Refactor build

.devcontainer/.zshrc

@@ -10,6 +10,8 @@ export ZSH=$HOME/.oh-my-zsh
 # See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
 ZSH_THEME="powerlevel10k/powerlevel10k"
 
+POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(status command_execution_time time)
+
 # Set list of themes to pick from when loading at random
 # Setting this variable when ZSH_THEME="powerlevel10k/powerlevel10k"
 # a theme from this variable instead of looking in $ZSH/themes/

.devcontainer/Dockerfile

@@ -1,16 +1,23 @@
 FROM mcr.microsoft.com/devcontainers/rust:1.0.20-bookworm 
 
 ENV ZSH_CUSTOM=/home/vscode/.oh-my-zsh/custom \
-    TASK_VERSION=v3.41.0
+    TASK_VERSION=v3.41.0 \
+    DIVE_VERSION=0.12.0
 
 RUN apt-get update && \
     # Install nodejs and npm
     curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
-     # Install Task
-    curl -s https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin ${TASK_VERSION} && \
     apt-get install -y nodejs && \
+    # Install Task
+    curl -s https://taskfile.dev/install.sh | sh -s -- -b /usr/local/bin ${TASK_VERSION} && \
+    # Install Dive 
+    curl -fsSL https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_arm64.tar.gz -o /tmp/dive_${DIVE_VERSION}_linux_arm64.tar.gz && \
+    tar -xzf /tmp/dive_${DIVE_VERSION}_linux_arm64.tar.gz -C /usr/local/bin && \
+    chmod +x /usr/local/bin/dive && \
+    # Cleanup
     apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/* && \
+    rm -rf /tmp/*
 
 RUN npm install -g semantic-release @semantic-release/changelog @semantic-release/exec @semantic-release/git @semantic-release/github conventional-changelog-conventionalcommits
 
@@ -22,8 +29,8 @@ RUN apt-get update && \
     pkg-config \
     musl-tools && \
     rustup target add \
-        aarch64-unknown-linux-musl \
-        x86_64-unknown-linux-musl && \
+    aarch64-unknown-linux-musl \
+    x86_64-unknown-linux-musl && \
     cd /tmp && \
     wget https://musl.cc/aarch64-linux-musl-cross.tgz && \
     tar -xzf aarch64-linux-musl-cross.tgz && \

.devcontainer/devcontainer.json

@@ -14,7 +14,8 @@
         "vadimcn.vscode-lldb",
         "tamasfe.even-better-toml",
         "streetsidesoftware.code-spell-checker",
-        "esbenp.prettier-vscode"
+        "esbenp.prettier-vscode",
+        "github.vscode-github-actions"
       ],
       "settings": {
         "terminal.integrated.defaultProfile.linux": "zsh",

.github/workflows/ci.yml

@@ -18,19 +18,31 @@ jobs:
     name: Build
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+          persist-credentials: false
+
+      - name: Install Rust
+        uses: actions-rust-lang/[email protected]
+        with:
+          toolchain: stable
+          components: rustfmt, clippy
+          override: true
+          cache: true
+          cache-key: ${{ runner.os }}-cargo-ci-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Cache Rust dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v4.2.1
         with:
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
             target/
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-cargo-ci-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: |
-            ${{ runner.os }}-cargo-
+            ${{ runner.os }}-cargo-ci-
 
       - name: Lint
         run: cargo fmt --all -- --check

.github/workflows/release.yml

@@ -99,31 +99,29 @@ jobs:
             exit 1
           fi
 
-  build_artifacts:
-    name: Build and Upload Artifacts
-    needs: github_release
+  build_binaries:
+    name: Build static binaries
+    needs:
+      - github_release
     if: needs.github_release.outputs.new_release_published == 'true'
+    timeout-minutes: 15
     permissions:
       contents: write
-      packages: write
     strategy:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
+          - os: ubuntu-24.04
             target: x86_64-unknown-linux-musl
-            arch_platform: linux/amd64
-            timeout: 10
-          - os: ubuntu-latest
-            target: aarch64-unknown-linux-musl
-            arch_platform: linux/arm64
-            timeout: 40 # Cross-compilation takes longer
+          # - os:
+          #     - self-hosted
+          #     - k8s
+          #     - ubuntu-22.04-arm64
+          #   target: aarch64-unknown-linux-musl
           - os: macos-latest
             target: x86_64-apple-darwin
-            timeout: 10
           - os: macos-latest
             target: aarch64-apple-darwin
-            timeout: 10
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout repository
@@ -142,37 +140,40 @@ jobs:
           fi
 
