build tiny docker images

[JadedBlueEyes]

Appropriate semver, branch/PR and SHA tags are automatically generated, with the following suffixes:

• -tiny: amd64 + arm64 generic builds
• -tiny-haswell: amd64 haswell-optimised builds

Images are 24-30MB, and are tagged with metadata, build attestations, SBOM, etc.

• Binaries are built against glibc. All linked-against dependencies are automatically copied into the runtime image.
• Root certificates are also included.
• ARM images are cross-compiled from the host (as compiling under QEMU can take over three and a half hours)
• Additional architectures and CPU targets can be added by adding to the appropriate lists in the dockerfile and/or build matrix
• The build process is cached as much as possible, typically taking ~10mins due to rocksdb. 20 mins with no cache, 3 mins if the entire build is cached by buildkit and cargo isn't called.
• SOURCE_DATE_EPOCH is set, so builds should be reproducible as far as the build chains support that.

Possible enhancements:

• Use clang as the C++ compiler and enable cross-language LTO
• Smoke-test images before pushing the index / tags
• Optimise binaries with cargo-pgo (would require a representative benchmark suite)

Todo:

• Update docs
• Add an action to set the docker hub description Publish README to docker hub #663

Let me know if you want me to rebase the commit history to be a bit more sane.

[tcpipuk]

I'm excited to see this, thanks for writing it!

I'd probably squash the commits though as it's purely modifying the CI 🙂

[JadedBlueEyes]

Thanks! ❤️
I'd probably not squash all of them, as some are meaningful - like 7fc2e6a

[JadedBlueEyes]

Commits rebased, from 26 to 9!