Dockerfile: fix cross-compiling gomodjail

Fix issue 4241

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

.github/workflows/ghcr-image-build-and-publish.yml

@@ -33,6 +33,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
 
+      # FIXME: setup-qemu-action is depended by `gomodjail pack`
       - name: Set up QEMU
         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # v3.6.0
 

.github/workflows/release.yml

@@ -24,6 +24,9 @@ jobs:
       attestations: write  # for provenances
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    # FIXME: setup-qemu-action is depended by `gomodjail pack`
+    - name: "Set up QEMU"
+      uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # v3.6.0
     - name: "Install go"
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5  # v5.5.0
       with:

Dockerfile

@@ -107,6 +107,16 @@ ENV CGO_ENABLED=1
 RUN GO=xx-go make static && \
   xx-verify --static bypass4netns && cp -a bypass4netns bypass4netnsd /out/${TARGETARCH}
 
+FROM build-base-debian AS build-gomodjail
+ARG GOMODJAIL_VERSION
+ARG TARGETARCH
+RUN git clone --quiet --depth 1 --branch "${GOMODJAIL_VERSION%@*}" https://github.com/AkihiroSuda/gomodjail.git /go/src/github.com/AkihiroSuda/gomodjail
+WORKDIR /go/src/github.com/AkihiroSuda/gomodjail
+RUN git-checkout-tag-with-hash.sh ${GOMODJAIL_VERSION} && \
+  mkdir -p /out/${TARGETARCH}
+RUN GO=xx-go make STATIC=1 && \
+  xx-verify --static _output/bin/gomodjail && cp -a _output/bin/gomodjail /out/${TARGETARCH}
+
 FROM build-base-debian AS build-kubo
 ARG KUBO_VERSION
 ARG TARGETARCH
@@ -234,12 +244,8 @@ RUN ROOTLESSKIT_VERSION=${ROOTLESSKIT_VERSION/@BINARY}; \
   rm -f "${fname}" /out/bin/rootlesskit-docker-proxy && \
   echo "- RootlessKit: ${ROOTLESSKIT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG GOMODJAIL_VERSION
-RUN git clone https://github.com/AkihiroSuda/gomodjail.git /go/src/github.com/AkihiroSuda/gomodjail && \
-  cd /go/src/github.com/AkihiroSuda/gomodjail && \
-  git-checkout-tag-with-hash.sh "${GOMODJAIL_VERSION}" && \
-  make STATIC=1 && \
-  cp -a _output/bin/gomodjail /out/bin/ && \
-  echo "- gomodjail: ${GOMODJAIL_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+COPY --from=build-gomodjail /out/${TARGETARCH:-amd64}/* /out/bin/
+RUN echo "- gomodjail: ${GOMODJAIL_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 
 RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
@@ -254,6 +260,8 @@ COPY . /go/src/github.com/containerd/nerdctl
 RUN { echo "# nerdctl (full distribution)"; echo "- nerdctl: $(cd /go/src/github.com/containerd/nerdctl && git describe --tags)"; cat /out/share/doc/nerdctl-full/README.md; } > /out/share/doc/nerdctl-full/README.md.new; mv /out/share/doc/nerdctl-full/README.md.new /out/share/doc/nerdctl-full/README.md
 WORKDIR /go/src/github.com/containerd/nerdctl
 RUN BINDIR=/out/bin make binaries install
+# FIXME: `gomodjail pack` depends on QEMU for non-native architecture
+# TODO: gomodjail should provide a plain shell script that utilizes `zip(1)` for packing the self-extract archive, without running `gomodjail pack`..
 RUN /out/bin/gomodjail pack --go-mod=/go/src/github.com/containerd/nerdctl/go.mod /out/bin/nerdctl && \
   cp -a nerdctl.gomodjail /out/bin/
 COPY README.md /out/share/doc/nerdctl/