fix: Backported build / CI fixes

dhedey · dhedey · commit 785d4f775259 · 2024-08-20T11:16:07.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -238,7 +238,7 @@ jobs:
       - name: Update clang version to 16
         run: sudo apt remove clang-14 && sudo apt autoclean && sudo apt autoremove && wget https://apt.llvm.org/llvm.sh && chmod +x llvm.sh && sudo ./llvm.sh 16 && sudo ls /usr/bin/ | grep clang && sudo ln -sf /usr/bin/clang-16 /usr/bin/clang && sudo ln -sf /usr/bin/clang++-16 /usr/bin/clang++ && sudo apt-get install -y libclang-dev llvm llvm-dev
       - name: Install cargo-xwin
-        run: cargo install cargo-xwin
+        run: cargo install cargo-xwin --version 0.17.1 --locked
       - name: cross compile to windows
         run: pushd core-rust; cargo xwin build --release --target x86_64-pc-windows-msvc
       - name: Publish corerust.dll
diff --git a/Dockerfile b/Dockerfile
@@ -21,7 +21,6 @@ ENV DEBIAN_FRONTEND noninteractive
 CMD ["/bin/bash"]
 
 ARG WGET_VERSION="1.21.3-1+b2"
-ARG OPENJDK_17_VERSION="17.0.11+9-1~deb12u1"
 ARG VERSION_BRANCH=""
 ARG VERSION_COMMIT=""
 ARG VERSION_DISPLAY=""
@@ -46,18 +45,18 @@ ENV VERSION_LAST_TAG=$VERSION_LAST_TAG
 # - https://packages.debian.org/bookworm/pkg-config
 # - https://packages.debian.org/bookworm/unzip
 # - https://packages.debian.org/bookworm/wget
-# - https://packages.debian.org/bookworm/software-properties-commo
+# - https://packages.debian.org/bookworm/software-properties-common
 # - https://packages.debian.org/bookworm/openjdk-17-jdk
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
     docker.io=20.10.24+dfsg1-1+b3 \
-    libssl-dev=3.0.11-1~deb12u2 \
+    libssl-dev=3.0.13-1~deb12u1 \
     pkg-config=1.8.1-1 \
     unzip=6.0-28 \
     wget=${WGET_VERSION} \
-    software-properties-common=0.99.30-4 \
+    software-properties-common=0.99.30-4.1~deb12u1 \
   && apt-get install -y --no-install-recommends \
-    openjdk-17-jdk=${OPENJDK_17_VERSION} \
+    openjdk-17-jdk=17.0.11+9-1~deb12u1 \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
@@ -104,7 +103,7 @@ COPY --from=java-build-stage /radixdlt/core/build/distributions /
 # LAYER: library-build-stage-base
 # Creates the base image for building the rust library
 # =================================================================================================
-FROM debian:12.1-slim as library-build-stage-base
+FROM debian:12.1-slim AS library-build-stage-base
 WORKDIR /app
 
 
@@ -127,19 +126,19 @@ RUN apt-get update \
     ca-certificates \
     build-essential=12.9 \
     # https://security-tracker.debian.org/tracker/CVE-2023-38545
-    curl=7.88.1-10+deb12u5 \
+    curl=7.88.1-10+deb12u6 \
     g++-aarch64-linux-gnu \
     g++-x86-64-linux-gnu \
     libc6-dev-arm64-cross=2.36-8cross1 \
     libclang-dev=1:14.0-55.7~deb12u1 \
-    libssl-dev=3.0.11-1~deb12u2 \
+    libssl-dev=3.0.13-1~deb12u1 \
     pkg-config=1.8.1-1 \
   && rm -rf /var/lib/apt/lists/*
 
 # We fix the version of Rust here to ensure that we can update it without having
 # issues with the caching layers containing outdated versions which aren't compatible.
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o rustup.sh \
-  && sh rustup.sh -y --target 1.71.1-aarch64-unknown-linux-gnu 1.71.1-x86_64-unknown-linux-gnu
+  && sh rustup.sh -y --target 1.71.1-aarch64-unknown-linux-gnu 1.71.1-x86_64-unknown-linux-gnu --default-toolchain 1.77.2
 
