Introduce remote caching and optimize docker

Signed-off-by: Dong Hyuk Chang <donghyukc@nvidia.com>

Author: thomasdhc

.github/actions/test-template/action.yml

@@ -53,6 +53,11 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        path: NeMo-Automodel
+
     - name: Install Azure CLI
       if: ${{ inputs.has-azure-credentials == 'true' }}
       shell: bash
@@ -69,78 +74,11 @@ runs:
         tenant-id: ${{ inputs.azure-tenant-id }}
         subscription-id: ${{ inputs.azure-subscription-id }}
 
-    - name: Azure Fileshare
-      if: ${{ inputs.has-azure-credentials == 'true' && inputs.is-unit-test == 'false' }}
-      shell: bash
-      id: azure-fileshare
-      run: |
-        echo "::group::Mount SMB drive"
-        sudo apt update
-        sudo apt install -y cifs-utils
-
-        RESOURCE_GROUP_NAME="azure-gpu-vm-runner_group"
-        STORAGE_ACCOUNT_NAME="nemocistorageaccount2"
-        FILE_SHARE_NAME="fileshare"
-
-        MNT_ROOT="/media"
-        MNT_PATH="$MNT_ROOT/$STORAGE_ACCOUNT_NAME/$FILE_SHARE_NAME"
-
-        echo "MNT_PATH=$MNT_PATH" | tee -a "$GITHUB_OUTPUT"
-
-        sudo mkdir -p $MNT_PATH
-
-        # Create a folder to store the credentials for this storage account and
-        # any other that you might set up.
-        CREDENTIAL_ROOT="/etc/smbcredentials"
-        sudo mkdir -p "/etc/smbcredentials"
-
-        # Get the storage account key for the indicated storage account.
-        # You must be logged in with az login and your user identity must have
-        # permissions to list the storage account keys for this command to work.
-        STORAGE_ACCOUNT_KEY=$(az storage account keys list \
-            --resource-group $RESOURCE_GROUP_NAME \
-            --account-name $STORAGE_ACCOUNT_NAME \
-            --query "[0].value" --output tsv | tr -d '"')
-
-        # Create the credential file for this individual storage account
-        SMB_CREDENTIAL_FILE="$CREDENTIAL_ROOT/$STORAGE_ACCOUNT_NAME.cred"
-        if [ ! -f $SMB_CREDENTIAL_FILE ]; then
-            echo "username=$STORAGE_ACCOUNT_NAME" | sudo tee $SMB_CREDENTIAL_FILE > /dev/null
-            echo "password=$STORAGE_ACCOUNT_KEY" | sudo tee -a $SMB_CREDENTIAL_FILE > /dev/null
-        else
-            echo "The credential file $SMB_CREDENTIAL_FILE already exists, and was not modified."
-        fi
-
-        # Change permissions on the credential file so only root can read or modify the password file.
-        sudo chmod 600 $SMB_CREDENTIAL_FILE
-
-        # This command assumes you have logged in with az login
-        HTTP_ENDPOINT=$(az storage account show --resource-group $RESOURCE_GROUP_NAME --name $STORAGE_ACCOUNT_NAME --query "primaryEndpoints.file" --output tsv | tr -d '"')
-        SMB_PATH=$(echo $HTTP_ENDPOINT | cut -c7-${#HTTP_ENDPOINT})$FILE_SHARE_NAME
-
-        STORAGE_ACCOUNT_KEY=$(az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query "[0].value" --output tsv | tr -d '"')
-
-        sudo mount -t cifs $SMB_PATH $MNT_PATH -o credentials=$SMB_CREDENTIAL_FILE,serverino,nosharesock,actimeo=30,mfsymlinks
-
-        ls -al $MNT_PATH/TestData
-        echo "::endgroup::"
-
-    - name: Checkout repository
-      uses: actions/checkout@v2
-      with:
-        path: NeMo-Automodel
-
-    - name: Build container
+    - name: Azure ACR Login
+      if: ${{ inputs.has-azure-credentials == 'true' }}
       shell: bash
-      env:
-        GH_TOKEN: ${{ inputs.PAT }}
       run: |
-        echo "::group::Build test container"
-        docker system prune -af
-        docker build -f docker/Dockerfile \
-          --build-arg BASE_IMAGE=pytorch \
-          --target automodel_final -t automodel .
-        echo "::endgroup::"
+        az acr login --name nemoci
 