       - name: Install Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1.10.1
+        uses: actions-rust-lang/setup-rust-toolchain@v1.11.0
         with:
           toolchain: stable
           override: true
+          cache: true
+          cache-key: ${{ runner.os }}-${{ matrix.target }}-cargo-release-${{ hashFiles('**/Cargo.lock') }}
 
       - name: Cache Rust dependencies
-        uses: actions/cache@v4
+        uses: actions/cache@v4.2.1
         with:
           path: |
             ~/.cargo/bin/
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
             target/
-          key: ${{ runner.os }}-${{ matrix.target }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          key: ${{ runner.os }}-${{ matrix.target }}-cargo-release-${{ hashFiles('**/Cargo.lock') }}
           restore-keys: |
-            ${{ runner.os }}-${{ matrix.target }}-cargo
+            ${{ runner.os }}-${{ matrix.target }}-cargo-release-
 
       - name: Add target ${{ matrix.target }}
         run: rustup target add ${{ matrix.target }}
 
       - name: Add build tools for musl target instead of glibc
-        if: startsWith(matrix.os, 'ubuntu')
+        if: ${{ !startsWith(matrix.os, 'macos') }}
         run: |
           sudo apt-get update && sudo apt-get install --no-install-recommends -y \
             curl \
             ca-certificates \
             build-essential \
+            clang \
+            llvm \
             pkg-config \
             wget \
-            git \
             musl-tools \
             libssl-dev \
             && sudo rm -rf /var/lib/apt/lists/* \
@@ -185,21 +186,25 @@ jobs:
             && rm -rf *.tgz
 
       - name: Build binary for ${{ matrix.target }}
-        timeout-minutes: ${{ matrix.timeout }}
+        if: ${{ !startsWith(matrix.os, 'macos') }}
         env:
           PKG_CONFIG_ALLOW_CROSS: 1
-          RUSTFLAGS: "-C target-feature=+crt-static"
+          RUSTFLAGS: "-C target-feature=+crt-static -C linker=clang"
+          CC: clang
+          AR: llvm-ar
           OPENSSL_DIR: /usr
           OPENSSL_LIB_DIR: /usr/lib
           OPENSSL_INCLUDE_DIR: /usr/include
           OPENSSL_STATIC: 1
-          CC_aarch64_unknown_linux_musl: aarch64-linux-musl-gcc
-          AR_aarch64_unknown_linux_musl: aarch64-linux-musl-ar
-          CC_x86_64_unknown_linux_musl: x86_64-linux-musl-gcc
-          AR_x86_64_unknown_linux_musl: x86_64-linux-musl-ar
         run: |
-          export PATH="/root/.cargo/bin:/opt/x86_64-linux-musl-cross/bin:/opt/aarch64-linux-musl-cross/bin:${PATH}"
-          cargo build --release --target ${{ matrix.target }}
+          cargo build --release --no-default-features --target ${{ matrix.target }}
+
+      - name: Build binary for ${{ matrix.target }}
+        if: ${{ startsWith(matrix.os, 'macos') }}
+        env:
+          RUSTFLAGS: "-C target-feature=+crt-static"
+        run: |
+          cargo build --release --no-default-features --target ${{ matrix.target }}
 
