ci: Switch CI to GitHub & update deps

Docker Hub now costs $5/month to build open source projects, and it's
always been a clunky and slow builder. So let's switch everything to
GitHub CI.

We also add a note encouraging as many users as possible to replace
OpenSSL with `rustls` and switch to `cross`.

Author: emk

.github/workflows/ci.yml

@@ -0,0 +1,104 @@
+name: Test and publish image
+
+on:
+  schedule:
+    # Rust tends to make stable releases every six weeks on Thursday 10am
+    # Pacific Time. Force a build a few hours later than that (every week) to
+    # scoop up the newest stable and beta (including patch releases).
+    #
+    # This way, even if we don't update the matrix below we should still have
+    # images.
+    - cron: '0 21 * * THU'
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+# See https://docs.github.com/en/actions/guides/publishing-docker-images for the
+# theory, but we do some things differently.
+
+jobs:
+  test_image:
+    name: Test static linking (using stable Rust)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      # Run some fairly extensive tests to make sure that we actually produce
+      # static, working programs.
+      - name: Test image
+        run: ./test-image
+
+  build_and_push:
+    name: Build image & push
+    runs-on: ubuntu-latest
+
+    needs:
+      - test_image
+
+    strategy:
+      matrix:
+        # We build multiple versions of the image from the same Dockerfile each
+        # time we push. This is different that the standard strategy for
+        # maintaining images using GitHub actions, which involves a lot of tags
+        # and branches. But since there are new Rust releases far more often
+        # than we change this project, it works.
+        toolchain:
+          - "stable"
+          - "beta"
+          - "1.57.0"
+
+          # We never built these, so include them until they get built and released once.
+          - 1.56.1
+          - 1.55.0
+          - 1.54.0
+          - 1.53.0
+          - 1.52.1
+
+          # See https://rust-lang.github.io/rustup-components-history/ and choose
+          # the newest nightly build that has all the components (except RLS,
+          # which is obsolete).
+          - "nightly-2021-12-23"
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Login to GitHub Container Registry
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build release image
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          build-args: |
+            TOOLCHAIN=${{ matrix.toolchain }}
+          # Use some slightly funky substituations to tag only `stable` as `latest`.
+          tags: |
+            ghcr.io/emk/rust-musl-builder:${{ matrix.toolchain }}
+            ekidd/rust-musl-builder:${{ matrix.toolchain }}
+            ${{ matrix.toolchain == 'stable' && 'ghcr.io/emk/rust-musl-builder:latest' || '' }}
+            ${{ matrix.toolchain == 'stable' && 'ekidd/rust-musl-builder:latest' || '' }}
+          labels: |
+            org.opencontainers.image.title=rust-musl-builder
+            org.opencontainers.image.description=Tools for statically linked Rust programs using musl-libc
+            org.opencontainers.image.url=https://github.com/emk/rust-musl-builder
+            org.opencontainers.image.source=https://github.com/emk/rust-musl-builder
+            net.randomhacks.rust-musl-builder.toolchain=${{ matrix.toolchain }}

.travis.yml

@@ -4,7 +4,25 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). We do not use Semantic Versioning, because our images are tagged based on Rust releases. However, we try to maintain as much backwards compatibility as possible.
 
-For maximum stablity, use images with tags like `ekidd/rust-musl-builder:1.46.0` or `ekidd/rust-musl-builder:nightly-2020-08-26`. These may occasionally be rebuilt, but only while they're "current", or possibly if they're recent and serious security are discovered in a library.
+For maximum stablity, use images with tags like `ekidd/rust-musl-builder:1.46.0` or `ekidd/rust-musl-builder:nightly-2020-08-26`. These may occasionally be rebuilt, but only while they're "current", or possibly if they're recent and serious security issues are discovered in a library.
+
+## 2021-12-23
+
+### Added
+
+- Set up weekly cron builds every Thursday, a few hours after Rust releases often happen. This should keep `stable` and `beta` more-or-less up-to-date. (Tagged releases like `1.57.0` will still need to be made manually.)
+
+### Changed
+
+- **Moved release builds from Docker Hub to GitHub!** This allows us to once again start building images without paying Docker Hub for slow, frustrating builders.
+- Moved PR tests from Travis CI to GitHub.
+- Updated `examples/` to use newer dependencies.
+- Updated to OpenSSL 1.1.1m.
+- Updated to mdbook 0.4.14.
+- Updated to mbbook-graphviz 0.1.3 (now using upstream binaries).
+- Updated to cargo-about 0.4.4.
+- Updated to cargo-audit 0.16.0 (now using upstream binaries).
+- Updated to PostgreSQL 11.14. Still no PostgreSQL 12 unless someone wants to look into diesel and static linking.
 
