# Sulkta straw-build — reproducible Android + Rust build image for the Straw APK. # # Pushed to git.sulkta.com/sulkta-infra/straw-build:latest and used as the job # `container:` in .forgejo/workflows/build.yml. It bakes the toolchain that # otherwise lives only in bind-mounts on the long-running crafting-table, so a # FRESH Forgejo CI job container is fully self-contained (no host /caches # dependency, no per-machine signing key). # # Toolchain pinned to exactly what builds vc=72 successfully: # JDK 21 · NDK 27.2.12479018 · build-tools 34.0.0 · platforms android-36 # Rust stable + 4 Android targets · cargo-ndk · clang/libclang (rquickjs bindgen) FROM eclipse-temurin:21-jdk-jammy ENV DEBIAN_FRONTEND=noninteractive \ ANDROID_SDK_ROOT=/opt/android-sdk \ ANDROID_HOME=/opt/android-sdk \ ANDROID_NDK_HOME=/opt/android-sdk/ndk/27.2.12479018 \ CARGO_HOME=/opt/cargo \ RUSTUP_HOME=/opt/rustup \ PATH=/opt/cargo/bin:/opt/android-sdk/cmdline-tools/latest/bin:/opt/android-sdk/platform-tools:/usr/bin:/bin # Base OS deps: clang/libclang for rquickjs bindgen, a C toolchain for the # QuickJS C sources, unzip for the SDK zips, git+ca-certs for checkout. RUN apt-get update && apt-get install -y --no-install-recommends \ git curl unzip ca-certificates clang libclang-dev build-essential pkg-config \ && rm -rf /var/lib/apt/lists/* # Android cmdline-tools + the SDK packages the build needs. ARG CMDLINE_TOOLS_ZIP=commandlinetools-linux-11076708_latest.zip RUN mkdir -p "$ANDROID_SDK_ROOT/cmdline-tools" \ && curl -fsSL -o /tmp/cmdtools.zip "https://dl.google.com/android/repository/${CMDLINE_TOOLS_ZIP}" \ && unzip -q /tmp/cmdtools.zip -d "$ANDROID_SDK_ROOT/cmdline-tools" \ && mv "$ANDROID_SDK_ROOT/cmdline-tools/cmdline-tools" "$ANDROID_SDK_ROOT/cmdline-tools/latest" \ && rm /tmp/cmdtools.zip \ && yes | sdkmanager --licenses >/dev/null 2>&1 \ && sdkmanager --install \ "platform-tools" \ "platforms;android-36" \ "build-tools;34.0.0" \ "ndk;27.2.12479018" >/dev/null \ && rm -rf "$ANDROID_SDK_ROOT/.temp" /tmp/* # Rust toolchain + the four Android targets + cargo-ndk. RUN curl -fsSL https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile minimal \ && rustup target add \ aarch64-linux-android armv7-linux-androideabi i686-linux-android x86_64-linux-android \ && cargo install cargo-ndk --locked \ && rm -rf /opt/cargo/registry/cache /opt/cargo/registry/src # Sanity: fail the image build early if anything's missing. RUN java -version && cargo --version && cargo ndk --version || true \ && test -d "$ANDROID_NDK_HOME" && test -d "$ANDROID_SDK_ROOT/build-tools/34.0.0" # Publish tooling (appended last so the heavy toolchain layers stay cached): # docker CLI to talk to the runner's host socket for the fdroid steps, and # openssh-client to stream the signed repo to Rackham. The build steps don't # touch the socket; only the gated publish step does. RUN apt-get update && apt-get install -y --no-install-recommends \ docker.io openssh-client \ && rm -rf /var/lib/apt/lists/* # The signing keystore is NOT baked — it's injected per-build from the Forgejo # secret STRAW_SIGNING_KEYSTORE_B64 → STRAW_KEYSTORE_FILE.