diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a271259a..a5cbdc6b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,6 +35,9 @@ concurrency: group: ci-${{ github.ref }} cancel-in-progress: true +env: + CONDA_OVERRIDE_CUDA: "12" + jobs: lint: runs-on: ubuntu-latest diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index e15dc476..c799383f 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -108,7 +108,7 @@ jobs: permissions: contents: read outputs: - image-ref: ${{ steps.public-ref.outputs.image }} + image-digest: ${{ steps.public-build.outputs.digest }} steps: - name: Checkout code @@ -169,15 +169,9 @@ jobs: BASE_IMAGE=${{ env.CUDA_BASE_IMAGE }} CHECKPOINTS_IMAGE=${{ steps.checkpoint-ref.outputs.image }} cache-from: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache - cache-to: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache,mode=max + cache-to: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache,mode=max,ignore-error=true provenance: false - - name: Publish public image ref for Astera overlay - id: public-ref - run: | - short_sha="${GITHUB_SHA:0:${DOCKER_METADATA_SHORT_SHA_LENGTH}}" - echo "image=${PUBLIC_REGISTRY}/${PUBLIC_IMAGE_NAME}:sha-${short_sha}" >> "$GITHUB_OUTPUT" - - name: Public image digest run: echo "Public image pushed with digest ${{ steps.public-build.outputs.digest }}" 
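Review bot: `ignore-error=true` on the public `cache-to` line silences every cache-export failure, including an authentication or permission failure against the registry, so a broken `buildcache` ref can go unnoticed while builds only get slower. A comment above the line would record that this is deliberate, for example `# Cache export is best-effort; a registry error here must not fail the image push`. The same option is added to the Astera `cache-to` line in the last hunk of this file and would benefit from the same comment. The build step's `with:` block starts outside this hunk.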
@@ -204,6 +198,13 @@ jobs: username: ${{ secrets.HARBOR_USERNAME }} password: ${{ secrets.HARBOR_PASSWORD }} + - name: Login to public registry + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 + with: + registry: ${{ env.PUBLIC_REGISTRY }} + username: ${{ secrets.SAMPLEWORKS_PUBLIC_REGISTRY_USERNAME || secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.SAMPLEWORKS_PUBLIC_REGISTRY_PASSWORD || secrets.DOCKERHUB_TOKEN }} + - name: Docker metadata for Astera image id: astera-meta uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6 @@ -216,6 +217,19 @@ jobs: type=semver,pattern={{version}} type=semver,pattern=v{{version}} + - name: Validate public image digest + env: + PUBLIC_IMAGE_DIGEST: ${{ needs.public.outputs.image-digest }} + run: | + if [ -z "${PUBLIC_IMAGE_DIGEST}" ]; then + echo "public job did not produce an image digest." + exit 1 + fi + if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then + echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}" + exit 1 + fi + - name: Build and push Astera image id: astera-build uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7 @@ -227,9 +241,9 @@ jobs: tags: ${{ steps.astera-meta.outputs.tags }} labels: ${{ steps.astera-meta.outputs.labels }} build-args: | - PIXI_WITH_CHECKPOINTS_IMAGE=${{ needs.public.outputs.image-ref }} + PIXI_WITH_CHECKPOINTS_IMAGE=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}@${{ needs.public.outputs.image-digest }} cache-from: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache - cache-to: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache,mode=max + cache-to: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache,mode=max,ignore-error=true provenance: false - name: Astera image digest
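Review bot: The `username` and `password` fallbacks in the new "Login to public registry" step are resolved independently of each other. If `SAMPLEWORKS_PUBLIC_REGISTRY_USERNAME` is set but its password is not, the step would log in with that username and `DOCKERHUB_TOKEN`. If `PUBLIC_REGISTRY` is not Docker Hub, the fallback would also present Docker Hub credentials to a different registry; its value is defined outside this hunk, so this is worth confirming. As far as the visible steps show, this job only pulls the public image as the overlay base, so a read-scoped token is enough. A comment such as `# Pull-only login for the digest-pinned base image; use a read-only token` would state that intent.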
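Review bot: The second check in "Validate public image digest" only confirms the value starts with `sha256:`, so anything after the prefix, including whitespace or extra lines, still passes. That matters because the next hunk pastes the value into the multi-line `build-args: |` input. Matching the full form closes the gap: `if [[ ! "${PUBLIC_IMAGE_DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]]; then`. This assumes the step runs under bash, the default on GitHub's Linux runners; the job's `runs-on` is outside the hunk.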
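Review bot: With `provenance: false` kept on the Astera build step, nothing visible in this hunk records on the pushed image which public digest it was built from; that link appears to live only in the run's logs. The digest is now available as `needs.public.outputs.image-digest`, so it could be attached as an OCI label, for example `org.opencontainers.image.base.digest=${{ needs.public.outputs.image-digest }}`. That would let a deployed overlay be traced back to the exact base image. The `labels:` input currently takes only the metadata-action output, and that step's inputs are outside this hunk, so the extra label would have to be added there.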