workflows: Build Alpine musl cross compiler images

Author: meator

.github/workflows/cross-containers.yml

@@ -0,0 +1,97 @@
+name: Build cross Docker containers
+
+on:
+  push:
+    paths:
+      - alpine-docker/config-aarch64.mak
+      - alpine-docker/config-arm.mak
+      - alpine-docker/config-armhf.mak
+      - alpine-docker/config-base.mak
+      - alpine-docker/config-powerpc64le.mak
+      - alpine-docker/config-riscv64.mak
+      - alpine-docker/docker-bake.hcl
+      - alpine-docker/save-versions.py
+      - alpine-docker/universal.Dockerfile
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    name: Build container
+
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+
+    strategy:
+      matrix:
+        arch: [aarch64, arm, armhf, powerpc64le, riscv64]
+
+    env:
+      IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/musl-cross-make-alpine-${{ matrix.arch }}
+
+    steps:
+      - name: Set up Docker Buildx
+        # v3.11.1
+        # The hash below **must** be kept up-to-date with the 'Build and push' action
+        # below.
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+
+      - name: Log in to the Container registry
+        # v3.4.0
+        # The hash below **must** be kept up-to-date with the 'Build and push' action
+        # below.
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        # v5.7.0
+        # The hash below **must** be kept up-to-date with the 'Build and push' action
+        # below.
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=raw,value={{date 'YYYY-MM-DD'}},enable={{is_default_branch}},priority=1000
+
+      - uses: actions/checkout@v4
+
+      - name: Build and push
+        # v6.8.0
+        # The hash below **must** be kept up-to-date with the 'Build and push' action
+        # below.
+        uses: docker/bake-action@37816e747588cb137173af99ab33873600c46ea8
+        with:
+          # The default git source pulls all submodules too, so use v6.8.0 instead.
+          source: .
+          workdir: alpine-docker
+          files: |
+            ./docker-bake.hcl
+            cwd://${{ steps.meta.outputs.bake-file }}
+          targets: ${{ matrix.arch }}
+          # The hashes below **must** be kept up-to-date with the hashes above.
+          set: |
+            *.args.DOCKER_SETUP_BUILDX_ACTION_VERSION=e468171a9de216ec08956ac3ada2f0791b6bd435
+            *.args.DOCKER_LOGIN_ACTION_VERSION=74a5d142397b4f367a81961eba4e8cd7edddf772
+            *.args.DOCKER_METADATA_ACTION_VERSION=902fa8ec7d6ecbf8d84d538b9b233a880e428804
+            *.args.DOCKER_BAKE_ACTION_VERSION=37816e747588cb137173af99ab33873600c46ea8
+          push: true
+
+      # - name: Generate artifact attestation
+      #   uses: actions/attest-build-provenance@v2
+      #   with:
+      #     subject-name: ${{ env.IMAGE_NAME }}
+      #     # I don't know how to get the subject digest. See
+      #     # https://github.com/docker/bake-action/issues/99
+      #     subject-digest: 'sha256:fedcba0...'
+      #     push-to-registry: true

alpine-docker/README.md

@@ -0,0 +1,6 @@
+This directory includes Dockerfiles and auxiliary helper files used to build
+Alpine Linux Docker containers which contain Linux cross-compilers used to build
+release artifacts.
+
+See `.github/workflows/` which includes workflows for building the containers
+(which are hosted on ghcr.io) and building the release artifacts themselves.

