From 4437214e782d92065e0159dd027e43a6dba50b96 Mon Sep 17 00:00:00 2001
From: Jakob Krantz <mail@jakobkrantz.se>
Date: Sat, 6 Dec 2025 15:22:06 +0100
Subject: [PATCH 1/3] Make image smaller by removing stuff we don't need.

---
 .github/workflows/zswatch-ci-image.yml |  1 +
 Dockerfile.zswatch-ci                  | 34 +++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/zswatch-ci-image.yml b/.github/workflows/zswatch-ci-image.yml
index 185d457..7c3e14c 100644
--- a/.github/workflows/zswatch-ci-image.yml
+++ b/.github/workflows/zswatch-ci-image.yml
@@ -6,6 +6,7 @@ on:
       - main
       - zswatch_*
     paths:
+      - Dockerfile.zswatch-ci
       - Dockerfile.base
       - Dockerfile.ci
       - .github/workflows/zswatch-ci-image.yml
diff --git a/Dockerfile.zswatch-ci b/Dockerfile.zswatch-ci
index 31255ef..05e45e4 100644
--- a/Dockerfile.zswatch-ci
+++ b/Dockerfile.zswatch-ci
@@ -12,6 +12,9 @@ ARG UBUNTU_MIRROR_PORTS=ports.ubuntu.com/ubuntu-ports
 
 ARG ZSDK_VERSION=0.17.4
 ENV ZSDK_VERSION=$ZSDK_VERSION
+# Limit installed SDK content to the toolchains used by ZSWatch to keep the image lean.
+ARG ZSDK_TOOLCHAINS="arm-zephyr-eabi,x86_64-zephyr-elf"
+ENV ZSDK_TOOLCHAINS=$ZSDK_TOOLCHAINS
 
 # Install minimal extra APT packages required for ZSWatch CI
 RUN <<EOF
@@ -24,14 +27,43 @@ RUN <<EOF
 	rm -rf /var/lib/apt/lists/*
 EOF
 
+# Remove large tooling from ci-base that ZSWatch does not need (keeps image small)
+RUN <<'EOF'
+	if [ "${HOSTTYPE}" = "x86_64" ]; then
+		# Drop 32-bit support and multilib toolchains not needed for nRF/native_sim_64
+		apt-get purge --auto-remove -y \
+			gcc-multilib g++-multilib \
+			libc6-dbg:i386 libfuse-dev:i386 libsdl2-dev:i386 || true
+		dpkg --remove-architecture i386 || true
+	fi
+
+	# Remove heavy debug/coverage/doc tools unused in ZSWatch CI builds
+	apt-get purge --auto-remove -y \
+		valgrind \
+		lcov \
+		gcovr \
+		doxygen \
+		thrift-compiler || true
+
+	apt-get clean -y
+	rm -rf /var/lib/apt/lists/*
+EOF
+
 # Install Zephyr SDK
 RUN <<EOF
 	mkdir -p /opt/toolchains
 	cd /opt/toolchains
 	wget ${WGET_ARGS} https://github.com/zephyrproject-rtos/sdk-ng/releases/download/v${ZSDK_VERSION}/zephyr-sdk-${ZSDK_VERSION}_linux-${HOSTTYPE}.tar.xz
 	tar xf zephyr-sdk-${ZSDK_VERSION}_linux-${HOSTTYPE}.tar.xz
-	zephyr-sdk-${ZSDK_VERSION}/setup.sh -t all -h -c
+	# Convert comma/space separated toolchain list into repeated -t flags (required by setup.sh)
+	set --
+	for toolchain in $(printf '%s' "$ZSDK_TOOLCHAINS" | tr ',' ' '); do
+		set -- "$@" -t "$toolchain"
+	done
+	set -- "$@" -h -c
+	zephyr-sdk-${ZSDK_VERSION}/setup.sh "$@"
 	rm zephyr-sdk-${ZSDK_VERSION}_linux-${HOSTTYPE}.tar.xz
+	find zephyr-sdk-${ZSDK_VERSION}/sysroots -maxdepth 4 -type d \( -name doc -o -name man -o -name info \) -exec rm -rf '{}' +
 EOF
 
 # Run the Zephyr SDK setup script as 'user' in order to ensure that the

From af33da7899db8698a24d596f6df00db4d2ed8c35 Mon Sep 17 00:00:00 2001
From: Jakob Krantz <mail@jakobkrantz.se>
Date: Sat, 6 Dec 2025 19:32:45 +0100
Subject: [PATCH 2/3] Reclaim ci runner storage.

