DO NOT MERGE — smoke-test BuildKit mirror fix (NVIDIA/dsx-github-actions#48)#12
Closed
nvjaxzin wants to merge 2 commits into
Closed
DO NOT MERGE — smoke-test BuildKit mirror fix (NVIDIA/dsx-github-actions#48)#12nvjaxzin wants to merge 2 commits into
nvjaxzin wants to merge 2 commits into
Conversation
DO NOT MERGE. Temporary pin of the docker-build composite action to the head of NVIDIA/dsx-github-actions#48 (commit 480b123eed6fa49a1fe23ea0f963ca9f0d8b7752, branch fix/buildkit-registry-mirror) to verify that the auth-callout Docker Build job successfully pulls golang:1.25.5 via dockerhub.nvidia.com instead of hitting the Docker Hub unauthenticated rate limit. Reverts to the v1.16.0 tag before merge. Tracks nvbug 6225636. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: Brian R. Jackson <brijackson@nvidia.com>
|
Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually. Contributors can view more details about this message here. |
4 tasks
Contributor
Author
|
/ok to test |
🔐 TruffleHog Secret Scan✅ No secrets or credentials found! Your code has been scanned for 700+ types of secrets and credentials. All clear! 🎉 🕐 Last updated: 2026-05-26 22:09:23 UTC | Commit: 7284ce9 |
🛡️ CodeQL Analysis✅ No security issues found! 💡 Note: Enable GitHub Advanced Security to see full details in the Security tab. 🕐 Last updated: 2026-05-26 22:10:20 UTC | Commit: 7284ce9 |
DO NOT MERGE. Adds a smoke-test step ahead of each docker-build composite action call that confirms /etc/buildkit/buildkitd.toml is present on the nv-gha-runner. The step echoes the file contents into the job log so reviewers can verify the [registry."docker.io"] mirrors = ["dockerhub.nvidia.com"] block is actually being supplied to BuildKit. Combined with the existing pin to fix/buildkit-registry-mirror, this gives a two-pronged confirmation: (1) the mirror config exists on the runner, and (2) the golang:1.25.5 pull succeeds without 429. Tracks nvbug 6225636. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: Brian R. Jackson <brijackson@nvidia.com>
Contributor
Author
|
/ok to test |
Contributor
Author
|
Closing — PR NVIDIA/dsx-github-actions#48 merged and PR #50 on the same repo unblocked Build CDS Containers on |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose — DO NOT MERGE
Temporary pin of the
docker-buildcomposite action to the head of NVIDIA/dsx-github-actions#48 (fix/buildkit-registry-mirror, commit480b123eed6fa49a1fe23ea0f963ca9f0d8b7752) so we can verify the BuildKit registry-mirror fix end-to-end on the exact build that originally failed.Also adds a small verification step ahead of each
docker-buildcall that dumps/etc/buildkit/buildkitd.tomlfrom the runner into the job log. Reviewers can read that block directly to confirm the mirror is configured to point atdockerhub.nvidia.com.Tracks: nvbug 6225636.
What this validates
The
Docker Build (auth-callout)job pullsgolang:1.25.5as the builder base image. Previously that pull went toregistry-1.docker.ioand hit the Docker Hub unauthenticated rate limit (429 toomanyrequests). With the fix in #48,docker/setup-buildx-actionis givenbuildkitd-config: /etc/buildkit/buildkitd.toml, which routes BuildKit pulls throughdockerhub.nvidia.com(NVIDIA's Artifactory pull-through cache) instead.Two signals to confirm in the job logs:
SMOKE-TEST — verify buildkitd mirror config is present on runner) prints the actual TOML contents. Look for[registry."docker.io"]withmirrors = ["dockerhub.nvidia.com"].golang:1.25.5cleanly, no429. This is the regression-passing signal.The
Container Scan (auth-callout)job exercises the composite action a second time on a separate runner, so a green run there also verifies the config is available across runner instances.Rollback
Close this PR without merging. After NVIDIA/dsx-github-actions#48 merges and a new tag (likely
v1.17.0) is cut, a separate adoption PR will bump bothuses:lines to the new tag and drop the verification step.Test plan
copy-pr-botvetted so workflows can run.SMOKE-TEST — verify buildkitd mirror config is present on runnerstep inDocker Build (auth-callout)succeeds and showsmirrors = ["dockerhub.nvidia.com"].Docker Build (auth-callout)job succeeds end-to-end ongolang:1.25.5.Container Scan (auth-callout).