     - name: Start container
       shell: bash

.github/workflows/_build_container.yml

@@ -0,0 +1,113 @@
+# Copyright (c) 2025, NVIDIA CORPORATION. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Build container
+on:
+  workflow_call:
+    inputs:
+      repo_name:
+      description: "The name of the repo to build container"
+      required: true
+      default: ""
+      type: string
+
+jobs:
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Setup python
+      uses: actions/setup-python@v5
+      with:
+        python-version: 3.12
+
+    - name: Get PR info
+      id: get-pr-info
+      if: startsWith(github.ref, 'refs/heads/pull-request/')
+      uses: nv-gha-runners/get-pr-info@main
+
+    - name: Install Azure CLI
+      shell: bash
+      run: |
+        echo "::group::Install Azure CLI"
+        # Create systemd override for proper dependencies
+        curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+        echo "::endgroup::"
+
+    - name: Azure Login
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Azure ACR Login
+      shell: bash
+      run: |
+        az acr login --name nemoci
+
+    - name: Install GH CLI
+      shell: bash
+      run: |
+        apt-get update
+        apt-get install -y gh
+
+    - name: Get last merged PR
+      id: cache_from
+      env:
+        GH_TOKEN: ${{ github.token }}
+        REPO_NAME: ${{ inputs.repo_name }}
+      run: |
+        LAST_PRS=$(gh api graphql -f query='
+          query {
+            repository(owner: "NVIDIA-NeMo", name: "$REPO_NAME") {
+              pullRequests(states: MERGED, first: 100, orderBy: {field: UPDATED_AT, direction: DESC}) {
+                nodes {
+                  number
+                }
+              }
+            }
+          }' | jq -r '.data.repository.pullRequests.nodes[].number' | while read -r number; do
+            echo "type=registry,ref=${{ env.container-registry }}/$REPO_NAME:$number-buildcache,mode=max"
+          done)
+
+        echo "LAST_PRS<<EOF" | tee -a $GITHUB_OUTPUT
+        echo "$LAST_PRS" | tee -a $GITHUB_OUTPUT
+        echo "EOF" | tee -a $GITHUB_OUTPUT
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Build and push
+      uses: docker/build-push-action@v5
+      env:
+        REPO_NAME: ${{ inputs.repo_name }}
+      with:
+        file: ./docker/Dockerfile.ci
+        push: true
+        context: .
+        build-args: |
+          BASE_IMAGE=pytorch
+        cache-from: |
+          type=registry,ref=${{ env.container-registry }}/$REPO_NAME:${{ fromJSON(steps.get-pr-info.outputs.pr-info || '{}').number || 0 }}-buildcache,mode=max
+          type=registry,ref=${{ env.container-registry }}/$REPO_NAME:main-buildcache,mode=max
+          ${{ steps.cache_from.outputs.LAST_PRS }}
+        cache-to: |
+          type=registry,ref=${{ env.container-registry }}/$REPO_NAME:${{ fromJSON(steps.get-pr-info.outputs.pr-info || '{}').number || 0 }}-buildcache,mode=max
+        no-cache: false
+        tags: |
+          ${{ env.container-registry }}/$REPO_NAME:${{ fromJSON(steps.get-pr-info.outputs.pr-info || '{}').number || 0 }}
+          ${{ env.container-registry }}/$REPO_NAME:${{ github.sha }}
+        secrets: |
+          GH_TOKEN=${{ secrets.PAT }}

.github/workflows/cicd-main.yml

@@ -129,6 +129,21 @@ jobs:
         run: |
           echo "Running CI tests"
 
+  cicd-container-build:
+    needs: [pre-flight, cicd-wait-in-queue]
+    runs-on: ${{ needs.pre-flight.outputs.runner_prefix }}-gpu-x2
+    environment: nemo-ci
+    if: |
+      (
+        success()
+        || needs.pre-flight.outputs.is_ci_workload == 'true'
+        || needs.pre-flight.outputs.force_run_all == 'true'
+      )
+      && !cancelled()
+    uses: ./.github/workflows/_build_container.yml
+    with:
+      repo_name: "Automodel"
+
   cicd-unit-tests:
     strategy:
       fail-fast: false

docker/Dockerfile

@@ -123,16 +123,25 @@ RUN if [ "$INSTALL_DEEPEP" = "True" ]; then \
 
 FROM automodel_dep as automodel_final
 
+WORKDIR /opt/Automodel
+
+COPY pyproject.toml uv.lock /opt/Automodel/
+COPY nemo_automodel/__init__.py nemo_automodel/package_info.py /opt/Automodel/nemo_automodel
+
 # Install Automodel
 ARG BASE_IMAGE=cuda
 ARG AUTOMODEL_INSTALL=all
-COPY . /opt/Automodel
-RUN cd /opt/Automodel && \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    --mount=type=cache,target=/root/.cache/uv \
     if [ "$BASE_IMAGE" = "pytorch" ]; then \
         sed -i '/\[tool\.uv\]/r /opt/Automodel/docker/common/uv-pytorch.toml' pyproject.toml && \
         mv /opt/Automodel/docker/common/uv-pytorch.lock /opt/Automodel/uv.lock; \
     fi && \
     uv sync --locked --extra $AUTOMODEL_INSTALL --all-groups
+    uv cache prune
+
+COPY . /opt/Automodel
 
 COPY <<EOF /opt/venv/env.sh
 export UV_PROJECT_ENVIRONMENT=/opt/venv