rofl/build: Stream tar directly to sqfstar without extraction

Author: ptrus

.github/workflows/docker-rofl-container-builder.yml

@@ -0,0 +1,84 @@
+name: docker-rofl-container-builder
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - docker/rofl-container-builder/**
+      - .github/workflows/docker-rofl-container-builder.yml
+    tags:
+      - 'rofl-container-builder/v[0-9]+.[0-9]+*'
+  pull_request:
+    paths:
+      - docker/rofl-container-builder/**
+      - .github/workflows/docker-rofl-container-builder.yml
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-rofl-container-builder:
+    name: build-rofl-container-builder
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Determine tag name
+        id: determine-tag
+        shell: bash
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            echo "tag=pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # Trim rofl-container-builder/v prefix from tag
+            TAG="${{ github.ref_name }}"
+            TAG="${TAG#rofl-container-builder/v}"
+            echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=latest" >> "$GITHUB_OUTPUT"
+          fi
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to ghcr.io
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: "Build and push oasisprotocol/rofl-container-builder:${{ steps.determine-tag.outputs.tag }}"
+        uses: docker/build-push-action@v6
+        with:
+          context: docker/rofl-container-builder
+          file: docker/rofl-container-builder/Dockerfile
+          tags: ghcr.io/oasisprotocol/rofl-container-builder:${{ steps.determine-tag.outputs.tag }}
+          pull: true
+          push: true
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.html_url }}
+            org.opencontainers.image.created=${{ steps.determine-tag.outputs.created }}
+            org.opencontainers.image.revision=${{ github.sha }}
+
+  prune-old-images:
+    name: prune-old-images
+    if: ${{ always() }}
+    needs: [build-rofl-container-builder]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Prune old ghcr.io/oasisprotocol/rofl-container-builder images
+        uses: vlaurin/[email protected]
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          organization: oasisprotocol
+          container: rofl-container-builder
+          keep-younger-than: 7
+          keep-last: 2
+          prune-tags-regexes: ^pr-

build/rofl/artifacts.go

@@ -1,7 +1,12 @@
 package rofl
 
-// LatestBuilderImage is the latest builder container image to use when building ROFL apps.
-const LatestBuilderImage = "ghcr.io/oasisprotocol/rofl-dev:v0.5.0@sha256:31573686552abeb0edebc450f6872831f0006a6cf38220cef7e0789d4376c2c1"
+// Builder images for different app kinds.
+const (
+	// LatestBuilderImage is the full builder with Rust toolchain for raw apps.
+	LatestBuilderImage = "ghcr.io/oasisprotocol/rofl-dev:v0.5.0@sha256:31573686552abeb0edebc450f6872831f0006a6cf38220cef7e0789d4376c2c1"
+	// LatestContainerBuilderImage is the minimal builder for container apps.
+	LatestContainerBuilderImage = "ghcr.io/oasisprotocol/rofl-container-builder:0.0.1@sha256:913ef97ab07dde31f08ce873f825bf3d4f32ad4102ff5797d7c3050c121c4dce"
+)
 
 // LatestBasicArtifacts are the latest TDX ROFL basic app artifacts.
 var LatestBasicArtifacts = ArtifactsConfig{