From dcac5190461e22f0776c78705a0d5221abf2824e Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Fri, 7 Mar 2025 09:11:50 -0800
Subject: [PATCH 1/6] Dockerfile: add tsffs-dev target
---
 .dockerignore | 3 ++-
 Dockerfile | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index 50092522..dde5f6f4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -5,4 +5,5 @@
 **/*.diff.craff
 # Don't add scripts so that builds dont have to rerun on script changes to those builds
 scripts
-target
\ No newline at end of file
+target
+packages
diff --git a/Dockerfile b/Dockerfile
index 9a7eae80..4611b7f4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # hadolint global ignore=DL3041,DL3040
-FROM fedora:42@sha256:ee88ab8a5c8bf78687ddcecadf824767e845adc19d8cdedb56f48521eb162b43
+FROM fedora:42@sha256:ee88ab8a5c8bf78687ddcecadf824767e845adc19d8cdedb56f48521eb162b43 AS tsffs-base
 # Download links can be obtained from:
 # https://lemcenter.intel.com/productDownload/?Product=256660e5-a404-4390-b436-f64324d94959
@@ -124,3 +124,34 @@ RUN ispm projects /workspace/projects/example/ --create \
 ninja
 RUN echo 'echo "To run the demo, run ./simics -no-gui --no-win fuzz.simics"' >> /root/.bashrc
+
+FROM tsffs-base AS tsffs-dev
+ARG USER_UID=1000
+ARG USERNAME=vscode
+
+# To build and run the dev image:
+# docker build --build-arg USER_UID=$(id -u) --target tsffs-dev -t tsffs:dev .
+# docker run --rm -ti -v .:/workspace/tsffs tsffs:dev
+
+RUN < /etc/sudoers.d/sudogrp
+# create group for developers
+groupadd dev
+# set /workspace/simics permissions to root:dev
+chown -R root:dev /workspace/{simics,projects} && chmod -R g+w /workspace/{simics,projects}
+
+# create user with matching host UID/GID
+groupadd -g $USER_GID $USERNAME || groupmod -n $USERNAME $(getent group $USER_GID | cut -d: -f1)
+useradd --create-home -u $USER_UID -g $USER_GID $USERNAME --groups dev,wheel
+
+# install Rust nightly for the user
+sudo -E -u $USERNAME bash -c 'curl https://sh.rustup.rs -sSf | bash -s -- -y --default-toolchain none'
+
+# copy Simics ISPM config
+mkdir -p /home/$USERNAME/.config
+cp -r "/root/.config/Intel Simics Package Manager/" "/home/$USERNAME/.config/"
+chown -R $USERNAME:$USERNAME "/home/$USERNAME/.config/"
+EOF
+
+WORKDIR /workspace/tsffs
From 66e5ff2ee6865dd04e97b625f1a76002ffe459d9 Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Tue, 20 May 2025 05:47:43 -0700
Subject: [PATCH 2/6] add DevContainer
---
 .devcontainer.json | 23 +++++++++++++++++++++++
 .dockerignore | 1 +
 Dockerfile | 17 +++++++++++------
 3 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 .devcontainer.json
diff --git a/.devcontainer.json b/.devcontainer.json
new file mode 100644
index 00000000..188cf269
--- /dev/null
+++ b/.devcontainer.json
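Review bot: The rustup bootstrap `sudo -E -u $USERNAME bash -c 'curl https://sh.rustup.rs -sSf | bash -s -- -y --default-toolchain none'` pipes an unpinned, unverified download straight into a shell, and since nothing visible in the heredoc sets pipefail, a failed curl leaves bash reading empty stdin and the RUN step still succeeds with no rustup installed. Download to a file and check it before executing: `curl -fsSL --proto '=https' --tlsv1.2 -o /tmp/rustup-init.sh https://sh.rustup.rs`, `echo "<EXPECTED_SHA256>  /tmp/rustup-init.sh" | sha256sum -c -`, then `sudo -u $USERNAME bash /tmp/rustup-init.sh -y --default-toolchain none` (placeholder digest to be filled from the pinned rustup-init release). Dropping `-E` also stops root's full build environment from being handed to the user's installer. Separately, `$USER_GID` is used by the `groupadd`/`useradd` lines but never declared as an `ARG` in this stage, so it expands to empty (PATCH 2/6 replaces those lines). The heredoc's opening `RUN` line and its first commands are truncated in this copy of the patch, so anything they set is not visible here.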
@@ -0,0 +1,23 @@
+{
+ "build": {
+ "dockerfile": "Dockerfile",
+ "target": "tsffs-dev"
+ },
+ "remoteUser": "vscode",
+ "updateRemoteUserUID": true,
+ "runArgs": [
+ "--group-add",
+ "dev"
+ ],
+ "workspaceMount": "source=${localWorkspaceFolder},target=/workspace/tsffs,type=bind",
+ "workspaceFolder": "/workspace/tsffs",
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "rust-lang.rust-analyzer",
+ "tamasfe.even-better-toml",
+ "ms-azuretools.vscode-containers"
+ ]
+ }
+ }
+}
diff --git a/.dockerignore b/.dockerignore
index dde5f6f4..e25d71f2 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,6 +3,7 @@
 **/target/
 **/*.img
 **/*.diff.craff
+.devcontainer.json
 # Don't add scripts so that builds dont have to rerun on script changes to those builds
 scripts
 target
diff --git a/Dockerfile b/Dockerfile
index 4611b7f4..1edd7d9a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -135,20 +135,25 @@ ARG USERNAME=vscode
 RUN < /etc/sudoers.d/sudogrp
 # create group for developers
 groupadd dev
+# Create group and user with a home at /home/vscode
+useradd \
+ --create-home \
+ --uid $USER_UID \
+ --user-group \
+ --groups dev \
+ --shell /bin/bash \
+ $USERNAME \
+ && echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$USERNAME
+
 # set /workspace/simics permissions to root:dev
 chown -R root:dev /workspace/{simics,projects} && chmod -R g+w /workspace/{simics,projects}
-# create user with matching host UID/GID
-groupadd -g $USER_GID $USERNAME || groupmod -n $USERNAME $(getent group $USER_GID | cut -d: -f1)
-useradd --create-home -u $USER_UID -g $USER_GID $USERNAME --groups dev,wheel
-
 # install Rust nightly for the user
 sudo -E -u $USERNAME bash -c 'curl https://sh.rustup.rs -sSf | bash -s -- -y --default-toolchain none'
-# copy Simics ISPM config
+# copy Simics ISPM config
 mkdir -p /home/$USERNAME/.config
 cp -r "/root/.config/Intel Simics Package Manager/" "/home/$USERNAME/.config/"
 chown -R $USERNAME:$USERNAME "/home/$USERNAME/.config/"
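Review bot: The sudoers drop-in written by `&& echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/$USERNAME` is created with the default umask and never validated, so a bad `USERNAME` build-arg (a space or an `@`) yields a syntactically broken file that sudo will refuse to parse for every user in the image, including the existing `sudogrp` entry. Append `&& chmod 0440 /etc/sudoers.d/$USERNAME && visudo -cf /etc/sudoers.d/$USERNAME` so the build fails at that line instead of at first use. The `tsffs-dev` stage also never switches to `USER $USERNAME`, so the `docker run` invocation documented in the comment above this hunk lands in a root shell even though the passwordless-sudo user was created precisely so that root is not needed; the devcontainer's `remoteUser` covers only the VS Code path. The comment `# Create group and user with a home at /home/vscode` hard-codes a name that is actually `/home/$USERNAME`; `# Create the dev user (with its own group) and a home at /home/$USERNAME` matches the code. The hunk's first context line (the `RUN` heredoc opener) is truncated in this copy of the patch.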
From 37b2c26d8a619ab9cb3b56ea9358dfe1df532fd3 Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Tue, 29 Jul 2025 08:20:06 -0700
Subject: [PATCH 3/6] Dockerfile: add tsffs-prod target
---
 Dockerfile | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 1edd7d9a..a80db109 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -160,3 +160,12 @@ chown -R $USERNAME:$USERNAME "/home/$USERNAME/.config/"
 EOF
 WORKDIR /workspace/tsffs
+
+FROM fedora:42@sha256:ee88ab8a5c8bf78687ddcecadf824767e845adc19d8cdedb56f48521eb162b43 AS tsffs-prod
+
+COPY --from=tsffs-base /workspace/projects /workspace/projects
+COPY --from=tsffs-base /workspace/simics /workspace/simics
+COPY --from=tsffs-base /root/.bashrc /root/.bashrc
+COPY --from=tsffs-base /root/.cargo /root/.cargo
+
+WORKDIR /workspace/projects/example
From d5c2cfd7cb3cb8057bc398b1b1c0971742a947e9 Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Tue, 29 Jul 2025 09:06:57 -0700
Subject: [PATCH 4/6] Dockerfile: ignore hadolint error
---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Dockerfile b/Dockerfile
index a80db109..724e0136 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -133,6 +133,7 @@ ARG USERNAME=vscode
 # docker build --build-arg USER_UID=$(id -u) --target tsffs-dev -t tsffs:dev .
 # docker run --rm -ti -v .:/workspace/tsffs tsffs:dev
+# hadolint ignore=DL3004,SC3009
 RUN <
Date: Tue, 29 Jul 2025 21:49:38 +0200
Subject: [PATCH 5/6] ci: add check_docker_image for voth targets
---
 .github/workflows/ci.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 32fe10d9..fe982487 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
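Review bot: `FROM fedora:42@sha256:… AS tsffs-prod` starts from a pristine base, so nothing declared in `tsffs-base` carries over: `ENV PATH="/root/.cargo/bin:/workspace/simics/ispm:${PATH}"` and `ENV SIMICS_BASE=…` are gone, which makes the copied `/root/.cargo` unreachable from the shell and leaves `ispm` off the path even though `/workspace/simics/ispm` is copied. Redeclare them in this stage, e.g. `ENV PATH="/root/.cargo/bin:/workspace/simics/ispm:${PATH}"` and `ENV SIMICS_BASE="/workspace/simics/simics-<PACKAGE_VERSION>/"` (the version is the `PUBLIC_SIMICS_PACKAGE_VERSION_1000` value from the base stage, which PATCH 6/6 turns into an `ARG` you can re-use). Any OS packages the base stage installs with dnf (the global DL3040/DL3041 ignores suggest there are some) are also absent here, so Simics' runtime libraries are presumably missing as well — worth a smoke run of `./simics` in CI rather than a build-only check. The stage is also left as root with no `USER` directive and no `ENTRYPOINT`/`CMD`; a `prod` image that only runs the example project should at least set `USER` to an unprivileged account that owns `/workspace/projects/example`.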
@@ -683,3 +683,33 @@ jobs:
 with:
 name: simics-pkg-31337-linux64
 path: packages/simics-pkg-31337-*-linux64.ispm
+
+ check_docker_image:
+ name: Check Docker Image
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ target: [tsffs-dev, tsffs-prod]
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ lfs: false
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+
+ - name: Build ${{ matrix.target }} target
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ with:
+ context: .
+ target: ${{ matrix.target }}
+ push: false
+ tags: tsffs:${{ matrix.target }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
From d738385908efb69541b36ba92f452e60b6f95638 Mon Sep 17 00:00:00 2001
From: Mathieu Tarral
Date: Wed, 30 Jul 2025 05:35:12 -0700
Subject: [PATCH 6/6] Dockerfile: specify simics vars through build-time variables with defaults
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 724e0136..12244495 100644
--- a/Dockerfile
+++ b/Dockerfile
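Review bot: The new `check_docker_image` job declares no `permissions:` block, so it inherits whatever the workflow or repository default grants — the top of the workflow is outside this hunk, so I cannot tell how broad that is — while a build-only job with `push: false` needs nothing beyond `permissions: { contents: read }`; add it at the job level. `fetch-depth: 0` clones the full history for a `docker build` that only reads the working tree (and `.dockerignore` already drops `.git`-adjacent noise), so the default shallow checkout is enough and faster. `egress-policy: audit` is the right starting point since the build fetches Simics from Intel's download host, but once the audit log shows the endpoint set, switching to `block` with `allowed-endpoints` is what pins the job's network surface. Building only proves the Dockerfile parses and installs; since `tsffs-prod` copies Simics into a fresh base, a follow-up step that runs the image (for example `docker run --rm tsffs:${{ matrix.target }} ./simics -batch-mode -version`, placeholder invocation to be confirmed against the project) would catch the missing-PATH/missing-libs class of breakage that a build cannot.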
@@ -6,9 +6,9 @@ FROM fedora:42@sha256:ee88ab8a5c8bf78687ddcecadf824767e845adc19d8cdedb56f48521eb
 # Download links can be obtained from:
 # https://lemcenter.intel.com/productDownload/?Product=256660e5-a404-4390-b436-f64324d94959
-ENV PUBLIC_SIMICS_PKGS_URL="https://registrationcenter-download.intel.com/akdlm/IRC_NAS/ead79ef5-28b5-48c7-8d1f-3cde7760798f/simics-6-packages-2024-05-linux64.ispm"
-ENV PUBLIC_SIMICS_ISPM_URL="https://registrationcenter-download.intel.com/akdlm/IRC_NAS/ead79ef5-28b5-48c7-8d1f-3cde7760798f/intel-simics-package-manager-1.8.3-linux64.tar.gz"
-ENV PUBLIC_SIMICS_PACKAGE_VERSION_1000="6.0.185"
+ARG PUBLIC_SIMICS_PKGS_URL="https://registrationcenter-download.intel.com/akdlm/IRC_NAS/ead79ef5-28b5-48c7-8d1f-3cde7760798f/simics-6-packages-2024-05-linux64.ispm"
+ARG PUBLIC_SIMICS_ISPM_URL="https://registrationcenter-download.intel.com/akdlm/IRC_NAS/ead79ef5-28b5-48c7-8d1f-3cde7760798f/intel-simics-package-manager-1.8.3-linux64.tar.gz"
+ARG PUBLIC_SIMICS_PACKAGE_VERSION_1000="6.0.185"
 ENV SIMICS_BASE="/workspace/simics/simics-${PUBLIC_SIMICS_PACKAGE_VERSION_1000}/"
 # Add cargo and ispm to the path
 ENV PATH="/root/.cargo/bin:/workspace/simics/ispm:${PATH}"
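Review bot: Turning `PUBLIC_SIMICS_PKGS_URL` and `PUBLIC_SIMICS_ISPM_URL` into `ARG`s makes the installer sources overridable per build, but nothing in this hunk binds either download to an expected digest, so a `--build-arg` pointing elsewhere, or upstream replacing the file behind the same URL, changes what gets installed without any build failure; the `RUN` that fetches them is outside this hunk, so I cannot see whether a check exists there. Pair each URL with a digest argument, e.g. `ARG PUBLIC_SIMICS_ISPM_SHA256="<expected-sha256>"`, and verify with `sha256sum -c` in the download step, or fetch with `ADD --checksum=sha256:<expected-sha256> ${PUBLIC_SIMICS_ISPM_URL} /tmp/ispm.tar.gz` so a mismatch fails the build (placeholder digests to be taken from Intel's published values). A comment above the three `ARG`s such as `# Build-time only: override with --build-arg to pin a different Simics release; all three must agree` would also document the new contract. Note that `PUBLIC_SIMICS_PACKAGE_VERSION_1000` is no longer present in the running container's environment after this change; `ENV SIMICS_BASE` still expands it correctly at build time, but any script that read the `PUBLIC_SIMICS_*` variables at runtime would now see them unset.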