marvinsxtr
diff --git a/‎Dockerfile‎ ‎.devcontainer/Dockerfile‎Dockerfile renamed to .devcontainer/Dockerfile
Lines changed: 15 additions & 7 deletions b/‎Dockerfile‎ ‎.devcontainer/Dockerfile‎Dockerfile renamed to .devcontainer/Dockerfile
Lines changed: 15 additions & 7 deletions
diff --git a/‎.devcontainer.json‎ ‎.devcontainer/devcontainer.json‎.devcontainer.json renamed to .devcontainer/devcontainer.json
Lines changed: 6 additions & 5 deletions b/‎.devcontainer.json‎ ‎.devcontainer/devcontainer.json‎.devcontainer.json renamed to .devcontainer/devcontainer.json
Lines changed: 6 additions & 5 deletions
diff --git a/‎.dockerignore‎
Lines changed: 1 addition & 2 deletions b/‎.dockerignore‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/workflows/docker-publish.yaml‎
Lines changed: 105 additions & 61 deletions b/‎.github/workflows/docker-publish.yaml‎
Lines changed: 105 additions & 61 deletions
@@ -1,11 +1,15 @@
-FROM --platform=linux/amd64 python:3.12-slim AS linux-base
+FROM python:3.12-slim AS linux-base
+
+ARG TARGETARCH
 
 # Utilities
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends build-essential \
-    sudo curl git htop less rsync screen vim nano wget ca-certificates openssh-client zsh procps psmisc
+    sudo curl git htop less rsync screen vim nano wget ca-certificates openssh-client zsh procps psmisc \
+    iptables ipset iproute2 dnsutils aggregate jq gfortran pkg-config
 
 # Download and install VS Code Server CLI
-RUN wget -O /tmp/vscode-server-cli.tar.gz "https://update.code.visualstudio.com/latest/cli-linux-x64/stable" && \
+RUN ARCH="$TARGETARCH" && [ "$ARCH" = "amd64" ] && ARCH="x64"; \
+    wget -O /tmp/vscode-server-cli.tar.gz "https://update.code.visualstudio.com/latest/cli-linux-${ARCH}/stable" && \
     mkdir -p /usr/local/bin && \
     tar -xf /tmp/vscode-server-cli.tar.gz -C /usr/local/bin && \
     rm /tmp/vscode-server-cli.tar.gz
@@ -16,9 +20,11 @@ RUN COMMANDS="sacct sacctmgr salloc sattach sbatch sbcast scancel scontrol sdiag
     && echo 'ssh $USER@$SLURM_CLUSTER_NAME -t "cd $PWD; . ~/.zshrc 2>/dev/null || . ~/.bashrc 2>/dev/null; bash -lc '\'$CMD \$@\''"' >> "/usr/local/bin/$CMD" \
     && chmod +x "/usr/local/bin/$CMD"; done
 
+# Non-root user
+RUN useradd -m -s /bin/bash devuser
+
 FROM linux-base AS python-base
 
-# Workdir
 WORKDIR /srv/repo
 
 # Environment variables
@@ -30,13 +36,15 @@ ENV UV_PYTHON=python3.12
 ENV PATH="$UV_PROJECT_ENVIRONMENT/bin:$PATH"
 ENV PYTHONPATH="/srv/repo:$PYTHONPATH"
 # See https://github.com/jax-ml/jax/issues/29260
-ENV LD_LIBRARY_PATH=/venv/lib/python3.12/site-packages/nvidia/cuda_nvrtc/lib:$LD_LIBRARY_PATH
+ENV LD_LIBRARY_PATH="/venv/lib/python3.12/site-packages/nvidia/cuda_nvrtc/lib:$LD_LIBRARY_PATH"
 
 # Install uv
 COPY --from=ghcr.io/astral-sh/uv:0.6.6 /uv /usr/local/bin/uv
+RUN mkdir -p /venv && chown devuser:devuser /venv
+
+USER devuser
 
-# Environment
-RUN --mount=type=cache,target=/root/.cache/uv \
+RUN --mount=type=cache,target=/home/devuser/.cache/uv,uid=1000 \
     --mount=type=bind,source=uv.lock,target=uv.lock \
     --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
     uv sync --frozen --no-install-project --all-groups
@@ -1,15 +1,16 @@
 {
-    "dockerFile": "Dockerfile",
-    "build": {"args": {"BUILDPLATFORM": "linux/amd64"}},
-	"workspaceFolder": "/srv/repo",
+    "build": {
+        "dockerfile": "Dockerfile",
+        "context": ".."
+    },
+    "workspaceFolder": "/srv/repo",
     "workspaceMount": "source=${localWorkspaceFolder},target=/srv/repo,type=bind",
     "customizations": {
         "vscode": {
             "extensions": [
                 "ms-python.debugpy",
                 "ms-python.python",
-                "ms-python.vscode-pylance",
-                "ms-python.mypy-type-checker",
+                "astral-sh.ty",
                 "charliermarsh.ruff",
                 "tamasfe.even-better-toml",
                 "ms-azuretools.vscode-docker",
 
