Split TSan into separate image for lighter default and Codespace support

The main devcontainer image now ships a single "ocaml" switch (~4.5 GB),
making it Codespace-friendly. TSan is available as a separate
"ocaml-devcontainer-tsan" image (~7.5 GB) that adds the "ocaml+tsan"
switch on top.

Key changes:
- Rename switches: 5.4.0 → ocaml, 5.4.0+tsan → ocaml+tsan
- New tsan/Dockerfile layered on top of the dev image
- New .devcontainer-tsan/ configs for pre-built and local-build TSan
- Move fix-tsan-aslr.sh from .devcontainer/ to .devcontainer-tsan/
- Remove ASLR sysctl from base image build (only tsan/ needs it)
- New build-push-tsan.yml workflow triggered after main image builds
- Test matrix: single "ocaml" for main image, [ocaml, ocaml+tsan] for TSan

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: cuihtlauac

.devcontainer-from-scratch/devcontainer.json

@@ -21,14 +21,12 @@
       "settings": {
         "ocaml.sandbox": {
           "kind": "opam",
-          "switch": "5.4.0"
+          "switch": "ocaml"
         }
       }
     }
   },
 
-  "postStartCommand": "bash .devcontainer/fix-tsan-aslr.sh",
-
   "remoteUser": "vscode",
 
   "mounts": [

.devcontainer-tsan-from-scratch/devcontainer.json

@@ -0,0 +1,47 @@
+{
+  "name": "OCaml Development (TSan, Local Build)",
+
+  "build": {
+    "dockerfile": "../tsan/Dockerfile",
+    "context": "..",
+    "args": {
+      "BASE_IMAGE": "ocaml-devcontainer:latest"
+    }
+  },
+
+  "features": {
+    "ghcr.io/anthropics/devcontainer-features/claude-code:1": {}
+  },
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ocamllabs.ocaml-platform"
+      ],
+      "settings": {
+        "ocaml.sandbox": {
+          "kind": "opam",
+          "switch": "ocaml"
+        }
+      }
+    }
+  },
+
+  "postStartCommand": "bash .devcontainer-tsan/fix-tsan-aslr.sh",
+
+  "remoteUser": "vscode",
+
+  "mounts": [
+    "source=dune-cache,target=/home/vscode/.cache/dune,type=volume"
+  ],
+
+  "remoteEnv": {
+    "DUNE_CACHE_ROOT": "/home/vscode/.cache/dune"
+  },
+
+  "hostRequirements": {
+    "cpus": 4,
+    "memory": "8gb",
+    "storage": "32gb"
+  }
+}

.devcontainer-tsan/devcontainer.json

@@ -0,0 +1,42 @@
+{
+  "name": "OCaml Development (TSan)",
+  // Pre-built image from Docker Hub. Also available on GHCR:
+  // ghcr.io/tarides/ocaml-devcontainer-tsan:latest
+  "image": "cuihtlauac/ocaml-devcontainer-tsan:latest",
+
+  "features": {
+    "ghcr.io/anthropics/devcontainer-features/claude-code:1": {}
+  },
+
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "ocamllabs.ocaml-platform"
+      ],
+      "settings": {
+        "ocaml.sandbox": {
+          "kind": "opam",
+          "switch": "ocaml"
+        }
+      }
+    }
+  },
+
+  "postStartCommand": "bash .devcontainer-tsan/fix-tsan-aslr.sh",
+
+  "remoteUser": "vscode",
+
+  "mounts": [
+    "source=dune-cache,target=/home/vscode/.cache/dune,type=volume"
+  ],
+
+  "remoteEnv": {
+    "DUNE_CACHE_ROOT": "/home/vscode/.cache/dune"
+  },
+
+  "hostRequirements": {
+    "cpus": 4,
+    "memory": "8gb",
+    "storage": "32gb"
+  }
+}

.devcontainer/fix-tsan-aslr.sh .devcontainer-tsan/fix-tsan-aslr.sh.devcontainer/fix-tsan-aslr.sh renamed to .devcontainer-tsan/fix-tsan-aslr.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# Fix ASLR entropy for TSan-instrumented binaries (OCaml 5.4.0+tsan switch).
+# Fix ASLR entropy for TSan-instrumented binaries (ocaml+tsan switch).
 # TSan requires vm.mmap_rnd_bits <= 28; modern kernels default to 32.
 # See: https://github.com/google/sanitizers/issues/1716
 
@@ -19,7 +19,7 @@ fi
 if setarch "$(uname -m)" --addr-no-randomize /bin/true 2>/dev/null; then
   sudo tee /etc/profile.d/fix-tsan-aslr.sh >/dev/null <<'EOF'
 # Disable ASLR so ThreadSanitizer-instrumented binaries can run.
-# Installed by .devcontainer/fix-tsan-aslr.sh — safe to remove.
+# Installed by .devcontainer-tsan/fix-tsan-aslr.sh — safe to remove.
 if [ -z "$TSAN_ASLR_FIXED" ]; then
   mmap_rnd_bits=$(cat /proc/sys/vm/mmap_rnd_bits 2>/dev/null || echo 0)
   if [ "$mmap_rnd_bits" -gt 28 ]; then
@@ -33,4 +33,4 @@ EOF
 fi
 
 echo "WARNING: Cannot fix ASLR entropy for TSan (vm.mmap_rnd_bits=$MMAP_RND_BITS)."
-echo "The 5.4.0+tsan switch may not work. See: https://github.com/google/sanitizers/issues/1716"
+echo "The ocaml+tsan switch may not work. See: https://github.com/google/sanitizers/issues/1716"

