From b7dd6e862d4e9b0b8f2435578310d506f591fd58 Mon Sep 17 00:00:00 2001
From: Ee Durbin
Date: Fri, 17 Jan 2025 13:54:54 -0500
Subject: [PATCH 1/4] run our docker ci on gha runners directly
---
 .github/workflows/ci.yml | 65 ++++++++++++++++++++++++++++------------
 1 file changed, 46 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ba0c515f944e..53474e0fc753 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,28 +14,57 @@ concurrency: cancel-in-progress: true jobs: build: - if: github.repository == 'pypi/warehouse' - runs-on: depot-ubuntu-24.04-arm + runs-on: ubuntu-24.04-arm outputs: - buildId: ${{ steps.build.outputs.build-id}} + buildId: ${{ github.run_id }} permissions: - id-token: write + packages: write steps: - name: Check out repository uses: actions/checkout@v4 with: persist-credentials: false - - name: Set up Depot CLI - uses: depot/setup-action@v1 - - name: Build image - id: build - uses: depot/build-push-action@v1 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 # zizmor: ignore[cache-poisoning] + - name: Cache + uses: actions/cache@v3 # zizmor: ignore[cache-poisoning] + id: cache with: - save: true + path: | + var-cache-apt + var-lib-apt + root-cache-pip + root-npm + key: cache-${{ hashFiles('Dockerfile') }} + - name: inject cache into docker + uses: reproducible-containers/buildkit-cache-dance@v3.1.0 + with: + cache-map: | + { + "var-cache-apt": "/var/cache/apt", + "var-lib-apt": "/var/lib/apt", + "root-cache-pip": "/root/.cache/pip", + "root-npm": "/root/.npm" + } + skip-extraction: ${{ steps.cache.outputs.cache-hit }} + - name: Login To GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + context: . + cache-from: type=gha + cache-to: type=gha,mode=max + push: true build-args: | DEVEL=yes CI=yes - tags: pypi/warehouse:ci-${{ github.run_id }} + tags: | + ghcr.io/pypi/warehouse:ci-${{ github.run_id }} test: # Time out if our test suite has gotten hung timeout-minutes: 15 @@ -45,10 +74,8 @@ jobs: include: - name: Tests command: bin/tests --postgresql-host postgres - runs_on: depot-ubuntu-24.04-arm-4 - name: Lint command: bin/lint - runs_on: depot-ubuntu-24.04-arm-4 - name: User Documentation command: bin/user-docs - name: Developer Documentation 
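Review bot: The `if: github.repository == 'pypi/warehouse'` guard on the `build` job is dropped while the push target stays hard-coded as `ghcr.io/pypi/warehouse:ci-${{ github.run_id }}` with `push: true`, so a fork running this workflow will try to push into pypi's package with a `GITHUB_TOKEN` that cannot write there and the job fails instead of skipping. Either keep the guard, or derive the name from the running repository, `tags: ghcr.io/${{ github.repository }}:ci-${{ github.run_id }}`, and mirror that in the two `container.image:` references (GHCR image names must be lowercase, so a fork with capitals still needs a lowercasing step). The workflow's `on:` triggers are outside this hunk; if it runs on `pull_request`, same-repository PR runs now hold `packages: write` and publish every PR build into the org's package namespace with no retention visible here, which is worth stating in a comment on the `permissions:` block.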
@@ -59,13 +86,13 @@ jobs: command: bin/licenses - name: Translations command: bin/translations - runs-on: ${{ (matrix.runs_on != null) && matrix.runs_on || 'depot-ubuntu-24.04-arm' }} + runs-on: ubuntu-24.04-arm container: - image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }} + image: ghcr.io/pypi/warehouse:ci-${{ needs.build.outputs.buildId }} env: BILLING_BACKEND: warehouse.subscriptions.services.MockStripeBillingService api_base=http://stripe:12111 api_version=2020-08-27 permissions: - id-token: write + packages: read services: postgres: image: ${{ (matrix.name == 'Tests') && 'postgres:16.1' || '' }} @@ -103,12 +130,12 @@ jobs: check_db: name: Check Database Consistency needs: build - runs-on: depot-ubuntu-24.04-arm + runs-on: ubuntu-24.04-arm continue-on-error: true container: - image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }} + image: ghcr.io/pypi/warehouse:ci-${{ needs.build.outputs.buildId }} permissions: - id-token: write + packages: read services: postgres: image: postgres:16.1 From 8a1642ebf371503ba6b044f62ab558775172d5fe Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 9 May 2025 11:51:58 -0400 Subject: [PATCH 2/4] chore: pin hashes Signed-off-by: Mike Fiedler --- .github/workflows/ci.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c8528335b982..c088e25eac19 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,9 +25,9 @@ jobs: with: persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 # zizmor: ignore[cache-poisoning] + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Cache - uses: actions/cache@v3 # zizmor: ignore[cache-poisoning] + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 id: cache with: path: | 
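Review bot: The `test` job now pulls `ghcr.io/pypi/warehouse:ci-${{ needs.build.outputs.buildId }}` by a mutable tag, so anyone with write access to the package can retag `ci-<run_id>` between the `build` and `test` jobs and the suite would run against a different image than the one just built. Pin the consumer to the build's digest instead: give the build step back an `id: build`, export `digest: ${{ steps.build.outputs.digest }}` next to `buildId`, and use `image: ghcr.io/pypi/warehouse@${{ needs.build.outputs.digest }}` here and in `check_db`. The narrowing of this job's `permissions:` from `id-token: write` to `packages: read` is the right direction and should stay.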
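Review bot: The hash pinning stops one step short: the checkout immediately above this hunk is still referenced by a floating tag (visible in the first patch as `uses: actions/checkout@v4`), so the `build` job keeps one mutable action after a commit whose purpose is to remove them. Pin it the same way as the others, `uses: actions/checkout@<full-commit-sha> # v4.x.y`, so that Dependabot/Renovate can key on the trailing version comment like it does for the lines changed here.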
@@ -37,7 +37,7 @@ jobs: root-npm key: cache-${{ hashFiles('Dockerfile') }} - name: inject cache into docker - uses: reproducible-containers/buildkit-cache-dance@v3.1.0 + uses: reproducible-containers/buildkit-cache-dance@653a570f730e3b9460adc576db523788ba59a0d7 # v3.2.0 with: cache-map: | { @@ -48,13 +48,13 @@ jobs: } skip-extraction: ${{ steps.cache.outputs.cache-hit }} - name: Login To GHCR - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v5 + uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0 with: context: . cache-from: type=gha From 9410d553cba036f6be7708b5129304da046704c8 Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 9 May 2025 12:11:01 -0400 Subject: [PATCH 3/4] chore: ignore cache poisoning as the artifact is not reused Signed-off-by: Mike Fiedler --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c088e25eac19..ba1068e44e7f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,7 +27,7 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 - name: Cache - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning] id: cache with: path: | From f32643049b6327f4c9e18bf7e3a3e3234ea4f11c Mon Sep 17 00:00:00 2001 From: Mike Fiedler Date: Fri, 9 May 2025 12:18:07 -0400 Subject: [PATCH 4/4] nit: use non-legacy syntax Signed-off-by: Mike Fiedler --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 413d192e1906..3c283d71d808 100644 --- a/Dockerfile 
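Review bot: `docker/build-push-action` goes from `@v5` to a v6 commit in a commit titled "pin hashes", which is a major-version upgrade rather than a pin; to my knowledge v6 changed defaults so that a build summary is generated and the build record is uploaded as a workflow artifact unless `DOCKER_BUILD_SUMMARY` / `DOCKER_BUILD_RECORD_UPLOAD` are set to `false`, so confirm that is intended for an image that is pushed with `push: true`. If it is not, add `env: DOCKER_BUILD_RECORD_UPLOAD: false` to the step (or pin to the latest v5 commit), and keep major bumps in their own commit so a pin-only change stays reviewable as a no-op.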
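Review bot: The rationale for `# zizmor: ignore[cache-poisoning]` on the `actions/cache` step lives only in the commit message, and "the artifact is not reused" is slightly imprecise: the restored apt/pip/npm caches are injected into the build by `buildkit-cache-dance`, and the resulting image is pushed and reused by the `test` and `check_db` jobs of the same run. What makes the finding acceptable is that this is a per-run CI image and never a release artifact, so record that next to the suppression where it will survive future edits, e.g. a comment line above the step: `# cache-poisoning suppressed: cached data only lands in the per-run CI image, never in a published release artifact`.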
+++ b/Dockerfile @@ -190,8 +190,8 @@ RUN --mount=type=cache,target=/root/.cache/pip \ FROM python:3.13.2-slim-bookworm # Setup some basic environment variables that are ~never going to change. -ENV PYTHONUNBUFFERED 1 -ENV PYTHONPATH /opt/warehouse/src/ +ENV PYTHONUNBUFFERED=1 +ENV PYTHONPATH=/opt/warehouse/src/ ENV PATH="/opt/warehouse/bin:${PATH}" WORKDIR /opt/warehouse/src/