workflows: Rewrite build-ci-container to work on larger runners

.github/workflows/build-ci-container.yml

@@ -18,95 +18,70 @@ on:
       - '.github/workflows/containers/github-action-ci/**'
 
 jobs:
-  # TODO(boomanaiden154): Switch this back to a single stage build when we can
-  # run this on the self-hosted runners and don't have to do it this way to
-  # avoid timeouts.
-  build-ci-container-stage1:
+  build-ci-container:
     if: github.repository_owner == 'llvm'
-    runs-on: ubuntu-latest
+    runs-on: depot-ubuntu-22.04-16
+    outputs:
+      container-name: ${{ steps.vars.outputs.container-name }}
+      container-name-tag: ${{ steps.vars.outputs.container-name-tag }}
+      container-filename: ${{ steps.vars.outputs.container-filename }}
     steps:
       - name: Checkout LLVM
         uses: actions/checkout@v4
         with:
           sparse-checkout: .github/workflows/containers/github-action-ci/
-      - name: Change podman Root Direcotry
-        run: |
-          mkdir -p ~/.config/containers
-          sudo mkdir -p /mnt/podman
-          sudo chown `whoami`:`whoami` /mnt/podman
-          cp ./.github/workflows/containers/github-action-ci/storage.conf ~/.config/containers/storage.conf
-          podman info
-      - name: Build container stage1
-        working-directory: ./.github/workflows/containers/github-action-ci/
-        run: |
-          podman build -t stage1-toolchain --target stage1-toolchain -f stage1.Dockerfile .
-      - name: Save container image
-        run: |
-          podman save stage1-toolchain > stage1-toolchain.tar
-      - name: Upload container image
-        uses: actions/upload-artifact@v4
-        with:
-          name: stage1-toolchain
-          path: stage1-toolchain.tar
-          retention-days: 1
-  build-ci-container-stage2:
-    if: github.repository_owner == 'llvm'
-    runs-on: ubuntu-latest
-    needs: build-ci-container-stage1
-    permissions:
-      packages: write
-    steps:
       - name: Write Variables
         id: vars
         run: |
           tag=`date +%s`
           container_name="ghcr.io/$GITHUB_REPOSITORY_OWNER/ci-ubuntu-22.04"
           echo "container-name=$container_name" >> $GITHUB_OUTPUT
           echo "container-name-tag=$container_name:$tag" >> $GITHUB_OUTPUT
-
-      - name: Checkout LLVM
-        uses: actions/checkout@v4
-        with:
-          sparse-checkout: .github/workflows/containers/github-action-ci/
-
-      - name: Change podman Root Direcotry
+          echo "container-filename=$(echo $container_name:$tag  | sed -e 's/\//-/g' -e 's/:/-/g').tar" >> $GITHUB_OUTPUT
+      - name: Build container
+        working-directory: ./.github/workflows/containers/github-action-ci/
         run: |
-          mkdir -p ~/.config/containers
-          sudo mkdir -p /mnt/podman
-          sudo chown `whoami`:`whoami` /mnt/podman
-          cp ./.github/workflows/containers/github-action-ci/storage.conf ~/.config/containers/storage.conf
-          podman info
+          podman build -t ${{ steps.vars.outputs.container-name-tag }} .
 
-        # Download the container image into /mnt/podman rather than
-        # $GITHUB_WORKSPACE to avoid space limitations on the default drive
-        # and use the permissions setup for /mnt/podman.
-      - name: Download stage1-toolchain
-        uses: actions/download-artifact@v4
-        with:
-          name: stage1-toolchain
-          path: /mnt/podman
-
-      - name: Load stage1-toolchain
+      # Save the container so we have it in case the push fails.  This also
+      # allows us to separate the push step into a different job so we can
+      # maintain minimal permissions while building the container.
+      - name: Save container image
         run: |
-          podman load -i /mnt/podman/stage1-toolchain.tar
+          podman save  ${{ steps.vars.outputs.container-name-tag }} >  ${{ steps.vars.outputs.container-filename }}
 
-      - name: Build Container
-        working-directory: ./.github/workflows/containers/github-action-ci/
-        run: |
-          podman build -t ${{ steps.vars.outputs.container-name-tag }} -f stage2.Dockerfile .
-          podman tag ${{ steps.vars.outputs.container-name-tag }} ${{ steps.vars.outputs.container-name }}:latest
+      - name: Upload container image
+        uses: actions/upload-artifact@v4
+        with:
+          name: container
+          path: ${{ steps.vars.outputs.container-filename }}
+          retention-days: 14
 
