Skip to content

Make GHCR cache exports and consumer pushes conditional for external PRs #3423

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
joshlf merged 1 commit into from
May 31, 2026
+20 −4
Merged

Make GHCR cache exports and consumer pushes conditional for external PRs #3423

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 17 additions & 3 deletions .github/workflows/anneal.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,9 @@ jobs:
cache-from: |
type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:${{ steps.docker_tag.outputs.tag }}
type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:main
cache-to: type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:${{ steps.docker_tag.outputs.tag }},mode=max
# External pull requests have read-only package permissions, so they
# can consume GHCR caches but cannot export updated cache layers.
cache-to: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && format('type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:{0},mode=max', steps.docker_tag.outputs.tag) || '' }}

- name: Record build time
env:
Expand Down Expand Up @@ -137,7 +139,9 @@ jobs:
# The build portion of this step will always be cached thanks to the
# dry-run build above.
- name: Build and push Docker image
if: steps.check_remote.outputs.match != 'true'
# External pull requests cannot write the PR-specific image tag to GHCR;
# trusted runs still push, so unexpected GHCR write failures stay loud.
if: steps.check_remote.outputs.match != 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
# NOTE: All arguments here must match the dry-run step above exactly
# in order to ensure we hit the cache for the local build!
Expand All @@ -154,7 +158,9 @@ jobs:
cache-from: |
type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:${{ steps.docker_tag.outputs.tag }}
type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:main
cache-to: type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:${{ steps.docker_tag.outputs.tag }},mode=max
# External pull requests have read-only package permissions, so they
# can consume GHCR caches but cannot export updated cache layers.
cache-to: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && format('type=registry,ref=ghcr.io/google/zerocopy/anneal-cache:{0},mode=max', steps.docker_tag.outputs.tag) || '' }}

measure_image_size:
# This job measures the size of the Docker image built in the previous step
Expand Down Expand Up @@ -230,6 +236,10 @@ jobs:
name: Anneal Tests
runs-on: ubuntu-latest
needs: build_docker_env
# External pull requests cannot push the Docker image these jobs pull from
# GHCR. Skip the consumer jobs in that case rather than failing on an
# expected permission denial.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
permissions:
contents: write # Required to push benchmark data to the storage branch
packages: read # required to pull docker caches from ghcr.io
Expand Down Expand Up @@ -355,6 +365,10 @@ jobs:
name: Verify example (${{ matrix.example }})
runs-on: ubuntu-latest
needs: build_docker_env
# External pull requests cannot push the Docker image these jobs pull from
# GHCR. Skip the consumer jobs in that case rather than failing on an
# expected permission denial.
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
permissions:
contents: read
packages: read # required to pull docker caches from ghcr.io
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1040,7 +1040,9 @@ jobs:
cache-from: |
type=registry,ref=ghcr.io/google/zerocopy/zerocopy-ci-cache:${{ steps.docker_tag.outputs.tag }}
type=registry,ref=ghcr.io/google/zerocopy/zerocopy-ci-cache:main
cache-to: type=registry,ref=ghcr.io/google/zerocopy/zerocopy-ci-cache:${{ steps.docker_tag.outputs.tag }},mode=max
# External pull requests have read-only package permissions, so they
# can consume GHCR caches but cannot export updated cache layers.
cache-to: ${{ (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && format('type=registry,ref=ghcr.io/google/zerocopy/zerocopy-ci-cache:{0},mode=max', steps.docker_tag.outputs.tag) || '' }}

# Used to signal to branch protections that all other jobs have succeeded.
all-jobs-succeed:
Expand Down
Loading