Introduce isolation in artifacts.yaml #749
Conversation
| @@ -75,6 +75,9 @@ jobs: | |||
| path: ${{ env.x86_64_image_path }} | |||
| export-docker-image-arm64: | |||
There was a problem hiding this comment.
We have another job export-docker-image-x86_64 above. If it does for arm64, why don't we do it for x86_64 as well?
There was a problem hiding this comment.
x86_64 is run on Github-hosted runner, so it would be unnecessary
.github/workflows/artifacts.yaml
Outdated
| container: | ||
| image: arm64v8/ubuntu:22.04 # Specify an arm64 Docker image here | ||
| options: --security-opt=no-new-privileges # Optional: Add additional Docker security options |
There was a problem hiding this comment.
Looks like it fails the presubmit check, could you check it?
There was a problem hiding this comment.
I skipped this on purpose since the job is run in runs-on: ubuntu-22.04, which is a Github-hosted runner. It will have it's own isolation so this is not really necessary.
There was a problem hiding this comment.
Regardless of the purpose of this PR, it shouldn't break any presubmit checks. This PR is currently breaking export-docker-image-arm64.
https://github.com/google/android-cuttlefish/actions/runs/11336098940/job/31525430431?pr=749
There was a problem hiding this comment.
Sorry, it takes some time to see if it possible to do docker-in-docker for bazel to work on building docker images
|
Hey, I have updated the code, but can we launch it on your setup? |
Ah, sure. I wasn't able to visit here for a couple of days due to my personal reasons. You wanted to trigger the presubmit, right? |
|
Hey!The whole github actions pipeline would be great. I need to see if i have any discrepancies with your self hosted setupBest,Anatoly IvanovOn 25 Oct 2024, at 05:29, seungjaeyoo ***@***.***> wrote:
Hey, I have updated the code, but can we launch it on your setup?
Ah, sure. I wasn't able to visit here for a couple of days due to my personal reasons. You wanted to trigger the presubmit, right?
—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>
|
|
Sorry, but I don't have enough bandwidth to try that today. Perhaps I can try with your pending PR next Monday. Out of curiosity, what's the purpose for checking the discrepancies? It seems it still fails the presubmit check. |
README.md
Outdated
| 123 | ||
| 123 | ||
| 123 | ||
| 123 | ||
| 123 | ||
| 123 | ||
| 123 | ||
| 123 |
docker/image-builder.sh
Outdated
| pushd $android_cuttlefish_root_dir | ||
| docker build \ | ||
| # Use the PLATFORM environment variable, defaulting to linux/amd64 if not set | ||
| platforms="${PLATFORM:-linux/amd64}" |
There was a problem hiding this comment.
I prefer to remove PLATFORM env variable. It's not a standard one in Linux, so it would lead building amd64 image in arm64 machine as well in default.
.github/workflows/artifacts.yaml
Outdated
| @@ -87,7 +90,7 @@ jobs: | |||
| - name: bazel version | |||
| run: bazel version | |||
| - name: Build docker image | |||
| run: bazel build --sandbox_writable_path=$HOME //docker:orchestration_image_tar | |||
| run: bazel build --sandbox_writable_path=$HOME //docker:orchestration_image_tar --action_env=PLATFORM=linux/arm64 | |||
There was a problem hiding this comment.
Here, future users need to specify the arch when building docker image, though they may not be interested.
Add isolation in Github CI/CD to avoid unsafe code being executed in the self-hosted runner. This could otherwise lead to the runner takeover