Switch to manual docker #79

samansmink · 2024-09-19T09:45:16Z

This PR removes the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION flag from the Linux CI.

It achieves this by refactoring the linux jobs to manually invoke docker for the build and test steps effectively pulling out the github actions from the docker image. This has the following benefits:

The jobs will not fail when GH stops supporting the ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION flag
easier to reproduce the environment locally
more robust linux builds because we are not mixing github actions with a horribly old linux version anymore

Also during development I integrated #63 because I needed it, that saved me some CI cycles so I can just merge this PR and close the otherone.

There is quite some duplication between the dockerfiles, but I did not find a clean way to solve this yet, but any suggestions (or follow up PRs) are welcome ofc.

After this PR it makes sense to upstream this into duckdb/duckdb somehow because there we can reuse these images in CI as well to make things more robust and get rid of ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION

Another follow up is to finally enable the vcpkg build cache, because that seems to be able to make quite a difference as well judging from how long vcpkg runs in the delta extension build

carlopi · 2024-09-19T09:54:31Z

Thanks a lot from bringing this in.

At a first look, this looks very solid.

I will later do a proper review, then we can discuss what's the strategy for bringing this in.
I guess we likely can bring this in main, run tests in the various existing extensions (core or community ones) in preparation of the upcoming v1.1.1, then take it from there.

carlopi

Thanks a lot!

This looks great, there are some improvements we can consider moving forward, but this does look solid, and I think it's worth having this merged in.

Question, should we do first this into a next branch, then testing, then into main branch, or directly into main and then testing?

FIxes after duckdb/extension-ci-tools#79 & co

@samansmink

Idea is instead of executing whole workflow job containerized, that means that actions will be run within the container, that in turn means it's hard to use older images since they will not have the required dependecies versions for the actions (in particular node 20). Solution is to containerize explicitly the relevant tests in the workflow, invoking actions outside of the container in the regular image that powers the workflow. Heavy lifting has been done by @samansmink in duckdb/extension-ci-tools#79 and connected PRs. This PR allows to avoid the need for ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION in Python CI.

…RE_NODE_VERSION only on main/feature (#14998) Idea for this PR is avoiding some noise in CI and the potential confusion to DuckDB contributors. For additional context: * Using `container:` implies all actions are run within a given containerized image * for security & maintenance reasons, actions are required to use recent tooling * eventually those tools (like node 20) will not be supported on images such as manylinux_2014 Solution is running the dockerized parts piece-by-piece, while interacting with actions at the `native` layer. This has been worked on in the duckdb/extension-ci-tools repository, via duckdb/extension-ci-tools#79 and subsequent PRs, now we need to port this to duckdb/duckdb. This PR only avoid the noise in CI, given those workflow will fail without fix, I don't see much value in running them at all. Proper fix to be rolled piece-by-piece, Python for example will be eventually solved via: #14987, where this part has then to be reverted.

@samansmink

Idea is instead of executing whole workflow job containerized, that means that actions will be run within the container, that in turn means it's hard to use older images since they will not have the required dependecies versions for the actions (in particular node 20). Solution is to containerize explicitly the relevant tests in the workflow, invoking actions outside of the container in the regular image that powers the workflow. Heavy lifting has been done by @samansmink in duckdb/extension-ci-tools#79 and connected PRs. This PR allows to avoid the need for ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION in Python CI.

@samansmink

Idea is instead of executing whole workflow job containerized, that means that actions will be run within the container, that in turn means it's hard to use older images since they will not have the required dependecies versions for the actions (in particular node 20). Solution is to containerize explicitly the relevant tests in the workflow, invoking actions outside of the container in the regular image that powers the workflow. Heavy lifting has been done by @samansmink in duckdb/extension-ci-tools#79 and connected PRs. This PR allows to avoid the need for ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION in Python CI.

@samansmink

Idea is instead of executing whole workflow job containerized, that means that actions will be run within the container, that in turn means it's hard to use older images since they will not have the required dependecies versions for the actions (in particular node 20). Solution is to containerize explicitly the relevant tests in the workflow, invoking actions outside of the container in the regular image that powers the workflow. Heavy lifting has been done by @samansmink in duckdb/extension-ci-tools#79 and connected PRs. This PR allows to avoid the need for ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION in Python CI.