 ## 2021-02-13
 

CHANGELOG.md

@@ -9,33 +9,35 @@ ARG TOOLCHAIN=stable
 # - https://www.openssl.org/source/
 #
 # ALSO UPDATE hooks/build!
-ARG OPENSSL_VERSION=1.1.1i
+ARG OPENSSL_VERSION=1.1.1m
 
 # Versions for other dependencies. Here are the places to check for new
 # releases:
 #
 # - https://github.com/rust-lang/mdBook/releases
+# - https://github.com/dylanowen/mdbook-graphviz/releases
 # - https://github.com/EmbarkStudios/cargo-about/releases
+# - https://github.com/rustsec/rustsec/releases
 # - https://github.com/EmbarkStudios/cargo-deny/releases
 # - http://zlib.net/
 # - https://ftp.postgresql.org/pub/source/
 #
 # We're stuck on PostgreSQL 11 until we figure out
 # https://github.com/emk/rust-musl-builder/issues.
-ARG MDBOOK_VERSION=0.4.6
-ARG CARGO_ABOUT_VERSION=0.2.3
-ARG CARGO_DENY_VERSION=0.8.5
+ARG MDBOOK_VERSION=0.4.14
+ARG MDBOOK_GRAPHVIZ_VERSION=0.1.3
+ARG CARGO_ABOUT_VERSION=0.4.4
+ARG CARGO_AUDIT_VERSION=0.16.0
+ARG CARGO_DENY_VERSION=0.11.0
 ARG ZLIB_VERSION=1.2.11
-ARG POSTGRESQL_VERSION=11.11
+ARG POSTGRESQL_VERSION=11.14
 
 # Make sure we have basic dev tools for building C libraries.  Our goal here is
 # to support the musl-libc builds and Cargo builds needed for a large selection
 # of the most popular crates.
 #
 # We also set up a `rust` user by default. This user has sudo privileges if you
 # need to install any more software.
-#
-# `mdbook` is the standard Rust tool for making searchable HTML manuals.
 RUN apt-get update && \
     export DEBIAN_FRONTEND=noninteractive && \
     apt-get install -yq \
@@ -53,18 +55,33 @@ RUN apt-get update && \
         linux-libc-dev \
         pkgconf \
         sudo \
+        unzip \
         xutils-dev \
         && \
     apt-get clean && rm -rf /var/lib/apt/lists/* && \
-    useradd rust --user-group --create-home --shell /bin/bash --groups sudo && \
-    curl -fLO https://github.com/rust-lang-nursery/mdBook/releases/download/v$MDBOOK_VERSION/mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
+    useradd rust --user-group --create-home --shell /bin/bash --groups sudo
+
+# - `mdbook` is the standard Rust tool for making searchable HTML manuals.
+# - `mdbook-graphviz` allows using inline GraphViz drawing commands to add illustrations.
+# - `cargo-about` generates a giant license file for all dependencies.
+# - `cargo-audit` checks for security vulnerabilities. We include it for backwards compat.
+# - `cargo-deny` does everything `cargo-audit` does, plus check licenses & many other things.
+RUN curl -fLO https://github.com/rust-lang-nursery/mdBook/releases/download/v$MDBOOK_VERSION/mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
     tar xf mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
     mv mdbook /usr/local/bin/ && \
     rm -f mdbook-v$MDBOOK_VERSION-x86_64-unknown-linux-gnu.tar.gz && \
+    curl -fLO https://github.com/dylanowen/mdbook-graphviz/releases/download/v$MDBOOK_GRAPHVIZ_VERSION/mdbook-graphviz_v${MDBOOK_GRAPHVIZ_VERSION}_x86_64-unknown-linux-musl.zip && \
+    unzip mdbook-graphviz_v${MDBOOK_GRAPHVIZ_VERSION}_x86_64-unknown-linux-musl.zip && \
+    mv mdbook-graphviz /usr/local/bin/ && \
+    rm -f mdbook-graphviz_v${MDBOOK_GRAPHVIZ_VERSION}_x86_64-unknown-linux-musl.zip && \
     curl -fLO https://github.com/EmbarkStudios/cargo-about/releases/download/$CARGO_ABOUT_VERSION/cargo-about-$CARGO_ABOUT_VERSION-x86_64-unknown-linux-musl.tar.gz && \
     tar xf cargo-about-$CARGO_ABOUT_VERSION-x86_64-unknown-linux-musl.tar.gz && \
     mv cargo-about-$CARGO_ABOUT_VERSION-x86_64-unknown-linux-musl/cargo-about /usr/local/bin/ && \
     rm -rf cargo-about-$CARGO_ABOUT_VERSION-x86_64-unknown-linux-musl.tar.gz cargo-about-$CARGO_ABOUT_VERSION-x86_64-unknown-linux-musl && \
+    curl -fLO https://github.com/rustsec/rustsec/releases/download/cargo-audit%2Fv${CARGO_AUDIT_VERSION}/cargo-audit-x86_64-unknown-linux-gnu-v${CARGO_AUDIT_VERSION}.tgz && \
+    tar xf cargo-audit-x86_64-unknown-linux-gnu-v${CARGO_AUDIT_VERSION}.tgz && \
+    cp cargo-audit-x86_64-unknown-linux-gnu-v${CARGO_AUDIT_VERSION}/cargo-audit /usr/local/bin/ && \
+    rm -rf cargo-audit-x86_64-unknown-linux-gnu-v${CARGO_AUDIT_VERSION}.tgz cargo-audit-x86_64-unknown-linux-gnu-v${CARGO_AUDIT_VERSION} && \
     curl -fLO https://github.com/EmbarkStudios/cargo-deny/releases/download/$CARGO_DENY_VERSION/cargo-deny-$CARGO_DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \
     tar xf cargo-deny-$CARGO_DENY_VERSION-x86_64-unknown-linux-musl.tar.gz && \
     mv cargo-deny-$CARGO_DENY_VERSION-x86_64-unknown-linux-musl/cargo-deny /usr/local/bin/ && \
@@ -160,14 +177,12 @@ ENV X86_64_UNKNOWN_LINUX_MUSL_OPENSSL_DIR=/usr/local/musl/ \
     LIBZ_SYS_STATIC=1 \
     TARGET=musl
 
