Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com>
| BASE_IMAGE=base | ||
| push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} | ||
| cache-from: type=gha,scope=demo-gpu | ||
| cache-to: type=gha,mode=max,scope=demo-gpu |
does depot cache it automatically?
Yes — Depot persists Docker layer cache to NVMe storage per project automatically, shared across all builds in the project (across runs, branches, PRs). That's why this PR drops all the cache-from: type=gha / cache-to: type=gha and registry buildcache plumbing — it's redundant on Depot.
Ref: https://depot.dev/docs/container-builds/overview ("Persistent shared caching … available across builds")
Pull request overview
Switches GitHub Actions Docker builds from local Buildx/QEMU to Depot (OIDC-authenticated), aiming to build multi-arch images natively and simplify caching configuration.
Changes:
- Replace `docker/setup-buildx-action` + `docker/build-push-action` with `depot/setup-action` + `depot/build-push-action`.
- Add `id-token: write` job permissions for Depot OIDC auth and update `docker/login-action` to `v3`.
- Remove explicit GHA/registry cache configuration in favor of Depot’s per-project persistent cache.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/flyte-binary-v2.yml | Migrates multi-arch image export/push steps to Depot and adds OIDC permissions. |
| .github/workflows/build-ci-image.yml | Migrates CI image build/push to Depot, adds OIDC permissions, and removes Buildx caching plumbing. |
| - name: Export ARM64 Image | ||
| uses: docker/build-push-action@v6 | ||
| uses: depot/build-push-action@v1 | ||
| with: | ||
| project: ${{ vars.DEPOT_PROJECT_ID }} | ||
| context: . |
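Review bot: `project: ${{ vars.DEPOT_PROJECT_ID }}` expands to an empty string when the repository variable is missing, so this step would fail inside the Depot action with an opaque error instead of a clear one; add a fail-fast check before `Set up Depot` that exits with a message naming the variable and where to set it.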
| permissions: | ||
| contents: read | ||
| packages: write | ||
| pull-requests: write | ||
| id-token: write # required for Depot OIDC auth |
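Review bot: `id-token: write` lets every step in this job mint OIDC tokens for any audience, so make sure the Depot project's trust relationship is restricted to this repository (ideally this workflow) rather than the whole org; at the same time re-check whether `packages: write` and `pull-requests: write` are still needed by this job now that Depot performs the build, since each is a standing grant to all steps.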
| uses: docker/build-push-action@v6 | ||
| uses: depot/build-push-action@v1 | ||
| with: | ||
| project: ${{ vars.DEPOT_PROJECT_ID }} |
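Review bot: `depot/build-push-action@v1`, like the `docker/build-push-action@v6` it replaces, is a mutable major-version tag, and this action now runs with an OIDC token that can act as the Depot project; pin it and `depot/setup-action` to a full commit SHA with the version in a trailing comment so a moved or compromised tag cannot change what executes here.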
🐳 Docker CI Image Built
The CI Docker image has been built and pushed for this PR! Image: This image will be automatically used by CI workflows in this PR. To test locally: `make gen DOCKER_CI_IMAGE=ghcr.io/flyteorg/flyte/ci:pr-7306`
- Hoist DEPOT_PROJECT_ID to workflow-level env to deduplicate plumbing
- Add fail-fast validation when the repo variable is missing
- Fix broken digest reference (metadata-action doesn't expose digest; read it from the build step output instead)
- Drop unused packages: write from flyte-binary-v2 jobs (they auth to GHCR via FLYTE_BOT_PAT, not GITHUB_TOKEN)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates the repository’s CI image build pipelines to use Depot (depot.dev) for native multi-architecture Docker builds, and adds a README sponsor acknowledgment for Depot’s support.
Changes:
- Switch multi-arch Docker builds in GitHub Actions workflows from Buildx/QEMU to `depot/setup-action` + `depot/build-push-action`.
- Introduce `DEPOT_PROJECT_ID` workflow env wiring + a guard step to fail fast if the repo variable is missing.
- Add a “Sponsors” section to README acknowledging Depot.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| README.md | Adds sponsor acknowledgement and a “Built with Depot” badge. |
| .github/workflows/flyte-binary-v2.yml | Migrates Flyte v2 image builds to Depot; removes Buildx/QEMU setup and GHA cache plumbing; adds OIDC permission for Depot auth. |
| .github/workflows/build-ci-image.yml | Migrates CI image build workflow to Depot; wires DEPOT_PROJECT_ID; updates digest output source; adds OIDC permission for Depot auth. |
| permissions: | ||
| contents: read | ||
| id-token: write # required for Depot OIDC auth (GHCR auth uses FLYTE_BOT_PAT) | ||
| steps: |
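Review bot: the comment records that GHCR auth uses `FLYTE_BOT_PAT`, which is why `packages: write` is gone, but a PAT is a long-lived, user-bound credential; add a line explaining why the job's own short-lived `GITHUB_TOKEN` cannot be used here, and make sure the PAT is limited to `write:packages` so a leak from this job cannot do more than push images.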
| permissions: | ||
| contents: read | ||
| packages: write | ||
| pull-requests: write | ||
| id-token: write # required for Depot OIDC auth | ||
|
|
| - name: Validate Depot project id | ||
| run: | | ||
| if [ -z "${DEPOT_PROJECT_ID}" ]; then | ||
| echo "::error::DEPOT_PROJECT_ID repo variable is not set. Add it under Settings → Secrets and variables → Actions → Variables." >&2 | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Set up Depot | ||
| uses: depot/setup-action@v1 |
| permissions: | ||
| contents: read | ||
| id-token: write # required for Depot OIDC auth (GHCR auth uses FLYTE_BOT_PAT) | ||
| steps: |
Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com>
Pull request overview
This PR updates the repository’s CI Docker build pipelines to run on depot.dev (native multi-arch builds with persistent caching), and adjusts branch triggers accordingly. It also adds a README acknowledgment for the CI build sponsorship.
Changes:
- Switch Docker image build steps in GitHub Actions from Docker Buildx/QEMU to Depot (`depot/setup-action`, `depot/build-push-action`) and add OIDC permissions + `DEPOT_PROJECT_ID` plumbing.
- Change workflow branch triggers to `main` (removing `v2` from some workflows).
- Add a “Sponsors” section to the README crediting Depot.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| README.md | Adds a Sponsors section acknowledging Depot sponsorship for CI image builds. |
| .github/workflows/go-tests.yml | Updates Go tests workflow to run on main pushes (drops v2). |
| .github/workflows/flyte-binary-v2.yml | Migrates multi-arch image builds to Depot and changes workflow triggers to main. |
| .github/workflows/build-ci-image.yml | Migrates CI image build/push workflow to Depot and removes v2 from push trigger branches. |
| allow: "security.insecure" | ||
| platforms: linux/arm64, linux/amd64 | ||
| platforms: linux/arm64,linux/amd64 | ||
| tags: ${{ steps.image-names.outputs.tags }} | ||
| build-args: "FLYTE_DEVBOX_VERSION=${{ env.FLYTE_DEVBOX_VERSION }}" | ||
| push: true |
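Review bot: `push: true` is unconditional, so pull_request runs, not only `push` and `workflow_dispatch`, would publish to the tags listed above; gate it on the event or on a maintainer-applied label. Separately, `allow: "security.insecure"` lifts BuildKit's RUN sandbox for the whole build and Depot's hosted builders refuse that entitlement, so it should be dropped once the preload no longer needs privileged podman.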
| build-args: | | ||
| FLYTE_DEVBOX_VERSION=${{ env.FLYTE_DEVBOX_VERSION }} | ||
| BASE_IMAGE=base | ||
| push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} | ||
| cache-from: type=gha,scope=demo-gpu | ||
| cache-to: type=gha,mode=max,scope=demo-gpu | ||
| push: true |
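Review bot: replacing `push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}` with `push: true` removes the guard that kept pull_request builds from publishing the demo-gpu image; if this is only to exercise the Depot path, mark it as temporary and restore an event- or label-based gate before merge. Dropping `cache-from`/`cache-to` is fine given Depot's per-project cache, as noted in the thread.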
| on: | ||
| push: | ||
| branches: [v2, main] | ||
| branches: [main] |
| on: | ||
| push: | ||
| branches: | ||
| - v2 | ||
| - main | ||
| pull_request: | ||
| branches: | ||
| - v2 | ||
| - main |
| @@ -64,16 +76,17 @@ | |||
| tags: | | |||
| type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' && github.ref == 'refs/heads/master' }} | |||
| tags: | | ||
| type=raw,value=nightly,enable=${{ github.event_name == 'push' && github.ref == 'refs/heads/v2' }} | ||
| type=raw,value=latest,enable=${{ github.event_name == 'workflow_dispatch' }} | ||
| type=sha,format=long, |
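Review bot: the new `enable=${{ github.event_name == 'push' && github.ref == 'refs/heads/v2' }}` clause on the nightly tag conflicts with the trigger change in this same PR that drops `v2` and builds only `main` on push, so `nightly` would never be produced; the line it replaces was already a no-op, because on a `pull_request` event `github.ref` is the merge ref, never `refs/heads/master`. Point the condition at the branch the workflow actually builds.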
buildx refuses local OCI export for multi-node multi-arch builds (error: "oci for multi-node builds currently not supported"), and Depot intentionally uses one native node per platform. Switch the CPU build to Depot's ephemeral registry via `save: true` and a unique per-run tag, and have the GPU build resolve `FROM` directly from `registry.depot.dev/<project>:<tag>` — auth is implicit since both builds run in the same Depot project. Drops the OCI tarball extract step and the build-contexts indirection.
Refs: docker/buildx#2351
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Lets a maintainer push test images from a PR by applying the `test-push-image` label, and removes the temporary push: true hacks. The gate is hoisted to a single workflow-level PUSH_IMAGES env that all push/if checks read.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
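As an added example (not the PR's own workflow files), the gate described in that commit written out: one workflow-level `PUSH_IMAGES` env read by every `push:`/`if:` check, with the unconditional `push: true` it replaces shown in the leading comment. The label name `test-push-image`, the `DEPOT_PROJECT_ID` variable and `FLYTE_BOT_PAT` are taken from this thread; the workflow, job and image names are assumed.

```yaml
# Added example, not the PR's workflow. The setting it replaces:
#   push: true        # pushes on every event, including pull_request runs
name: build-image     # assumed workflow name
on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened, labeled]  # 'labeled' re-runs when a maintainer applies the label
  workflow_dispatch:

env:
  DEPOT_PROJECT_ID: ${{ vars.DEPOT_PROJECT_ID }}
  # One gate that every push:/if: check reads. A PR build only pushes
  # when the test-push-image label is present on the pull request.
  PUSH_IMAGES: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'test-push-image') }}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # Depot OIDC auth; GHCR auth uses the PAT, so no packages: write
    steps:
      - uses: actions/checkout@v4
      - name: Validate Depot project id
        run: |
          if [ -z "${DEPOT_PROJECT_ID}" ]; then
            echo "::error::DEPOT_PROJECT_ID repo variable is not set."
            exit 1
          fi
      - name: Log in to GHCR
        if: env.PUSH_IMAGES == 'true'   # a build that will not push needs no registry credentials
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.FLYTE_BOT_PAT }}
      - uses: depot/setup-action@v1
      - uses: depot/build-push-action@v1
        with:
          project: ${{ env.DEPOT_PROJECT_ID }}
          context: .
          platforms: linux/arm64,linux/amd64
          push: ${{ env.PUSH_IMAGES == 'true' }}
          tags: ghcr.io/${{ github.repository_owner }}/example-image:sha-${{ github.sha }}   # assumed image name
```

The same `env.PUSH_IMAGES` expression gates every job that pushes, so removing the label or changing the event list changes behaviour in exactly one place.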
Pull request overview
Updates GitHub Actions CI image build pipelines to use Depot for faster native multi-arch builds and adds a sponsor acknowledgement in the README.
Changes:
- Add a Sponsors section to the README recognizing Depot’s CI build sponsorship.
- Switch container image build workflows from Docker Buildx/QEMU to Depot (OIDC auth + Depot build action).
- Adjust workflow triggers/conditions to focus on `main` and add repo-variable validation for `DEPOT_PROJECT_ID`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| README.md | Adds Depot sponsorship acknowledgement and badge. |
| .github/workflows/go-tests.yml | Limits push-triggered Go tests to main. |
| .github/workflows/flyte-binary-v2.yml | Migrates multi-arch image build/export/push to Depot and adds gating/validation logic. |
| .github/workflows/build-ci-image.yml | Migrates CI Docker image build/push to Depot with OIDC and project-id validation. |
| @@ -64,16 +79,17 @@ jobs: | |||
| tags: | | |||
| type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' && github.ref == 'refs/heads/master' }} | |||
| type=raw,value=latest,enable=${{ github.event_name == 'workflow_dispatch' }} | ||
| type=sha,format=long, |
| type=raw,value=gpu-latest,enable=${{ github.event_name == 'workflow_dispatch' }} | ||
| type=sha,format=long,prefix=gpu- |
The preload step ran rootless podman inside a RUN to fetch and save image tarballs, which required `--security=insecure` and a daemon configured with `--allow-insecure-entitlement security.insecure`. Depot's hosted builders refuse that entitlement. Skopeo does the same job (pull + retag + save as docker-archive) as a privilege-free registry client, so the entitlement isn't needed anywhere now. Drop it from the workflow steps and the local Makefile builder config too.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The GPU build's `FROM registry.depot.dev/<project>:cpu-build-...` was 401-ing because cross-build auth in Depot's registry is not implicit — even within the same project. Generate a short-lived pull-token via the Depot CLI and `docker login` so the runner's docker config (forwarded to remote BuildKit by depot/build-push-action) can resolve the saved CPU base.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR migrates the repository’s CI container-image build pipeline to Depot (native multi-arch builds + persistent caching) and updates the devbox image preloading mechanism accordingly.
Changes:
- Switch devbox image preloading from `podman pull/tag/save` to `skopeo copy` and remove insecure BuildKit entitlements.
- Update GitHub Actions workflows to build with Depot (`depot/setup-action`, `depot/build-push-action`) and adjust branch triggers to `main`.
- Add a README Sponsors section acknowledging Depot’s CI build sponsorship.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| docker/devbox-bundled/images/preload | Replaces Podman-based image export with Skopeo archive export. |
| docker/devbox-bundled/Makefile | Removes security.insecure allowances from local buildx flows. |
| docker/devbox-bundled/Dockerfile | Uses quay.io/skopeo/stable for preloading and removes insecure RUN. |
| README.md | Adds Depot sponsorship note + badge. |
| .github/workflows/go-tests.yml | Limits push-triggered Go tests to main. |
| .github/workflows/flyte-binary-v2.yml | Migrates builds to Depot; adds Depot project validation and conditional push behavior. |
| .github/workflows/build-ci-image.yml | Migrates CI image build to Depot; adds Depot project validation and OIDC permissions. |
| ghcr.io/${{ github.repository_owner }}/flyte-sandbox-v2 | ||
| tags: | | ||
| type=raw,value=gpu-nightly,enable=${{ github.event_name == 'push' && github.ref == 'refs/heads/v2' }} | ||
| type=raw,value=gpu-latest,enable=${{ github.event_name == 'workflow_dispatch' }} | ||
| type=sha,format=long,prefix=gpu- |
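Review bot: the `gpu-nightly` tag's `enable=${{ github.event_name == 'push' && github.ref == 'refs/heads/v2' }}` clause can never be true once this PR restricts the push trigger to `main`, so only `gpu-latest` (manual dispatch) and the `gpu-` sha tags would ever be published; point it at the branch the workflow actually builds.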
| # ephemeral registry above. Auth is implicit because both builds | ||
| # run in the same Depot project. |
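Review bot: the comment `Auth is implicit because both builds run in the same Depot project` is contradicted by the 401 described in the follow-up commit, which has to generate a pull token via the Depot CLI and `docker login` before the GPU build can resolve the saved CPU base; update the comment to document that login step, otherwise the next reader will remove it as redundant.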
| @@ -64,16 +79,17 @@ | |||
| tags: | | |||
| type=raw,value=nightly,enable=${{ github.event_name == 'pull_request' && github.ref == 'refs/heads/master' }} | |||
| ghcr.io/${{ github.repository_owner }}/flyte-sandbox-v2 | ||
| tags: | | ||
| type=raw,value=nightly,enable=${{ github.event_name == 'push' && github.ref == 'refs/heads/v2' }} | ||
| type=raw,value=latest,enable=${{ github.event_name == 'workflow_dispatch' }} | ||
| type=sha,format=long, |
Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com>