fix: attempt to make linux builds faster (#911)

This work aims to make Linux builds faster to make https://github.com/ooni/probe/issues/2249 more convenient. Since those builds runs inside Docker, the problem to solve here is to save/restore the Go caches notwithstanding Docker. Because Docker runs as root, we need to modify the build a bit to run as a normal user. Otherwise, we will not be able to save the Go cache using actions/cache@v3. (Other approaches such as using `sudo` are possible but running the build as an unprivileged user actually looks cleaner, so I chose to do that.) While there, add a `.editorconfig`.

CLI/.gitignore

@@ -1,2 +1,3 @@
+/Dockerfile
 /miniooni-*
 /ooniprobe-*

CLI/go-build-alpine

@@ -1,15 +1,11 @@
 #!/bin/sh
 set -euxo pipefail
-apk update
-apk upgrade
-apk add --no-progress gcc git linux-headers musl-dev
-# We need to force git to look into this repository owned by the
-# user outside docker rather than by the user running docker
-git config --global --add safe.directory $(pwd)
 # Some of the following exports are redundant but are however
 # useful because they provide explicit logging
 export CGO_ENABLED=1
 export GOARM=$GOARM
+export GOCACHE=$GOCACHE
+export GOMODCACHE=$GOMODCACHE
 export GOOS=$GOOS
 export GOARCH=$GOARCH
 for PACKAGE in $@; do

CLI/go-build-linux-static

@@ -2,11 +2,14 @@
 
 set -euo pipefail
 
-if [[ $# -lt 2 ]]; then
+if [[ $# -lt 3 ]]; then
 	echo "" 1>&2
-	echo "Compiler for a Go PACKAGE producing static linux/OONIARCH binaries." 1>&2
+	echo "Docker-based compiler for a Go PACKAGE producing static linux/OONIARCH binaries." 1>&2
 	echo "" 1>&2
-	echo "usage: $0 OONIARCH PACKAGE..." 1>&2
+	echo "usage: $0 OOGOCACHEDIR OONIARCH PACKAGE..." 1>&2
+	echo "" 1>&2
+	echo "OOGOCACHEDIR is the directory under which to put GOCACHE and GOMODCACHE for" 1>&2
+	echo "this build, which will be mounted and passed to Docker." 1>&2
 	echo "" 1>&2
 	echo "OONIARCH must be one of: 386, amd64, arm64, armv6, armv7." 1>&2
 	echo "" 1>&2
@@ -25,6 +28,8 @@ fi
 
 GOLANG_DOCKER_IMAGE=golang:$(cat GOVERSION)-alpine
 GOOS=linux
+OOGOCACHEDIR=$1
+shift
 OONIARCH=$1
 shift
 
@@ -49,12 +54,41 @@ else
 	OONI_PSIPHON_TAGS=""
 fi
 
+# Implementation note: we must run docker as the user that invokes
+# it for actions/cache@v3 to be able to cache OOGOCACHEDIR. This
+# constraint forces us to run all privileged operations early
+# using a Dockerfile, so the build proper runs as $(id -u):$(id -g).
+
+GOCACHE=$OOGOCACHEDIR/oonibuild/v1/$OONIARCH/buildcache
+GOMODCACHE=$OOGOCACHEDIR/oonibuild/v1/$OONIARCH/modcache
+
+cat > CLI/Dockerfile << EOF
+FROM --platform=linux/$DOCKER_ARCH $GOLANG_DOCKER_IMAGE
+RUN apk update
+RUN apk upgrade
+RUN apk add --no-progress gcc git linux-headers musl-dev
+RUN adduser -D -h /home/oobuild -G nobody -u $(id -u) oobuild
+ENV HOME=/home/oobuild
+EOF
+
+TAGGED_IMAGE=oobuild-$OONIARCH-$(date +%Y%m%d%H)
+
+DOCKER_USER_OPTS="--user $(id -u):$(id -g)"
+
 set -x
 
+mkdir -p $GOCACHE $GOMODCACHE
+
 docker pull --platform linux/$DOCKER_ARCH $GOLANG_DOCKER_IMAGE
 
-docker run --platform linux/$DOCKER_ARCH \
+if ! docker inspect --type=image $TAGGED_IMAGE 1>/dev/null 2>/dev/null; then
+	docker build --platform linux/$DOCKER_ARCH -t $TAGGED_IMAGE CLI
+fi
+
+docker run --platform linux/$DOCKER_ARCH $DOCKER_USER_OPTS \
+	-e GOCACHE=/__gocache -e GOMODCACHE=/__gomodcache \
+	-v "$GOCACHE:/__gocache" -v "$GOMODCACHE:/__gomodcache" \
 	-e GOARM=$GOARM -e GOOS=$GOOS -e GOARCH=$GOARCH \
 	-e OONI_PSIPHON_TAGS=$OONI_PSIPHON_TAGS \
 	-e OONIARCH=$OONIARCH -e GOLANG_EXTRA_FLAGS="${GOLANG_EXTRA_FLAGS:-}" \
-	-v $(pwd):/ooni -w /ooni $GOLANG_DOCKER_IMAGE ./CLI/go-build-alpine "$@"
+	-v $(pwd):/ooni -w /ooni $TAGGED_IMAGE ./CLI/go-build-alpine "$@"