       - name: Rename binary to the published name
         run: |
@@ -213,37 +218,122 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Set up QEMU
-        if: startsWith(matrix.os, 'ubuntu')
-        uses: docker/setup-qemu-action@v3
+  build_containers:
+    name: B&P Containers
+    needs:
+      - github_release
+    if: needs.github_release.outputs.new_release_published == 'true'
+    timeout-minutes: 65
+    permissions:
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-24.04
+            target: x86_64-unknown-linux-musl
+          # - os:
+          #     - self-hosted
+          #     - k8s
+          #   target: aarch64-unknown-linux-musl
+    container:
+      image: gcr.io/kaniko-project/executor:v1.23.2-debug
+      options: --entrypoint="" --cpu-shares=4096 --memory=6g --cpus=4
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Login to GitHub Container Registry
+        run: |
+          mkdir -p /kaniko/.docker
+          cat << EOF > /kaniko/.docker/config.json
+          {
+            "auths": {
+              "ghcr.io": {
+                "auth": "$(echo -n ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} | base64)"
+              }
+            }
+          }
+          EOF
+
+      - name: Build and push
+        env:
+          REPOSITORY_NAME: coder
+          REPOSITORY_OWNER: ${{ github.repository_owner }}
+          CONTAINER_REGISTRY: ghcr.io
+          VERSION: ${{ needs.github_release.outputs.new_release_version }}
+        run: |
+          echo "Available cores: $(nproc)"
+          /kaniko/executor \
+            --context="${{ github.repositoryUrl }}#${{ github.ref }}" \
+            --dockerfile=Dockerfile \
+            --target=minimal \
+            --destination=${{ env.CONTAINER_REGISTRY }}/${{ env.REPOSITORY_OWNER }}/${{ env.REPOSITORY_NAME }}:latest \
+            --destination=${{ env.CONTAINER_REGISTRY }}/${{ env.REPOSITORY_OWNER }}/${{ env.REPOSITORY_NAME }}:minimal \
+            --destination=${{ env.CONTAINER_REGISTRY }}/${{ env.REPOSITORY_OWNER }}/${{ env.REPOSITORY_NAME }}:minimal-${{ env.VERSION }} \
+            --build-arg=TARGET_ARCH=${{ matrix.target }} \
+            --label="org.opencontainers.image.version=${{ env.VERSION }}" \
+            --label="org.opencontainers.image.revision=${{ github.sha }}" \
+            --label="org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" \
+            --label="org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}" \
+            --label="org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}/blob/main/README.md" \
+            --label="org.opencontainers.image.title=Coder" \
+            --label="org.opencontainers.image.description=The AI-Powered Coder without tools" \
+            --label="org.opencontainers.image.licenses=MIT" \
+            --label="org.opencontainers.image.vendor=${{ github.repository_owner }}" \
+            --cache=true \
+            --cache-repo=${{ env.CONTAINER_REGISTRY }}/${{ env.REPOSITORY_OWNER }}/${{ env.REPOSITORY_NAME }}/cache-${{ matrix.target }} \
+            --cache-ttl=336h \
+            --compressed-caching=true \
+            --snapshot-mode=redo \
+            --use-new-run \
+            --ignore-path=".git" \
+            --skip-unused-stages \
 
-      - name: Set up Docker Buildx
-        if: startsWith(matrix.os, 'ubuntu')
-        uses: docker/setup-buildx-action@v3
+  sign_containers:
+    name: Sign Container Images
+    needs:
+      - github_release
+      - build_containers
+    if: needs.github_release.outputs.new_release_published == 'true'
+    runs-on: ubuntu-24.04
+    permissions:
+      packages: write
+      id-token: write # needed for signing the images with GitHub OIDC Token
+      contents: read
+    env:
+      REPOSITORY_NAME: coder
+      REPOSITORY_OWNER: ${{ github.repository_owner }}
+      CONTAINER_REGISTRY: ghcr.io
+      VERSION: ${{ needs.github_release.outputs.new_release_version }}
+    steps:
+      - name: Install cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: "v2.4.3"
 
       - name: Login to GitHub Container Registry
-        if: startsWith(matrix.os, 'ubuntu')
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
-          username: ${{ github.repository_owner }}
+          username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build and push container
-        if: startsWith(matrix.os, 'ubuntu')
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          platforms: ${{ matrix.arch_platform }}
-          push: true
-          cache-from: type=gha,scope=${{ github.workflow }}-${{ matrix.target }}
-          cache-to: type=gha,mode=max,scope=${{ github.workflow }}-${{ matrix.target }}
-          tags: |
-            ghcr.io/${{ github.repository_owner }}/coder:latest
-            ghcr.io/${{ github.repository_owner }}/coder:${{ needs.github_release.outputs.new_release_version }}
-          build-args: |
-            TARGET_ARCH=${{ matrix.target }}
-          labels: |
-            org.opencontainers.image.source=https://github.com/inference-gateway/coder
-            org.opencontainers.image.description=The AI-Powered Coder
-            org.opencontainers.image.licenses=MIT
+      - name: Sign container images with GitHub OIDC
+        run: |
+          # Pull the images to sign
+          docker pull ${CONTAINER_REGISTRY}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:minimal-${VERSION}
+          docker pull ${CONTAINER_REGISTRY}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:latest
+          docker pull ${CONTAINER_REGISTRY}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:minimal
+
+          # Get digests for the images
+          VERSION_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${CONTAINER_REGISTRY}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:minimal-${VERSION})
+          LATEST_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${CONTAINER_REGISTRY}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:latest)
+          MINIMAL_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${CONTAINER_REGISTRY}/${REPOSITORY_OWNER}/${REPOSITORY_NAME}:minimal)
+
+          echo "Signing image digest: $VERSION_DIGEST"
+          echo "Signing image digest: $LATEST_DIGEST"
+          echo "Signing image digest: $MINIMAL_DIGEST"
+
+          # Sign using digests instead of tags
+          cosign sign --yes $VERSION_DIGEST
+          cosign sign --yes $LATEST_DIGEST
+          cosign sign --yes $MINIMAL_DIGEST

.gitignore

@@ -2,3 +2,4 @@
 .vscode
 .env
 .coder
+kaniko