Use docker to create a buck2 image

flake.nix

@@ -320,6 +320,18 @@
             os = "linux";
           };
         };
+        toolchain-buck2 = buildImage {
+          name = "toolchain-buck2";
+          # imageDigest and sha256 are generated by toolchain-buck2.sh for non-reproducible builds.
+          fromImage = pullImage {
+            imageName = "localhost:5001/toolchain-buck2";
+            imageDigest = ""; # DO NOT COMMIT BUCK2 IMAGE_DIGEST VALUE
+            sha256 = ""; # DO NOT COMMIT BUCK2 SHA256 VALUE
+            tlsVerify = false;
+            arch = "amd64";
+            os = "linux";
+          };
+        };
       in rec {
         _module.args.pkgs = let
           nixpkgs-patched = (import self.inputs.nixpkgs {inherit system;}).applyPatches {
@@ -370,6 +382,7 @@
             nativelink-worker-lre-java = createWorker lre-java;
             nativelink-worker-siso-chromium = createWorker siso-chromium;
             nativelink-worker-toolchain-drake = createWorker toolchain-drake;
+            nativelink-worker-toolchain-buck2 = createWorker toolchain-buck2;
             nativelink-worker-buck2-toolchain = buck2-toolchain;
             image = nativelink-image;
           }

tools/toolchain-buck2/Dockerfile

@@ -0,0 +1,40 @@
+# Copyright 2022-2024 The NativeLink Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ubuntu:jammy-20240212
+# https://hub.docker.com/layers/library/ubuntu/jammy-20240212/images/sha256-9089166d0211acd54441bb6a532f69e0038287edf625d62fda94784df7f07474
+FROM ubuntu:22.04@sha256:f9d633ff6640178c2d0525017174a688e2c1aef28f0a0130b26bd5554491f0da AS dependencies
+# hadolint ignore=DL3009,DL3015
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive \
+    apt-get install -y \
+        git=1:2.34.1-1ubuntu1.11 \
+        ca-certificates=20230311ubuntu0.22.04.1 \
+        curl=7.81.0-1ubuntu1.17 \
+        xz-utils=5.2.5-2ubuntu1 \
+        python3=3.10.6-1~22.04.1 \
+        unzip=6.0-26ubuntu3.2 && \
+        update-ca-certificates
+
+RUN curl -L https://go.dev/dl/go1.23.0.linux-amd64.tar.gz -o go1.23.0.linux-amd64.tar.gz && \
+    rm -rf /usr/local/go && \
+    tar -C /usr/local -xzf go1.23.0.linux-amd64.tar.gz && \
+    rm go1.23.0.linux-amd64.tar.gz
+
+# hadolint ignore=SC1091,DL4006
+RUN curl -sL -o nix-installer https://install.determinate.systems/nix/nix-installer-x86_64-linux && \
+    chmod +x nix-installer && \
+    ./nix-installer install linux --init none --no-confirm && \
+    . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && \
+    nix develop github:facebook/buck2/d76c189ed6092d7b53506b9411241680923d593b && \
+    echo "export PATH=\"$(nix develop github:facebook/buck2/d76c189ed6092d7b53506b9411241680923d593b --command env | grep '^PATH=' | cut -d '=' -f 2-):/usr/local/go/bin\"" > /etc/profile.d/set_path.sh

