From 480b123eed6fa49a1fe23ea0f963ca9f0d8b7752 Mon Sep 17 00:00:00 2001 From: "Brian R. Jackson" Date: Tue, 26 May 2026 17:43:03 -0400 Subject: [PATCH] fix(docker-build): point BuildKit at the NVIDIA Docker Hub mirror MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Configure docker/setup-buildx-action with a buildkitd config that the nv-gha-runners pre-populate at /etc/buildkit/buildkitd.toml. That file routes BuildKit's docker.io pulls through dockerhub.nvidia.com, NVIDIA's Artifactory pull-through cache, instead of going straight to Docker Hub. Without this, BuildKit on nv-gha-runners ignores the daemon-level mirror and pulls anonymously from Docker Hub, which hits the unauthenticated rate limit and breaks Docker builds across DSX repos (nvbug 6225636). Three call sites are updated: - .github/actions/docker-build/action.yml — the composite action used by every consumer (e.g. dsx-exchange). Bumping the consuming repos to the next tag of this action is all they need to do. - .github/workflows/build-cds-containers.yml — this repo's own image build workflow. - .github/actions/security-container-scan/README.md — example snippets now show the BuildKit config step so adopters copy the right pattern. Follows the documented NVIDIA GHA platform best practice: https://docs.gha-runners.nvidia.com/platform/best-practices/#use-docker-cache-for-buildkit Co-Authored-By: Claude Opus 4.7 Signed-off-by: Brian R. Jackson --- .github/actions/docker-build/action.yml | 2 ++ .github/actions/security-container-scan/README.md | 10 ++++++++++ .github/workflows/build-cds-containers.yml | 2 ++ 3 files changed, 14 insertions(+) diff --git a/.github/actions/docker-build/action.yml b/.github/actions/docker-build/action.yml index fe9278e..2f98b1e 100644 --- a/.github/actions/docker-build/action.yml +++ b/.github/actions/docker-build/action.yml 
@@ -122,6 +122,8 @@ runs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + buildkitd-config: /etc/buildkit/buildkitd.toml - name: Prepare security scan vars if: inputs.security-scan-enabled == 'true' diff --git a/.github/actions/security-container-scan/README.md b/.github/actions/security-container-scan/README.md index 870d947..8dda4d4 100644 --- a/.github/actions/security-container-scan/README.md +++ b/.github/actions/security-container-scan/README.md @@ -39,6 +39,11 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + buildkitd-config: /etc/buildkit/buildkitd.toml + - name: Build image locally uses: docker/build-push-action@v5 with: @@ -68,6 +73,11 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + buildkitd-config: /etc/buildkit/buildkitd.toml + - name: Build image locally uses: docker/build-push-action@v5 with: diff --git a/.github/workflows/build-cds-containers.yml b/.github/workflows/build-cds-containers.yml index 08bfeac..900b1a8 100644 --- a/.github/workflows/build-cds-containers.yml +++ b/.github/workflows/build-cds-containers.yml @@ -81,6 +81,8 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + buildkitd-config: /etc/buildkit/buildkitd.toml - name: Log in to GitHub Container Registry if: github.ref == 'refs/heads/main'
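Review bot: The new `buildkitd-config: /etc/buildkit/buildkitd.toml` in .github/actions/docker-build/action.yml hard-codes a host path that, per the commit message, only the nv-gha-runners pre-populate, yet this composite action is described as used by every consumer. As far as I know docker/setup-buildx-action fails when the named config file does not exist, so a consumer on any other runner would break at this step with no hint of the cause. The same line in .github/workflows/build-cds-containers.yml carries the same assumption. I would resolve the path in a preceding step and pass it only when the file is readable, with a warning otherwise, so the job log shows which registry path the build used. The steps list starts and continues outside the hunk, so the indentation below is a guess.

```yaml
    - name: Locate runner BuildKit config
      id: buildkitd
      shell: bash
      run: |
        cfg=/etc/buildkit/buildkitd.toml
        if [ -r "$cfg" ]; then
          echo "config=$cfg" >> "$GITHUB_OUTPUT"
        else
          echo "::warning::$cfg not found; BuildKit will pull from docker.io directly"
        fi

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
      with:
        buildkitd-config: ${{ steps.buildkitd.outputs.config }}

    # … unchanged: Prepare security scan vars and later steps …
```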
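Review bot: Nothing at the added `with:` / `buildkitd-config:` lines in .github/workflows/build-cds-containers.yml records that this file is supplied by the runner and decides which registry serves docker.io base images, in a job that on main goes on to log in to GHCR. A comment above `with:` such as `# Runner-provided (nv-gha-runners): routes docker.io pulls through the dockerhub.nvidia.com mirror; contents are not controlled by this repo` would make that trust boundary explicit for the next maintainer. If the Dockerfiles built here reference base images by tag rather than by digest (not visible in this hunk), pinning them by digest would keep the build result independent of what the mirror returns for a tag. The job's step list continues outside the hunk.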