Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,9 @@ concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true

env:
CONDA_OVERRIDE_CUDA: "12"

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We added CONDA_OVERRIDE_CUDA=12 because CI runs on CPU-only GitHub runners, but our Pixi environments depend on CUDA 12 packages. Newer Pixi checks this more strictly and fails if CUDA is not detected, even before tests start. This variable tells Pixi to resolve the environment as CUDA 12 without requiring a real GPU on the CI runner.


jobs:
lint:
runs-on: ubuntu-latest
Expand Down
34 changes: 24 additions & 10 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -108,7 +108,7 @@ jobs:
permissions:
contents: read
outputs:
image-ref: ${{ steps.public-ref.outputs.image }}
image-digest: ${{ steps.public-build.outputs.digest }}

steps:
- name: Checkout code
Expand Down Expand Up @@ -169,15 +169,9 @@ jobs:
BASE_IMAGE=${{ env.CUDA_BASE_IMAGE }}
CHECKPOINTS_IMAGE=${{ steps.checkpoint-ref.outputs.image }}
cache-from: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache,mode=max
cache-to: type=registry,ref=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}:buildcache,mode=max,ignore-error=true
provenance: false

- name: Publish public image ref for Astera overlay
id: public-ref
run: |
short_sha="${GITHUB_SHA:0:${DOCKER_METADATA_SHORT_SHA_LENGTH}}"
echo "image=${PUBLIC_REGISTRY}/${PUBLIC_IMAGE_NAME}:sha-${short_sha}" >> "$GITHUB_OUTPUT"

- name: Public image digest
run: echo "Public image pushed with digest ${{ steps.public-build.outputs.digest }}"

Expand All @@ -204,6 +198,13 @@ jobs:
username: ${{ secrets.HARBOR_USERNAME }}
password: ${{ secrets.HARBOR_PASSWORD }}

- name: Login to public registry
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
with:
registry: ${{ env.PUBLIC_REGISTRY }}
username: ${{ secrets.SAMPLEWORKS_PUBLIC_REGISTRY_USERNAME || secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.SAMPLEWORKS_PUBLIC_REGISTRY_PASSWORD || secrets.DOCKERHUB_TOKEN }}

- name: Docker metadata for Astera image
id: astera-meta
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
Expand All @@ -216,6 +217,19 @@ jobs:
type=semver,pattern={{version}}
type=semver,pattern=v{{version}}

- name: Validate public image digest
env:
PUBLIC_IMAGE_DIGEST: ${{ needs.public.outputs.image-digest }}
run: |
if [ -z "${PUBLIC_IMAGE_DIGEST}" ]; then
echo "public job did not produce an image digest."
exit 1
fi
if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then
echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}"
exit 1
fi
Comment on lines +228 to +231

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Validate the full SHA256 digest, not just the prefix.

sha256: or sha256:not-a-digest passes this check and then fails later in the Astera build FROM, so the early validation does not catch invalid digests.

Suggested fix
-          if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then
+          if ! printf '%s\n' "${PUBLIC_IMAGE_DIGEST}" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
             echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}"
             exit 1
           fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if [ "${PUBLIC_IMAGE_DIGEST}" = "${PUBLIC_IMAGE_DIGEST#sha256:}" ]; then
echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}"
exit 1
fi
if ! printf '%s\n' "${PUBLIC_IMAGE_DIGEST}" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
echo "public job produced a non-sha256 digest: ${PUBLIC_IMAGE_DIGEST}"
exit 1
fi
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/docker.yml around lines 228 - 231, The digest check in the
workflow only verifies the sha256: prefix and can still allow invalid values
like sha256:not-a-digest. Update the validation in the PUBLIC_IMAGE_DIGEST check
to ensure the digest is a complete, valid SHA256 value, not just prefixed
correctly, so the early failure catches bad inputs before the Astera build uses
them.


- name: Build and push Astera image
id: astera-build
uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
Expand All @@ -227,9 +241,9 @@ jobs:
tags: ${{ steps.astera-meta.outputs.tags }}
labels: ${{ steps.astera-meta.outputs.labels }}
build-args: |
PIXI_WITH_CHECKPOINTS_IMAGE=${{ needs.public.outputs.image-ref }}
PIXI_WITH_CHECKPOINTS_IMAGE=${{ env.PUBLIC_REGISTRY }}/${{ env.PUBLIC_IMAGE_NAME }}@${{ needs.public.outputs.image-digest }}
cache-from: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache,mode=max
cache-to: type=registry,ref=${{ env.ASTERA_REGISTRY }}/${{ env.ASTERA_IMAGE_NAME }}:buildcache,mode=max,ignore-error=true
provenance: false

- name: Astera image digest
Expand Down
Loading