUILD_FORK_REF}" \
+    && git repack -d
+
+RUN pip3 install --upgrade -r requirements-doc.txt \
+    && pip3 install --upgrade -r requirements-dev.txt \
+    && pip3 install --upgrade huffman
+
+FROM repo AS port
+
+ARG ARM_TOOLCHAIN_EABI_VERSION="14.2.rel1"
+ARG ARM_TOOLCHAIN_ELF_VERSION="13.3.rel1"
+ARG BUILD_PLATFORM
+
+RUN make -C ports/"${BUILD_PLATFORM}" fetch-port-submodules
+
+RUN if [ "${BUILD_PLATFORM}" != "espressif" ] && [ "${BUILD_PLATFORM}" != "zephyr-cp" ] && [ "${BUILD_PLATFORM}" != "litex" ] && [ "${BUILD_PLATFORM}" != "none" ]; then \
+    ARCH=$(dpkg --print-architecture) && \
     if [ "$ARCH" = "arm64" ]; then \
         TOOLCHAIN_URL="https://developer.arm.com/-/media/Files/downloads/gnu/$ARM_TOOLCHAIN_EABI_VERSION/binrel/arm-gnu-toolchain-$ARM_TOOLCHAIN_EABI_VERSION-aarch64-arm-none-eabi.tar.xz"; \
     elif [ "$ARCH" = "amd64" ]; then \
@@ -27,10 +58,12 @@ RUN ARCH=$(dpkg --print-architecture) && \
     curl -fsSL "$TOOLCHAIN_URL" | tar -xJ -C /usr/local/arm-none-eabi --strip-components=1 && \
     for f in /usr/local/arm-none-eabi/bin/arm-none-eabi-*; do \
         ln -sf "$f" /usr/local/bin/$(basename "$f"); \
-    done
+    done \
+fi
 
-# Install ARM toolchain (ELF) based on architecture
-RUN ARCH=$(dpkg --print-architecture) && \
+# Broadcom
+RUN if [ "${BUILD_PLATFORM}" = "broadcom" ]; then \
+    ARCH=$(dpkg --print-architecture) && \
     if [ "$ARCH" = "arm64" ]; then \
         TOOLCHAIN_URL="https://developer.arm.com/-/media/Files/downloads/gnu/$ARM_TOOLCHAIN_ELF_VERSION/binrel/arm-gnu-toolchain-$ARM_TOOLCHAIN_ELF_VERSION-aarch64-aarch64-none-elf.tar.xz"; \
     elif [ "$ARCH" = "amd64" ]; then \
@@ -43,35 +76,49 @@ RUN ARCH=$(dpkg --print-architecture) && \
     curl -fsSL "$TOOLCHAIN_URL" | tar -xJ -C /usr/local/arm-none-elf --strip-components=1 && \
     for f in /usr/local/arm-none-elf/bin/arm-none-elf-*; do \
         ln -sf "$f" /usr/local/bin/$(basename "$f"); \
-    done
-
-FROM base AS repo
-ARG BUILD_REPO="https://github.com/adafruit/circuitpython.git"
-ARG BUILD_REF="main"
-ARG BUILD_FORK_REPO="https://github.com/fobe-projects/circuitpython.git"
-ARG BUILD_FORK_REF="main"
-ARG BUILD_PLATFORM
+    done \
+fi
 
-WORKDIR /workspace
-
-RUN git config --global --add safe.directory /workspace
-RUN git clone --depth 1 --filter=tree:0 "${BUILD_REPO}" /workspace
-RUN git checkout "${BUILD_REF}"
-RUN git fetch --no-recurse-submodules --shallow-since="2021-07-01" --tags "${BUILD_REPO}" HEAD
-RUN git fetch --no-recurse-submodules --shallow-since="2021-07-01" origin
-RUN git repack -d
-RUN git remote add fork "${BUILD_FORK_REPO}" && git fetch fork --filter=tree:0
-RUN git checkout -b fork-branch "fork/${BUILD_FORK_REF}"
-
-RUN pip3 install --upgrade -r requirements-dev.txt && pip3 install --upgrade -r requirements-doc.txt
-RUN pip3 install --upgrade huffman
-
-RUN python tools/ci_fetch_deps.py ${BUILD_PLATFORM}
+# Nordic
+RUN if [ "${BUILD_PLATFORM}" = "nordic" ]; then \
+    ARCH=$(dpkg --print-architecture) && \
+    if [ "$ARCH" = "arm64" ]; then \
+        TOOLCHAIN_URL="https://files.nordicsemi.com/artifactory/swtools/external/nrfutil/executables/aarch64-unknown-linux-gnu/nrfutil"; \
+    elif [ "$ARCH" = "amd64" ]; then \
+        TOOLCHAIN_URL="https://files.nordicsemi.com/artifactory/swtools/external/nrfutil/executables/x86_64-unknown-linux-gnu/nrfutil"; \
+    else \
+        echo "Unsupported architecture: $ARCH"; \
+        exit 1; \
+    fi && curl -fsSL "$TOOLCHAIN_URL" -o nrfutil;\
+    chmod +x nrfutil; \
+    ./nrfutil install nrf5sdk-tools; \
+    mv nrfutil /usr/local/bin; \
+    nrfutil -V; \
+fi
 
+# Espressif IDF
 ENV IDF_PATH=/workspace/ports/espressif/esp-idf
 ENV IDF_TOOLS_PATH=/workspace/.idf_tools
 ENV ESP_ROM_ELF_DIR=/workspace/.idf_tools
-RUN git submodule update --init --depth=1 --recursive $IDF_PATH
+RUN if [ "${BUILD_PLATFORM}" = "espressif" ]; then \
+    git submodule update --init --depth=1 --recursive ${IDF_PATH}; \
+    $IDF_PATH/install.sh; \
+    bash -c "source ${IDF_PATH}/export.sh && pip3 install --upgrade minify-html jsmin sh requests-cache"; \
+    rm -rf $IDF_TOOLS_PATH/dist; \
+fi
+
+# Litex
+RUN if [ "${BUILD_PLATFORM}" = "litex" ]; then \
+    ARCH=$(dpkg --print-architecture) && \
+    if [ "$ARCH" = "amd64" ]; then \
+        TOOLCHAIN_URL="https://static.dev.sifive.com/dev-tools/riscv64-unknown-elf-gcc-8.3.0-2019.08.0-x86_64-linux-centos6.tar.gz"; \
+    else \
+        echo "Unsupported architecture: $ARCH"; \
+        exit 1; \
+    fi && curl -fsSL "$TOOLCHAIN_URL" -o riscv64-unknown-elf-gcc-8.3.0-2019.08.0-x86_64-linux-centos6.tar.gz;\
+    tar -C /usr --strip-components=1 -xaf riscv64-unknown-elf-gcc-8.3.0-2019.08.0-x86_64-linux-centos6.tar.gz; \
+    rm -rf riscv64-unknown-elf-gcc-8.3.0-2019.08.0-x86_64-linux-centos6.tar.gz; \
+fi
 
-COPY entrypoint.sh /entrypoint.sh
+COPY --chmod=0755 entrypoint.sh /entrypoint.sh
 ENTRYPOINT [ "/entrypoint.sh" ]