---
 .github/workflows/zswatch-ci-image.yml | 11 +++++++++++
 Dockerfile.zswatch-ci                  | 17 +++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/.github/workflows/zswatch-ci-image.yml b/.github/workflows/zswatch-ci-image.yml
index 7c3e14c..58ef549 100644
--- a/.github/workflows/zswatch-ci-image.yml
+++ b/.github/workflows/zswatch-ci-image.yml
@@ -24,6 +24,14 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Free disk space
+        run: |
+          df -h
+          sudo rm -rf /usr/share/dotnet /opt/ghc /usr/local/lib/android /opt/hostedtoolcache/CodeQL
+          docker system prune -af || true
+          docker volume prune -f || true
+          df -h
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -44,6 +52,9 @@ jobs:
             ghcr.io/zswatch/ci-base:${{ github.ref_name }}
             ghcr.io/zswatch/ci-base:latest
 
+      - name: Prune buildx cache
+        run: docker buildx prune -af --keep-storage 5GB
+
       - name: Build and push CI image
         uses: docker/build-push-action@v5
         with:
diff --git a/Dockerfile.zswatch-ci b/Dockerfile.zswatch-ci
index 05e45e4..d90a725 100644
--- a/Dockerfile.zswatch-ci
+++ b/Dockerfile.zswatch-ci
@@ -45,6 +45,23 @@ RUN <<'EOF'
 		doxygen \
 		thrift-compiler || true
 
+	apt-get purge --auto-remove -y \
+		libgtk2.0-0 \
+		libcairo2-dev \
+		libglib2.0-dev \
+		libpcap-dev \
+		ovmf \
+		parallel || true
+
+	apt-get clean -y
+	rm -rf /var/lib/apt/lists/*
+	rm -rf /usr/share/doc /usr/share/man /usr/share/info
+EOF
+
+# Reinstall SDL2 dev headers explicitly (native_sim needs sdl2.pc)
+RUN <<EOF
+	apt-get update -y
+	apt-get install --no-install-recommends -y libsdl2-dev
 	apt-get clean -y
 	rm -rf /var/lib/apt/lists/*
 EOF

From 219bac2fae2566d4c8f81bf1ab6049a7ec4bb154 Mon Sep 17 00:00:00 2001
From: Jakob Krantz <mail@jakobkrantz.se>
Date: Sat, 6 Dec 2025 23:31:41 +0100
Subject: [PATCH 3/3] Split into a slim base dockerfile.

---
 .github/workflows/zswatch-ci-image.yml |   9 +-
 Dockerfile.zswatch-base                | 122 +++++++++++++++++++++++++
 Dockerfile.zswatch-ci                  |   3 +
 3 files changed, 130 insertions(+), 4 deletions(-)
 create mode 100644 Dockerfile.zswatch-base

diff --git a/.github/workflows/zswatch-ci-image.yml b/.github/workflows/zswatch-ci-image.yml
index 58ef549..21a7ce9 100644
--- a/.github/workflows/zswatch-ci-image.yml
+++ b/.github/workflows/zswatch-ci-image.yml
@@ -6,6 +6,7 @@ on:
       - main
       - zswatch_*
     paths:
+      - Dockerfile.zswatch-base
       - Dockerfile.zswatch-ci
       - Dockerfile.base
       - Dockerfile.ci
@@ -46,11 +47,11 @@ jobs:
         uses: docker/build-push-action@v5
         with:
           context: .
-          file: ./Dockerfile.base
+          file: ./Dockerfile.zswatch-base
           push: true
           tags: |
-            ghcr.io/zswatch/ci-base:${{ github.ref_name }}
-            ghcr.io/zswatch/ci-base:latest
+            ghcr.io/zswatch/ci-base-slim:${{ github.ref_name }}
+            ghcr.io/zswatch/ci-base-slim:latest
 
