test new path for cache and build-jax

Steboss · Steboss · commit fcd3d050258a · 2026-03-16T12:03:36.000Z
diff --git a/.github/actions/build-container/action.yml b/.github/actions/build-container/action.yml
@@ -51,9 +51,17 @@ inputs:
     required: true
     default: ""
   bazel-remote-cache-url:
-    description: "URL of the Bazel remote cache to use for building the image"
-    required: true
+    description: "URL of the Bazel remote cache to use for building the image (http/grpc). Leave empty to use Dockerfile-default cache mount paths."
+    required: false
     default: ""
+  CACHE_REGISTRY:
+    description: "OCI registry used for BuildKit layer cache (cache-to/cache-from). Must be writable by the GITHUB_TOKEN."
+    required: false
+    default: "ghcr.io/nvidia/jax-toolbox-buildcache"
+  ENABLE_BAZEL_REPO_CACHE:
+    description: "Enable Bazel repository-cache save/restore via actions/cache and build-context injection. Set to 'true' only for containers that run Bazel (i.e. build-jax)."
+    required: false
+    default: "false"
 
 outputs:
   DOCKER_TAG_MEALKIT:
@@ -73,6 +81,60 @@ runs:
         echo 'UPLD_IMAGE=ghcr.io/nvidia/jax-toolbox-internal' >> $GITHUB_ENV
         echo "BADGE_FILENAME_FULL=${{ inputs.BADGE_FILENAME }}-${{ inputs.ARCHITECTURE }}.json" >> $GITHUB_ENV
 
