Change CI to use Artifacts to pass CI image around workflow #24
Closed
riley-dixon wants to merge 5 commits into
Collaborator
Can we use this PR to rename the action files to use hyphens instead of underscores?
Collaborator
Author
Can we do that in a separate PR please? Happy to make that change either by itself or with other cleanup work.
Collaborator
I'll do a PR after this merges so we don't create conflicts
We would like to eventually move to a fork-based development model. However, PRs from forks are unable to push images to the GHCR registry (they could push something bad). So instead, this changes CI to use artifacts to pass around the container image. Surprisingly, this actually slightly reduces the time it takes to load & start the Docker container.
This also provides a trigger to manually initiate an image update. A user must have at least write access to manually start the workflow.
Collaborator
Author
This will likely be closed in favour of #44
Collaborator
Closed in favor of #44
Motivation
External PRs are not permitted to push to the GHCR registry under pull_request triggers as this presents a security issue. To get around this, we will upload the AIS CI image as a build artifact to the various workflows. This is fine as these build artifacts really should not be used outside of the CI context. They are also short-lived and will be deleted automatically after a day.

This also introduces a privileged job that runs after a PR has been accepted and merged. This updates the CI image hosted in GHCR that can be used for caching/debugging purposes. Since by this point the code has been accepted, we are taking responsibility for it. This job can also be manually triggered, and requires at a minimum "Write" permissions to kick off.
Technical Details
https://docs.github.com/en/webhooks/webhook-events-and-payloads#about-webhook-events-and-payloads - ${{github.event...}} attributes depending on the trigger.
https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context - Contexts for when using ${{}}
https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request - How to use pull requests, create a job that runs when a PR has been merged, etc.
Sharing build artifacts:
We luckily do not need to worry about passing the build artifact across workflows as our main CI that relies on this image all runs from a common parent workflow.
https://docs.docker.com/build/ci/github-actions/share-image-jobs/
https://github.com/actions/upload-artifact
https://github.com/actions/download-artifact
https://docs.github.com/en/actions/reference/limits - TL;DR: The images are small enough that this works for us.
Test Plan
Tested in a fork of the repo. New CI job properly triggers after PR has been merged, and when manually triggered as well.
Test Result
Submission Checklist
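An added example, not code from this PR or from the repository it targets: one workflow that applies the scheme described under Motivation and Technical Details, handing the built image from job to job as an upload-artifact/download-artifact tarball and confining the GHCR push to a job that only runs on merged code or a manual dispatch. Assumptions are marked in the comments: the Dockerfile path ci/Dockerfile, the `make test` entry point and `main` as the default branch are placeholders, and the merge is detected as the push to `main` it produces rather than through a pull_request closed event, so the privileged job never runs with the read-only token a fork-originated pull_request run receives.

```yaml
name: ci
on:
  pull_request:             # fork PRs run here with a read-only GITHUB_TOKEN: no registry push
  push:
    branches: [main]        # the push that merging a PR produces (assumes main is the default branch)
  workflow_dispatch:        # manual run; GitHub only lets users with write access dispatch it
permissions:
  contents: read            # least privilege for every job unless a job overrides it
jobs:
  build-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |              # build the CI image and save it as a tarball (ci/Dockerfile is assumed)
          docker build -t ci-image:${{ github.sha }} -f ci/Dockerfile .
          docker save ci-image:${{ github.sha }} -o ci-image.tar
      - uses: actions/upload-artifact@v4
        with:
          name: ci-image
          path: ci-image.tar
          retention-days: 1   # short-lived; only the jobs of this run consume it
  test:
    needs: build-image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: ci-image
      - run: docker load -i ci-image.tar    # loaded from the artifact, not pulled from GHCR
      - run: docker run --rm -v "$PWD:/src" -w /src ci-image:${{ github.sha }} make test  # hypothetical test entry point
  publish-image:
    # Privileged job: reached only by merged code (push to main) or a manual dispatch, never by
    # a pull_request trigger, so a fork can never write to the registry.
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      packages: write       # the only job allowed to write to GHCR
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: ci-image
      - run: docker load -i ci-image.tar
      - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
      - run: |              # re-tag the image that already passed the tests and push it
          docker tag ci-image:${{ github.sha }} ghcr.io/${{ github.repository }}/ci-image:latest
          docker push ghcr.io/${{ github.repository }}/ci-image:latest
```

GHCR image names must be lowercase, so lowercase `github.repository` first if the owner or repository name contains capitals.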