third_party/rust: update rules_rust and deps

This is required for rules_rust to work with CC toolchains.

Change-Id: I15f20c7bde09697fda248f7107be8bcd00e24d57
Reviewed-on: https://review.monogon.dev/c/monogon/+/1073
Tested-by: Jenkins CI
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
diff --git a/build/ci/Dockerfile b/build/ci/Dockerfile
index aa79dc7..39bbb00 100644
--- a/build/ci/Dockerfile
+++ b/build/ci/Dockerfile
@@ -1,77 +1,34 @@
-FROM fedora:35
+FROM docker.io/fedora:37@sha256:3487c98481d1bba7e769cf7bcecd6343c2d383fdd6bed34ec541b6b23ef07664
 
 RUN dnf -y upgrade && \
-	dnf -y install \
-	"@Development Tools" \
-	g++ \
-	llvm \
-	clang \
-	lld \
-	libuuid-devel \
-	python3 \
-	nasm \
-	acpica-tools \
-	gettext-devel \
-	autoconf \
-	bison \
-	libtool \
-	automake \
-	flex \
-	glibc-static \
-	elfutils-libelf-devel \
-	libblkid-devel \
-	lz4 \
-	bc \
-	hostname \
-	which \
-	swtpm-tools \
-	rsync \
-	qemu-system-x86-core \
-	expect \
-	grpc-cli \
-	nc \
-	python-unversioned-command \
-	openssl-devel \
+	dnf -y install --setopt=tsflags=nodocs \
 	java-11-openjdk-headless \
-	dotnet-runtime-5.0 \
+	dotnet-runtime-6.0 \
 	jq \
-	tini
-
+	tini \
+    golang && \
+    dnf clean all
 
 # (java-11-openjdk-headless and tini are required for the Jenkins CI agent)
 # (dotnet-runtime-5.0 and jq are required for the GitHub Actions runner)
+# (golang is required for us to build bazelisk - see below)
 
-# Create CI build user. This is not used by scripts/bin/bazel, but instead only
-# used by CI infrastructure to run build agents as.
+# Create CI build user. It is used by CI infrastructure to run build agents as.
 # The newly created user will have a UID of 500, and a corresponding CI group
 # of GID 500 will be created as well. This UID:GID pair's numeric values are
 # relied on by the CI infrastructure and must not change without coordination.
 RUN set -e -x ;\
 	useradd -u 500 -U -m -d /home/ci ci
 
-# Install Bazel binary
-RUN curl -o /usr/local/bin/bazel \
-	https://releases.bazel.build/4.2.2/release/bazel-4.2.2-linux-x86_64 && \
-	echo '11dea6c7cfd866ed520af19a6bb1d952f3e9f4ee60ffe84e63c0825d95cb5859  /usr/local/bin/bazel' | sha256sum --check && \
-	chmod +x /usr/local/bin/bazel
-
 # Use a shared Go module cache for gazelle
 # https://github.com/bazelbuild/bazel-gazelle/pull/535
 ENV GO_REPOSITORY_USE_HOST_CACHE=1
 
-# Install ibazel (bazel-watcher)
-RUN set -e -x ;\
-    cd /tmp ;\
-    git clone -b v0.15.10 https://github.com/bazelbuild/bazel-watcher ;\
-    cd bazel-watcher ;\
-    [ $(git rev-parse HEAD) == "84cab6f15f64850fb972ea88701e634c8b611301" ] ;\
-    bazel --output_user_root /tmp/bazel-watcher-cache build //ibazel ;\
-    cp bazel-bin/ibazel/linux_amd64_stripped/ibazel /usr/local/bin/ibazel ;\
-    cd /tmp ;\
-    rm -rf bazel-watcher bazel-watcher-cache
+USER ci
 
-# --userns=keep-id uses the workdir as $HOME otherwise
-RUN mkdir /user
-ENV HOME=/user
+# Install Bazelisk. We do not have to pin a checksum since Go automatically
+# relies on its built-in transparency log for pinning.
+RUN go install github.com/bazelbuild/bazelisk@v1.15.0
+ENV PATH="/home/ci/go/bin:${PATH}"
 
 WORKDIR /work
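Review bot: The comment above `RUN go install github.com/bazelbuild/bazelisk@v1.15.0` assumes Go's checksum database is consulted, but the toolchain here is the distro `golang` package, and Fedora's build has historically shipped with `GOSUMDB=off` and `GOPROXY=direct` as defaults; if that holds for this image, the mutable tag `v1.15.0` is the only pin, so confirm with `go env GOSUMDB GOPROXY`. Setting the values on the instruction removes the dependence on distro defaults: `RUN GOSUMDB=sum.golang.org GOPROXY=https://proxy.golang.org,direct go install github.com/bazelbuild/bazelisk@v1.15.0`. Separately, the removed `sha256sum --check` pinned the Bazel binary itself, and nothing visible in this hunk pins the Bazel release that bazelisk fetches later, so that integrity check appears to be lost rather than replaced. The retained comment still names `dotnet-runtime-5.0` while the install line now uses 6.0; it should read `# (dotnet-runtime-6.0 and jq are required for the GitHub Actions runner)`.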