feat(docker): rewrite to cache with depot (#12491)

DaniPopes · web-flow · commit 7418317dee96 · 2025-11-07T18:48:11.000Z
* chore: clean up build script

* doc

* feat(docker): rewrite to cache with depot

* gha sucks

* update id

* runner
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -3,45 +3,47 @@ name: docker
 permissions: {}
 
 on:
-  # Trigger without any parameters a proactive rebuild
-  workflow_dispatch: {}
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        default: nightly
+        description: The tag we're building for
+        type: string
   workflow_call:
     inputs:
       tag_name:
         required: true
         type: string
 
+concurrency:
+  group: docker-${{ github.head_ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
 env:
   REGISTRY: ghcr.io
-  # Will resolve to foundry-rs/foundry
   IMAGE_NAME: ${{ github.repository }}
 
+  # Keep in sync with `release.yml`.
+  RUST_PROFILE: maxperf
+  RUST_FEATURES: aws-kms,gcp-kms,cli,asm-keccak,js-tracer
+
 jobs:
   build:
     name: build and push
-    runs-on: depot-ubuntu-22.04-16
+    runs-on: depot-ubuntu-latest
     permissions:
       contents: read
       id-token: write
       packages: write
-    timeout-minutes: 120
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v5
         with:
           persist-credentials: false
-      - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
-        with:
-          toolchain: stable
-      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
-      - name: Install gcc aarch64
-        id: aarch_64_setup
-        run: |
-          sudo apt update && sudo apt install -y gcc-aarch64-linux-gnu
+
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Login into registry ${{ env.REGISTRY }}
-        # Ensure this doesn't trigger on PR's
-        if: github.event_name != 'pull_request'
         uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
         with:
           registry: ${{ env.REGISTRY }}
@@ -80,5 +82,20 @@ jobs:
           printf "TAGS -> %s\n" "${{ steps.docker_tagging.outputs.docker_tags }}"
           printf "LABELS -> %s\n" "${{ steps.meta.outputs.labels }}"
 
-      - name: Build and push foundry image
-        run: make DOCKER_IMAGE_NAME=${{ steps.docker_tagging.outputs.docker_tags }} CARGO_TAG_NAME=${{ inputs.tag_name }} PROFILE=maxperf docker-build-push
+      - name: Set up Depot CLI
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1
+
+      - name: Build and push Foundry image
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1
+        with:
+          build-args: |
+            RUST_PROFILE=${{ env.RUST_PROFILE }}
+            RUST_FEATURES=${{ env.RUST_FEATURES }}
+            TAG_NAME=${{ inputs.tag_name }}
+            VERGEN_GIT_SHA=${{ github.sha }}
+          project: 8gkbxxjrpw
+          context: .
+          tags: ${{ steps.docker_tagging.outputs.docker_tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          push: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,8 +16,12 @@ on:
 env:
   CARGO_TERM_COLOR: always
   IS_NIGHTLY: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
-  PROFILE: maxperf
-  STABLE_VERSION: "v1.4.3"
+
+  # Keep in sync with `docker-publish.yml`.
+  RUST_PROFILE: maxperf
+  RUST_FEATURES: aws-kms,gcp-kms,cli,asm-keccak,js-tracer
+
+  LAST_STABLE_VERSION: "v1.4.4"
 
 jobs:
   prepare:
@@ -171,12 +175,12 @@ jobs:
           SVM_TARGET_PLATFORM: ${{ matrix.svm_target_platform }}
           PLATFORM_NAME: ${{ matrix.platform }}
           TARGET: ${{ matrix.target }}
-          OUT_DIR: target/${{ matrix.target }}/${{ env.PROFILE }}
+          OUT_DIR: target/${{ matrix.target }}/${{ env.RUST_PROFILE }}
         shell: bash
         run: |
           set -eo pipefail
-          flags=(--target $TARGET --profile $PROFILE --bins
-            --no-default-features --features aws-kms,gcp-kms,cli,asm-keccak,js-tracer)
+          flags=(--target $TARGET --profile $RUST_PROFILE --bins
+            --no-default-features --features "$RUST_FEATURES")
 