 RUN "$HOME/.cargo/bin/cargo" install sccache --version 0.7.4
 
@@ -153,7 +152,7 @@ ENV RUSTC_WRAPPER=/root/.cargo/bin/sccache
 # Specifically - the Rust isn't built as part of the image, instead the CMD of the image is to do the build.
 # It allows us to use volumes at runtime to cache the build dependencies and artifacts.
 # =================================================================================================
-FROM library-build-stage-base as library-builder-local
+FROM library-build-stage-base AS library-builder-local
 WORKDIR /app
 
 COPY docker/build_scripts/cargo_local_build.sh /opt/radixdlt/cargo_local_build.sh
@@ -167,7 +166,7 @@ CMD ["/opt/radixdlt/cargo_local_build.sh"]
 # LAYER: library-build-stage-cache-packages
 # This layer allows us to cache the compilation of all our rust dependencies in a Docker layer
 # =================================================================================================
-FROM library-build-stage-base as library-build-stage-cache-packages
+FROM library-build-stage-base AS library-build-stage-cache-packages
 
 WORKDIR /app
 
@@ -205,7 +204,7 @@ RUN --mount=type=cache,id=radixdlt-babylon-node-rust-cache,target=/root/.cache/s
 # LAYER: library-build-stage
 # The actual build of the library
 # =================================================================================================
-FROM library-build-stage-cache-packages as library-build-stage
+FROM library-build-stage-cache-packages AS library-build-stage
 
 # Tidy up from the previous layer
 RUN rm -rf core-api-server engine-state-api-server jni-export node-common state-manager
@@ -226,20 +225,18 @@ RUN --mount=type=cache,id=radixdlt-babylon-node-rust-cache,target=/root/.cache/s
 # LAYER: library-container
 # A layer containing just the built library at the root: /libcorerust.so
 # =================================================================================================
-FROM scratch as library-container
+FROM scratch AS library-container
 COPY --from=library-build-stage /libcorerust.so /
 
 # =================================================================================================
 # LAYER: app-container
 # The application container which will actually run the application
 # =================================================================================================
-FROM debian:12.1-slim as app-container
+FROM debian:12.1-slim AS app-container
 
 LABEL org.opencontainers.image.source="https://github.com/radixdlt/babylon-node"
 LABEL org.opencontainers.image.authors="devops@radixdlt.com"
 
-ARG OPENJDK_17_VERSION="17.0.11+9-1~deb12u1"
-
 # Install dependencies needed for building the image or running the application
 # - unzip is needed for unpacking the java build artifacts
 # - daemontools is needed at application runtime for async tasks
@@ -259,16 +256,16 @@ ARG OPENJDK_17_VERSION="17.0.11+9-1~deb12u1"
 # - https://packages.debian.org/bookworm/libc6
 RUN apt-get update -y \
   && apt-get -y --no-install-recommends install \
-    openjdk-17-jre-headless=${OPENJDK_17_VERSION} \
+    openjdk-17-jre-headless=17.0.11+9-1~deb12u1 \
     # https://security-tracker.debian.org/tracker/CVE-2023-38545
-    curl=7.88.1-10+deb12u5 \
+    curl=7.88.1-10+deb12u6 \
     gettext-base=0.21-12 \
     daemontools=1:0.76-8.1 \
     # https://security-tracker.debian.org/tracker/CVE-2023-4911
     # Fixes CVE-2023-4911 can be removed when we update the base OS image to include this fix
     # docker run -it debian:12.1-slim ldd --version
     # This fix can be removed as long as the version printed in the above command is 2.36-9+deb12u3 or above
-    libc6=2.36-9+deb12u4 \
+    libc6=2.36-9+deb12u7 \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
@@ -322,4 +319,4 @@ COPY docker/build_scripts/config_radixdlt.sh /opt/radixdlt/config_radixdlt.sh
 
 # See https://docs.docker.com/engine/reference/builder/#entrypoint
 ENTRYPOINT ["/opt/radixdlt/config_radixdlt.sh"]
-CMD ["/opt/radixdlt/bin/core"]
+CMD ["/opt/radixdlt/bin/core"]