+    - name: Set up build cache environment
+      id: cache-env
+      shell: bash
+      run: |
+        # Sanitize branch name: replace / and non-tag chars, cap at 100 chars
+        BRANCH=$(echo "${{ github.ref_name }}" \
+          | sed 's|/|-|g' \
+          | tr -cs 'a-zA-Z0-9._-' '-' \
+          | sed 's/^-//;s/-$//' \
+          | cut -c1-100)
+
+        CONTAINER="${{ inputs.CONTAINER_NAME }}"
+        ARCH="${{ inputs.ARCHITECTURE }}"
+        REGISTRY="${{ inputs.CACHE_REGISTRY }}"
+
+        echo "CACHE_REF_MEALKIT_BRANCH=${REGISTRY}:${CONTAINER}-${ARCH}-${BRANCH}-mealkit" >> $GITHUB_ENV
+        echo "CACHE_REF_MEALKIT_MAIN=${REGISTRY}:${CONTAINER}-${ARCH}-main-mealkit"         >> $GITHUB_ENV
+        echo "CACHE_REF_FINAL_BRANCH=${REGISTRY}:${CONTAINER}-${ARCH}-${BRANCH}-final"     >> $GITHUB_ENV
+        echo "CACHE_REF_FINAL_MAIN=${REGISTRY}:${CONTAINER}-${ARCH}-main-final"             >> $GITHUB_ENV
+
+        # Bazel repo-cache key: keyed on arch only so that restore-keys
+        # always finds the most recent cache for this architecture, regardless of
+        # which JAX/XLA commit is being built. EXTRA_BUILD_ARGS contains
+        # URLREF_JAX=...#<commit> which changes every upstream push; including
+        # it would cause a primary-key miss on every single run.
+        echo "BAZEL_REPO_CACHE_KEY=bazel-repo-${ARCH}" >> $GITHUB_ENV
+
+        # Pass BAZEL_CACHE build-arg only when a remote URL is explicitly given;
+        # otherwise the Dockerfile default (/cache/bazel-disk) applies.
+        if [[ -n "${{ inputs.bazel-remote-cache-url }}" ]]; then
+          echo "BAZEL_CACHE_BUILD_ARG=BAZEL_CACHE=${{ inputs.bazel-remote-cache-url }}" >> $GITHUB_ENV
+        else
+          echo "BAZEL_CACHE_BUILD_ARG=" >> $GITHUB_ENV
+        fi
+
+    # Ensure the directory exists regardless of whether we restore a cache.
+    # An empty directory fed via --build-context is equivalent to FROM scratch.
+    - name: Prepare Bazel repo cache directory
+      shell: bash
+      run: mkdir -p /tmp/bazel-repo-cache
+
+    - name: Restore Bazel repo cache
+      id: restore-bazel-repo-cache
+      if: inputs.ENABLE_BAZEL_REPO_CACHE == 'true'
+      uses: actions/cache/restore@v4
+      with:
+        path: /tmp/bazel-repo-cache
+        # Key: arch-scoped + run_id so each successful run saves a fresh entry.
+        # restore-keys falls back to the most recent cache for this arch,
+        # giving a warm repo cache even when the exact SHA differs.
+        key: ${{ env.BAZEL_REPO_CACHE_KEY }}-${{ github.run_id }}
+        restore-keys: |
+          ${{ env.BAZEL_REPO_CACHE_KEY }}-
+
     - name: Setup SSH
       id: setup-ssh
       uses: ./.github/actions/setup-ssh
@@ -136,9 +198,23 @@ runs:
           "SSH_KNOWN_HOSTS=${{ steps.setup-ssh.outputs.known-hosts-file }}"
         build-args: |
           BASE_IMAGE=${{ inputs.BASE_IMAGE }}
-          BAZEL_CACHE=${{ inputs.bazel-remote-cache-url }}
           BUILD_DATE=${{ inputs.BUILD_DATE }}
+          ${{ env.BAZEL_CACHE_BUILD_ARG }}
           ${{ inputs.EXTRA_BUILD_ARGS }}
+        # Inject pre-restored Bazel repo cache as a named build context.
+        # The Dockerfile declares `FROM scratch AS bazel-repo-seed`; passing this
+        # context overrides that stage with the contents of the local directory.
+        # When the directory is empty (cold start) the bind-mount is a no-op.
+        build-contexts: |
+          bazel-repo-seed=/tmp/bazel-repo-cache
+        cache-from: |
+          type=registry,ref=${{ env.CACHE_REF_MEALKIT_BRANCH }}
+          type=registry,ref=${{ env.CACHE_REF_MEALKIT_MAIN }}
+        # mode=max: cache ALL intermediate stages (builder, mealkit) so
+        # full Bazel layer is reusable on the next run.
+        # ignore-error=true: cache push failure must never kill the build.
+        cache-to: type=registry,ref=${{ env.CACHE_REF_MEALKIT_BRANCH }},mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd,ignore-error=true
