From 1096c849816a2366915ee6a234a77f35ee9b24b8 Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Mon, 11 Nov 2024 07:35:38 -0800 Subject: [PATCH 01/15] Add GPG key import to the Redhat build to avoid package signature errors --- Dockerfile.redhat | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/Dockerfile.redhat b/Dockerfile.redhat index f7101cbb1..d485da817 100644 --- a/Dockerfile.redhat +++ b/Dockerfile.redhat @@ -9,10 +9,14 @@ RUN yum update -y && \ # Install additional FEDORA packages # from https://www.cyberciti.biz/faq/install-epel-repo-on-an-rhel-8-x/ -# Currently the FEDORA packages are needed only for Z3 -# NOTE: we might have to eventually use *only* RedHat packages +# NOTE: Import the GPG key is needed, see https://www.redhat.com/en/blog/rpm-gpg-verify-packages +# NOTE: Currently the FEDORA packages are needed only for Z3 +# NOTE: We might have to eventually use *only* RedHat packages # which would mean installing Z3 directly from the release page -RUN yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ +RUN wget https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9 && \ + rpm --import RPM-GPG-KEY-EPEL-9 && \ + rm RPM-GPG-KEY-EPEL-9 && \ + yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ yum update -y && \ yum install -y z3 From 1d0ef22da03fe597e63f640c7a5d081bae9b570b Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Mon, 11 Nov 2024 11:37:21 -0800 Subject: [PATCH 02/15] Fix the docker test script, and update z3 installation --- .github/workflows/docker.yml | 2 +- Dockerfile.redhat | 14 +------------- 2 files changed, 2 insertions(+), 14 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index d706c6f08..97f8359aa 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
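Review bot: The EPEL key in the new `RUN wget … && rpm --import RPM-GPG-KEY-EPEL-9` step (PATCH 01, Dockerfile.redhat) is downloaded from the same host as the `epel-release-latest-9.noarch.rpm` it is meant to vouch for, so the import adds no trust anchor beyond TLS to dl.fedoraproject.org. Record the expected fingerprint in the Dockerfile and compare it before importing, for example by checking the output of `gpg --show-keys --with-colons RPM-GPG-KEY-EPEL-9` against `<EPEL9_KEY_FINGERPRINT>` (placeholder). It is also worth confirming that the release RPM itself is signature-checked: it is installed by URL, and as far as I know dnf leaves `localpkg_gpgcheck` off by default for packages named on the command line. PATCH 02 later removes this block, so this only matters if the EPEL route comes back.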
@@ -94,4 +94,4 @@ jobs: - name: Run CN CI tests run: | docker pull ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} - docker run -v $PWD:/work ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} tests/run-cn.sh + docker run -v $PWD:/work ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} bash tests/run-cn.sh diff --git a/Dockerfile.redhat b/Dockerfile.redhat index d485da817..697323522 100644 --- a/Dockerfile.redhat +++ b/Dockerfile.redhat @@ -7,19 +7,6 @@ RUN yum update -y && \ git perl wget ca-certificates \ mpfr-devel gmp-devel m4 -# Install additional FEDORA packages -# from https://www.cyberciti.biz/faq/install-epel-repo-on-an-rhel-8-x/ -# NOTE: Import the GPG key is needed, see https://www.redhat.com/en/blog/rpm-gpg-verify-packages -# NOTE: Currently the FEDORA packages are needed only for Z3 -# NOTE: We might have to eventually use *only* RedHat packages -# which would mean installing Z3 directly from the release page -RUN wget https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9 && \ - rpm --import RPM-GPG-KEY-EPEL-9 && \ - rm RPM-GPG-KEY-EPEL-9 && \ - yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ - yum update -y && \ - yum install -y z3 - # Install OPAM # See https://opam.ocaml.org/doc/1.2/Install.html RUN curl -fsSL https://opam.ocaml.org/install.sh | sh @@ -30,6 +17,7 @@ RUN opam init --disable-sandboxing ADD . /opt/cerberus WORKDIR /opt/cerberus RUN opam install --deps-only ./cerberus-lib.opam ./cn.opam +RUN opam install z3 RUN eval `opam env` \ && make install_cn From db820d6096a8f644acc2da0a20a3b1f0cd2c8d1b Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 08:54:10 -0800 Subject: [PATCH 03/15] Run docker actions any time a dockerfile is changed --- .github/workflows/docker.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 97f8359aa..3756da38b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
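Review bot: The added `RUN opam install z3` (PATCH 02, Dockerfile.redhat, second hunk) takes whatever Z3 version the opam repository serves at build time. The workflow rebuilds on a daily schedule, so the solver inside the published image can change without any change to this repository. Pin it, e.g. `RUN opam install z3.<Z3_VERSION>` (placeholder for the version the project has validated), so that verification results from the image are reproducible. The context line `RUN opam init --disable-sandboxing` means the package's build steps run without opam's sandbox, which is one more reason to fix the exact version being built. The install could also be folded into the preceding `opam install --deps-only` layer.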
@@ -1,8 +1,13 @@ name: docker on: + # Run this action every day schedule: - cron: '30 18 * * *' + # Run this action any time any dockerfile changes + pull_request: + paths: + - 'Dockerfile**' env: CERBERUS_IMAGE_ID: ghcr.io/rems-project/cerberus/cn From 756ac4df6dd3397628dc5f69333a3018f566f842 Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 09:09:48 -0800 Subject: [PATCH 04/15] Specify the working directory for the container --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 3756da38b..4f99c308b 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -99,4 +99,4 @@ jobs: - name: Run CN CI tests run: | docker pull ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} - docker run -v $PWD:/work ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} bash tests/run-cn.sh + docker run -v $PWD:/work -w /work ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }} bash tests/run-cn.sh From 62a4d1bbd04fbdf0a628a45e0453a660e38d3bca Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 09:12:00 -0800 Subject: [PATCH 05/15] Minimal dockerfile change (added documentation) to test triggering the docker action --- Dockerfile.redhat | 3 ++- Dockerfile.ubuntu | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile.redhat b/Dockerfile.redhat index 697323522..b0dd7b231 100644 --- a/Dockerfile.redhat +++ b/Dockerfile.redhat @@ -1,6 +1,7 @@ +# Build a minimal cerberus release image FROM redhat/ubi9:9.4 -# Install basic dependencies +# Install system packages RUN yum update -y && \ yum install -y xz sudo gcc unzip \ diffutils patch pkgconfig bzip2 \ diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu index 26657ef57..96d1e8900 100644 --- a/Dockerfile.ubuntu +++ b/Dockerfile.ubuntu 
@@ -1,6 +1,7 @@ -# Build a minimal release image +# Build a minimal cerberus release image FROM ubuntu:22.04 +# Install system packages RUN apt-get update RUN apt-get upgrade -y RUN apt-get install -y opam libgmp-dev libmpfr-dev From 7b4effbbdf8008b02f162553f49a4ae9b70a7c70 Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 09:14:54 -0800 Subject: [PATCH 06/15] Trigger docker action on any push event that also changes a Dockerfile. This should be OK as we don't expect the dockerfiles to be changing very often and from multiple branches --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 4f99c308b..df9b451c6 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -5,7 +5,7 @@ on: schedule: - cron: '30 18 * * *' # Run this action any time any dockerfile changes - pull_request: + push: paths: - 'Dockerfile**' From cca96da53d553f3e9cdced9c35fe44ca3d478684 Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 09:16:17 -0800 Subject: [PATCH 07/15] Also enable docker action run any time there is a change in the docker.yml file --- .github/workflows/docker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index df9b451c6..64294c80a 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -8,6 +8,7 @@ on: push: paths: - 'Dockerfile**' + - '.github/wokflows/docker.yml' env: CERBERUS_IMAGE_ID: ghcr.io/rems-project/cerberus/cn From a6ccebfc14dc576aecf00dc67271ac288f89d67a Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 09:17:59 -0800 Subject: [PATCH 08/15] Change the path hoping to trigger the docker action --- .github/workflows/docker.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
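Review bot: The `push:` trigger introduced in PATCH 06 has a `paths:` filter but no `branches:` filter, so a push to any branch that touches a Dockerfile starts the image build. If the build steps still publish unconditionally at this commit (`push: true` is only visible as a removed line in PATCH 12), a feature-branch build would overwrite the shared `release` and `release-redhat` tags. Restrict the trigger with `branches: [<default-branch>]` under `push:`, or gate the publish step on the ref. PATCH 11 later switches the trigger back to `pull_request`, so this applies to the intermediate commits.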
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 64294c80a..b7b5e8d35 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,8 +7,8 @@ on: # Run this action any time any dockerfile changes push: paths: - - 'Dockerfile**' - - '.github/wokflows/docker.yml' + - 'Dockerfile.**' + - '**/docker.yml' env: CERBERUS_IMAGE_ID: ghcr.io/rems-project/cerberus/cn From c70c955c71ea965ffc629569d6b4f10dbae4a01d Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 09:20:44 -0800 Subject: [PATCH 09/15] Try disabling the scheduled run --- .github/workflows/docker.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index b7b5e8d35..4906f4fc8 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -2,13 +2,13 @@ name: docker on: # Run this action every day - schedule: - - cron: '30 18 * * *' + # schedule: + # - cron: '30 18 * * *' # Run this action any time any dockerfile changes push: paths: - 'Dockerfile.**' - - '**/docker.yml' + - '**docker.yml' env: CERBERUS_IMAGE_ID: ghcr.io/rems-project/cerberus/cn From 2d5bb2c5f2605bbbb8a77014d9e5b62733bf3d85 Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Tue, 12 Nov 2024 09:21:46 -0800 Subject: [PATCH 10/15] Re-enabling the scheduled run --- .github/workflows/docker.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 4906f4fc8..7e8c3fe27 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -2,8 +2,8 @@ name: docker on: # Run this action every day - # schedule: - # - cron: '30 18 * * *' + schedule: + - cron: '30 18 * * *' # Run this action any time any dockerfile changes push: paths: From fa13c8214710dfd8006b7ceac9321f67c5226eaa Mon Sep 17 00:00:00 2001 
From: Dhruv Makwana Date: Tue, 12 Nov 2024 18:39:26 +0000 Subject: [PATCH 11/15] Try triggering docker.yml on PR --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 7e8c3fe27..9bfa3a247 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -5,7 +5,7 @@ on: schedule: - cron: '30 18 * * *' # Run this action any time any dockerfile changes - push: + pull_request: paths: - 'Dockerfile.**' - '**docker.yml' From e1b416de2a6bf09afc0ce4a5b7f58381ed6b0832 Mon Sep 17 00:00:00 2001 From: Dhruv Makwana Date: Wed, 13 Nov 2024 12:49:54 +0000 Subject: [PATCH 12/15] Disable Docker push on PRs It's not allowed anyway (as desired) but it fails the CI spuriously. --- .github/workflows/docker.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 9bfa3a247..24c22f0cd 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -50,7 +50,7 @@ jobs: with: context: . platforms: linux/amd64,linux/arm64 - push: true + push: ${{ github.event_name == 'pull_request' }} tags: ${{env.CERBERUS_IMAGE_ID}}:release file: Dockerfile.ubuntu github-token: ${{ secrets.GITHUB_TOKEN }} @@ -82,7 +82,7 @@ jobs: with: context: . platforms: linux/amd64,linux/arm64 - push: true + push: ${{ github.event_name == 'pull_request' }} tags: ${{env.CERBERUS_IMAGE_ID}}:release-redhat file: Dockerfile.redhat attests: type=sbom From 63641f07d592ffc80d5230737e7f635ed9b1bbd5 Mon Sep 17 00:00:00 2001 From: Dhruv Makwana Date: Wed, 13 Nov 2024 17:28:49 +0000 Subject: [PATCH 13/15] Fix Docker push condition --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 24c22f0cd..7afccf7fc 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -82,7 +82,7 @@ jobs: with: context: . platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name == 'pull_request' }} + push: ${{ github.event_name != 'pull_request' }} tags: ${{env.CERBERUS_IMAGE_ID}}:release-redhat file: Dockerfile.redhat attests: type=sbom From 872876bf1b99466dea93805d69be95fc8c3b72b3 Mon Sep 17 00:00:00 2001 From: Dhruv Makwana Date: Wed, 13 Nov 2024 17:29:38 +0000 Subject: [PATCH 14/15] Fix other Docker push condition --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 7afccf7fc..dfd5a4e4e 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -50,7 +50,7 @@ jobs: with: context: . platforms: linux/amd64,linux/arm64 - push: ${{ github.event_name == 'pull_request' }} + push: ${{ github.event_name != 'pull_request' }} tags: ${{env.CERBERUS_IMAGE_ID}}:release file: Dockerfile.ubuntu github-token: ${{ secrets.GITHUB_TOKEN }} From 002381938210b81000121a331cd5ce7aa37f6904 Mon Sep 17 00:00:00 2001 From: Michal Podhradsky Date: Mon, 18 Nov 2024 08:45:19 -0800 Subject: [PATCH 15/15] Update test-docker image dependencies --- .github/workflows/docker.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index dfd5a4e4e..6104a323e 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -91,6 +91,7 @@ jobs: test-docker-images: runs-on: ubuntu-latest + needs: [docker-release-redhat, docker-release-ubuntu] strategy: matrix: tag: [release, release-redhat]
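Review bot: The publish gate `push: ${{ github.event_name != 'pull_request' }}` (PATCH 13 for Dockerfile.redhat, and the same line in PATCH 14 for Dockerfile.ubuntu) is a deny-list. Any event later added under `on:` would publish the release tags by default, and this series already used a branch-wide `push` trigger in PATCH 06. An allow-list states the intent directly and fails closed: `push: ${{ github.event_name == 'schedule' }}`. The trigger should also stay on `pull_request` rather than `pull_request_target`, so that Dockerfiles from forks are never built with a write-scoped token.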
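Review bot: On pull requests the `needs: [docker-release-redhat, docker-release-ubuntu]` line added in PATCH 15 orders the jobs but does not make the tests exercise the PR's images. PATCHES 13 and 14 disable the registry push for that event, and the test step shown in PATCH 04 (apparently in this same job, since it uses `matrix.tag`) runs `docker pull ${{env.CERBERUS_IMAGE_ID}}:${{ matrix.tag }}`. A PR that changes a Dockerfile is therefore tested against the previously published image and can go green without its change ever being run. Either skip the job on PRs with `if: github.event_name != 'pull_request'`, or hand the freshly built image to the test job (for example as a build artifact) instead of pulling from the registry.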