Merged
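--- a/.github/workflows/shadow-docker-build.yml
+++ b/.github/workflows/shadow-docker-build.yml
@@ -0,0 +1,89 @@
+name: Shadow — Docker Build (local driver + GHA cache)
+
+# OS-49 Phase 3 / PR 3 — non-blocking shadow of docker-build.yml.
+#
+# Exercises buildx's local (docker-container) driver plus GHA-cache
+# (type=gha, scoped per component+arch) so Docker builds no longer depend on
+# the in-cluster BuildKit pods. Per-arch matrix on nv-gha-runners; each job
+# builds a single platform natively (no QEMU). No multi-arch manifest
+# merging — that folds into the real cut-over in Phase 6.
+#
+# Plan, decision thresholds, and results: OS-127 Linear issue. Dispatch
+# manually 4–5 times after merge to collect cold + warm numbers.
+
+on:
+push:
+branches: [main]
+workflow_dispatch:
+
+permissions:
+contents: read
+packages: read
+
+env:
+MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+shadow-build:
+name: shadow ${{ matrix.component }} (${{ matrix.arch }})
+strategy:
+fail-fast: false
+matrix:
+component: [gateway, supervisor, cluster]
+arch: [amd64, arm64]
+include:
+- arch: amd64
+runner: linux-amd64-cpu8
+- arch: arm64
+runner: linux-arm64-cpu8
+runs-on: ${{ matrix.runner }}
+container:
+image: ghcr.io/nvidia/openshell/ci:latest
+credentials:
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+options: --privileged
+volumes:
+- /var/run/docker.sock:/var/run/docker.sock
+timeout-minutes: 45
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Mark workspace safe for git
+run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+- name: Install tools
+run: mise install
+
+- name: Set up buildx (local driver)
+uses: ./.github/actions/setup-buildx
+with:
+driver: local
+
+- name: Package Helm chart (cluster only)
+if: matrix.component == 'cluster'
+run: |
+mkdir -p deploy/docker/.build/charts
+helm package deploy/helm/openshell -d deploy/docker/.build/charts/
+
+- name: Build ${{ matrix.component }} (${{ matrix.arch }})
+# Matches docker-build.yml's default EXTRA_CARGO_FEATURES so CI image
+# content is comparable. No --push: the shadow measures build/cache
+# mechanics, not publish behavior. Multi-arch manifests are Phase 6.
+run: |
+docker buildx build \
+--builder openshell \
+--platform linux/${{ matrix.arch }} \
+--cache-from type=gha,scope=${{ matrix.component }}-${{ matrix.arch }} \
+--cache-to type=gha,mode=max,scope=${{ matrix.component }}-${{ matrix.arch }} \
+--build-arg EXTRA_CARGO_FEATURES=openshell-core/dev-settings \
+--load \
+--file deploy/docker/Dockerfile.images \
+--target ${{ matrix.component }} \
+.
+
+- name: buildx du
+if: always()
+run: docker buildx du --builder openshell || true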
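Review bot: The `container:` block runs every step in `ghcr.io/nvidia/openshell/ci:latest` with `options: --privileged` and the host's `/var/run/docker.sock` mounted, so whatever that mutable tag resolves to at run time has root-equivalent control of the runner; pin the image by digest, e.g. `image: ghcr.io/nvidia/openshell/ci@sha256:<digest-placeholder>`. With the socket already mounted, `--privileged` may be redundant for a buildx build against the host daemon; that depends on `./.github/actions/setup-buildx`, which is not shown here, so it is worth confirming and dropping the flag if nothing needs it. `MISE_GITHUB_TOKEN` is set in the workflow-level `env:` and is therefore visible to every step, including the image build; it looks like only `mise install` reads it, so it would be tighter as an `env:` entry on the "Install tools" step. The checkout step could also set `persist-credentials: false` and reference `actions/checkout` by commit SHA rather than `@v4`, since nothing later in the job appears to push.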