       - name: Prune buildx cache
         run: docker buildx prune -af --keep-storage 5GB
@@ -65,4 +66,4 @@ jobs:
             ghcr.io/zswatch/zswatch-ci:latest
             ghcr.io/zswatch/zswatch-ci:${{ github.ref_name }}
           build-args: |
-            BASE_IMAGE=ghcr.io/zswatch/ci-base:${{ github.ref_name }}
+            BASE_IMAGE=ghcr.io/zswatch/ci-base-slim:${{ github.ref_name }}
diff --git a/Dockerfile.zswatch-base b/Dockerfile.zswatch-base
new file mode 100644
index 0000000..7acfee5
--- /dev/null
+++ b/Dockerfile.zswatch-base
@@ -0,0 +1,122 @@
+# ZSWatch slim base image
+# Minimal tooling for nRF5340 and native_sim builds; omits extras from the upstream base.
+
+FROM ubuntu:24.04
+
+ARG USERNAME=user
+ARG UID=1000
+ARG GID=1000
+ARG PYTHON_VENV_PATH=/opt/python/venv
+ARG UBUNTU_MIRROR_ARCHIVE=archive.ubuntu.com/ubuntu
+ARG UBUNTU_MIRROR_SECURITY=security.ubuntu.com/ubuntu
+ARG UBUNTU_MIRROR_PORTS=ports.ubuntu.com/ubuntu-ports
+
+# Set default shell during Docker image build to bash
+SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
+
+# Set non-interactive frontend for apt-get to skip any user confirmations
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install a trimmed set of APT packages
+RUN <<EOF
+	# Set up custom Ubuntu APT mirrors
+	pushd /etc/apt/sources.list.d
+	cp ubuntu.sources ubuntu.sources.bak
+	sed -i "s#archive.ubuntu.com/ubuntu#${UBUNTU_MIRROR_ARCHIVE}#" ubuntu.sources
+	sed -i "s#security.ubuntu.com/ubuntu#${UBUNTU_MIRROR_SECURITY}#" ubuntu.sources
+	sed -i "s#ports.ubuntu.com/ubuntu-ports#${UBUNTU_MIRROR_PORTS}#" ubuntu.sources
+	popd
+
+	apt-get -y update
+
+	# Core build and tooling stack
+	apt-get install --no-install-recommends -y \
+		build-essential \
+		ca-certificates \
+		ccache \
+		cmake \
+		dfu-util \
+		device-tree-compiler \
+		file \
+		gdb \
+		git \
+		gperf \
+		libffi-dev \
+		libncursesw6 \
+		libreadline8 \
+		libssl-dev \
+		libusb-1.0-0 \
+		libyaml-0-2 \
+		libsdl2-dev \
+		locales \
+		ninja-build \
+		openssh-client \
+		pkg-config \
+		python3 \
+		python3-dev \
+		python3-pip \
+		python3-setuptools \
+		python3-wheel \
+		python3-venv \
+		python-is-python3 \
+		sudo \
+		unzip \
+		wget \
+		xz-utils
+
+	apt-get autoremove --purge -y
+	apt-get clean -y
+	rm -rf /var/lib/apt/lists/*
+
+	# Restore original Ubuntu mirrors
+	pushd /etc/apt/sources.list.d
+	mv -f ubuntu.sources.bak ubuntu.sources
+	popd
+EOF
+
+# Initialise system locale
+RUN locale-gen en_US.UTF-8
+ENV LANG=en_US.UTF-8
+ENV LANGUAGE=en_US:en
+ENV LC_ALL=en_US.UTF-8
+
+# Set up Python virtual environment for Zephyr
+RUN <<EOF
+	mkdir -p ${PYTHON_VENV_PATH}
+	python3 -m venv ${PYTHON_VENV_PATH}
+	source ${PYTHON_VENV_PATH}/bin/activate
+
+	pip install --no-cache-dir --upgrade pip setuptools wheel
+	pip install --no-cache-dir \
+		-r https://raw.githubusercontent.com/zephyrproject-rtos/zephyr/main/scripts/requirements.txt \
+		-r https://raw.githubusercontent.com/zephyrproject-rtos/mcuboot/main/scripts/requirements.txt \
+		'esptool>=5.0.2' \
+		GitPython \
+		imgtool \
+		junitparser \
+		junit2html \
+		nrf-regtool~=9.0.1 \
+		numpy \
+		protobuf \
+		grpcio-tools \
+		PyGithub \
+		pylint \
+		sh \
+		statistics \
+		west
+EOF
+
+# Make Zephyr Python virtual environment available globally
+ENV PATH=${PYTHON_VENV_PATH}/bin:$PATH
+
+# Create user account
+RUN <<EOF
+	userdel -r ubuntu || true
+	groupadd -g $GID -o $USERNAME
+	useradd -u $UID -m -g $USERNAME -G plugdev $USERNAME
+	echo $USERNAME ' ALL = NOPASSWD: ALL' > /etc/sudoers.d/$USERNAME
+	chmod 0440 /etc/sudoers.d/$USERNAME
+EOF
+
+# Ensure that container runs in the 'root' user context
+USER root
diff --git a/Dockerfile.zswatch-ci b/Dockerfile.zswatch-ci
index d90a725..6668c6e 100644
--- a/Dockerfile.zswatch-ci
+++ b/Dockerfile.zswatch-ci
@@ -31,6 +31,7 @@ EOF
 RUN <<'EOF'
 	if [ "${HOSTTYPE}" = "x86_64" ]; then
 		# Drop 32-bit support and multilib toolchains not needed for nRF/native_sim_64
+		apt-get update -y
 		apt-get purge --auto-remove -y \
 			gcc-multilib g++-multilib \
 			libc6-dbg:i386 libfuse-dev:i386 libsdl2-dev:i386 || true
@@ -38,6 +39,7 @@ RUN <<'EOF'
 	fi
 
 	# Remove heavy debug/coverage/doc tools unused in ZSWatch CI builds
+	apt-get update -y
 	apt-get purge --auto-remove -y \
 		valgrind \
 		lcov \
@@ -45,6 +47,7 @@ RUN <<'EOF'
 		doxygen \
 		thrift-compiler || true
 
+	apt-get update -y
 	apt-get purge --auto-remove -y \
 		libgtk2.0-0 \
 		libcairo2-dev \