@samansmink

Idea is instead of executing whole workflow job containerized, that means that actions will be run within the container, that in turn means it's hard to use older images since they will not have the required dependecies versions for the actions (in particular node 20). Solution is to containerize explicitly the relevant tests in the workflow, invoking actions outside of the container in the regular image that powers the workflow. Heavy lifting has been done by @samansmink in duckdb/extension-ci-tools#79 and connected PRs. This PR allows to avoid the need for ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION in Python CI.

@samansmink

…ons (#14987) Idea is instead of executing whole workflow job containerized, that means that actions will be run within the container, that in turn means it's hard to use older images since they will not have the required dependecies versions for the actions (in particular node 20). Solution is to containerize explicitly the relevant tests in the workflow, invoking actions outside of the container in the regular image that powers the workflow. Heavy lifting has been done by @samansmink in duckdb/extension-ci-tools#79 and connected PRs. This PR allows to avoid the need for ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION in Python CI.

samansmink added 30 commits September 4, 2024 14:38

add rust logging, fix rust ci

951548e

switch to duckdb main for ci building delta

3cdb9cd

switch to bash, update delta

36b5159

first attempt at manual dockerings

3cd8911

disable osx, dont containerize through gha

e8b0720

no -it

b366fc6

incorrect volumne

bdf644a

add more dockerfiles

41dcbf0

fix typo

e186fd6

add git

c8279db

fix typo

96e7185

rustup target add

2bb5c18

quoting problem

7f5993b

install missing cross compiler

335fc22

enable rust build too

caa9418

added the aarch toolchain to the wrong dockerfile

543ba5a

bump checkout action version to v4

9a531a3

Merge branch 'add-rust-logging' into switch-to-manual-docker

e1be3e1

use bash on windows

526767f

ensure openssl from vcpkg is used by rust

c3b69f5

fix path

0272d6b

make path absolute

16edb4f

add missing env variables, merge build and test step

a35535f

split build/test steps again

af75cf8

revert changes to ci test job

119def9

Merge branch 'main' into switch-to-manual-docker

06c1d9c

add conditional toolchains to docker files

43ded74

fix syntax error

8ee5d7e

pass through vcpkg, fix extra toolchains input

7f4556b

refactor to deduplicate env variables

faf244b

samansmink added 13 commits September 18, 2024 11:16

try these weird case statements

6843ed2

typo

0d9acb5

add rust target

9868161

set path before

d89d0a6

remove usage guide, instead refer to the workflow

56b1801

log ccache size

f33e623

twas a typo

3d19e28

is a permissions thing?

e5dacbb

try setting ccache base dir

53840aa

touch doesn't make directories

8e47ac9

cleanup

500051f

remove ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION flag

5293055

perhaps not set base dir?

f916665

samansmink requested a review from carlopi September 19, 2024 09:45

carlopi approved these changes Sep 20, 2024

View reviewed changes

samansmink merged commit c5446f7 into duckdb:main Sep 20, 2024
19 checks passed

samansmink deleted the switch-to-manual-docker branch September 20, 2024 10:38

samansmink mentioned this pull request Sep 20, 2024

force passing ci tools version #80

Merged

carlopi added a commit to duckdb/community-extensions that referenced this pull request Sep 21, 2024

Merge pull request #116 from carlopi/main

9ca3d4b

FIxes after duckdb/extension-ci-tools#79 & co

carlopi mentioned this pull request Sep 27, 2024

Update DuckPGQ for v1.1.1 duckdb/community-extensions#126

Closed

This was referenced Nov 26, 2024

Rely on extension-ci-tools workflow to build linux_amd64_gcc4 extensions duckdb/duckdb#14987

Merged

Run containerized builds requiring deprecatd ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION only on main/feature duckdb/duckdb#14998

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Switch to manual docker #79

Switch to manual docker #79

samansmink commented Sep 19, 2024

carlopi commented Sep 19, 2024

carlopi left a comment

Switch to manual docker #79

Switch to manual docker #79

Conversation

samansmink commented Sep 19, 2024

carlopi commented Sep 19, 2024

carlopi left a comment

Choose a reason for hiding this comment