Build Docker images using root to avoid file permission issues (#4545)

connorjward · web-flow · commit 917d75576ea6 · 2025-09-25T12:30:12.000+01:00
diff --git a/.github/workflows/core.yml b/.github/workflows/core.yml
@@ -99,18 +99,6 @@ jobs:
         # Make sure the current directory is empty
         run: find . -delete
 
-      # Check that the Dockerfile is using the latest Ubuntu version.
-      # The version is hardcoded into the Dockerfile so that the OS
-      # for each release is fixed.
-      - name: Check Dockerfile Ubuntu version
-        run: |
-          latest_version=$(grep "VERSION_ID=" /etc/os-release | cut -d '"' -f 2)
-          docker_version=$(grep FROM docker/Dockerfile.vanilla | cut -d ':' -f 2)
-          if [[ "$docker_version" != "$latest_version" ]]; then
-            echo "Ubuntu version ${docker_version} in Dockerfile is out of date with latest version ${latest_version}"
-            exit 1
-          fi
-
       # Use a different mirror to fetch apt packages from to get around
       # temporary outage.
       # (https://askubuntu.com/questions/1549622/problem-with-archive-ubuntu-com-most-of-the-servers-are-not-responding)
@@ -132,6 +120,20 @@ jobs:
       - name: Validate single source of truth
         run: ./firedrake-repo/scripts/check-config
 
+      # Check that the Dockerfile is using the latest Ubuntu version.
+      # The version is hardcoded into the Dockerfile so that the OS
+      # for each release is fixed.
+      - name: Check Dockerfile Ubuntu version
+        run: |
+          latest_version=$(grep "VERSION_ID=" /etc/os-release | cut -d '"' -f 2)
+          docker_version=$(grep FROM firedrake-repo/docker/Dockerfile.vanilla | cut -d ':' -f 2)
+          echo "Latest version: $latest_version"
+          echo "Docker version: $docker_version"
+          if [[ "$docker_version" != "$latest_version" ]]; then
+            echo "Ubuntu version ${docker_version} in Dockerfile is out of date with latest version ${latest_version}"
+            exit 1
+          fi
+
       # Raise an error if any 'TODO RELEASE' comments remain
       - name: Check no 'TODO RELEASE' comments (release only)
         if: inputs.target_branch == 'release'
diff --git a/.github/workflows/docker_build.yml b/.github/workflows/docker_build.yml
@@ -46,19 +46,73 @@ on:
         required: true
 
 jobs:
-  docker_build:
-    name: "Build the ${{ inputs.target }} container"
-    strategy:
-      fail-fast: false
-    runs-on: [self-hosted, "${{ inputs.os }}"]
+  docker_build_linux:
+    name: Build the ${{ inputs.target }} container (Linux)
+    if: inputs.os == 'Linux'
+    runs-on: [self-hosted, Linux]
+    container: ubuntu:latest
     steps:
       - name: Pre-cleanup
         if: always()
+        run: find . -delete
+
+      - name: Set up Docker
         run: |
-          rm -rf ${{ runner.temp }}/digests
+          apt-get update
+          apt-get -y install docker.io
+
+      - name: Check out the repo
+        uses: actions/checkout@v5
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USER }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push ${{ inputs.target }}
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          platforms: ${{ inputs.platform }}
+          file: ${{ inputs.dockerfile }}
+          build-args: |
+            ARCH=${{ inputs.arch }}
+            BRANCH=${{ inputs.branch }}
+          outputs: type=image,name=firedrakeproject/${{ inputs.target }},push-by-digest=true,name-canonical=true,push=true
+
+      - name: Export digest
+        run: |
+          : # Create a file in './digests' with name matching the pushed image hash
+          mkdir digests
+          digest="${{ steps.build.outputs.imageid }}"
+          touch "digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests_${{ inputs.target }}_${{ inputs.os }}
+          path: digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+      - name: Post-cleanup
+        if: always()
+        run: find . -delete
+
+  docker_build_macos:
+    name: Build the ${{ inputs.target }} container (macOS)
+    if: inputs.os == 'macOS'
+    runs-on: [self-hosted, macOS]
+    steps:
+      - name: Pre-cleanup
+        if: always()
+        run: find . -delete
 
