Sampleworks container build fully fixed #281
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -108,7 +108,7 @@ jobs: | |||||||||||||||||
| permissions: | ||||||||||||||||||
| contents: read | ||||||||||||||||||
| outputs: | ||||||||||||||||||
| image-ref: ${{ steps.public-ref.outputs.image }} | ||||||||||||||||||
| image-digest: ${{ steps.public-build.outputs.digest }} | ||||||||||||||||||
|
|
||||||||||||||||||
| steps: | ||||||||||||||||||
| - name: Checkout code | ||||||||||||||||||
|
|
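Review bot: the `outputs:` block drops `image-ref` in favour of `image-digest`, and any `needs.public.outputs.image-ref` that survives elsewhere in the workflow will expand to an empty string rather than fail the run. Worth searching the workflow for the old name before merging, and adding a short comment on `image-digest` stating that it is the `sha256:` digest downstream jobs pin to.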
@@ -169,15 +169,9 @@ jobs: | |||||||||||||||||
| BASE_IMAGE=${{ env.CUDA_BASE_IMAGE }} | ||||||||||||||||||
| CHECKPOINTS_IMAGE=${{ steps.checkpoint-ref.outputs.image }} | ||||||||||||||||||
| cache-from: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache | ||||||||||||||||||
| cache-to: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache,mode=max | ||||||||||||||||||
| cache-to: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache,mode=max,ignore-error=true | ||||||||||||||||||
| provenance: false | ||||||||||||||||||
|
|
||||||||||||||||||
| - name: Publish public image ref for Astera overlay | ||||||||||||||||||
| id: public-ref | ||||||||||||||||||
| run: | | ||||||||||||||||||
| short_sha="${GITHUB_SHA:0:${DOCKER_METADATA_SHORT_SHA_LENGTH}}" | ||||||||||||||||||
| echo "image=${PUBLIC_REGISTRY}/${PUBLIC_IMAGE_NAME}:sha-${short_sha}" >> "$GITHUB_OUTPUT" | ||||||||||||||||||
|
|
||||||||||||||||||
| - name: Public image digest | ||||||||||||||||||
| run: echo "Public image pushed with digest ${{ steps.public-build.outputs.digest }}" | ||||||||||||||||||
|
|
||||||||||||||||||
|
|
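Review bot: `ignore-error=true` on the `cache-to` line makes every cache-export failure silent, including a persistent one such as a rejected push to the `:buildcache` ref, so the job keeps passing while the cache goes stale and build times grow. If the intent is only to tolerate transient registry errors, say so in a comment next to the option and consider a periodic check that the buildcache ref is still being updated. Separately, the unchanged `Public image digest` step interpolates `${{ steps.public-build.outputs.digest }}` directly into `run:`; passing it through `env:` keeps workflow expressions out of the shell script text.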
@@ -204,6 +198,13 @@ jobs: | |||||||||||||||||
| username: ${{ secrets.HARBOR_USERNAME }} | ||||||||||||||||||
| password: ${{ secrets.HARBOR_PASSWORD }} | ||||||||||||||||||
|
|
||||||||||||||||||
| - name: Login to public registry | ||||||||||||||||||
| uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4 | ||||||||||||||||||
| with: | ||||||||||||||||||
| registry: ${{ env.PUBLIC_REGISTRY }} | ||||||||||||||||||
| username: ${{ secrets.SAMPLEWORKS_PUBLIC_REGISTRY_USERNAME || secrets.DOCKERHUB_USERNAME }} | ||||||||||||||||||
| password: ${{ secrets.SAMPLEWORKS_PUBLIC_REGISTRY_PASSWORD || secrets.DOCKERHUB_TOKEN }} | ||||||||||||||||||
|
|
||||||||||||||||||
| - name: Docker metadata for Astera image | ||||||||||||||||||
| id: astera-meta | ||||||||||||||||||
| uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6 | ||||||||||||||||||
|
|
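Review bot: in the new `Login to public registry` step, `username` and `password` fall back independently (`secrets.SAMPLEWORKS_PUBLIC_REGISTRY_USERNAME || secrets.DOCKERHUB_USERNAME` and likewise for the password), so a repository with only one of the `SAMPLEWORKS_PUBLIC_REGISTRY_*` secrets set ends up with a username from one pair and a token from the other, and the login fails with no hint as to why. Consider selecting the pair together, or documenting that both secrets must be set or both left unset. Since this job only needs to pull the public image for the overlay build, a read-only credential is enough here.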
@@ -216,6 +217,19 @@ jobs: | |||||||||||||||||
| type=semver,pattern={{version}} | ||||||||||||||||||
| type=semver,pattern=v{{version}} | ||||||||||||||||||
|
|
||||||||||||||||||
| - name: Validate public image digest | ||||||||||||||||||
| env: | ||||||||||||||||||
| PUBLIC_IMAGE_DIGEST: ${{ needs.public.outputs.image-digest }} | ||||||||||||||||||
| run: | | ||||||||||||||||||
| if [ -z "${PUBLIC_IMAGE_DIGEST}" ]; then | ||||||||||||||||||
| echo "public job did not produce an image digest." | ||||||||||||||||||
| exit 1 | ||||||||||||||||||
| fi | ||||||||||||||||||
| if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then | ||||||||||||||||||
| echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}" | ||||||||||||||||||
| exit 1 | ||||||||||||||||||
| fi | ||||||||||||||||||
|
Comment on lines +228 to +231

Contributor

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Validate the full SHA256 digest, not just the prefix.

Suggested fix:

- if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then
+ if ! printf '%s\n' "${PUBLIC_IMAGE_DIGEST}" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}"
exit 1
fi
|
||||||||||||||||||
|
|
||||||||||||||||||
| - name: Build and push Astera image | ||||||||||||||||||
| id: astera-build | ||||||||||||||||||
| uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7 | ||||||||||||||||||
|
|
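Review bot: the `Validate public image digest` step sits after the registry logins and the metadata step, although it depends only on `needs.public.outputs.image-digest`. Moving it to the top of the job fails fast on a missing or malformed digest before any credentials are used. The two `echo` failure messages would also surface better as annotations, for example `echo "::error::public job did not produce an image digest."`.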
@@ -227,9 +241,9 @@ jobs: | |||||||||||||||||
| tags: ${{ steps.astera-meta.outputs.tags }} | ||||||||||||||||||
| labels: ${{ steps.astera-meta.outputs.labels }} | ||||||||||||||||||
| build-args: | | ||||||||||||||||||
| PIXI_WITH_CHECKPOINTS_IMAGE=${{ needs.public.outputs.image-ref }} | ||||||||||||||||||
| PIXI_WITH_CHECKPOINTS_IMAGE=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}@${{ needs.public.outputs.image-digest }} | ||||||||||||||||||
| cache-from: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache | ||||||||||||||||||
| cache-to: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache,mode=max | ||||||||||||||||||
| cache-to: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache,mode=max,ignore-error=true | ||||||||||||||||||
| provenance: false | ||||||||||||||||||
|
|
||||||||||||||||||
| - name: Astera image digest | ||||||||||||||||||
|
|
||||||||||||||||||
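Review bot: the `PIXI_WITH_CHECKPOINTS_IMAGE` build-arg now resolves to `name@sha256:...` with no tag, so nothing in the resulting Astera image or in the job log records which public build it was layered on. Consider echoing the resolved reference in a step before the build, or adding it to `labels:` (the OCI annotation keys `org.opencontainers.image.base.name` and `org.opencontainers.image.base.digest` exist for this purpose), so an image can be traced back to its base without the workflow run.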
We added CONDA_OVERRIDE_CUDA=12 because CI runs on CPU-only GitHub runners, but our Pixi environments depend on CUDA 12 packages. Newer Pixi checks this more strictly and fails if CUDA is not detected, even before tests start. This variable tells Pixi to resolve the environment as CUDA 12 without requiring a real GPU on the CI runner.