tools/toolchain-buck2/toolchain-buck2.sh

@@ -0,0 +1,119 @@
+#!/usr/bin/env bash
+# Copyright 2022-2024 The NativeLink Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Creates a custom toolchain for building https://github.com/facebook/buck2
+# source tree and pushing it to Amazon Elastic Container Registry (ECR).
+
+set -xeuo pipefail
+
+ECR=${ECR:?Error: ECR is not set}
+ECR_PROFILE=${ECR_PROFILE:?Error: ECR_PROFILE is not set}
+ECR_USER=${ECR_USER:?Error: ECR_USER is not set}
+ECR_REGION=${ECR_REGION:?Error: ECR_REGION is not set}
+BUILDX_NO_CACHE=${BUILDX_NO_CACHE:-true}
+ECR_PUBLISH=${ECR_PUBLISH:-true}
+
+SRC_ROOT=$(git rev-parse --show-toplevel)
+FLAKE_NIX_FILE="${SRC_ROOT}/flake.nix"
+echo "WARNING: This script will modify and revert the flake.nix"
+sleep 3
+
+function ecr_login() {
+    aws ecr get-login-password --profile ${ECR_PROFILE} --region ${ECR_REGION} | \
+    docker login --username ${ECR_USER} --password-stdin ${ECR}
+}
+
+# Build a base image for buck2 actions.
+# Base image is published to the local docker engine
+# from the Dockerfile.
+docker buildx build --no-cache=${BUILDX_NO_CACHE} \
+    --platform linux/amd64 \
+    -t localhost:5001/toolchain-buck2:latest \
+    --push \
+    ${SRC_ROOT}/tools/toolchain-buck2
+
+# Parse out the repo digests sha hash to be used as image digest.
+FULL_IMAGE_PATH=$(docker inspect localhost:5001/toolchain-buck2:latest | jq '.[].RepoDigests[0]')
+IMAGE_DIGEST=$(echo $FULL_IMAGE_PATH | awk -F'[@"]' '{print $3}')
+if [ -z "$IMAGE_DIGEST" ]; then
+    echo "Unable to parse RepoDigests"
+    exit 1
+fi
+
+# Capture unpatched flake file for test.
+ORIGINAL_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+
+# Patch flake.nix with image digest.
+sed -i -E "s|imageDigest = \"\"; # DO NOT COMMIT BUCK2 IMAGE_DIGEST VALUE|imageDigest = \"${IMAGE_DIGEST}\"; # DO NOT COMMIT BUCK2 IMAGE_DIGEST VALUE|" "${FLAKE_NIX_FILE}"
+
+# Bail if flake wasn't updated
+PATCHED_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+if [ "$ORIGINAL_FLAKE_CONTENT" == "$PATCHED_FLAKE_CONTENT" ]; then
+    echo "No changes were made to ${FLAKE_NIX_FILE}"
+    exit 1
+else
+    echo "Changes made"
+    pushd $SRC_ROOT
+    git --no-pager diff "${FLAKE_NIX_FILE}"
+    sleep 3
+    popd
+fi
+
+# Get the sha256 value, this will fail due to empty string in the sha256 field.
+set +o pipefail
+SHA256_HASH=$(
+    nix run .#nativelink-worker-toolchain-buck2.copyTo \
+    docker://localhost:5001/nativelink-toolchain-buck2:latest \
+    -- --dest-tls-verify=false 2>&1 | \
+    grep "got:" | \
+    grep -o 'sha256-[^[:space:]]*'
+)
+set -o pipefail
+
+# Capture unpatched flake file for test.
+ORIGINAL_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+
+# Patch flake.nix with sha256 value.
+sed -i -E "s|sha256 = \"\"; # DO NOT COMMIT BUCK2 SHA256 VALUE|sha256 = \"${SHA256_HASH}\"; # DO NOT COMMIT BUCK2 SHA256 VALUE|" "${FLAKE_NIX_FILE}"
+
+# Bail if flake wasn't updated.
+PATCHED_FLAKE_CONTENT=$(cat "${FLAKE_NIX_FILE}")
+if [ "$ORIGINAL_FLAKE_CONTENT" == "$PATCHED_FLAKE_CONTENT" ]; then
+    echo "No changes were made to ${FLAKE_NIX_FILE}"
+    exit 1
+else
+    echo "Changes made"
+    pushd $SRC_ROOT
+    git --no-pager diff "${FLAKE_NIX_FILE}"
+    sleep 3
+    popd
+fi
+
+# Add worker specific files and configurations.
+nix run .#nativelink-worker-toolchain-buck2.copyTo \
+    docker://localhost:5001/nativelink-toolchain-buck2:latest \
+    -- \
+    --dest-tls-verify=false
+
+# Publish image to ECR.
+if [ "$ECR_PUBLISH" = "true" ]; then
+    ecr_login
+    nix run .#nativelink-worker-toolchain-buck2.copyTo ${ECR}
+else
+    echo "Skipping ECR publishing"
+fi
+
+# Restore changes.
+git restore "${FLAKE_NIX_FILE}"

tools/toolchain-drake/toolchain-drake.sh

@@ -1,4 +1,20 @@
 #!/usr/bin/env bash
+# Copyright 2022-2024 The NativeLink Authors. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Creates a custom toolchain for building https://github.com/RobotLocomotion/drake
+# source tree and pushing it to Amazon Elastic Container Registry (ECR).
 
 set -xeuo pipefail