Conversation
There was a problem hiding this comment.
Pull request overview
This PR makes the Rust base image used by the Docker build configurable via a build argument, and wires that through the GitHub Actions Docker publishing workflow so callers can choose a specific Rust image tag.
Changes:
- Parameterize
Dockerfile’sFROM rust:...with aRUST_IMAGEbuild arg (defaulting tolatest). - Add a
workflow_dispatchinput to select the Rust image tag, and pass it as a Docker build arg. - Adjust Docker tag computation so non-default Rust images get a
-rust-<image>suffix and do not update the:latesttag on version releases.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Dockerfile | Adds ARG RUST_IMAGE and uses it in the FROM line to make the Rust base image tag configurable. |
| .github/workflows/docker.yml | Adds a workflow input + env propagation for RUST_IMAGE, modifies tag computation to suffix tags when a custom Rust image is used, and passes the build arg to Buildx. |
fnando
force-pushed
the
docker-custom-image
branch
from
d720221 to
8a53140
Compare
fnando
force-pushed
the
docker-custom-image
branch
from
8a53140 to
a1cd5b6
Compare
fnando
force-pushed
the
docker-custom-image
branch
from
a1cd5b6 to
7f37b6f
Compare
| RUN git clone "${CLI_REPO}" . && \ | ||
| git checkout "${CLI_REF}" |
There was a problem hiding this comment.
I'm not sure we want to checkout via git from the dockerfile. This is somewhat misleading for users who build with the dockerfile locally.
e.g. as it sits docker build ./ will build from main instead of local.
IMO - we would be better off doing the following:
- Have the github action checkout the code
- Have the dockerfile do
COPY . /src, and keep the builder step to actually build the binary - keep the image creation step as is
There was a problem hiding this comment.
the dockerfile will be extracted into its own repo, as per this thread.
But I believe the proper fix is actually just downloading the binary distributed through the release pages, because re-building the cli inside/outside the dockerfile is changing the cliver metadata anyway. I'm just confirming if we want to move into that direction before doing the work.
| - name: Resolve build args | ||
| run: | | ||
| rust_image="${{ github.event_name == 'workflow_dispatch' && inputs.rust_image || 'latest' }}" | ||
| cli_ref="${{ github.event_name == 'workflow_dispatch' && inputs.ref || github.ref_name }}" |
There was a problem hiding this comment.
[picky] we might want to resolve the input ref into a commit sha before the build job. Technically this could race condition if a branch is passed and the branch is updated between amd64 run and arm64 run?
Though this isn't an issue when running on publish so am fine ignoring.
What
Make the Docker image self-contained and customizable. Closes #2542.
The Dockerfile is now multi-stage: the builder stage clones the requested CLI source from GitHub and runs
cargo buildagainst the target rust base image. Both stages use the samerust:${RUST_IMAGE}image, so glibc and shared libraries cannot drift between build and runtime.Two knobs are exposed to the workflow:
rust_image(defaultlatest) — pins the rust base image used for both stages. When non-default, images are tagged with a-rust-<sanitized>suffix and:latestis not updated.refflows into the Dockerfile asCLI_REFand selects which version of stellar-cli to clone and build.Anyone can now reproduce a target configuration with a single command, no workflow knowledge required:
docker build \ --build-arg RUST_IMAGE=1.90.0-slim-bookworm \ --build-arg CLI_REF=v25.1.0 \ -t stellar-cli:25.1.0-rust-1.90.0-slim-bookworm .Multi-arch builds run on native runners (
ubuntu-latestfor amd64,ubuntu-24.04-armfor arm64) and push per-arch by digest; a finalmanifestjob combines them into the tagged manifest list — no QEMU emulation in CI.Why
https://stellarfoundation.slack.com/archives/C08AP4BN24E/p1778093609993929?thread_ts=1773364869.231219&cid=C08AP4BN24E
Known limitations
N/A