       - name: Add homebrew to PATH
-        if: inputs.os == 'macOS'
         run: |
           : # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#adding-a-system-path
           echo "/opt/homebrew/bin" >> "$GITHUB_PATH"
@@ -88,21 +142,19 @@ jobs:
 
       - name: Export digest
         run: |
-          : # Create a file in <tempdir>/digests with name matching the pushed image hash
-          rm -rf ${{ runner.temp }}/digests
-          mkdir -p ${{ runner.temp }}/digests
+          : # Create a file in digests with name matching the pushed image hash
+          mkdir digests
           digest="${{ steps.build.outputs.imageid }}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+          touch "digests/${digest#sha256:}"
 
       - name: Upload digest
         uses: actions/upload-artifact@v4
         with:
           name: digests_${{ inputs.target }}_${{ inputs.os }}
-          path: ${{ runner.temp }}/digests/*
+          path: digests/*
           if-no-files-found: error
           retention-days: 1
 
       - name: Post-cleanup
         if: always()
-        run: |
-          rm -rf ${{ runner.temp }}/digests
+        run: find . -delete
diff --git a/.github/workflows/docker_merge.yml b/.github/workflows/docker_merge.yml
@@ -28,15 +28,21 @@ on:
 jobs:
   docker_merge:
     runs-on: [self-hosted, Linux]
+    container: ubuntu:latest
     steps:
       - name: Pre-cleanup
         if: always()
-        run: rm -rf ${{ runner.temp }}/digests
+        run: find . -delete
+
+      - name: Set up Docker
+        run: |
+          apt-get update
+          apt-get -y install docker.io
 
       - name: Download digests
         uses: actions/download-artifact@v4
         with:
-          path: ${{ runner.temp }}/digests
+          path: digests
           pattern: digests_${{ inputs.target }}_*
           merge-multiple: true
 
@@ -49,26 +55,27 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      # NOTE: This action pushes a new image with the given tag but also updates
-      # the 'latest' tag.
-      - name: Merge and push the per-platform images
-        working-directory: ${{ runner.temp }}/digests
+      - name: Merge and push the per-platform images (release)
+        if: inputs.tag_latest
+        working-directory: digests
+        run: |
+          docker buildx imagetools create \
+            -t firedrakeproject/${{ inputs.target }}:${{ inputs.tag }} \
+            -t firedrakeproject/${{ inputs.target }}:latest \
+            $(printf "firedrakeproject/${{ inputs.target }}@sha256:%s " *)
+
+      - name: Merge and push the per-platform images (dev)
+        if: ${{ ! inputs.tag_latest }}
+        working-directory: digests
         run: |
-          if [[ "${{ inputs.tag_latest }}" == "true" ]]; then
-            docker buildx imagetools create \
-              -t firedrakeproject/${{ inputs.target }}:${{ inputs.tag }} \
-              -t firedrakeproject/${{ inputs.target }}:latest \
-              $(printf "firedrakeproject/${{ inputs.target }}@sha256:%s " *)
-          else
-            docker buildx imagetools create \
-              -t firedrakeproject/${{ inputs.target }}:${{ inputs.tag }} \
-              $(printf "firedrakeproject/${{ inputs.target }}@sha256:%s " *)
-          fi
+          docker buildx imagetools create \
+            -t firedrakeproject/${{ inputs.target }}:${{ inputs.tag }} \
+            $(printf "firedrakeproject/${{ inputs.target }}@sha256:%s " *)
 
       - name: Inspect image
         run: |
           docker buildx imagetools inspect firedrakeproject/${{ inputs.target }}:${{ inputs.tag }}
 
       - name: Post-cleanup
         if: always()
-        run: rm -rf ${{ runner.temp }}/digests
+        run: find . -delete
