From 4f3c06954eaf1e371a6de36b654612bd3de3dddf Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Fri, 4 Aug 2023 09:06:33 -0700 Subject: [PATCH] ci: try build args for container again Second attempt at supporting container builds that reference specific versions of the Penumbra dependencies. The only changes are that the fallback value to the string 'main' is now in single quotes, rather than double quotes [0], and the "inputs" field has the event prefix. Also made some largely cosmetic changes to source code paths within Containerfile. Revert "Revert "ci: add build args for container"" This reverts commit 0bcb9a4c4134cc5a71a434c89315ac63a642922e. Revert "Revert "ci: support default build args as gha inputs"" This reverts commit f975cd8ecf3f078256c848458cb82fc3cc36d4ea. [0] https://docs.github.com/en/actions/learn-github-actions/expressions#literals
--- .github/workflows/container.yml | 11 ++++++++++- Containerfile | 20 ++++++++++++-------- 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index bf5cf02..b858cff 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -3,6 +3,11 @@ name: Build container image
 on:
 workflow_call:
 workflow_dispatch:
+ inputs:
+ penumbra_version:
+ description: 'Git ref (e.g. branch or tag) of Penumbra repo for building'
+ default: "main"
+ required: true
 push:
 branches:
 - main
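Review bot: The `description` of `penumbra_version` calls the value a git ref, but the Containerfile part of this patch also uses it as the tag of `ghcr.io/penumbra-zone/penumbra`, and the second hunk of this file appends it to the published image tag. A branch with no matching upstream image, or a ref containing `/`, would therefore fail only once the build is running. I would state the constraint where the operator types the value, e.g. `description: 'Penumbra version; must exist both as a git ref and as a ghcr.io/penumbra-zone/penumbra image tag (e.g. main or a release tag)'`.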
@@ -45,7 +50,11 @@ jobs:
 platforms: linux/amd64
 file: Containerfile
 push: true
- tags: ${{ steps.meta.outputs.tags }}
+ # We include a tag with the associated Penumbra, e.g. `penumbra-v0.57.0`.
+ # This is important to maintain compatibility with a long-running testnet.
+ tags: ${{ steps.meta.outputs.tags }},penumbra-${{ github.event.inputs.penumbra_version || 'main' }}
+ build-args: |
+ PENUMBRA_VERSION=${{ github.event.inputs.penumbra_version || 'main' }}
 # We disable layer caching to ensure that the most recent penumbra repo is used.
 # Otherwise, the static git url for the repo will always result in a cache hit.
 # TODO: update with dynamic build-args using e.g. current date to bust cache.
diff --git a/Containerfile b/Containerfile
index d46d740..6d73a5c 100644
--- a/Containerfile
+++ b/Containerfile
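Review bot: The entry appended to `tags:` is a bare `penumbra-<version>` with no registry or repository prefix, whereas `steps.meta.outputs.tags` presumably yields fully qualified references (the meta step is outside this hunk), so the extra entry may be read as an image name rather than a tag on this project's image. The input is also interpolated unvalidated into both `tags:` and `build-args:`, so a ref containing `/` or other characters not allowed in an image tag breaks the push, and a value containing a newline could add further lines to the build-args list. If the meta step is docker/metadata-action, I would move the tag there as `type=raw,value=penumbra-${{ github.event.inputs.penumbra_version || 'main' }}` and add an earlier step that rejects values not matching something like `^[A-Za-z0-9_.-]+$`. Note too that `github.event.inputs` is only populated for `workflow_dispatch` events, so `push` builds, and `workflow_call` runs started by any other event, always get `penumbra-main`.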
@@ -1,22 +1,26 @@
+ARG PENUMBRA_VERSION=main
+# ARG PENUMBRA_VERSION=v0.54.1
 # Pull from Penumbra container, so we can grab a recent `pcli` without
 # needing to compile from source.
-FROM ghcr.io/penumbra-zone/penumbra:main AS penumbra
-FROM docker.io/rust:1-bullseye AS builder
+FROM ghcr.io/penumbra-zone/penumbra:${PENUMBRA_VERSION} AS penumbra
+# Build the osiris binary
+FROM docker.io/rust:1-bullseye AS builder
+ARG PENUMBRA_VERSION=main
 RUN apt-get update && apt-get install -y \
 libssl-dev git-lfs clang
-# Shallow clone since we only want most recent HEAD; this should change
-# if/when we want to support specific refs, such as release tags, for Penumbra deps.
-RUN git clone --depth=1 https://github.com/penumbra-zone/penumbra /app/penumbra
-COPY . /app/osiris
-WORKDIR /app/osiris
+# Clone in Penumbra deps to relative path, required due to git-lfs.
+RUN git clone --depth 1 --branch "${PENUMBRA_VERSION}" https://github.com/penumbra-zone/penumbra /usr/src/penumbra
+COPY . /usr/src/osiris
+WORKDIR /usr/src/osiris
 RUN cargo build --release
+# Runtime container, copying in built artifacts
 FROM docker.io/debian:bullseye-slim
 RUN apt-get update && apt-get install -y ca-certificates
 RUN groupadd --gid 1000 penumbra \
 && useradd -m -d /home/penumbra -g 1000 -u 1000 penumbra
-COPY --from=builder /app/osiris/target/release/osiris /usr/bin/osiris
 COPY --from=penumbra /bin/pcli /usr/bin/pcli
+COPY --from=builder /usr/src/osiris/target/release/osiris /usr/bin/osiris
 WORKDIR /home/penumbra
 USER penumbra
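Review bot: With `ARG PENUMBRA_VERSION=main` as the default, both the `FROM ghcr.io/penumbra-zone/penumbra:${PENUMBRA_VERSION}` stage that supplies `pcli` and the `git clone --branch` resolve a moving ref, so a default build ships whatever upstream `main` is at build time and cannot be reproduced or audited later. I would default to a release tag (the commented-out `# ARG PENUMBRA_VERSION=v0.54.1` suggests this was considered; either use it or delete the line) and record what was actually built, e.g. `RUN git -C /usr/src/penumbra rev-parse HEAD` right after the clone. The image pull and the clone are also two independent lookups of the same name, so nothing guarantees that the `pcli` binary and the cloned sources come from the same commit; pinning the `FROM` by digest for release builds would close that gap. A one-line comment on the second `ARG` saying it is redeclared because an `ARG` placed before `FROM` is not visible inside a stage would help readers.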