@endersonmaia (Contributor) commented Aug 13, 2025

This pull request modernizes and hardens the Dockerfiles for all supported languages by switching from Ubuntu to Debian "trixie" base images, introducing reproducible builds using snapshot.debian.org, and improving the installation process for machine-guest-tools. It also includes several clean-up and security enhancements, such as stricter verification of downloaded packages and improved build determinism.

Base image and build reproducibility improvements:

  • All Dockerfiles (cpp-low-level/Dockerfile, cpp/Dockerfile, go/Dockerfile, lua/Dockerfile, python/Dockerfile) now use Debian "trixie" snapshot images instead of Ubuntu, with apt configured to use snapshot.debian.org for fully reproducible builds. Custom apt configs are added to handle expired snapshots and insecure TLS for the initial update.

Machine guest tools installation and verification:

  • The installation of machine-guest-tools is now performed in a more secure and reproducible way: a SHA512 checksum file is injected and verified before installing the downloaded .deb package, and the process is unified across all Dockerfiles.

Build and runtime environment clean-up:

  • All images now explicitly remove temporary apt configs and aggressively clean up package manager caches, logs, and other non-deterministic files. A new apt-get dist-clean step is added to further strip non-determinism from the final images.

Language-specific improvements:

  • The Python Dockerfile now builds and copies a virtual environment in a dedicated builder stage, sets the correct PATH, and runs as a non-root user (dapp).
  • The Go Dockerfile uses the official golang image for cross-building, simplifying the build process and removing manual installation of Go.
  • The Lua Dockerfile splits the installation of Lua dependencies and system libraries for better layering and reproducibility.

.dockerignore updates:

  • Added .cartesi, .venv, .bundle to .dockerignore files to prevent local development artifacts from being included in Docker build contexts.

These changes collectively improve security, reproducibility, and maintainability of the build process for all supported languages.

@endersonmaia (Contributor, Author) commented:

I'm using snapshot.debian.org to make the builds reproducible just like we did with Ubuntu.

For security repositories (like debian-security), the expiration is enforced to prevent users from installing outdated security updates, as these can quickly become unsafe. When the Release file expires, apt will refuse to use the repository for updates.

This would make the build fail.

I'm investigating alternatives like manipulating the sources.list.d for the security repository, but I'm not sure about the practical impact on the reproducibility vs. security we want to provide with these templates.
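The two build-time checks the description and the comment above turn on (a sources entry pinned to one snapshot.debian.org timestamp, with apt's per-source `check-valid-until` switch for the expired-Release problem, and a SHA512 verification of the downloaded .deb before it is installed), as an added example that is not the PR's own Dockerfile code. The function names, the timestamp and the package bytes are constructed for the example; the page does not show which apt options the PR actually uses.

```shell
#!/bin/sh
# Added example: helpers a Dockerfile RUN step could call. Not from the PR.
set -eu

# Print a sources.list line pinned to a single snapshot.debian.org timestamp.
# $1 = archive (debian | debian-security), $2 = YYYYMMDDTHHMMSSZ,
# $3 = suite, $4 = yes|no for apt's per-source check-valid-until option.
# A snapshot's Release file is frozen, so its Valid-Until eventually lies in
# the past; "no" keeps the build working, at the cost the comment above
# describes for security repositories.
snapshot_source() {
  archive=$1; ts=$2; suite=$3; check=$4
  printf 'deb [check-valid-until=%s] https://snapshot.debian.org/archive/%s/%s/ %s main\n' \
    "$check" "$archive" "$ts" "$suite"
}

# Verify a downloaded .deb against a checksum file injected into the build
# context ("<sha512>  <filename>", the sha512sum output format).
# Returns 0 only when the hash matches; the caller must fail the build otherwise.
verify_deb() {
  deb=$1; sums=$2
  expected=$(cut -d' ' -f1 "$sums")
  actual=$(sha512sum "$deb" | cut -d' ' -f1)
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Stand-alone demonstration on a constructed package file (not a real .deb).
demo() {
  tmp=$(mktemp -d)
  printf 'constructed package bytes\n' > "$tmp/machine-guest-tools.deb"
  sha512sum "$tmp/machine-guest-tools.deb" > "$tmp/machine-guest-tools.deb.sha512"
  snapshot_source debian 20250825T000000Z trixie no
  snapshot_source debian-security 20250825T000000Z trixie-security yes
  if verify_deb "$tmp/machine-guest-tools.deb" "$tmp/machine-guest-tools.deb.sha512"; then
    echo "checksum OK: safe to dpkg -i"
  fi
  printf 'tampered\n' >> "$tmp/machine-guest-tools.deb"
  if ! verify_deb "$tmp/machine-guest-tools.deb" "$tmp/machine-guest-tools.deb.sha512"; then
    echo "checksum MISMATCH: build must fail here"
  fi
  rm -rf "$tmp"
}
```

Run `demo` to see both outcomes; in a Dockerfile the mismatch branch is the `RUN` step exiting non-zero.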

endersonmaia force-pushed the feature/use-debian-trixie branch 9 times, most recently from 7b30dab to 7e1e56f (August 22, 2025 20:15)
endersonmaia marked this pull request as draft (August 23, 2025 17:17)
endersonmaia force-pushed the feature/use-debian-trixie branch 2 times, most recently from 912a689 to ef6ff38 (August 25, 2025 12:46)
endersonmaia self-assigned this (Aug 25, 2025)
endersonmaia marked this pull request as ready for review (August 25, 2025 12:47)
endersonmaia requested review from Copilot and tuler (August 25, 2025 12:48)
Copilot AI left a comment

Pull Request Overview

This pull request modernizes the Docker build process by migrating all language templates from Ubuntu to Debian snapshot-based images for better reproducibility. The changes update multiple Dockerfiles to use deterministic Debian Trixie snapshots, modernize the machine-guest-tools installation process, and enhance CI workflows with updated tooling and artifact management.

Key changes include:

  • Migration from Ubuntu to Debian Trixie snapshot images across all language templates
  • Refactored machine-guest-tools installation with better verification and non-determinism fixes
  • Updated GitHub Actions workflow to use newer Cartesi CLI version and add artifact uploads

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Summary per file:

| File | Description |
| --- | --- |
| rust/Dockerfile | Migrated to Debian Trixie and official Rust image, updated machine-guest-tools installation |
| ruby/Dockerfile | Switched to official Ruby image on Debian Trixie base |
| python/Dockerfile | Adopted official Python image with multi-stage build for virtual environment |
| lua/Dockerfile | Converted to Debian Trixie base image |
| go/Dockerfile | Updated to use official Go image with Debian Trixie |
| cpp/Dockerfile | Migrated to Debian Trixie base |
| cpp-low-level/Dockerfile | Converted to Debian Trixie with reorganized machine-guest-tools handling |
| .github/workflows/build.yaml | Updated Cartesi CLI version and added artifact upload steps |
| ruby/.dockerignore | Added .bundle exclusion |
| python/.dockerignore | Added .cartesi and .venv exclusions |


@endersonmaia (Contributor, Author) commented:

There's already an update at docker-library/official-images#19823

Will work on this soon.

endersonmaia force-pushed the feature/use-debian-trixie branch from 645ad91 to c9dded1 (September 18, 2025 16:52)