-# Install some useful Rust tools from source. This will use the static linking
-# toolchain, but that should be OK.
+# Install some useful Rust tools from source (as few as we can, because these
+# slow down image builds). This will use the static linking toolchain, but that
+# should be OK.
 #
-# We include cargo-audit for compatibility with earlier versions of this image,
-# but cargo-deny provides a superset of cargo-audit's features.
-RUN env CARGO_HOME=/opt/rust/cargo cargo install -f cargo-audit && \
-    env CARGO_HOME=/opt/rust/cargo cargo install -f cargo-deb && \
-    env CARGO_HOME=/opt/rust/cargo cargo install -f mdbook-graphviz && \
+# - `cargo-deb` builds Debian packages.
+RUN env CARGO_HOME=/opt/rust/cargo cargo install -f cargo-deb && \
     rm -rf /opt/rust/cargo/registry/
 
 # Allow sudo without a password.

Dockerfile

@@ -5,7 +5,14 @@
 - [Source on GitHub](https://github.com/emk/rust-musl-builder)
 - [Changelog](https://github.com/emk/rust-musl-builder/blob/master/CHANGELOG.md)
 
-**UPDATED:** Major updates in this release which may break some builds. See [the CHANGELOG](https://github.com/emk/rust-musl-builder/blob/master/CHANGELOG.md) for details. If these updates break your build, you can update your `Dockerfile` to use `FROM ekidd/rust-musl-builder:1.48.0` to revert to the previous version.
+**UPDATED:** We are now running builds on GitHub, including scheduled builds of `stable` and `beta` every Thursday!
+
+However, **[`rustls`](rustls) now works well** with most of the Rust ecosystem, including `reqwest`, `tokio`, `tokio-postgres`, `sqlx` and many others. The only major project which still requires `libpq` and OpenSSL is [Diesel](https://diesel.rs/). If you don't need `diesel` or `libpq`:
+
+- See if you can switch away from OpenSSL, typically by using `features` in `Cargo.toml` to ask your dependencies to use [`rustls`](rustls) instead.
+- If you don't need OpenSSL, try [`cross build --target=x86_64-unknown-linux-musl --release`](https://github.com/rust-embedded/cross) to cross-compile your binaries for `libmusl`. This supports many more platforms, with less hassle!
+
+[rustls]: https://github.com/rustls
 
 ## What is this?
 
@@ -186,18 +193,6 @@ If you're using Docker crates which require specific C libraries to be installed
 
 If you need an especially common library, please feel free to submit a pull request adding it to the main `Dockerfile`!  We'd like to support popular Rust crates out of the box.
 
-## ARM support (experimental)
-
-To target ARM hard float (Raspberry Pi):
-
-```sh
-rust-musl-builder cargo build --target=armv7-unknown-linux-musleabihf --release
-```
-
-Binaries will be written to `target/$TARGET_ARCHITECTURE/release`. By default it targets `x86_64-unknown-linux-musl` unless specified with `--target`.
-
-This is missing many of the libraries used by the `x86_64` build, and it should probably be split out of the base image and given its own tags.
-
 ## Development notes
 
 After modifying the image, run `./test-image` to make sure that everything works.