From 1be5ca17c7ef1c5c7170c42ead8ae3fe4e8cc49e Mon Sep 17 00:00:00 2001
From: "Brian R. Jackson"
Date: Tue, 26 May 2026 18:36:16 -0400
Subject: [PATCH] refactor(build-cds-containers): run on nv-gha-runners

Move all five jobs in build-cds-containers.yml from runs-on: ubuntu-latest
to runs-on: linux-amd64-cpu4 (NVIDIA self-hosted runners).

With the workflow on nv-gha-runners, the buildkitd-config introduced in #48
does meaningful work: BuildKit routes docker.io pulls through
dockerhub.nvidia.com instead of going anonymously to Docker Hub. Three of
the four matrix images today pull base images from Docker Hub:

- grafana-backup-tool: ysde/docker-grafana-backup-tool:1.4.2-slim
- go-dev-1.24-debian: golang:1.24.3
- go-dev-1.24-alpine: golang:1.24.3-alpine

(The tools image bases on nvcr.io and is unaffected either way.)

Rationale:

1. Consistency. Every other docker-build path in this repo (composite
   action, reusable workflow, security-container-scan examples) assumes
   nv-gha-runners. This workflow being on ubuntu-latest was the odd one out.

2. Per the NVIDIA GHA platform best practice, BuildKit pulls from
   nv-gha-runners should go through the dockerhub.nvidia.com Artifactory
   mirror. That is exactly what the buildkitd-config already in this step
   provides.

3. Avoid future surprise. If anyone adds another Docker Hub base image to
   this matrix, the build is now insulated from anonymous rate-limit
   failures (nvbug 6225636).

4. Org policy. NVIDIA-owned CI on NVIDIA OSS repos generally belongs on
   NVIDIA-provisioned runners.

This change supersedes #49 (the revert hotfix). If this PR is the chosen
direction, close #49.

Tracks: nvbug 6225636.

Co-Authored-By: Claude Opus 4.7
Signed-off-by: Brian R. Jackson
---
 .github/workflows/build-cds-containers.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-cds-containers.yml b/.github/workflows/build-cds-containers.yml
index 900b1a8..d2228a3 100644
--- a/.github/workflows/build-cds-containers.yml +++ b/.github/workflows/build-cds-containers.yml @@ -34,7 +34,7 @@ env: jobs: # Job 1: Read version from VERSION.md get-version: - runs-on: ubuntu-latest + runs-on: linux-amd64-cpu4 permissions: contents: read outputs: @@ -53,7 +53,7 @@ jobs: # Job 2: Build and push all container images build-and-push-images: - runs-on: ubuntu-latest + runs-on: linux-amd64-cpu4 permissions: contents: read packages: write # Required to push to GHCR @@ -139,7 +139,7 @@ jobs: # Job 3: Test using the built go-dev image test-go-dev-image: - runs-on: ubuntu-latest + runs-on: linux-amd64-cpu4 permissions: contents: read packages: read @@ -181,7 +181,7 @@ jobs: # Job 4: Test using tools container test-tools-image: - runs-on: ubuntu-latest + runs-on: linux-amd64-cpu4 permissions: contents: read packages: read @@ -219,7 +219,7 @@ jobs: # Job 5: Summary summary: - runs-on: ubuntu-latest + runs-on: linux-amd64-cpu4 permissions: contents: read needs: [get-version, build-and-push-images, test-go-dev-image, test-tools-image]
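Review bot: In the @@ -34,7 hunk (get-version) the mirror rationale from the commit message does not apply: this job only reads VERSION.md (permissions: contents: read, no image pull), so the only reason to move it is the consistency/org-policy argument, and the same holds for the summary job in the @@ -219,7 hunk, which just aggregates the needs: [...] results. That is a defensible choice, but it means two trivial jobs now queue on the shared linux-amd64-cpu4 pool on every run; worth a one-line comment above each runs-on: linux-amd64-cpu4 saying the label is there for consistency, so nobody later "optimizes" it back to ubuntu-latest and recreates the odd-one-out situation the message describes.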
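Review bot: The @@ -53,7 hunk (build-and-push-images) is the one that carries packages: write, and two things should be confirmed before merging. First, the diff only changes runs-on; the buildkitd-config that the message says "already in this step provides" the dockerhub.nvidia.com routing is not visible here, so verify on a real run that the golang:1.24.3, golang:1.24.3-alpine and ysde/docker-grafana-backup-tool:1.4.2-slim pulls resolve via the Artifactory mirror rather than registry-1.docker.io (the BuildKit log shows the resolved registry) before treating nvbug 6225636 as closed. Second, this job now executes with a GHCR write token on NVIDIA-provisioned self-hosted runners in what the message calls an NVIDIA OSS repo; the workflow's on: triggers are outside this diff, so confirm the job cannot be reached from pull_request events on fork branches (or that the linux-amd64-cpu4 pool is ephemeral and isolated), since self-hosted runners on public repositories are exactly the case GitHub's own documentation warns against.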
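Review bot: In the @@ -139,7 hunk (test-go-dev-image) and the @@ -181,7 hunk (test-tools-image), permissions: packages: read shows these jobs pull the just-pushed images from GHCR, and ghcr.io is not docker.io, so the dockerhub.nvidia.com mirror gives them nothing; the move is purely for consistency. What does change is the network: these jobs previously ran on GitHub-hosted ubuntu-latest with unrestricted egress, and now depend on the linux-amd64-cpu4 runners being able to reach ghcr.io (and nvcr.io for the tools image). Suggest running the workflow once end to end on this branch and noting in the PR that the pull and login steps succeeded on the new runners, rather than inferring it from the build job passing.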