@@ -1,4 +1,3 @@
 *
-!/Dockerfile
 !/pyproject.toml
-!/uv.lock
+!/uv.lock
@@ -1,108 +1,152 @@
 name: Docker
 
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
 on:
   push:
-    # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
+    tags: ['v*.*.*']
 
 env:
-  # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
   IMAGE_NAME: ${{ github.repository }}
 
-
 jobs:
   build:
-
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runner }}
     permissions:
       contents: read
       packages: write
-      # This is used to complete the identity challenge
-      # with sigstore/fulcio when running outside of PRs.
-      id-token: write
-
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
       - name: Clean up disk space
         uses: jlumbroso/free-disk-space@main
 
-      # Install the cosign tool except on PR
-      # https://github.com/sigstore/cosign-installer
-      - name: Install cosign
-        if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
-        with:
-          cosign-release: 'v2.2.4'
-
-      # Set up BuildKit Docker container builder to be able to build
-      # multi-platform images and export cache
-      # https://github.com/docker/setup-buildx-action
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+        uses: docker/setup-buildx-action@v3
 
-      # Login against a Docker registry except on PR
-      # https://github.com/docker/login-action
-      - name: Log into registry ${{ env.REGISTRY }}
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+      - name: Log into registry
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # Extract metadata (tags, labels) for Docker
-      # https://github.com/docker/metadata-action
+      - name: Repository to lowercase
+        id: lower-repo
+        run: echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
+
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+        uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}
 
-      # Build and push Docker image with Buildx (don't push on PR)
-      # https://github.com/docker/build-push-action
-      - name: Build and push Docker image
-        id: build-and-push
-        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+      - name: Prepare platform pair
+        id: platform
+        run: echo "pair=${platform//\//-}" >> $GITHUB_OUTPUT
+        env:
+          platform: ${{ matrix.platform }}
+
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v5
         with:
           context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          file: .devcontainer/Dockerfile
+          platforms: ${{ matrix.platform }}
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }},push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha,scope=${{ steps.platform.outputs.pair }}
+          cache-to: type=gha,mode=max,scope=${{ steps.platform.outputs.pair }}
 
-      - name: Free disk space after Docker build
+      - name: Export digest
         run: |
-          docker buildx ls --format '{{.Name}}' | grep -v default | xargs -I {} docker buildx rm {} 2>/dev/null || true
-          docker system prune -af --volumes
-          docker builder prune -af
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digest-${{ steps.platform.outputs.pair }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digest-*
+          merge-multiple: true
+
+      - name: Log into registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
-          rm -rf ~/.docker/buildx || true
-          rm -rf /tmp/docker-actions-toolkit-*/* 2>/dev/null || true
+      - name: Repository to lowercase
+        id: lower-repo
+        run: echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
 
-          df -h /
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}
 
-      - id: lower-repo
-        name: Repository to lowercase
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
         run: |
-          echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}@sha256:%s ' *)
+
+  apptainer:
+    runs-on: ubuntu-latest
+    needs: merge
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Clean up disk space
+        uses: jlumbroso/free-disk-space@main
+
+      - name: Repository to lowercase
+        id: lower-repo
+        run: echo "repository=${GITHUB_REPOSITORY@L}" >> $GITHUB_OUTPUT
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}
 
-      # Build and push .sif files for Apptainer
       - name: Setup Apptainer
         uses: eWaterCycle/setup-apptainer@v2
+
       - name: Build and push Apptainer
         env:
           TAGS: ${{ steps.meta.outputs.tags }}
         run: |
-           echo ${{ secrets.GITHUB_TOKEN }} | apptainer registry login -u ${{ secrets.GHCR_USERNAME }} --password-stdin docker://ghcr.io
-           apptainer build container.sif docker://${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}:latest
-           echo "${TAGS}" | xargs -I {} apptainer push container.sif oras://{}-sif
+          echo ${{ secrets.GITHUB_TOKEN }} | apptainer registry login -u ${{ secrets.GHCR_USERNAME }} --password-stdin docker://ghcr.io
+          apptainer build container.sif docker://${{ env.REGISTRY }}/${{ steps.lower-repo.outputs.repository }}:latest
+          echo "${TAGS}" | xargs -I {} apptainer push container.sif oras://{}-sif
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,3 @@`
`1`	`1`	`*`
`2`		`-!/Dockerfile`
`3`	`2`	`!/pyproject.toml`
`4`		`-!/uv.lock`
	`3`	`+!/uv.lock`