From cc67c70ea4e5eb1d92aed27adb7e8a5809f5858d Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Mon, 22 Sep 2025 21:21:46 +0200 Subject: [PATCH 1/5] feat: Build docker image with both amd64 and arm64 support Signed-off-by: Helio Chissini de Castro --- .github/workflows/docker-build.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 4dca38360a781..9ad4a010d366d 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -8,7 +8,7 @@ on: branches: - main tags: - - "[0-9]+.[0-9]+.[0-9]+" + - '[0-9]+.[0-9]+.[0-9]+' workflow_dispatch: env: @@ -32,6 +32,8 @@ jobs: run: | ORT_VERSION=$(./gradlew -q printVersion) echo "ORT_VERSION=${ORT_VERSION}" >> $GITHUB_ENV + - name: Set up QEMU + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to GitHub Container Registry @@ -63,6 +65,7 @@ jobs: cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache,mode=max build-args: ORT_VERSION=${{ env.ORT_VERSION }} + platforms: linux/amd64,linux/arm64 sbom: true - name: Build 'ort' Docker Image if: ${{ github.event_name == 'pull_request' }} @@ -73,6 +76,7 @@ jobs: labels: ${{ steps.meta-ort.outputs.labels }} cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache build-args: ORT_VERSION=${{ env.ORT_VERSION }} + platforms: linux/amd64,linux/arm64 sbom: true - name: Extract Metadata for 'ort-minimal' Docker Image id: meta-ort-minimal @@ -98,6 +102,7 @@ jobs: target: minimal cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ github.repository_owner }}/ort:cache build-args: ORT_VERSION=${{ env.ORT_VERSION }} + platforms: linux/amd64,linux/arm64 sbom: true - name: Print Disk Space run: df -h From 02592165a4a3fe8f6c29097e2973e8b2521642c0 Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Tue, 30 Sep 2025 19:24:43 +0200 Subject: [PATCH 2/5] feat(python): Use astral.sh Python binary distribution Signed-off-by: Helio Chissini de Castro --- .env.versions | 3 +- Dockerfile | 89 ++++++++++++++++++++++++++++++--------------------- 2 files changed, 54 insertions(+), 38 deletions(-) diff --git a/.env.versions b/.env.versions index 69d370ef16cae..1453f2481dcba 100644 --- a/.env.versions +++ b/.env.versions @@ -22,10 +22,11 @@ PYTHON_PIPENV_VERSION=2023.12.1 PYTHON_POETRY_VERSION=2.1.3 PYTHON_POETRY_PLUGIN_EXPORT_VERSION=1.9.0 PYTHON_SETUPTOOLS_VERSION=74.1.3 -PYTHON_VERSION=3.13.5 +PYTHON_VERSION=3.13.7 RUBY_VERSION=3.4.4 RUST_VERSION=1.90.0 SBT_VERSION=1.10.0 SCANCODE_VERSION=32.4.1 SWIFT_VERSION=6.0.3 UBUNTU_VERSION=jammy +UV_VERSION=0.9.3 diff --git a/Dockerfile b/Dockerfile index 505aaf86a6c5a..62c22a9a21370 100644 --- a/Dockerfile +++ b/Dockerfile @@ -115,13 +115,12 @@ WORKDIR $HOME ENTRYPOINT [ "/bin/bash" ] #------------------------------------------------------------------------ -# PYTHON - Build Python as a separate component with pyenv -FROM base AS pythonbuild +# PYTHON - Install Python binaries from astral-sh +FROM base AS python_install -ARG CONAN_VERSION ARG CONAN2_VERSION +ARG CONAN_VERSION ARG PIP_VERSION -ARG PYENV_GIT_TAG ARG PYTHON_INSPECTOR_VERSION ARG PYTHON_PIPENV_VERSION ARG PYTHON_POETRY_PLUGIN_EXPORT_VERSION @@ -129,42 +128,40 @@ ARG PYTHON_POETRY_VERSION ARG PYTHON_SETUPTOOLS_VERSION ARG PYTHON_VERSION ARG SCANCODE_VERSION +ARG UV_VERSION SHELL ["/bin/bash", "-o", "pipefail", "-c"] +ENV PYTHON_INSTALL_ROOT=/opt/python +ENV PATH=$PATH:$PYTHON_INSTALL_ROOT/bin:$PYTHON_INSTALL_ROOT/conan2/bin + +RUN ARCH=$(arch | sed s/aarch64/arm64/) \ + && astral_release="20250918" \ + && download_url="https://github.com/astral-sh/python-build-standalone/releases/download/${astral_release}" \ + && mkdir -p $PYTHON_INSTALL_ROOT \ + && arch="x86_64" \ + && if [ "$ARCH" == "arm64" ]; then \ + arch="aarch64"; \ + fi \ + && curl -L "${download_url}/cpython-${PYTHON_VERSION}+${astral_release}-${arch}-unknown-linux-gnu-install_only_stripped.tar.gz" | tar -C /opt -xz + +# This is required mostly because scancode-mini requirements RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ sudo apt-get update -qq \ && DEBIAN_FRONTEND=noninteractive sudo apt-get install -y --no-install-recommends \ - libreadline-dev \ - libgdbm-dev \ - libsqlite3-dev \ - libssl-dev \ - libbz2-dev \ - liblzma-dev \ - tk-dev \ + libicu-dev \ + pkg-config \ + clang \ && sudo rm -rf /var/lib/apt/lists/* -ENV PYENV_ROOT=/opt/python -ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PYENV_ROOT/conan2/bin -RUN curl -kSs https://pyenv.run | bash \ - && pyenv install -v $PYTHON_VERSION \ - && pyenv global $PYTHON_VERSION - RUN ARCH=$(arch | sed s/aarch64/arm64/) \ - && if [ "$ARCH" == "arm64" ]; then \ + && if [ "$ARCH" == "arm64" ]; then \ pip install -U scancode-toolkit-mini==$SCANCODE_VERSION; \ else \ - curl -Os https://raw.githubusercontent.com/nexB/scancode-toolkit/v$SCANCODE_VERSION/requirements.txt; \ - pip install -U --constraint requirements.txt scancode-toolkit==$SCANCODE_VERSION setuptools==$PYTHON_SETUPTOOLS_VERSION; \ - rm requirements.txt; \ + pip install -U scancode-toolkit==$SCANCODE_VERSION; \ fi -# Extract ScanCode license texts to a directory. -RUN scancode-license-data --path /opt/scancode-license-data \ - && find /opt/scancode-license-data -type f -not -name "*.LICENSE" -exec rm -f {} + \ - && rm -rf /opt/scancode-license-data/static - RUN pip install --no-cache-dir -U \ pip=="$PIP_VERSION" \ wheel \ @@ -175,19 +172,37 @@ RUN pip install --no-cache-dir -U \ poetry=="$PYTHON_POETRY_VERSION" \ poetry-plugin-export=="$PYTHON_POETRY_PLUGIN_EXPORT_VERSION" \ python-inspector=="$PYTHON_INSPECTOR_VERSION" \ - setuptools=="$PYTHON_SETUPTOOLS_VERSION" -RUN mkdir /tmp/conan2 && cd /tmp/conan2 \ - && wget https://github.com/conan-io/conan/releases/download/$CONAN2_VERSION/conan-$CONAN2_VERSION-linux-x86_64.tgz \ - && tar -xvf conan-$CONAN2_VERSION-linux-x86_64.tgz\ + setuptools=="$PYTHON_SETUPTOOLS_VERSION" \ + uv="$UV_VERSION" + +# # Extract ScanCode license texts to a directory. +# RUN ARCH=$(arch | sed s/aarch64/arm64/) \ +# if [ "$ARCH" == "arm64" ]; then \ +# echo "Not av ailable for Arm due distutils problem"; +# else \ +# scancode-license-data --path /opt/scancode-license-data; \ +# find /opt/scancode-license-data -type f -not -name "*.LICENSE" -exec rm -f {} + \; \ +# fi + +# # Extract ScanCode license texts to a directory. +# RUN ARCH=$(arch | sed s/aarch64/arm64/) \ +# if [ "$ARCH" == "arm64" ]; then \ +# echo "Not av ailable for Arm due distutils problem"; +# else \ +# scancode-license-data --path /opt/scancode-license-data; \ +# find /opt/scancode-license-data -type f -not -name "*.LICENSE" -exec rm -f {} + \; \ +# fi + +RUN mkdir -p $PYTHON_INSTALL_ROOT/conan2 \ + && curl -L https://github.com/conan-io/conan/releases/download/$CONAN2_VERSION/conan-$CONAN2_VERSION-linux-x86_64.tgz | tar -C $PYTHON_INSTALL_ROOT/conan2 -zvx bin \ # Rename