run our docker ci on gha runners directly #17442
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
ewdurbin
force-pushed
the
testing_gha_runners
branch
2 times, most recently
from
f0bc2ba to
5a0d26c
Compare
ewdurbin
force-pushed
the
testing_gha_runners
branch
from
1311420 to
095c511
Compare
ewdurbin
force-pushed
the
testing_gha_runners
branch
from
095c511 to
b7dd6e8
Compare
|
Overall, this has proven pretty flaky... seemingly unrelated to anything we're doing in particular :/ 
|
|
|
zizmor errors can probably be resolved easily with https://gha-update.readthedocs.io/ |
|
#18103 should unblock this |
Signed-off-by: Mike Fiedler <[email protected]>
miketheman
added
testing
Signed-off-by: Mike Fiedler <[email protected]>
| save: true | ||
| context: . | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max |
There was a problem hiding this comment.
I think we need something like:
| cache-to: type=gha,mode=max | |
| cache-to: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository && '' || 'type=gha,mode=max' }} |
Otherwise action runs on PRs from untrusted forks can overwrite this cache as well.
(cc @woodruffw, should zizmor flag this?)
There was a problem hiding this comment.
Huh yeah, it should -- I'm actually confused as to why it didn't, since I have a coordinate for the push: true part of this:
There was a problem hiding this comment.
Oh never mind, I see why it didn't: it considers docker/build-push-action a "publish sink" but not a "cache source" at the moment, since I'm only detecting push: true and not the cache-to: ... field.
This is a shortcoming in the current audit, I'll file an issue 🙂
There was a problem hiding this comment.
Awesome, thanks! Just to confirm, this suggestion resolves the issue, correct?
There was a problem hiding this comment.
I think so, although I'm murky on whether doing the same for cache-from is also needed: that's a sink rather than a source so I think it's okay, but I might be missing something.
There was a problem hiding this comment.
I think we specifically want cache-from to always be permitted here, so PRs can take advantage of our central cache to speed up builds (but can't write to it).
| var-lib-apt | ||
| root-cache-pip | ||
| root-npm | ||
| key: cache-${{ hashFiles('Dockerfile') }} |
There was a problem hiding this comment.
| key: cache-${{ hashFiles('Dockerfile') }} | |
| key: cache-${{ hashFiles('Dockerfile') }} | |
| lookup-only: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }} |
https://github.com/actions/cache/blob/5a3ec84eff668545956fd18022155c47e93e2684/README.md?plain=1#L78
Signed-off-by: Mike Fiedler <[email protected]>
No description provided.