Add devcontainer and container GC pipeline

Motivated by having a good Codespaces default UX.

This repo will also contain our centralized container
image GC.

Assisted-by: Cursor (Claude Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

.cargo/config.toml

@@ -0,0 +1,4 @@
+# Alias for cargo xtask
+[alias]
+xtask = "run --package xtask --"
+

.devcontainer/devcontainer.json

@@ -0,0 +1,29 @@
+{
+  "name": "bootc-dev",
+  "image": "ghcr.io/bootc-dev/infra/devenv:main",
+  "build": {
+    "context": "..",
+    "dockerfile": "../devenv/Containerfile"
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml"
+      ]
+    }
+  },
+  "features": {},
+  "remoteUser": "root",
+  "mounts": [
+    "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"
+  ],
+  "runArgs": [
+    "--privileged"
+  ],
+  "postCreateCommand": "echo 'DevContainer ready!'",
+  "remoteEnv": {
+    "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
+  }
+}
+

.github/workflows/build-devcontainer.yml

@@ -0,0 +1,117 @@
+name: Build DevContainer
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    paths:
+      - 'devenv/**'
+      - '.github/workflows/build-devcontainer.yml'
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}/devenv
+
+jobs:
+  build:
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - runner: ubuntu-latest
+            platform: linux/amd64
+            arch: amd64
+          - runner: ubuntu-24.04-arm
+            platform: linux/arm64
+            arch: arm64
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      
+      - name: Build and push by digest
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          context: devenv
+          file: devenv/Containerfile
+          platforms: ${{ matrix.platform }}
+          labels: ${{ steps.meta.outputs.labels }}
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+      
+      - name: Export digest
+        run: |
+          mkdir -p /tmp/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "/tmp/digests/${digest#sha256:}"
+      
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-${{ matrix.arch }}
+          path: /tmp/digests/*
+          if-no-files-found: error
+          retention-days: 1
+  
+  merge:
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name != 'pull_request'
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: /tmp/digests
+          pattern: digests-*
+          merge-multiple: true
+      
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=sha,prefix={{branch}}-,format=short
+            type=sha,prefix={{branch}}-,format=long
+            type=ref,event=pr
+            type=ref,event=tag
+      
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Create manifest list and push
+        working-directory: /tmp/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+      
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+

.github/workflows/container-gc.yml

@@ -0,0 +1,49 @@
+name: Container Image Garbage Collection
+
+on:
+  workflow_dispatch:
+    inputs:
+      retention-days:
+        description: "Delete container images older than this many days"
+        required: false
+        default: "14"
+        type: string
+      dry-run:
+        description: "Dry run mode - don't actually delete anything"
+        required: false
+        default: false
+        type: boolean
+  schedule:
+    # Run weekly on Sundays at 2 AM UTC
+    - cron: '0 2 * * 0'
+
+env:
+  ORG: bootc-dev
+  RETENTION_DAYS: ${{ github.event.inputs.retention-days || '14' }}
+  DRY_RUN: ${{ github.event.inputs.dry-run || 'false' }}
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+      
+      - name: Cache Cargo dependencies
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: "."
+      
+      - name: Run container garbage collection
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cargo xtask container-gc --retention-days ${{ env.RETENTION_DAYS }} --dry-run ${{ env.DRY_RUN }} --org ${{ env.ORG }}
+

.github/workflows/rust.yml

@@ -0,0 +1,44 @@
+name: Rust CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  CARGO_TERM_COLOR: always
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+      
+      - name: Cache Cargo dependencies
+        uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: "."
+      
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+      
+      - name: Run clippy
+        run: cargo clippy --all-targets -- -D warnings
+      
+      - name: Build
+        run: cargo build --release
+      
+      - name: Run tests
+        run: cargo test --all
+

.gitignore

@@ -0,0 +1,17 @@
+# Rust build artifacts
+target/
+Cargo.lock
+
+# macOS
+.DS_Store
+
+# Editor files
+*.swp
+*.swo
+*~
+.vscode/
+.idea/
+
+# Environment files
+.env
+

Cargo.toml

@@ -0,0 +1,27 @@
+[workspace]
+members = ["crates/*"]
+resolver = "2"
+
+[profile.dev]
+opt-level = 1
+
+[profile.release]
+lto = "thin"
+debug = true
+
+[workspace.dependencies]
+anyhow = "1.0"
+chrono = { version = "0.4", default-features = false, features = ["std", "clock"] }
+clap = { version = "4.5", features = ["derive", "env"] }
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+xshell = "0.2"
+
+[workspace.lints.rust]
+unsafe_code = "deny"
+unused_must_use = "forbid"
+
+[workspace.lints.clippy]
+dbg_macro = "deny"
+todo = "deny"
+

Justfile

@@ -0,0 +1,48 @@
+# Build devenv image with local tag
+devenv-build:
+	cd devenv && podman build -t localhost/bootc-devenv .
+
+# Build devenv image with proper tagging (latest + git SHA)
+devenv-build-tagged:
+	#!/usr/bin/env bash
+	set -euo pipefail
+	GIT_SHA=$(git rev-parse --short HEAD)
+	GIT_SHA_LONG=$(git rev-parse HEAD)
+	BRANCH=$(git rev-parse --abbrev-ref HEAD)
+	IMAGE_BASE="ghcr.io/bootc-dev/infra/devenv"
+	cd devenv
+	# Build with multiple tags
+	podman build \
+		-t "${IMAGE_BASE}:latest" \
+		-t "${IMAGE_BASE}:${BRANCH}-${GIT_SHA}" \
+		-t "${IMAGE_BASE}:${BRANCH}-${GIT_SHA_LONG}" \
+		.
+	echo "Built and tagged:"
+	echo "  - ${IMAGE_BASE}:latest"
+	echo "  - ${IMAGE_BASE}:${BRANCH}-${GIT_SHA}"
+	echo "  - ${IMAGE_BASE}:${BRANCH}-${GIT_SHA_LONG}"
+
+# Push devenv image with all tags
+devenv-push: devenv-build-tagged
+	#!/usr/bin/env bash
+	set -euo pipefail
+	GIT_SHA=$(git rev-parse --short HEAD)
+	GIT_SHA_LONG=$(git rev-parse HEAD)
+	BRANCH=$(git rev-parse --abbrev-ref HEAD)
+	IMAGE_BASE="ghcr.io/bootc-dev/infra/devenv"
+	podman push "${IMAGE_BASE}:latest"
+	podman push "${IMAGE_BASE}:${BRANCH}-${GIT_SHA}"
+	podman push "${IMAGE_BASE}:${BRANCH}-${GIT_SHA_LONG}"
+	echo "Pushed all tags to registry"
+
+# Run container garbage collection (dry run by default)
+container-gc-dry-run:
+	cargo xtask container-gc --dry-run true --retention-days 14
+
+# Run container garbage collection (actual deletion)
+container-gc:
+	cargo xtask container-gc --retention-days 14
+
+# Run container garbage collection with custom retention period
+container-gc-custom retention_days:
+	cargo xtask container-gc --retention-days {{retention_days}}