           # `jemalloc` is not fully supported on MSVC or aarch64 Linux.
           if [[ "$TARGET" != *msvc* && "$TARGET" != "aarch64-unknown-linux-gnu" ]]; then
@@ -206,7 +210,7 @@ jobs:
         id: artifacts
         env:
           PLATFORM_NAME: ${{ matrix.platform }}
-          OUT_DIR: target/${{ matrix.target }}/${{ env.PROFILE }}
+          OUT_DIR: target/${{ matrix.target }}/${{ env.RUST_PROFILE }}
           VERSION_NAME: ${{ (env.IS_NIGHTLY == 'true' && 'nightly') || needs.prepare.outputs.tag_name }}
           ARCH: ${{ matrix.arch }}
         shell: bash
@@ -238,7 +242,7 @@ jobs:
         id: man
         if: matrix.target == 'x86_64-unknown-linux-gnu'
         env:
-          OUT_DIR: target/${{ matrix.target }}/${{ env.PROFILE }}
+          OUT_DIR: target/${{ matrix.target }}/${{ env.RUST_PROFILE }}
           VERSION_NAME: ${{ (env.IS_NIGHTLY == 'true' && 'nightly') || needs.prepare.outputs.tag_name }}
         shell: bash
         run: |
diff --git a/Dockerfile b/Dockerfile
@@ -1,45 +1,67 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1
 
-FROM alpine:3.22 AS build-environment
+FROM rust:1-bookworm AS chef
+WORKDIR /app
 
-ARG TARGETARCH
-WORKDIR /opt
+RUN apt update && apt install -y build-essential libssl-dev git pkg-config curl perl
+RUN curl -L --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/cargo-bins/cargo-binstall/main/install-from-binstall-release.sh | sh
+RUN cargo binstall cargo-chef sccache
 
-RUN apk add clang lld curl build-base linux-headers git \
-    && curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > rustup.sh \
-    && chmod +x ./rustup.sh \
-    && ./rustup.sh -y
+# Prepare the cargo-chef recipe.
+FROM chef AS planner
+COPY . .
+RUN cargo chef prepare --recipe-path recipe.json
+
+# Build the project.
+FROM chef AS builder
+COPY --from=planner /app/recipe.json recipe.json
+
+ARG RUST_PROFILE
+ARG RUST_FEATURES
+
+ENV CARGO_INCREMENTAL=0 \
+    RUSTC_WRAPPER=sccache \
+    SCCACHE_DIR=/sccache
+
+# Build dependencies.
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
+    cargo chef cook --recipe-path recipe.json --profile ${RUST_PROFILE} --no-default-features --features "${RUST_FEATURES}"
 
-RUN [[ "$TARGETARCH" = "arm64" ]] && echo "export CFLAGS=-mno-outline-atomics" >> $HOME/.profile || true
+ARG TAG_NAME="dev"
+ENV TAG_NAME=$TAG_NAME
+ARG VERGEN_GIT_SHA="ffffffffffffffffffffffffffffffffffffffff"
 
-WORKDIR /opt/foundry
+# Build the project.
 COPY . .
+RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
+    --mount=type=cache,target=/usr/local/cargo/git,sharing=locked \
+    --mount=type=cache,target=$SCCACHE_DIR,sharing=locked \
+    cargo build --profile ${RUST_PROFILE} --no-default-features --features "${RUST_FEATURES}"
 
-# see <https://github.com/foundry-rs/foundry/issues/7925>
-RUN git update-index --force-write-index
+# `dev` profile outputs to the `target/debug` directory.
+RUN ln -s /app/target/debug /app/target/dev \
+    && mkdir -p /app/output \
+    && mv \
+    /app/target/${RUST_PROFILE}/forge \
+    /app/target/${RUST_PROFILE}/cast \
+    /app/target/${RUST_PROFILE}/anvil \
+    /app/target/${RUST_PROFILE}/chisel \
+    /app/output/
 
-RUN --mount=type=cache,target=/root/.cargo/registry --mount=type=cache,target=/root/.cargo/git --mount=type=cache,target=/opt/foundry/target \
-    source $HOME/.profile && cargo build --release --features anvil/js-tracer,cast/aws-kms,cast/gcp-kms,cast/turnkey,forge/aws-kms,forge/gcp-kms,forge/turnkey \
-    && mkdir out \
-    && mv target/release/forge out/forge \
-    && mv target/release/cast out/cast \
-    && mv target/release/anvil out/anvil \
-    && mv target/release/chisel out/chisel \
-    && strip out/forge \
-    && strip out/cast \
-    && strip out/chisel \
-    && strip out/anvil;
+RUN sccache --show-stats || true
 
-FROM alpine:3.22 AS foundry-client
+FROM ubuntu:22.04 AS runtime
 
-RUN apk add --no-cache linux-headers git gcompat libstdc++
+# Install runtime dependencies.
+RUN apt update && apt install -y git
 
