authorAlbin <albin@mullvad.net>2022-12-01 16:13:47 +0100
committerAlbin <albin@mullvad.net>2022-12-01 16:13:47 +0100
commit423fdbcf086aa076a260c49682268e369cc0b08e (patch)
treeff31694d9818cbdd78dfdae6f410d4265860621b
parent6efde79b1ad73f235f56c17d2753343540c3da66 (diff)
parente2fb90a7b99cb4c39cc29a0a2ac9e3c0988a6fce (diff)
downloadmullvadvpn-423fdbcf086aa076a260c49682268e369cc0b08e.tar.xz
mullvadvpn-423fdbcf086aa076a260c49682268e369cc0b08e.zip
Merge branch 'add-android-build-container-wrapper'
-rw-r--r--.github/workflows/android-app.yml3
-rw-r--r--android/docker/Dockerfile2
-rw-r--r--building/README.md23
-rw-r--r--building/android-container-image-tag.txt1
-rw-r--r--building/android-container-image.txt1
-rwxr-xr-xbuilding/build-and-publish.sh18
-rwxr-xr-xbuilding/containerized-build.sh47
-rw-r--r--building/linux-container-image-tag.txt1
-rw-r--r--building/linux-container-image.txt1
9 files changed, 82 insertions, 15 deletions
diff --git a/.github/workflows/android-app.yml b/.github/workflows/android-app.yml
index 4565cb73a7..9337863549 100644
--- a/.github/workflows/android-app.yml
+++ b/.github/workflows/android-app.yml
@@ -45,8 +45,7 @@ jobs:
- name: Use default container image and resolve digest
if: "${{ github.event.inputs.override_container_image == '' }}"
run: |
- image_tag="$(cat ./building/android-container-image-tag.txt)"
- echo "inner_container_image=ghcr.io/mullvad/mullvadvpn-app-build-android:$image_tag" >> $GITHUB_ENV
+ echo "inner_container_image=$(cat ./building/android-container-image.txt)" >> $GITHUB_ENV
outputs:
container_image: "${{ env.inner_container_image }}"
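Review bot: The step is still named "resolve digest", but the new `echo` line writes whatever `android-container-image.txt` holds, which in this commit is a `name:tag` reference, and nothing in the visible lines resolves a digest; the job's container is therefore selected by a mutable tag. If pinning is intended, store a `name@sha256:<full digest>` reference in the file or resolve it in this step; otherwise rename the step so it does not promise more than it does. The redirect target should also be quoted and the file limited to one line so stray content cannot become extra environment entries, e.g. `echo "inner_container_image=$(head -n1 ./building/android-container-image.txt)" >> "$GITHUB_ENV"`. The job definition starts outside the hunk.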
diff --git a/android/docker/Dockerfile b/android/docker/Dockerfile
index 8c61889492..351a09689a 100644
--- a/android/docker/Dockerfile
+++ b/android/docker/Dockerfile
@@ -18,7 +18,7 @@
# patch for a given go version can be identified by checking the wireguard-android
# repo: https://git.zx2c4.com/wireguard-android/tree/tunnel/tools/libwg-go.
# It's also important to keep the go path in sync.
-FROM ghcr.io/mullvad/mullvadvpn-app-build@sha256:8a937cfc0
+FROM ghcr.io/mullvad/mullvadvpn-app-build:62371bb6c
# === Metadata ===
LABEL org.opencontainers.image.source=https://github.com/mullvad/mullvadvpn-app
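Review bot: The new `FROM` line selects the base image by the tag `62371bb6c`, which the registry can repoint, so the Android image inherits whatever that tag resolves to at build time. A full `@sha256:<digest>` reference, or a signature check on the base image before building, would keep the base reproducible and tie it to the signed artefact. If the tag form is kept, a comment above `FROM` such as `# Tag is mutable; verify the image signature (see building/README.md) before building` would record the assumption.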
diff --git a/building/README.md b/building/README.md
index c85776d368..3b6876e2d9 100644
--- a/building/README.md
+++ b/building/README.md
@@ -2,7 +2,7 @@
Substitute `${repo}` with the actual absolute path to this repository
-## Building and publishing a container image
+## Building and publishing a production container image
These instructions describe how to set up the trusted machine that builds, signs and publishes
the container images to ghcr.io.
@@ -31,6 +31,27 @@ git checkout -b update-build-container
git push # And create a PR
```
+## Building and publishing a development image container image
+
+These instructions describe how to set up a development machine to build, sign and publish container
+images. The purpose of this is mainly to verify the `build-and-publish.sh` script as well as the
+built images.
+
+Set the following environment variables to override the default values:
+- `REGISTRY_HOST`
+- `REGISTRY_ORG`
+- `CONTAINER_SIGNING_KEY_FINGERPRINT`
+
+Configure podman to store signatures when building and pushing images (substitute `${testorg}`). `~/.config/containers/registries.d/$testorg.yaml`:
+
+```yml
+docker:
+ ghcr.io/$testorg:
+ sigstore-staging: file://${repo}/building/sigstore
+```
+
+In order to verify the signature of the development images, you'll also need to follow the [pull and
+verification steps](#pulling-verifying-and-using-build-images) with some slight adjustments.
## Pulling, verifying and using build images
diff --git a/building/android-container-image-tag.txt b/building/android-container-image-tag.txt
deleted file mode 100644
index c761c91090..0000000000
--- a/building/android-container-image-tag.txt
+++ /dev/null
@@ -1 +0,0 @@
-8a937cfc0
diff --git a/building/android-container-image.txt b/building/android-container-image.txt
new file mode 100644
index 0000000000..d6e693adc2
--- /dev/null
+++ b/building/android-container-image.txt
@@ -0,0 +1 @@
+ghcr.io/mullvad/mullvadvpn-app-build-android:8a937cfc0
diff --git a/building/build-and-publish.sh b/building/build-and-publish.sh
index 777c644d51..d1d2dc275c 100755
--- a/building/build-and-publish.sh
+++ b/building/build-and-publish.sh
@@ -6,9 +6,9 @@
set -eu
-CONTAINER_SIGNING_KEY_FINGERPRINT=1E551687D67F5FD820BEF2C4D7C17F87A0D3D215
-REGISTRY_HOST="ghcr.io"
-REGISTRY_ORG="mullvad"
+CONTAINER_SIGNING_KEY_FINGERPRINT=${CONTAINER_SIGNING_KEY_FINGERPRINT:-"1E551687D67F5FD820BEF2C4D7C17F87A0D3D215"}
+REGISTRY_HOST=${REGISTRY_HOST:-"ghcr.io"}
+REGISTRY_ORG=${REGISTRY_ORG:-"mullvad"}
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
REPO_DIR="$( cd "$SCRIPT_DIR/.." && pwd )"
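Review bot: `CONTAINER_SIGNING_KEY_FINGERPRINT`, `REGISTRY_HOST` and `REGISTRY_ORG` are now taken from the environment without any message, so on the production build machine a stray exported variable would change the signing key or the push destination unnoticed. Log the effective values right after the assignments, e.g. `log_info "Registry: $REGISTRY_HOST/$REGISTRY_ORG, signing key: $CONTAINER_SIGNING_KEY_FINGERPRINT"`, provided `log_info` is already sourced at that point (that is not visible in the hunk). The hunk at `@@ -80,11 +80,11 @@` then writes `$full_container_name:$tag` into the tracked `*-container-image.txt` file and commits it, so a development run with overrides presumably records the test registry in the file that CI and `containerized-build.sh` read. A comment next to the overrides warning that such a commit must not be pushed would help.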
@@ -23,13 +23,13 @@ case ${1-:""} in
container_name="mullvadvpn-app-build"
containerfile_path="$SCRIPT_DIR/Dockerfile"
container_context_dir="$REPO_DIR"
- container_image_tag_path="$SCRIPT_DIR/linux-container-image-tag.txt"
+ container_image_name_file_path="$SCRIPT_DIR/linux-container-image.txt"
;;
android)
container_name="mullvadvpn-app-build-android"
containerfile_path="$REPO_DIR/android/docker/Dockerfile"
container_context_dir="$REPO_DIR/android/docker/"
- container_image_tag_path="$SCRIPT_DIR/android-container-image-tag.txt"
+ container_image_name_file_path="$SCRIPT_DIR/android-container-image.txt"
;;
*)
log_error "Invalid platform. Specify 'linux' or 'android' as first argument"
@@ -80,11 +80,11 @@ fi
cp "$tmp_signature_dir/signature-2" "$signature_dir/"
-log_info "Storing container tag to $container_image_tag_path"
-echo "$tag" > "$container_image_tag_path"
+log_info "Storing container image name to $container_image_name_file_path"
+echo "$full_container_name:$tag" > "$container_image_name_file_path"
-log_header "Commiting signatures and new tag name to git"
-git add "$container_image_tag_path" "$signature_dir"
+log_header "Commiting signatures and new container image name to git"
+git add "$container_image_name_file_path" "$signature_dir"
GPG_TTY=$(tty) git commit -S -m "Updating build container for $1 to $tag"
log_success "***********************"
diff --git a/building/containerized-build.sh b/building/containerized-build.sh
new file mode 100755
index 0000000000..d2386473cb
--- /dev/null
+++ b/building/containerized-build.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Builds the Android or Linux app in the current build container, as designated
+# by the *-container-image.txt files. Uses podman unless overridden using the
+# environment variable `CONTAINER_RUNNER`. Note that this script uses named
+# docker volumes that can be overridden using enviornment variables (see the
+# beginning of the script).
+
+set -eu
+
+REPO_MOUNT_TARGET="/build"
+CARGO_TARGET_VOLUME_NAME=${CARGO_TARGET_VOLUME_NAME:-"cargo-target"}
+CARGO_REGISTRY_VOLUME_NAME=${CARGO_REGISTRY_VOLUME_NAME:-"cargo-registry"}
+GRADLE_CACHE_VOLUME_NAME=${GRADLE_CACHE_VOLUME_NAME:-"gradle-cache"}
+CONTAINER_RUNNER=${CONTAINER_RUNNER:-"podman"}
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+REPO_DIR="$( cd "$SCRIPT_DIR/.." && pwd )"
+cd "$SCRIPT_DIR"
+
+source "$REPO_DIR/scripts/utils/log"
+
+case ${1-:""} in
+ linux)
+ container_image_name=$(cat "$SCRIPT_DIR/linux-container-image.txt")
+ build_command=("$REPO_MOUNT_TARGET/build.sh")
+ shift 1
+ ;;
+ android)
+ container_image_name=$(cat "$SCRIPT_DIR/android-container-image.txt")
+ build_command=("$REPO_MOUNT_TARGET/build-apk.sh" "--no-docker")
+ optional_gradle_cache_volume=(-v "$GRADLE_CACHE_VOLUME_NAME:/root/.gradle:Z")
+ shift 1
+ ;;
+ *)
+ log_error "Invalid platform. Specify 'linux' or 'android' as first argument"
+ exit 1
+esac
+
+set -x
+exec "$CONTAINER_RUNNER" run --rm -it \
+ -v "$REPO_DIR:$REPO_MOUNT_TARGET:Z" \
+ -v "$CARGO_TARGET_VOLUME_NAME:/root/.cargo/target:Z" \
+ -v "$CARGO_REGISTRY_VOLUME_NAME:/root/.cargo/registry:Z" \
+ "${optional_gradle_cache_volume[@]}" \
+ "$container_image_name" \
+ "${build_command[@]}" "$@"
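Review bot: `optional_gradle_cache_volume` is assigned only in the `android)` arm, so in the `linux)` case the `"${optional_gradle_cache_volume[@]}"` expansion in the final `exec` reads an unset name under `set -u`; that aborts on bash older than 4.4, and on newer versions it picks up any same-named variable inherited from the environment as an extra `run` argument. Initialise it with `optional_gradle_cache_volume=()` before the `case`. The selector `${1-:""}` is presumably meant to be `${1:-}`; as written it expands to a literal `:` when no argument is given and reaches the `*)` arm only by accident. Because the image is referenced by tag and the repository is bind-mounted writable, the header comment should also state that image authenticity depends on the runner's signature policy, which is likely not enforced when `CONTAINER_RUNNER` is set to something other than podman.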
diff --git a/building/linux-container-image-tag.txt b/building/linux-container-image-tag.txt
deleted file mode 100644
index 152933ef05..0000000000
--- a/building/linux-container-image-tag.txt
+++ /dev/null
@@ -1 +0,0 @@
-62371bb6c
diff --git a/building/linux-container-image.txt b/building/linux-container-image.txt
new file mode 100644
index 0000000000..92eaa86c59
--- /dev/null
+++ b/building/linux-container-image.txt
@@ -0,0 +1 @@
+ghcr.io/mullvad/mullvadvpn-app-build:62371bb6c