the Conan 2 executable to "conan2" to be able to call both Conan version from the package manager. - && mkdir $PYENV_ROOT/conan2 && mv /tmp/conan2/bin $PYENV_ROOT/conan2/ \ - && mv $PYENV_ROOT/conan2/bin/conan $PYENV_ROOT/conan2/bin/conan2 + && mv $PYTHON_INSTALL_ROOT/conan2/bin/conan $PYTHON_INSTALL_ROOT/conan2/bin/conan2 FROM scratch AS python -COPY --from=pythonbuild /opt/python /opt/python +COPY --from=python_install /opt/python /opt/python FROM scratch AS scancode-license-data -COPY --from=pythonbuild /opt/scancode-license-data /opt/scancode-license-data +COPY --from=python_install /opt/scancode-license-data /opt/scancode-license-data #------------------------------------------------------------------------ # NODEJS - Build NodeJS as a separate component with nvm @@ -483,9 +498,9 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ && sudo rm -rf /var/lib/apt/lists/* # Python -ENV PYENV_ROOT=/opt/python -ENV PATH=$PATH:$PYENV_ROOT/shims:$PYENV_ROOT/bin:$PYENV_ROOT/conan2/bin -COPY --from=python --chown=$USER:$USER $PYENV_ROOT $PYENV_ROOT +ENV PYTHON_INSTALL_ROOT=/opt/python +ENV PATH=$PATH:$PYTHON_INSTALL_ROOT/shims:$PYTHON_INSTALL_ROOT/bin:$PYTHON_INSTALL_ROOT/conan2/bin +COPY --from=python --chown=$USER:$USER $PYTHON_INSTALL_ROOT $PYTHON_INSTALL_ROOT # NodeJS ENV NVM_DIR=/opt/nvm From 2bfb7ceeadcacb9d92ad3a54443a3dfbf61e52eb Mon Sep 17 00:00:00 2001 From: Helio Chissini de Castro Date: Tue, 30 Sep 2025 22:23:39 +0200 Subject: [PATCH 3/5] fix(scancode): Remove broken scancode-license-data call Scancode utility scancode-license-data has a flaw that inside some environments ignores the path flag. The dependency on distutils, deprecated since Python 3.12+ force install of setuptools to match requirements, but not properly a substitute for distutils. Signed-off-by: Helio Chissini de Castro --- Dockerfile | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index 62c22a9a21370..3c47bdc41ae2e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -184,15 +184,6 @@ RUN pip install --no-cache-dir -U \ # find /opt/scancode-license-data -type f -not -name "*.LICENSE" -exec rm -f {} + \; \ # fi -# # Extract ScanCode license texts to a directory. -# RUN ARCH=$(arch | sed s/aarch64/arm64/) \ -# if [ "$ARCH" == "arm64" ]; then \ -# echo "Not av ailable for Arm due distutils problem"; -# else \ -# scancode-license-data --path /opt/scancode-license-data; \ -# find /opt/scancode-license-data -type f -not -name "*.LICENSE" -exec rm -f {} + \; \ -# fi - RUN mkdir -p $PYTHON_INSTALL_ROOT/conan2 \ && curl -L https://github.com/conan-io/conan/releases/download/$CONAN2_VERSION/conan-$CONAN2_VERSION-linux-x86_64.tgz | tar -C $PYTHON_INSTALL_ROOT/conan2 -zvx bin \ # Rename the Conan 2 executable to "conan2" to be able to call both Conan version from the package manager. @@ -201,9 +192,6 @@ RUN mkdir -p $PYTHON_INSTALL_ROOT/conan2 \ FROM scratch AS python COPY --from=python_install /opt/python /opt/python -FROM scratch AS scancode-license-data -COPY --from=python_install /opt/scancode-license-data /opt/scancode-license-data - #------------------------------------------------------------------------ # NODEJS - Build NodeJS as a separate component with nvm FROM base AS nodejsbuild @@ -525,8 +513,6 @@ ENV GEM_HOME=/var/tmp/gem ENV PATH=$PATH:$RBENV_ROOT/bin:$RBENV_ROOT/shims:$RBENV_ROOT/plugins/ruby-install/bin COPY --from=ruby --chown=$USER:$USER $RBENV_ROOT $RBENV_ROOT -COPY --from=scancode-license-data --chown=$USER:$USER /opt/scancode-license-data /opt/scancode-license-data - #------------------------------------------------------------------------ # Container with all supported package managers. FROM minimal-tools AS all-tools From 5365aec0682870aa1112572467d216f6f13d05e9 Mon Sep 17 00:00:00 2001 From: Jan-Niclas Struewer Date: Tue, 21 Oct 2025 14:08:38 +0200 Subject: [PATCH 4/5] fix(Dockerfile): Fixed typo in installing uv version in Dockerfile Signed-off-by: Jan-Niclas Struewer --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3c47bdc41ae2e..1fcdd30ade753 100644 --- a/Dockerfile +++ b/Dockerfile @@ -173,7 +173,7 @@ RUN pip install --no-cache-dir -U \ poetry-plugin-export=="$PYTHON_POETRY_PLUGIN_EXPORT_VERSION" \ python-inspector=="$PYTHON_INSPECTOR_VERSION" \ setuptools=="$PYTHON_SETUPTOOLS_VERSION" \ - uv="$UV_VERSION" + uv=="$UV_VERSION" # # Extract ScanCode license texts to a directory. # RUN ARCH=$(arch | sed s/aarch64/arm64/) \ From 42e706a96b70586206450b4ec40592a1ac79ecdf Mon Sep 17 00:00:00 2001 From: Jan-Niclas Struewer Date: Tue, 21 Oct 2025 14:14:47 +0200 Subject: [PATCH 5/5] fix(Dockerfile): Fixed ScanCode build issues in Dockerfile ScanCode, especially on macOS due to the used Python installation, needs some explicit dependencies (especially click and setuptools) to work correctly. The dependencies must be installed before installing ScanCode for it to work properly. Signed-off-by: Jan-Niclas Struewer --- .env.versions | 1 + Dockerfile | 16 +++++++++------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/.env.versions b/.env.versions index 1453f2481dcba..c99b6d8e540be 100644 --- a/.env.versions +++ b/.env.versions @@ -17,6 +17,7 @@ NUGET_INSPECTOR_VERSION=0.9.12 PHP_VERSION=8.3 PIP_VERSION=25.2.0 PYENV_GIT_TAG=v2.6.3 +PYTHON_CLICK_VERSION=8.2.1 PYTHON_INSPECTOR_VERSION=0.14.4 PYTHON_PIPENV_VERSION=2023.12.1 PYTHON_POETRY_VERSION=2.1.3 diff --git a/Dockerfile b/Dockerfile index 1fcdd30ade753..ad989c842fce2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -121,6 +121,7 @@ FROM base AS python_install ARG CONAN2_VERSION ARG CONAN_VERSION ARG PIP_VERSION +ARG PYTHON_CLICK_VERSION ARG PYTHON_INSPECTOR_VERSION ARG PYTHON_PIPENV_VERSION ARG PYTHON_POETRY_PLUGIN_EXPORT_VERSION @@ -155,13 +156,6 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ clang \ && sudo rm -rf /var/lib/apt/lists/* -RUN ARCH=$(arch | sed s/aarch64/arm64/) \ - && if [ "$ARCH" == "arm64" ]; then \ - pip install -U scancode-toolkit-mini==$SCANCODE_VERSION; \ - else \ - pip install -U scancode-toolkit==$SCANCODE_VERSION; \ - fi - RUN pip install --no-cache-dir -U \ pip=="$PIP_VERSION" \ wheel \ @@ -172,9 +166,17 @@ RUN pip install --no-cache-dir -U \ poetry=="$PYTHON_POETRY_VERSION" \ poetry-plugin-export=="$PYTHON_POETRY_PLUGIN_EXPORT_VERSION" \ python-inspector=="$PYTHON_INSPECTOR_VERSION" \ + click==$PYTHON_CLICK_VERSION \ setuptools=="$PYTHON_SETUPTOOLS_VERSION" \ uv=="$UV_VERSION" +RUN ARCH=$(arch | sed s/aarch64/arm64/) \ + && if [ "$ARCH" == "arm64" ]; then \ + pip install -U scancode-toolkit-mini==$SCANCODE_VERSION; \ + else \ + pip install -U scancode-toolkit==$SCANCODE_VERSION; \ + fi + # # Extract ScanCode license texts to a directory. # RUN ARCH=$(arch | sed s/aarch64/arm64/) \ # if [ "$ARCH" == "arm64" ]; then \