       - name: Test Container
         run: |
           for image in ${{ steps.vars.outputs.container-name-tag }} ${{  steps.vars.outputs.container-name }}; do
             podman run --rm -it $image /usr/bin/bash -x -c 'printf '\''#include <iostream>\nint main(int argc, char **argv) { std::cout << "Hello\\n"; }'\'' | clang++ -x c++ - && ./a.out | grep Hello'
           done
 
+  push-ci-container:
+    if: github.event_name == 'push'
+    needs:
+      - build-ci-container
+    permissions:
+      packages: write
+    runs-on: ubuntu-24.04
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Download container
+        uses: actions/download-artifact@v4
+        with:
+          name: container
+
       - name: Push Container
-        if: github.event_name == 'push'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
+          podman load -i ${{ needs.build-ci-container.outptus.container-filename }}
+          podman tag ${{ steps.vars.outputs.container-name-tag }} ${{ steps.vars.outputs.container-name }}:latest
           podman login -u ${{ github.actor }} -p $GITHUB_TOKEN ghcr.io
-          podman push ${{ steps.vars.outputs.container-name-tag }}
-          podman push ${{ steps.vars.outputs.container-name }}:latest
+          podman push ${{ needs.build-ci-container.outputs.container-name-tag }}
+          podman push ${{ needs.build-ci-container.outputs.container-name }}:latest

.github/workflows/containers/github-action-ci/Dockerfile

@@ -0,0 +1,62 @@
+FROM docker.io/library/ubuntu:22.04 as base
+ENV LLVM_SYSROOT=/opt/llvm
+
+FROM base as stage1-toolchain
+ENV LLVM_VERSION=19.1.2
+
+RUN apt-get update && \
+    apt-get install -y \
+    wget \
+    gcc \
+    g++ \
+    cmake \
+    ninja-build \
+    python3 \
+    git \
+    curl
+
+RUN curl -O -L https://github.com/llvm/llvm-project/archive/refs/tags/llvmorg-$LLVM_VERSION.tar.gz && tar -xf llvmorg-$LLVM_VERSION.tar.gz
+
+WORKDIR /llvm-project-llvmorg-$LLVM_VERSION
+
+# Patch to enable better PGO profile data.
+# TODO: Remove this for llvm 20
+ADD https://github.com/llvm/llvm-project/commit/738250989ce516f02f809bdfde474a039c77e81f.patch .
+
+RUN patch -p1 < 738250989ce516f02f809bdfde474a039c77e81f.patch
+
+RUN cmake -B ./build -G Ninja ./llvm \
+  -C ./clang/cmake/caches/BOLT-PGO.cmake \
+  -DBOOTSTRAP_LLVM_ENABLE_LLD=ON \
+  -DBOOTSTRAP_BOOTSTRAP_LLVM_ENABLE_LLD=ON \
+  -DPGO_INSTRUMENT_LTO=Thin \
+  -DLLVM_ENABLE_RUNTIMES="compiler-rt" \
+  -DCMAKE_INSTALL_PREFIX="$LLVM_SYSROOT" \
+  -DLLVM_ENABLE_PROJECTS="bolt;clang;lld;clang-tools-extra" \
+  -DLLVM_DISTRIBUTION_COMPONENTS="lld;compiler-rt;clang-format;scan-build" \
+  -DCLANG_DEFAULT_LINKER="lld"
+
+RUN ninja -C ./build stage2-clang-bolt stage2-install-distribution && ninja -C ./build install-distribution
+
+FROM base
+
+COPY --from=stage1-toolchain $LLVM_SYSROOT $LLVM_SYSROOT
+
+# Need to install curl for hendrikmuhs/ccache-action
+# Need nodejs for some of the GitHub actions.
+# Need perl-modules for clang analyzer tests.
+# Need git for SPIRV-Tools tests.
+RUN apt-get update && \
+    apt-get install -y \
+    binutils \ 
+    cmake \
+    curl \
+    git \
+    libstdc++-11-dev \
+    ninja-build \
+    nodejs \
+    perl-modules \
+    python3-psutil
+
+ENV LLVM_SYSROOT=$LLVM_SYSROOT
+ENV PATH=${LLVM_SYSROOT}/bin:${PATH}