feat(ci): move Linux CI to UBI 10 container images

.devcontainer/Containerfile

@@ -1,9 +1,9 @@
 # Red Hat Universal Base Image 10
 FROM registry.access.redhat.com/ubi10/ubi
 
-# Enable required repositories
+# Enable CRB and EPEL (both freely available on UBI 10, no subscription required)
 RUN dnf install -y 'dnf-command(config-manager)' && \
-    dnf config-manager --enable ubi-10-codeready-builder-rpms && \
+    dnf config-manager --enable codeready-builder-for-ubi-10-$(arch)-rpms && \
     dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
 
 # Core build tools
@@ -16,33 +16,47 @@ RUN dnf install -y \
 RUN dnf install -y gcc gcc-c++ gdb \
         gcc-toolset-15-gcc gcc-toolset-15-gcc-c++ gcc-toolset-15-binutils
 
-# LLVM / Clang
+# LLVM / Clang (llvm-toolset meta-package not available on UBI)
 RUN dnf install -y \
-        llvm-toolset clang clang-tools-extra clang-devel llvm-devel lld lldb
+        clang clang-tools-extra clang-devel llvm-devel lld lldb
 
 # Static analysis and documentation
-RUN dnf install -y cppcheck doxygen graphviz
+# doxygen not available in UBI repos — only needed for 'docs' target, not CI
+RUN dnf install -y cppcheck graphviz
+
+# Bloaty McBloatface — binary size analyzer (build from source)
+# Uses bundled third-party deps (re2, protobuf, abseil) to avoid
+# version incompatibilities with system packages.
+ARG BLOATY_VERSION="v1.1"
+RUN git clone --branch ${BLOATY_VERSION} --depth 1 --recurse-submodules --shallow-submodules \
+        https://github.com/google/bloaty.git /tmp/bloaty && \
+    cmake -S /tmp/bloaty -B /tmp/bloaty/build \
+        -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -G Ninja && \
+    cmake --build /tmp/bloaty/build -j && \
+    cmake --install /tmp/bloaty/build && \
+    rm -rf /tmp/bloaty
 
 # Editors
 RUN dnf install -y neovim nano
 
 # Python packages
 RUN python3 -m pip install --upgrade pip setuptools && \
-    python3 -m pip install conan && \
+    python3 -m pip install conan gcovr lizard && \
     conan --version
 
 # Conan configuration for containers
 ENV CONAN_SYSREQUIRES_SUDO=0 \
     CONAN_SYSREQUIRES_MODE=enabled
 
-# include-what-you-use (build from source)
-ARG IWYU_BRANCH="clang_19"
+# include-what-you-use (build from source, auto-detect Clang version)
 ENV IWYU=/home/iwyu \
     IWYU_BUILD=/home/iwyu/build \
     IWYU_SRC=/home/iwyu/include-what-you-use
 
-RUN mkdir -p ${IWYU_BUILD} && \
-    git clone --branch ${IWYU_BRANCH} --depth 1 \
+RUN CLANG_MAJOR=$(clang --version | head -1 | grep -oE '[0-9]+' | head -1) && \
+    echo "Detected Clang ${CLANG_MAJOR}, using IWYU branch clang_${CLANG_MAJOR}" && \
+    mkdir -p ${IWYU_BUILD} && \
+    git clone --branch "clang_${CLANG_MAJOR}" --depth 1 \
         https://github.com/include-what-you-use/include-what-you-use.git \
         ${IWYU_SRC}
 

.devcontainer/Containerfile.intel

@@ -0,0 +1,22 @@
+# Intel oneAPI CI image — extends the main CI image with ICX/ICPX
+ARG BASE_IMAGE=ghcr.io/versatushpc/cmake_template/ci:latest
+FROM ${BASE_IMAGE}
+
+# Intel oneAPI repository
+RUN rpm --import https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB && \
+    printf '[oneAPI]\nname=Intel oneAPI repository\nbaseurl=https://yum.repos.intel.com/oneapi\nenabled=1\ngpgcheck=1\ngpgkey=https://yum.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB\n' \
+        > /etc/yum.repos.d/oneAPI.repo
+
+# Install Intel oneAPI DPC++/C++ compiler
+RUN dnf install -y intel-oneapi-compiler-dpcpp-cpp && \
+    dnf clean all && rm -rf /var/cache/dnf
+
+# Make Intel compiler available without setvars.sh
+# The compiler binaries and libraries are under /opt/intel/oneapi/compiler/latest
+ENV PATH="/opt/intel/oneapi/compiler/latest/bin:${PATH}" \
+    LD_LIBRARY_PATH="/opt/intel/oneapi/compiler/latest/lib:${LD_LIBRARY_PATH}" \
+    CMAKE_PREFIX_PATH="/opt/intel/oneapi/compiler/latest:${CMAKE_PREFIX_PATH}" \
+    CC="icx" \
+    CXX="icpx"
+
+CMD ["/bin/bash"]

.github/workflows/build-ci-image.yml

@@ -0,0 +1,99 @@
+name: build-ci-image
+
+on:
+  push:
+    branches: [master, main]
+    paths:
+      - '.devcontainer/Containerfile'
+      - '.devcontainer/Containerfile.intel'
+      - '.github/workflows/build-ci-image.yml'
+  pull_request:
+    paths:
+      - '.devcontainer/Containerfile'
+      - '.devcontainer/Containerfile.intel'
+      - '.github/workflows/build-ci-image.yml'
+  schedule:
+    # Weekly rebuild — picks up UBI 10 base image security updates
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-ci-image:
+    name: CI image
+    runs-on: ubuntu-latest
+    outputs:
+      ci-image: ${{ steps.image-name.outputs.ci }}
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Compute lowercase image name
+        id: image-name
+        run: |
+          REPO="${{ github.repository }}"
+          echo "ci=${{ env.REGISTRY }}/${REPO,,}/ci:latest" >> $GITHUB_OUTPUT
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}/ci
+          tags: |
+            type=raw,value=latest
+            type=sha,prefix=sha-,format=short
+
+      - name: Build and push CI image
+        uses: docker/build-push-action@v6
+        with:
+          context: .devcontainer
+          file: .devcontainer/Containerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+  build-ci-intel-image:
+    name: CI Intel image
+    runs-on: ubuntu-latest
+    needs: build-ci-image
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Image metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ github.repository }}/ci-intel
+          tags: |
+            type=raw,value=latest
+            type=sha,prefix=sha-,format=short
+
+      - name: Build and push Intel CI image
+        uses: docker/build-push-action@v6
+        with:
+          context: .devcontainer
+          file: .devcontainer/Containerfile.intel
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            BASE_IMAGE=${{ needs.build-ci-image.outputs.ci-image }}