chore: add utilities for Windows Docker image publishing

MODULE.bazel

@@ -3,9 +3,11 @@ module(name = "com_github_buildbarn_bb_storage")
 bazel_dep(name = "aspect_bazel_lib", version = "2.22.5")
 bazel_dep(name = "aspect_rules_js", version = "2.9.2")
 bazel_dep(name = "bazel_remote_apis", version = "0")
+bazel_dep(name = "bazel_skylib", version = "1.9.0")
 bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "googleapis", version = "0.0.0-20260109-6145b5ff")
 bazel_dep(name = "grpc", version = "1.76.0.bcr.1")
+bazel_dep(name = "hermetic_cc_toolchain", version = "4.1.0")
 bazel_dep(name = "jsonnet_go", version = "0.21.0")
 bazel_dep(name = "opentelemetry-proto", version = "1.8.0")
 bazel_dep(name = "platforms", version = "1.0.0")
@@ -16,6 +18,8 @@ bazel_dep(name = "rules_go", version = "0.59.0")
 bazel_dep(name = "rules_img", version = "0.3.3")
 bazel_dep(name = "rules_jsonnet", version = "0.7.2")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
+bazel_dep(name = "rules_oci", version = "2.2.7")
+bazel_dep(name = "rules_pkg", version = "1.2.0")
 bazel_dep(name = "rules_proto", version = "7.1.0")
 bazel_dep(name = "rules_shell", version = "0.6.1")
 bazel_dep(name = "toolchains_llvm", version = "1.6.0")
@@ -26,6 +30,13 @@ git_override(
     remote = "https://github.com/bazelbuild/remote-apis.git",
 )
 
+# TODO: remove when https://github.com/bazel-contrib/rules_oci/pull/886 lands
+git_override(
+    module_name = "rules_oci",
+    commit = "2df143255d8e25c09a53707a7ff4fd768021d796",
+    remote = "https://github.com/bazel-contrib/rules_oci.git",
+)
+
 single_version_override(
     module_name = "gazelle",
     patches = ["//:patches/gazelle/dont-flatten-srcs.diff"],
@@ -163,3 +174,38 @@ pull(
     registry = "gcr.io",
     repository = "distroless/static",
 )
+
+pull(
+    name = "nanoserver",
+    digest = "sha256:4bfc3ec32a8b9bb5e7a182440c517b0706267d88fda77b54acddf819920400ad",
+    registry = "mcr.microsoft.com",
+    repository = "windows/nanoserver",
+)
+
+oci = use_extension("@rules_oci//oci:extensions.bzl", "oci")
+oci.pull(
+    name = "distroless_static_oci",
+    digest = "sha256:7e5c6a2a4ae854242874d36171b31d26e0539c98fc6080f942f16b03e82851ab",
+    image = "gcr.io/distroless/static",
+    platforms = [
+        "linux/amd64",
+        "linux/arm64/v8",
+    ],
+)
+use_repo(oci, "distroless_static_oci")
+
+oci.pull(
+    name = "nanoserver_oci",
+    digest = "sha256:723a61e89a2c8c88ceeb92986ab1d895c9ae5278789417a2c768f61d6a70f2c7",
+    image = "mcr.microsoft.com/windows/nanoserver",
+)
+use_repo(oci, "nanoserver_oci")
+
+toolchains = use_extension("@hermetic_cc_toolchain//toolchain:ext.bzl", "toolchains")
+use_repo(toolchains, "zig_sdk")
+register_toolchains(
+    "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.31",
+    "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.31",
+    "@zig_sdk//toolchain:windows_amd64",
+    "@zig_sdk//toolchain:windows_arm64",
+)

tools/container.bzl

@@ -1,6 +1,10 @@
+load("@aspect_bazel_lib//lib:transitions.bzl", "platform_transition_filegroup")
+load("@bazel_skylib//rules:write_file.bzl", "write_file")
 load("@rules_img//img:image.bzl", "image_index", "image_manifest")
 load("@rules_img//img:layer.bzl", "image_layer")
 load("@rules_img//img:push.bzl", "image_push")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_image_index", "oci_push")
+load("@rules_pkg//pkg:tar.bzl", "pkg_tar")
 
 def multiarch_go_image(name, binary):
     """Create a container image with two variants of the given go_binary target.
@@ -45,6 +49,62 @@ def multiarch_go_image(name, binary):
         tags = ["manual"],
     )
 
+def multiarch_go_image_with_windows(name, binary):
+    """Create a container image with three variants of the given go_binary target.
+
+    Args:
+        name: resulting oci_image_index target
+        binary: label of a go_binary target; it may be transitioned to another architecture
+    """
+    images = []
+    tar_target = "_{}.tar".format(name)
+    image_target = "_{}.image".format(name)
+    unix_binary_entrypoint = ["/app/{}".format(native.package_relative_label(binary).name)]
+    windows_binary_entrypoint = ["C:\\app\\{}".format(native.package_relative_label(binary).name)]
+
+    pkg_tar(
+        name = tar_target,
+        srcs = [binary],
+        include_runfiles = True,
+        package_dir = "app",
+    )
+
+    write_file(
+        name = image_target + "_entrypoint",
+        content = select({
+            "@rules_go//go/platform:linux_amd64": unix_binary_entrypoint,
+            "@rules_go//go/platform:linux_arm64": unix_binary_entrypoint,
+            "@rules_go//go/platform:windows_amd64": windows_binary_entrypoint,
+        }),
+        out = "entrypoints.txt"
+    )
+
+    oci_image(
+        name = image_target,
+        base = select({
+            "@rules_go//go/platform:linux_amd64": Label("@distroless_static_oci"),
+            "@rules_go//go/platform:linux_arm64": Label("@distroless_static_oci"),
+            "@rules_go//go/platform:windows_amd64": Label("@nanoserver_oci"),
+        }),
+        entrypoint = image_target + "_entrypoint",
+        tars = [tar_target],
+        # Don't build un-transitioned images, as the default target architecture might be unsupported
+        # For example when building on linux-i386.
+        tags = ["manual"],
+    )
+
+    oci_image_index(
+        name = name,
+        images = [image_target],
+        platforms = [
+            Label("//tools/platforms:linux_amd64"),
+            # TODO: re-enable when rules_oci supports this pattern
+#            Label("//tools/platforms:linux_amd64_v3"),
+            Label("//tools/platforms:linux_arm64"),
+            Label("//tools/platforms:windows_amd64"),
+        ]
+    )
+
 def container_push_official(name, image, component):
     image_push(
         name = name,
@@ -56,3 +116,14 @@ def container_push_official(name, image, component):
         # building all variants can be time-consuming.
         tags = ["manual"],
     )
+
+def container_push_official_with_windows(name, image, component):
+    oci_push(
+        name = name,
+        image = image,
+        repository = "ghcr.io/buildbarn/" + component,
+        remote_tags = "@com_github_buildbarn_bb_storage//tools:stamped_tags",
+        # Don't build container image unless explicitly requested, as
+        # building all variants can be time-consuming.
+        tags = ["manual"],
+    )