+
     # FINAL IMAGE BUILD
     - name: Set docker metadata - final
       id: final-metadata
@@ -169,9 +245,76 @@ runs:
           "SSH_KNOWN_HOSTS=${{ steps.setup-ssh.outputs.known-hosts-file }}"
         build-args: |
           BASE_IMAGE=${{ inputs.BASE_IMAGE }}
-          BAZEL_CACHE=${{ inputs.bazel-remote-cache-url }}
           BUILD_DATE=${{ inputs.BUILD_DATE }}
+          ${{ env.BAZEL_CACHE_BUILD_ARG }}
           ${{ inputs.EXTRA_BUILD_ARGS }}
+        build-contexts: |
+          bazel-repo-seed=/tmp/bazel-repo-cache
+        cache-from: |
+          type=registry,ref=${{ env.CACHE_REF_FINAL_BRANCH }}
+          type=registry,ref=${{ env.CACHE_REF_FINAL_MAIN }}
+          type=registry,ref=${{ env.CACHE_REF_MEALKIT_BRANCH }}
+          type=registry,ref=${{ env.CACHE_REF_MEALKIT_MAIN }}
+        # mode=min: builder+mealkit layers are already cached under CACHE_REF_MEALKIT_BRANCH
+        # (mode=max above).  Only cache the final stage's unique layers here.
+        cache-to: type=registry,ref=${{ env.CACHE_REF_FINAL_BRANCH }},mode=min,oci-mediatypes=true,image-manifest=true,compression=zstd,ignore-error=true
+
+    # BAZEL REPO CACHE EXPORT
+    # This step extracts /cache/bazel-repo from the builder stage back to the
+    # runner so it can be saved via actions/cache.
+    #
+    # It builds only the lightweight `bazel-repo-export` stage (FROM scratch +
+    # COPY --from=builder), pulling the already-cached builder layer from the
+    # registry.  No Bazel re-invocation occurs.
+    #
+    # Cost: one registry pull of the builder layer + a local copy.
+    # This is bounded (repo cache only, NOT disk cache) and will NOT trigger
+    # the multi-hour `[cache-export] exporting to client directory` stall that
+    # afflicted the old type=local full-cache-export path.
+    - name: Export Bazel repo cache
+      id: export-bazel-repo-cache
+      if: inputs.ENABLE_BAZEL_REPO_CACHE == 'true' && steps.mealkit-build.outcome == 'success'
+      shell: bash
+      env:
+        EXTRA_BUILD_ARGS: ${{ inputs.EXTRA_BUILD_ARGS }}
+      run: |
+        # Convert newline-separated build args into individual --build-arg flags
+        BUILD_ARG_FLAGS=()
+        while IFS= read -r line; do
+          [[ -z "$line" ]] && continue
+          BUILD_ARG_FLAGS+=(--build-arg "$line")
+        done <<< "$EXTRA_BUILD_ARGS"
+
+        # Export to a staging dir to avoid a read/write collision:
+        # the build reads /tmp/bazel-repo-cache via --build-context and
+        # would corrupt the seed if we wrote to the same path concurrently.
+        rm -rf /tmp/bazel-repo-cache-new
+
+        docker buildx build \
+          --platform "linux/${{ inputs.ARCHITECTURE }}" \
+          --file "${{ inputs.DOCKERFILE }}" \
+          --target bazel-repo-export \
+          --output "type=local,dest=/tmp/bazel-repo-cache-new" \
+          --cache-from "type=registry,ref=${{ env.CACHE_REF_MEALKIT_BRANCH }}" \
+          --cache-from "type=registry,ref=${{ env.CACHE_REF_MEALKIT_MAIN }}" \
+          --build-arg "BASE_IMAGE=${{ inputs.BASE_IMAGE }}" \
+          --build-arg "BUILD_DATE=${{ inputs.BUILD_DATE }}" \
+          --build-context "bazel-repo-seed=/tmp/bazel-repo-cache" \
+          "${BUILD_ARG_FLAGS[@]}" \
+          "${{ inputs.DOCKER_CONTEXT }}"
+
+        # Swap staging into the canonical location for actions/cache/save
+        rm -rf /tmp/bazel-repo-cache
+        mv /tmp/bazel-repo-cache-new /tmp/bazel-repo-cache
+
+    - name: Save Bazel repo cache
+      if: inputs.ENABLE_BAZEL_REPO_CACHE == 'true' && steps.export-bazel-repo-cache.outcome == 'success'
+      uses: actions/cache/save@v4
+      with:
+        path: /tmp/bazel-repo-cache
+        # Same key as restore: arch + run_id.  Each successful run overwrites
+        # the previous entry, keeping the cache fresh without unbounded growth.
+        key: ${{ env.BAZEL_REPO_CACHE_KEY }}-${{ github.run_id }}
 