-COPY --from=build-environment /opt/foundry/out/forge /usr/local/bin/forge
-COPY --from=build-environment /opt/foundry/out/cast /usr/local/bin/cast
-COPY --from=build-environment /opt/foundry/out/anvil /usr/local/bin/anvil
-COPY --from=build-environment /opt/foundry/out/chisel /usr/local/bin/chisel
+COPY --from=builder /app/output/* /usr/local/bin/
 
-RUN adduser -Du 1000 foundry
+RUN groupadd -g 1000 foundry && \
+    useradd -m -u 1000 -g foundry foundry
+USER foundry
 
 ENTRYPOINT ["/bin/sh", "-c"]
 
diff --git a/Dockerfile.cross b/Dockerfile.cross
diff --git a/Makefile b/Makefile
@@ -32,59 +32,21 @@ help: ## Display this help.
 build: ## Build the project.
 	cargo build --features "$(FEATURES)" --profile "$(PROFILE)"
 
-# The following commands use `cross` to build a cross-compile.
-#
-# These commands require that:
-#
-# - `cross` is installed (`cargo install cross`).
-# - Docker is running.
-# - The current user is in the `docker` group.
-#
-# The resulting binaries will be created in the `target/` directory.
-build-%:
-	cross build --target $* --features "$(FEATURES)" --profile "$(PROFILE)"
-
-.PHONY: docker-build-push
-docker-build-push: docker-build-prepare ## Build and push a cross-arch Docker image tagged with DOCKER_IMAGE_NAME.
-	# Build x86_64-unknown-linux-gnu.
-	cargo build --target x86_64-unknown-linux-gnu --features "jemalloc aws-kms gcp-kms turnkey cli asm-keccak js-tracer" --profile "$(PROFILE)"
-	mkdir -p $(BIN_DIR)/amd64
-	for bin in anvil cast chisel forge; do \
-		cp $(CARGO_TARGET_DIR)/x86_64-unknown-linux-gnu/$(PROFILE)/$$bin $(BIN_DIR)/amd64/; \
-	done
-
-	# Build aarch64-unknown-linux-gnu.
-	rustup target add aarch64-unknown-linux-gnu
-	RUSTFLAGS="-C linker=aarch64-linux-gnu-gcc" cargo build --target aarch64-unknown-linux-gnu --features "aws-kms gcp-kms turnkey cli asm-keccak js-tracer" --profile "$(PROFILE)"
-	mkdir -p $(BIN_DIR)/arm64
-	for bin in anvil cast chisel forge; do \
-		cp $(CARGO_TARGET_DIR)/aarch64-unknown-linux-gnu/$(PROFILE)/$$bin $(BIN_DIR)/arm64/; \
-	done
-
-	docker buildx build --file ./Dockerfile.cross . \
-		--platform linux/amd64,linux/arm64 \
-		$(foreach tag,$(shell echo $(DOCKER_IMAGE_NAME) | tr ',' ' '),--tag $(tag)) \
-		--provenance=true \
-		--push
-
-.PHONY: docker-build-prepare
-docker-build-prepare: ## Prepare the Docker build environment.
-	docker run --privileged --rm tonistiigi/binfmt:qemu-v7.0.0-28 --install amd64,arm64
-	@if ! docker buildx inspect cross-builder &> /dev/null; then \
-		echo "Creating a new buildx builder instance"; \
-		docker buildx create --use --driver docker-container --name cross-builder; \
-	else \
-		echo "Using existing buildx builder instance"; \
-		docker buildx use cross-builder; \
-	fi
+.PHONY: build-docker
+build-docker: ## Build the docker image.
+	docker build . -t "$(DOCKER_IMAGE_NAME)" \
+	--build-arg "RUST_PROFILE=$(PROFILE)" \
+	--build-arg "RUST_FEATURES=$(FEATURES)" \
+	--build-arg "TAG_NAME=dev" \
+	--build-arg "VERGEN_GIT_SHA=$(shell git rev-parse HEAD)"
 
 ##@ Test
 
 ## Run unit/doc tests and generate html coverage report in `target/llvm-cov/html` folder.
-## Notice that `llvm-cov` supports doc tests only in nightly builds because the `--doc` flag 
+## Notice that `llvm-cov` supports doc tests only in nightly builds because the `--doc` flag
 ## is unstable (https://github.com/taiki-e/cargo-llvm-cov/issues/2).
 .PHONY: test-coverage
-test-coverage: 
+test-coverage:
 	cargo +nightly llvm-cov --no-report nextest -E 'kind(test) & !test(/\b(issue|ext_integration)/)' && \
 	cargo +nightly llvm-cov --no-report --doc && \
 	cargo +nightly llvm-cov report --doctests --open