alpine-docker/config-aarch64.mak

@@ -0,0 +1 @@
+TARGET = aarch64-linux-musl

alpine-docker/config-arm.mak

@@ -0,0 +1 @@
+TARGET = arm-linux-musleabi

alpine-docker/config-armhf.mak

@@ -0,0 +1 @@
+TARGET = arm-linux-musleabihf

alpine-docker/config-base.mak

@@ -0,0 +1,87 @@
+#
+# config.mak.dist - sample musl-cross-make configuration
+#
+# Copy to config.mak and edit as desired.
+#
+
+# There is no default TARGET; you must select one here or on the make
+# command line. Some examples:
+
+# TARGET = i486-linux-musl
+# TARGET = x86_64-linux-musl
+# TARGET = arm-linux-musleabi
+# TARGET = arm-linux-musleabihf
+# TARGET = sh2eb-linux-muslfdpic
+# ...
+
+# By default, cross compilers are installed to ./output under the top-level
+# musl-cross-make directory and can later be moved wherever you want them.
+# To install directly to a specific location, set it here. Multiple targets
+# can safely be installed in the same location. Some examples:
+
+# OUTPUT = /opt/cross
+OUTPUT = /usr/local
+
+# By default, latest supported release versions of musl and the toolchain
+# components are used. You can override those here, but the version selected
+# must be supported (under hashes/ and patches/) to work. For musl, you
+# can use "git-refname" (e.g. git-master) instead of a release. Setting a
+# blank version for gmp, mpc, mpfr and isl will suppress download and
+# in-tree build of these libraries and instead depend on pre-installed
+# libraries when available (isl is optional and not set by default).
+# Setting a blank version for linux will suppress installation of kernel
+# headers, which are not needed unless compiling programs that use them.
+
+# BINUTILS_VER = 2.25.1
+# GCC_VER = 5.2.0
+# MUSL_VER = git-master
+# GMP_VER =
+# MPC_VER =
+# MPFR_VER =
+# ISL_VER =
+# LINUX_VER =
+
+# By default source archives are downloaded with wget. curl is also an option.
+
+# DL_CMD = wget -c -O
+# DL_CMD = curl -C - -L -o
+
+# Check sha-1 hashes of downloaded source archives. On gnu systems this is
+# usually done with sha1sum.
+
+# SHA1_CMD = sha1sum -c
+# SHA1_CMD = sha1 -c
+# SHA1_CMD = shasum -a 1 -c
+
+# Something like the following can be used to produce a static-linked
+# toolchain that's deployable to any system with matching arch, using
+# an existing musl-targeted cross compiler. This only works if the
+# system you build on can natively (or via binfmt_misc and qemu) run
+# binaries produced by the existing toolchain (in this example, i486).
+
+# COMMON_CONFIG += CC="i486-linux-musl-gcc -static --static" CXX="i486-linux-musl-g++ -static --static"
+
+# Recommended options for smaller build for deploying binaries:
+
+# COMMON_CONFIG += CFLAGS="-g0 -Os" CXXFLAGS="-g0 -Os" LDFLAGS="-s"
+
+# Options you can add for faster/simpler build at the expense of features:
+
+COMMON_CONFIG += --disable-nls
+# GCC_CONFIG += --disable-libquadmath --disable-decimal-float
+# GCC_CONFIG += --disable-libitm
+# GCC_CONFIG += --disable-fixed-point
+# GCC_CONFIG += --disable-lto
+
+# By default C and C++ are the only languages enabled, and these are
+# the only ones tested and known to be supported. You can uncomment the
+# following and add other languages if you want to try getting them to
+# work too.
+
+# GCC_CONFIG += --enable-languages=c,c++
+
+# You can keep the local build path out of your toolchain binaries and
+# target libraries with the following, but then gdb needs to be told
+# where to look for source files.
+
+# COMMON_CONFIG += --with-debug-prefix-map=$(CURDIR)=

