[devops] Build and test Docker image on PRs from forks #6451
Conversation
danielhollas
force-pushed
the
docker-from-forks
branch
from
68952ea to
72c1766
Compare
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #6451 +/- ##
==========================================
+ Coverage 77.51% 77.86% +0.36%
==========================================
Files 560 562 +2
Lines 41444 41794 +350
==========================================
+ Hits 32120 32539 +419
+ Misses 9324 9255 -69
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
The main trick here is to NOT upload to ghcr.io so that we do not need to have the GITHUB_TOKEN secret.
danielhollas
force-pushed
the
docker-from-forks
branch
from
d8bba2e to
4aaa98b
Compare
|
This is now ready. The one downside is that the tests for different images are run sequentially and not in parallel, but they are quite fast anyway and the whole workflow takes around 6-8 minutes. |
|
Thanks @danielhollas . This may be a naive question, but why can't we just take the existing |
|
@sphuber it's a good question. We can't use it, at least in the current form, since the first publish to ghcr.io happens already during the build step. The publish workflow actually just adds tags to an image that's already there. We could slice and dice things differently, but honestly the new workflow is quite simple so I am not worried about the duplication. The most complicated thing is the build step, and that would have to be different anyways. The rest of duplication is not much worse than duplication that's happening in all the other workflows as well, imo. Happy to answer more questions, but I would like to avoid yet another refactor. :-D |
|
Thanks for the explanation @danielhollas . Ok, let's not go into that for now but keep it in the back of our heads for the future to see if we can unify them. Don't want to put that on your plate just before the holidays |
|
@danielhollas thanks! This strategy looks reasonable, and I'd say it has the same running order as my old implementation 😜
It is not good to use |
| @@ -13,7 +13,6 @@ variable "ORGANIZATION" { | |||
| } | |||
|
|
|||
| variable "REGISTRY" { | |||
| default = "ghcr.io/" | |||
There was a problem hiding this comment.
Hmm, now I am realizing, that I am not sure whether this change will not break the full build. 🤔
There was a problem hiding this comment.
I remember you use env.hcl for aiidalab-docker-stack, did you use it here as well?
There was a problem hiding this comment.
During test, I find it a bit annoying that need to careful about whether put / (same as : in front of the TAG). I think we can always force the REGISTRY is set, either to docker.io or to ghcr.io, then use:
${REGISTRY:-}/${AIIDA_CORE_WITH_SERVICES_IMAGE:-aiidateam/aiida-core-with-services}:${TAG:-}
instead of:
${REGISTRY:-}${AIIDA_CORE_WITH_SERVICES_IMAGE:-aiidateam/aiida-core-with-services}${TAG:-}
There was a problem hiding this comment.
Hmm, now I am realizing, that I am not sure whether this change will not break the full build. 🤔
Not sure if it is because of this, but the build did just fail on main: https://github.com/aiidateam/aiida-core/actions/runs/9398592676/job/25884242952
There was a problem hiding this comment.
Seems it is, it tries push to docker.io as default registry.
|
Yeah, sorry about that, will open a PR shortly.
Dne čt 6. 6. 2024 12:26 uživatel Jusong Yu ***@***.***>
napsal:
… ***@***.**** commented on this pull request.
------------------------------
In .docker/docker-bake.hcl
<#6451 (comment)>
:
> @@ -13,7 +13,6 @@ variable "ORGANIZATION" {
}
variable "REGISTRY" {
- default = "ghcr.io/"
Seems it is, it tries push to docker.io as default registry.
—
Reply to this email directly, view it on GitHub
<#6451 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACIY64JIZXERBQNYRUU6BCLZGA2M7AVCNFSM6AAAAABI2NO6AGVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDCMBRGU3DKNZQGU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
…eam#6451) The main trick here is to not upload to `ghcr.io` because that requires the `GITHUB_TOKEN` secret which is not available on forks. The downside is that one cannot download the image for local debugging. But if that is needed, the images can be built locally, or the PR can be opened from origin. A separate workflow is used for now instead of merging it in the existing `docker.yml` workflow, because that already publishes during the build step. It might be possible to refactor this in the future in which case the new workflow may be included.
The strategy here is simple: Build and test Docker images in a single workflow, without pushing to ghcr.io. That way we don't need access to GITHUB_TOKEN.
The downside is that one cannot download the image for local debugging. But if that is needed, I guess one can either build locally, or re-open the PR from origin.
I think @unkcpz had something else in mind, allowing forks access to secrets via
pull_request_targetevent. I am not sure if that is safe / desirable, let's discuss that in #6446. This PR should work in the meantime.Closes #6449
Accompanies #6446