.devcontainer/devcontainer.json

@@ -16,13 +16,13 @@
       "settings": {
         "ocaml.sandbox": {
           "kind": "opam",
-          "switch": "5.4.0"
+          "switch": "ocaml"
         }
       }
     }
   },
 
-  "postStartCommand": "bash .devcontainer/fix-tsan-aslr.sh; bash .devcontainer/hide-codespaces-badge.sh",
+  "postStartCommand": "bash .devcontainer/hide-codespaces-badge.sh",
 
   "remoteUser": "vscode",
 

.github/workflows/build-push-tsan.yml

@@ -0,0 +1,195 @@
+name: Build and Push TSan Image
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+    paths:
+      - 'tsan/**'
+      - '.github/workflows/build-push-tsan.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - 'tsan/**'
+  workflow_run:
+    workflows: ["Build and Push Images"]
+    types: [completed]
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  DOCKER_HUB_TSAN: ${{ secrets.DOCKERHUB_USERNAME }}/ocaml-devcontainer-tsan
+  GHCR_TSAN: ghcr.io/${{ github.repository_owner }}/ocaml-devcontainer-tsan
+  GHCR_DEV: ghcr.io/${{ github.repository_owner }}/ocaml-devcontainer
+
+jobs:
+  # ============================================================================
+  # Build TSan Images (parallel per architecture)
+  # ============================================================================
+  build-tsan-amd64:
+    if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Reduce ASLR entropy for TSan build
+        run: sudo sysctl -w vm.mmap_rnd_bits=28
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push TSan image (amd64)
+        uses: docker/build-push-action@v6
+        with:
+          context: ./tsan
+          file: ./tsan/Dockerfile
+          platforms: linux/amd64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: |
+            ${{ env.GHCR_TSAN }}:latest-amd64
+            ${{ env.DOCKER_HUB_TSAN }}:latest-amd64
+          labels: |
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          build-args: |
+            BASE_IMAGE=${{ env.GHCR_DEV }}:latest-amd64
+          cache-from: type=gha,scope=tsan-amd64
+          cache-to: type=gha,mode=max,scope=tsan-amd64
+
+  build-tsan-arm64:
+    if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Reduce ASLR entropy for TSan build
+        run: sudo sysctl -w vm.mmap_rnd_bits=28
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push TSan image (arm64)
+        uses: docker/build-push-action@v6
+        with:
+          context: ./tsan
+          file: ./tsan/Dockerfile
+          platforms: linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: |
+            ${{ env.GHCR_TSAN }}:latest-arm64
+            ${{ env.DOCKER_HUB_TSAN }}:latest-arm64
+          labels: |
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+            org.opencontainers.image.revision=${{ github.sha }}
+          build-args: |
+            BASE_IMAGE=${{ env.GHCR_DEV }}:latest-arm64
+          cache-from: type=gha,scope=tsan-arm64
+          cache-to: type=gha,mode=max,scope=tsan-arm64
+
+  # ============================================================================
+  # Merge TSan Image Tags into Multi-Arch Manifest
+  # ============================================================================
+  merge-tsan:
+    needs: [build-tsan-amd64, build-tsan-arm64]
+    if: |
+      always() &&
+      needs.build-tsan-amd64.result == 'success' &&
+      needs.build-tsan-arm64.result == 'success' &&
+      github.event_name != 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create and push multi-arch manifest (GHCR)
+        run: |
+          docker buildx imagetools create -t ${{ env.GHCR_TSAN }}:latest \
+            ${{ env.GHCR_TSAN }}:latest-amd64 \
+            ${{ env.GHCR_TSAN }}:latest-arm64
+
+          # Add version tag if this is a release
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            VERSION=${GITHUB_REF#refs/tags/}
+            docker buildx imagetools create -t ${{ env.GHCR_TSAN }}:${VERSION} \
+              ${{ env.GHCR_TSAN }}:latest-amd64 \
+              ${{ env.GHCR_TSAN }}:latest-arm64
+          fi
+
+      - name: Create and push multi-arch manifest (Docker Hub)
+        run: |
+          docker buildx imagetools create -t ${{ env.DOCKER_HUB_TSAN }}:latest \
+            ${{ env.DOCKER_HUB_TSAN }}:latest-amd64 \
+            ${{ env.DOCKER_HUB_TSAN }}:latest-arm64
+
+          # Add version tag if this is a release
+          if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
+            VERSION=${GITHUB_REF#refs/tags/}
+            docker buildx imagetools create -t ${{ env.DOCKER_HUB_TSAN }}:${VERSION} \
+              ${{ env.DOCKER_HUB_TSAN }}:latest-amd64 \
+              ${{ env.DOCKER_HUB_TSAN }}:latest-arm64
+          fi
+
+      - name: Verify multi-arch manifest
+        run: |
+          echo "=== GHCR TSan Image ==="
+          docker buildx imagetools inspect ${{ env.GHCR_TSAN }}:latest
+          echo ""
+          echo "=== Docker Hub TSan Image ==="
+          docker buildx imagetools inspect ${{ env.DOCKER_HUB_TSAN }}:latest

.github/workflows/build-push.yml

@@ -70,12 +70,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
 
-      - name: Reduce ASLR entropy for TSan build
-        # TSan requires lower ASLR entropy to avoid memory mapping collisions
-        # Native runners allow this sysctl to take effect (unlike BuildKit containers)
-        # See: https://github.com/google/sanitizers/issues/1716
-        run: sudo sysctl -w vm.mmap_rnd_bits=28
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -126,9 +120,6 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
 
-      - name: Reduce ASLR entropy for TSan build
-        run: sudo sysctl -w vm.mmap_rnd_bits=28
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3