     # SITREP GENERATION
     - name: Generate sitrep
diff --git a/.github/container/Dockerfile.jax b/.github/container/Dockerfile.jax
@@ -19,21 +19,34 @@ ARG SRC_PATH_TRANSFORMER_ENGINE=/opt/transformer-engine
 ARG GIT_USER_NAME="JAX Toolbox"
 ARG GIT_USER_EMAIL=jax@nvidia.com
 
-ARG BAZEL_CACHE=/tmp
+ARG BAZEL_CACHE=/cache/bazel-disk
+ARG BAZEL_REPO_CACHE=/cache/bazel-repo
 ARG BUILD_DATE
 
+###############################################################################
+## Bazel repo-cache seed stage
+## Overridden at build time via:
+##   --build-context bazel-repo-seed=<dir>
+## When not overridden (FROM scratch), the bind-mount below is a no-op and
+## Bazel starts with an empty repository cache.
+###############################################################################
+
+FROM scratch AS bazel-repo-seed
+
 ###############################################################################
 ## Build JAX
 ###############################################################################
 
 FROM ${BASE_IMAGE} AS builder
+ARG TARGETARCH
 ARG URLREF_JAX
 ARG URLREF_TRANSFORMER_ENGINE
 ARG URLREF_XLA
 ARG SRC_PATH_JAX
 ARG SRC_PATH_TRANSFORMER_ENGINE
 ARG SRC_PATH_XLA
 ARG BAZEL_CACHE
+ARG BAZEL_REPO_CACHE
 ARG BUILD_PATH_JAXLIB
 ARG EXTRA_BAZEL_TARGETS
 ARG EXTRA_BUILD_JAX_ARGS
@@ -54,9 +67,21 @@ RUN ARCH="$(dpkg --print-architecture)" && \
     chmod +x /usr/local/bin/bazel
 # Populate ${BUILD_PATH_JAXLIB} with editable wheels; --no-install because
 # (a) this is the builder stage, and (b) pip-finalize.sh does the install
-RUN mkdir -p /builder/extra-targets/{bin,python} && \
+#
+# Cache mounts:
+#   bazel-disk  – arch-scoped BuildKit cache for Bazel --disk_cache; ephemeral
+#                 (not exported), avoids the multi-hour cache-export stall.
+#   bazel-repo-seed bind-mount – read-only snapshot restored from actions/cache
+#                 via --build-context bazel-repo-seed=<dir> on the runner.
+#                 Falls back to empty scratch stage when no context is provided.
+RUN --mount=type=cache,id=bazel-disk-${TARGETARCH},target=/cache/bazel-disk,sharing=locked \
+    --mount=type=bind,from=bazel-repo-seed,source=.,target=/cache/bazel-repo-seed,readonly \
+    mkdir -p /cache/bazel-repo /builder/extra-targets/{bin,python} && \
+    (cp -a /cache/bazel-repo-seed/. /cache/bazel-repo/ \
+      || echo "WARNING: bazel-repo-seed copy failed; proceeding with empty repo cache" >&2) && \
     build-jax.sh \
     --bazel-cache ${BAZEL_CACHE} \
+    --bazel-repo-cache ${BAZEL_REPO_CACHE} \
     --build-path-jaxlib ${BUILD_PATH_JAXLIB} \
     --extra-targets "${EXTRA_BAZEL_TARGETS}" \
     --extra-target-dest /builder/extra-targets \
@@ -148,3 +173,17 @@ RUN install-nsys-jax.sh ${SRC_PATH_NSYS_JAX}
 
