fix(docker): Mount /tmp and /home as tmpfs during ort requirements

This prevents caches and temporary files from being persisted to the
image, reducing its size by ~500 MB.

More importantly, it fixes an "AccessDenied" error when running with
ort-ci-action. Burrito-based tools (mix_sbom, bombom) extract a musl
runtime to /tmp on first run. When this happens during the Docker build,
the files are owned by the ort user with mode 0754 (no execute for
others). The ort-ci-action runs containers with -u $(id -u):$(id -g),
so the user may not be ort and cannot execute the musl library.

By using tmpfs mounts, these files are not persisted and each container
creates them fresh with appropriate permissions.

Signed-off-by: Jonatan Männchen <jonatan@maennchen.ch>

Author: maennchen

Dockerfile

@@ -725,6 +725,10 @@ ENTRYPOINT ["/opt/ort/bin/ort"]
 # Runtime container with all supported package managers pre-installed.
 FROM all-tools AS run
 
+ARG HOMEDIR=/home/ort
+ARG USER_ID=1000
+ARG USER_GID=$USER_ID
+
 # ORT
 COPY --from=ortbin --chown=$USER:$USER /opt/ort /opt/ort
 ENV PATH=$PATH:/opt/ort/bin
@@ -739,6 +743,9 @@ RUN mkdir -p "$HOME/.ort" "$HOME/.gradle"
 RUN $CARGO_HOME/bin/cargo install cargo-credential-netrc
 
 # Verify that all tools required by ORT are available.
-RUN ort requirements
+# Mount /tmp and $HOMEDIR as cache to prevent temporary files from being persisted to the image.
+RUN --mount=type=tmpfs,target=/tmp \
+    --mount=type=cache,target=$HOMEDIR,uid=$USER_ID,gid=$USER_GID \
+    ort requirements
 
 ENTRYPOINT ["/opt/ort/bin/ort"]