Add non-ghr version of cpubuilder dockerfile.

[ScottTodd]

I believe we can replace https://github.com/iree-org/iree/blob/main/build_tools/docker/dockerfiles/base.Dockerfile with this. At least, I tested the linux_x64_clang_debug workflow in IREE locally and was able to get it working using this Dockerfile and only minor edits to the workflow:

--- a/.github/workflows/ci_linux_x64_clang_debug.yml
+++ b/.github/workflows/ci_linux_x64_clang_debug.yml
@@ -51,7 +51,7 @@ jobs:
         with:
           submodules: true
       - name: Install Python requirements
-        run: pip install -r ./runtime/bindings/python/iree/runtime/build_requirements.txt
+        run: python3 -m pip install -r ./runtime/bindings/python/iree/runtime/build_requirements.txt
       # Note: Not using ccache here. Debug builds need a lot of cache space
       # and caching only provides marginal build time improvements.
       - name: CMake - configure
@@ -59,6 +59,7 @@ jobs:
           cmake \
             -G Ninja \
             -B ${BUILD_DIR} \
+            -DPython3_EXECUTABLE="$(which python)" \
             -DCMAKE_BUILD_TYPE=Debug \
             -DIREE_BUILD_PYTHON_BINDINGS=ON \
             -DIREE_ENABLE_LLD=ON \

Command history for future-me (could go in docs):

# Host
sudo docker buildx build --file dockerfiles/cpubuilder_ubuntu_jammy_x86_64.dockerfile .
# Note the hash here
sudo docker run --rm --mount type=bind,source="/home/scott/dev/projects/iree",target=/iree,readonly -it --entrypoint /bin/bash ${HASH}

# Docker
python3 -m pip install -r /iree/runtime/bindings/python/iree/runtime/build_requirements.txt
cmake \
  -S /iree \
  -G Ninja \
  -B /build \
  -DPython3_EXECUTABLE="$(which python)" \
  -DCMAKE_BUILD_TYPE=Debug \
  -DIREE_BUILD_PYTHON_BINDINGS=ON \
  -DIREE_ENABLE_LLD=ON \
  -DIREE_ENABLE_ASSERTIONS=ON

# Configure mostly finished, good enough?
-- Configuring done
CMake Error: Cannot open file for write: /iree/.env.tmp86d6a
CMake Error: : System Error: Read-only file system
CMake Error in CMakeLists.txt:
  Could not open file for write in copy operation /iree/.env

For now the Dockerfiles for ghr and non-ghr versions both have large sections of code copy/pasted. Hopefully these will be edited infrequently and we don't need to overcomplicate that with multistage builds. The publish workflow also has duplicated code. That could use a matrix or reusable workflow.

[marbre]

We probably want to pin the action to a specific version

Suggested change

	uses: actions/checkout@v3
	uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

(will also increase the score if we want to run OpenSSF scorecard, see https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)

[ScottTodd]

Oh, I started switching back to using tags in iree-org/iree#17703

We have been using commit hashes instead of tags, since they are more stable and that was a policy recommendation for Google-managed GitHub repos: https://opensource.google/documentation/reference/github/services#actions

When using a third-party action (one not hosted in a Google-managed org), a fixed version of the action MUST be used by specifying a specific commit, rather than a branch like "master", or a tagged release, which can be overwritten by any maintainer of the action. Docker images should always be run at a fixed version rather than "latest".

Using release tags is easier and more common, so switching back to that style.

Anyways, let's leave that for follow-up work if we want it and apply such a change to all files in the repo.

[ScottTodd]

Oops. Needed to use an uppercase D in the file extension 🤦

[ScottTodd]

Fixed: de9012a