alpine-docker/config-powerpc64le.mak

@@ -0,0 +1 @@
+TARGET = powerpc64le-linux-musl

alpine-docker/config-riscv64.mak

@@ -0,0 +1 @@
+TARGET = riscv64-linux-musl

alpine-docker/docker-bake.hcl

@@ -0,0 +1,64 @@
+# https://github.com/docker/metadata-action?tab=readme-ov-file#bake-definition
+target "docker-metadata-action" {}
+
+target "_common" {
+  args = {
+    ALPINE_VERSION = "3.22"
+    # A fairly recent version of musl-cross-make is needed. There are multiple
+    # features added in newer commits, for example
+    # 5b3b4ea504c8b71764d815de76e35c8bc2aaa507, which adds support for Linux
+    # kernel 6.15.7. Linux v6 added support for powerpc64 kernel headers.
+    # android-tools need kernel headers, so this commit adds support for
+    # powerpc64 android-tools.
+    MUSL_CROSS_MAKE_VERSION = "3635262e4524c991552789af6f36211a335a77b3"
+    BINUTILS_VERSION = "2.44"
+    GCC_VERSION = "14.2.0"
+    MUSL_VERSION = "1.2.5"
+    GMP_VERSION = "6.3.0"
+    MPC_VERSION = "1.3.1"
+    MPFR_VERSION = "4.2.2"
+    LINUX_VERSION = "6.15.7"
+    ISL_VERSION = "0.27"
+  }
+  dockerfile = "universal.Dockerfile"
+}
+
+target "aarch64" {
+  inherits = ["docker-metadata-action", "_common"]
+  args = {
+    TARGET_MAK_FILE = "config-aarch64.mak"
+  }
+  # tags = ["alpine-cross-aarch64"]
+}
+
+target "armhf" {
+  inherits = ["docker-metadata-action", "_common"]
+  args = {
+    TARGET_MAK_FILE = "config-armhf.mak"
+  }
+  # tags = ["alpine-cross-armhf"]
+}
+
+target "arm" {
+  inherits = ["docker-metadata-action", "_common"]
+  args = {
+    TARGET_MAK_FILE = "config-arm.mak"
+  }
+  # tags = ["alpine-cross-arm"]
+}
+
+target "powerpc64le" {
+  inherits = ["docker-metadata-action", "_common"]
+  args = {
+    TARGET_MAK_FILE = "config-powerpc64le.mak"
+  }
+  # tags = ["alpine-cross-powerpc64le"]
+}
+
+target "riscv64" {
+  inherits = ["docker-metadata-action", "_common"]
+  args = {
+    TARGET_MAK_FILE = "config-riscv64.mak"
+  }
+  # tags = ["alpine-cross-riscv64"]
+}

alpine-docker/save-versions.py

@@ -0,0 +1,74 @@
+#!/usr/bin/env python3
+
+# Copyright 2025 meator
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Save the versions of components used into a machine-readable file.
+
+This script is run from each Alpine musl cross-compiler Dockerfile to store info about
+the cross-compiler into the image itself. This info is also stored in the resulting
+container's labels, but Docker labels can be harder to work with from inside the
+container.
+"""
+
+import argparse
+import json
+import sys
+import typing
+
+
+class _VersionInfo(typing.NamedTuple):
+    version_flag_base: str
+
+
+if __name__ == "__main__":
+    _VI = _VersionInfo
+    result_mapping = {
+        "alpine": _VI("alpine"),
+        "musl-cross-make": _VI("musl-cross-make"),
+        "binutils": _VI("binutils"),
+        "gcc": _VI("gcc"),
+        "musl": _VI("musl"),
+        "gmp": _VI("gmp"),
+        "mpc": _VI("mpc"),
+        "mpfr": _VI("mpfr"),
+        "linux": _VI("linux"),
+        "isl": _VI("isl"),
+        "docker/setup-buildx-action": _VI("setup-buildx-action"),
+        "docker/login-action": _VI("login-action"),
+        "docker/metadata-action": _VI("metadata-action"),
+        "docker/bake-action": _VI("bake-action"),
+    }
+
+    parser = argparse.ArgumentParser()
+
+    for key_name, flag_base in result_mapping.items():
+        parser.add_argument(
+            f"--{flag_base.version_flag_base}-version", required=True, dest=key_name
+        )
+
+    args = parser.parse_args()
+
+    result = {}
+
+    for key_name, flag_base in result_mapping.items():
+        version = getattr(args, key_name)
+        if not version:
+            sys.exit(
+                f"Flag --{flag_base.version_flag_base}-version must not have empty "
+                "version!"
+            )
+        result[key_name] = version
+
+    json.dump(result, sys.stdout)