fix: simplify GHCR image naming to resolve 403 Forbidden #12
name: Build CDS Containers

# Runs for pushes to main and for pull requests that touch cds-containers/
# or this workflow file, and on manual dispatch.
on:
  push:
    branches:
      - main  # Images are only pushed for commits that land on main
    paths:
      - 'cds-containers/**'
      - '.github/workflows/build-cds-containers.yml'
  pull_request:
    paths:
      - 'cds-containers/**'
      - '.github/workflows/build-cds-containers.yml'
  workflow_dispatch:  # Allow manual trigger

env:
  REGISTRY: ghcr.io
  IMAGE_NAMESPACE: nvidia
  IMAGE_PREFIX: dsx-cds-  # Prepended to each matrix image name

# Default GITHUB_TOKEN scopes. A job that declares no permissions block of
# its own inherits both entries, including packages: write.
permissions:
  contents: read
  packages: write  # Required to push to GHCR

jobs:
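# Job 1: Read the container version from cds-containers/VERSION
  get-version:
    runs-on: ubuntu-latest
    # This job only reads the repository, so it narrows the workflow-level
    # token scopes instead of inheriting packages: write.
    permissions:
      contents: read
    outputs:
      version: ${{ steps.extract-version.outputs.version }}
    steps:
      - name: Checkout code
        # NOTE(review): referenced by a mutable tag; pinning to a full commit
        # SHA would make the action reference immutable.
        uses: actions/checkout@v4
        with:
          # No later step in this job uses git, so the token is not left
          # behind in the checked-out repository's git config.
          persist-credentials: false
      - name: Extract version from VERSION
        id: extract-version
        # The version is later expanded into image tags and into the scripts
        # of downstream jobs, and on pull requests the file content is chosen
        # by the PR author. Only values that are valid image tags are
        # accepted, and a rejected value is never echoed to the log.
        run: |
          VERSION="$(tr -d '[:space:]' < cds-containers/VERSION)"
          if ! printf '%s' "$VERSION" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
            echo "::error file=cds-containers/VERSION::VERSION must be a valid image tag (letters, digits, '_', '.', '-')"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "π Container version: $VERSION"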
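# Job 2: Build every container image; push only on push events
  build-and-push-images:
    runs-on: ubuntu-latest
    needs: get-version
    # The only job that writes to the registry, so the write scope is
    # declared here explicitly.
    permissions:
      contents: read
      packages: write
    strategy:
      fail-fast: false
      matrix:
        image:
          # name is appended to IMAGE_PREFIX (dsx-cds-). It must not repeat
          # the cds- prefix: the test and summary jobs reference
          # ghcr.io/nvidia/dsx-cds-tools and dsx-cds-go-dev-1.24-alpine,
          # which a name such as cds-tools (dsx-cds-cds-tools) never produces.
          - name: tools
            path: cds-containers/tools
            description: "CDS tools container with Bazel, Terraform, Helm, kubectl, NGC CLI, etc."
          - name: grafana-backup-tool
            path: cds-containers/grafana-backup-tool
            description: "Grafana backup tool container"
          - name: go-dev-1.24-alpine
            path: cds-containers/go-dev-1.24-alpine
            description: "Go 1.24 development container (Alpine-based, minimal size)"
          - name: go-dev-1.24-debian
            path: cds-containers/go-dev-1.24-debian
            description: "Go 1.24 development container (Debian-based, better compatibility)"
    # NOTE(review): every action below is referenced by a mutable tag and runs
    # in a job holding packages: write; pinning each to a full commit SHA
    # would make the references immutable.
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # The build uses a path context and no git commands follow, so the
          # token is not persisted into the checkout.
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ env.IMAGE_PREFIX }}${{ matrix.image.name }}
          tags: |
            # Version read from cds-containers/VERSION, e.g. 0.0.1
            type=raw,value=${{ needs.get-version.outputs.version }}
            # Same version with a -latest suffix, e.g. 0.0.1-latest
            type=raw,value=${{ needs.get-version.outputs.version }},enable=true,suffix=-latest
            # Latest tag
            type=raw,value=latest
            # Commit SHA: dev-abc1234 (for testing specific builds)
            type=sha,prefix=dev-
            # Branch name (for PR/branch builds)
            type=ref,event=branch
            type=ref,event=pr
          labels: |
            org.opencontainers.image.description=${{ matrix.image.description }}
            org.opencontainers.image.vendor=NVIDIA
            org.opencontainers.image.version=${{ needs.get-version.outputs.version }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: ./cds-containers
          file: ${{ matrix.image.path }}/Dockerfile
          # Only push on push events (not PRs) to avoid permission issues.
          # Manually dispatched runs build without pushing as well.
          push: ${{ github.event_name == 'push' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Build summary
        env:
          # Handed over through the environment so the tag list reaches the
          # shell as data rather than as text spliced into the script.
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          if [ "$GITHUB_EVENT_NAME" = "push" ]; then
            echo "β Image built and pushed to GHCR:"
          else
            echo "β Image built successfully (not pushed in PR)"
            echo "π¦ Tags that would be created:"
          fi
          printf '%s\n' "$TAGS" | sed 's/^/ - /'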
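# Job 3: Smoke-test the go-dev image that was just pushed
  test-go-dev-image:
    runs-on: ubuntu-latest
    needs: [get-version, build-and-push-images]
    # Only run tests when images are pushed (not on PRs)
    if: github.event_name == 'push'
    # Pulling the job container needs read access to packages and nothing
    # else; without this block the job inherits packages: write.
    permissions:
      packages: read
    # Use the newly built go-dev container with version tag.
    # NOTE(review): the version tag is re-pushed by every build, so this
    # resolves to whichever image holds the tag when the job starts.
    container:
      image: ghcr.io/nvidia/dsx-cds-go-dev-1.24-alpine:${{ needs.get-version.outputs.version }}
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    env:
      # Read by the scripts as "$CDS_VERSION" so the value is never expanded
      # into shell or Go source text.
      CDS_VERSION: ${{ needs.get-version.outputs.version }}
    steps:
      - name: Test container tools
        run: |
          echo "Testing Go development container (v${CDS_VERSION})..."
          go version
          golangci-lint --version
          goimports -h || true
          echo ""
          echo "β Go container tools are working!"
      - name: Test building Go code
        run: |
          # Create a simple Go program to test; it reads the version from the
          # environment at run time.
          cat > hello.go << 'EOF'
          package main

          import (
              "fmt"
              "os"
          )

          func main() {
              fmt.Printf("Hello from CDS Go container v%s!\n", os.Getenv("CDS_VERSION"))
          }
          EOF
          go build hello.go
          ./hello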
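# Job 4: Smoke-test the tools image that was just pushed
  test-tools-image:
    runs-on: ubuntu-latest
    needs: [get-version, build-and-push-images]
    # Only run tests when images are pushed (not on PRs)
    if: github.event_name == 'push'
    # Pulling the job container needs read access to packages and nothing
    # else; without this block the job inherits packages: write.
    permissions:
      packages: read
    container:
      image: ghcr.io/nvidia/dsx-cds-tools:${{ needs.get-version.outputs.version }}
      credentials:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    env:
      # Read by the script as "$CDS_VERSION" instead of being expanded into it.
      CDS_VERSION: ${{ needs.get-version.outputs.version }}
    steps:
      - name: Test tools container
        # echo "$(tool --version)" exits 0 even when the tool is missing, so
        # a plain echo can never fail this step. report() rejects an empty
        # (or jq "null") version string before printing it.
        run: |
          report() {
            if [ -z "$2" ] || [ "$2" = "null" ]; then
              echo "::error::$1 did not report a version"
              exit 1
            fi
            echo " - $1: $2"
          }
          echo "Testing CDS tools container (v${CDS_VERSION})..."
          echo ""
          echo "π§ Tool versions:"
          report "Bazel (default)" "$(bazel --version)"
          report "Bazel 6" "$(bazel6 --version)"
          report "Bazel 8" "$(bazel8 --version)"
          report "Kubectl" "$(kubectl version --client --short 2>/dev/null || kubectl version --client)"
          report "Helm" "$(helm version --short)"
          report "Terraform" "$(terraform version -json | jq -r '.terraform_version')"
          report "Terragrunt" "$(terragrunt --version)"
          report "NGC CLI" "$(ngc version --json | jq -r '.version')"
          report "YQ" "$(yq --version)"
          report "Node.js" "$(node --version)"
          report "Python" "$(python3 --version)"
          report "UV" "$(uv --version)"
          echo ""
          echo "β All tools are working!"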
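# Job 5: Summary of what the run actually did
  summary:
    runs-on: ubuntu-latest
    needs: [get-version, build-and-push-images, test-go-dev-image, test-tools-image]
    # Runs for every trigger and after failures, so nothing below may assume
    # that images were pushed or that tests ran.
    if: always()
    # The job only prints text; it needs no token scopes at all.
    permissions: {}
    steps:
      - name: Build summary
        env:
          # On pull requests the version comes from a file the PR author
          # controls, so it is passed as data and read as "$VERSION" rather
          # than expanded into the script.
          VERSION: ${{ needs.get-version.outputs.version }}
          BUILD_RESULT: ${{ needs.build-and-push-images.result }}
          GO_TEST_RESULT: ${{ needs.test-go-dev-image.result }}
          TOOLS_TEST_RESULT: ${{ needs.test-tools-image.result }}
        # A backslash does not stop expression expansion inside run, so the
        # usage example emits its dollar sign from the shell variable d. That
        # keeps the example literal and keeps the real token out of the script.
        run: |
          d='$'
          echo "## π CDS Containers Build Summary"
          echo ""
          echo "π¦ Version: $VERSION"
          echo "π¨ Trigger: $GITHUB_EVENT_NAME"
          echo "π Commit: $GITHUB_SHA"
          echo ""
          if [ "$GITHUB_EVENT_NAME" = "push" ] && [ "$BUILD_RESULT" = "success" ]; then
            echo "β Built and pushed 4 container images to GHCR:"
          else
            echo "Images were not all pushed (trigger: $GITHUB_EVENT_NAME, build result: $BUILD_RESULT). Image names:"
          fi
          echo " - ghcr.io/nvidia/dsx-cds-tools:$VERSION"
          echo " - ghcr.io/nvidia/dsx-cds-grafana-backup-tool:$VERSION"
          echo " - ghcr.io/nvidia/dsx-cds-go-dev-1.24-alpine:$VERSION"
          echo " - ghcr.io/nvidia/dsx-cds-go-dev-1.24-debian:$VERSION"
          echo ""
          echo "π Usage example:"
          echo " container:"
          echo " image: ghcr.io/nvidia/dsx-cds-tools:$VERSION"
          echo " credentials:"
          echo " username: ${d}{{ github.actor }}"
          echo " password: ${d}{{ secrets.GITHUB_TOKEN }}"
          echo ""
          if [ "$GO_TEST_RESULT" = "success" ] && [ "$TOOLS_TEST_RESULT" = "success" ]; then
            echo "β All tests passed!"
          else
            echo "Test results: go-dev=$GO_TEST_RESULT, tools=$TOOLS_TEST_RESULT"
          fi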