build a reproducible environment from a lockfile

[itcarroll]

Description:

Goal of this PR, in conjuction with #169, is to implement building the hub-image without new environment solves while using a stable registry cache for the docker container, and protecting deployment with the "container" environment. Some fixes that could have gone in #169 are implemented here.

• The build, test, and push workflows define and handle secrets and the deploy environment.
• Configuration files recognized by repo2docker are moved to ".binder" folder, and repo2docker uses these first. We have ".binder/environment.yml" that exists only to set the buildpack. Mostly these will use the docker registry cache.
• The root level "environment.yml" is only used to produce "conda-lock.yml". It is not used during the image build.
• The "appendix" has mamba replace ther notebook environment with "conda-lock.yml"
  • mamba does not need a platform-specific and explicit lockfile, so this is removed
  • using the "appendix" rather than "postBuild" allows separate layers in the registry cache

[github-actions]

👈 Test this PR on Binder

[itcarroll]

/condalock

[itcarroll]

/condalock

EDIT: cancelled

[itcarroll]

Trouble is that conda-lock is requesting absurd amounts of memory to perform the lock.

[weiji14]

Trouble is that conda-lock is requesting absurd amounts of memory to perform the lock.

That you can ignore for now since it is orthogonal to what you're doing here. I hit into it ocassionally (e.g. #166 (comment)) and usually need to manually debug on the side (will try to fix it in a separate PR).

[itcarroll]

From failing test logs ...

Booting builder
  /usr/bin/docker buildx inspect --bootstrap --builder builder-01af7d35-5485-4a33-b021-0192727222ae
  #1 [internal] booting buildkit
  #1 pulling image moby/buildkit:buildx-stable-1
  #1 pulling image moby/buildkit:buildx-stable-1 0.3s done
  #1 ERROR: Error response from daemon: Head "https://registry-1.docker.io/v2/moby/buildkit/manifests/buildx-stable-1": unauthorized: incorrect username or password

Dunno, that's never occurred before. Hopefully a transient issue with docker registry.