 FROM mealkit AS final
 RUN pip-finalize.sh
+
+###############################################################################
+## Bazel repo-cache export stage
+## Used exclusively by the CI action to extract /cache/bazel-repo from the
+## builder layer back to the runner filesystem, without a full image rebuild.
+##
+## Usage in action:
+##   docker buildx build --target bazel-repo-export \
+##     --output type=local,dest=/tmp/bazel-repo-cache \
+##     --cache-from type=registry,ref=<mealkit-cache-ref> ...
+###############################################################################
+
+FROM scratch AS bazel-repo-export
+COPY --from=builder /cache/bazel-repo /
diff --git a/.github/container/build-jax.sh b/.github/container/build-jax.sh
@@ -37,8 +37,9 @@ usage() {
     echo "  Usage: $0 [OPTIONS]"
     echo ""
     echo "    OPTIONS                        DESCRIPTION"
-    echo "    --bazel-cache URI              Path for local bazel cache or URL of remote bazel cache"
+    echo "    --bazel-cache URI              Path for local bazel disk cache or URL of remote bazel cache"
     echo "    --bazel-cache-namespace NAME   Namespace for bazel cache content"
+    echo "    --bazel-repo-cache PATH        Path for local bazel repository cache (--repository_cache)"
     echo "    --build-param PARAM            Param passed to the jaxlib build command. Can be passed many times."
     echo "    --build-path-jaxlib PATH       Editable install prefix for jaxlib and plugins"
     echo "    --clean                        Delete local configuration and bazel cache"
@@ -63,6 +64,7 @@ usage() {
 # Set defaults
 BAZEL_CACHE=""
 BAZEL_CACHE_NAMESPACE="jax${CUDA_BASE_IMAGE:+:}${CUDA_BASE_IMAGE}"
+BAZEL_REPO_CACHE=""
 BUILD_PATH_JAXLIB="/opt/jaxlibs"
 BUILD_PARAM=""
 CLEAN=0
@@ -76,7 +78,7 @@ IS_RELEASE=0
 SRC_PATH_JAX="/opt/jax"
 SRC_PATH_XLA="/opt/xla"
 
-args=$(getopt -o h,r --long bazel-cache:,bazel-cache-namespace:,build-param:,build-path-jaxlib:,clean,release,cpu-arch:,debug,extra-targets:,extra-target-dest:,no-clean,clean-only,help,install,no-install,src-path-jax:,src-path-xla:,sm: -- "$@")
+args=$(getopt -o h,r --long bazel-cache:,bazel-cache-namespace:,bazel-repo-cache:,build-param:,build-path-jaxlib:,clean,release,cpu-arch:,debug,extra-targets:,extra-target-dest:,no-clean,clean-only,help,install,no-install,src-path-jax:,src-path-xla:,sm: -- "$@")
 if [[ $? -ne 0 ]]; then
     exit 1
 fi
@@ -92,6 +94,10 @@ while [ : ]; do
             BAZEL_CACHE_NAMESPACE=$2
             shift 2
             ;;
+        --bazel-repo-cache)
+            BAZEL_REPO_CACHE=$2
+            shift 2
+            ;;
         --build-param)
             BUILD_PARAM="$BUILD_PARAM $2"
             shift 2
@@ -193,6 +199,10 @@ elif [[ ! -z "${BAZEL_CACHE}" ]] ; then
     BUILD_PARAM="${BUILD_PARAM} --bazel_options=--disk_cache=${BAZEL_CACHE}"
 fi
 
+if [[ -n "${BAZEL_REPO_CACHE}" ]]; then
+    BUILD_PARAM="${BUILD_PARAM} --bazel_options=--repository_cache=${BAZEL_REPO_CACHE}"
+fi
+
 if [[ "$DEBUG" == "1" ]]; then
     BUILD_PARAM="${BUILD_PARAM} --bazel_options=-c --bazel_options=dbg --bazel_options=--strip=never --bazel_options=--cxxopt=-g --bazel_options=--cxxopt=-O0"
 fi
@@ -203,6 +213,7 @@ echo "                  Configuration                   "
 echo "--------------------------------------------------"
 
 print_var BAZEL_CACHE
+print_var BAZEL_REPO_CACHE
 print_var BUILD_PATH_JAXLIB
 print_var BUILD_PARAM
 print_var CLEAN
diff --git a/.github/workflows/_ci.yaml b/.github/workflows/_ci.yaml
@@ -82,7 +82,14 @@ jobs:
             ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
             ssh-known-hosts: ${{ vars.SSH_KNOWN_HOSTS }}
             github-token: ${{ secrets.GITHUB_TOKEN }}
-            bazel-remote-cache-url: ${{ vars.BAZEL_REMOTE_CACHE_URL }}
+            # Bazel remote cache URL intentionally omitted: the Dockerfile now
+            # uses --disk_cache=/cache/bazel-disk (BuildKit cache mount) and
+            # --repository_cache=/cache/bazel-repo (seeded via actions/cache).
+            # Set BAZEL_REMOTE_CACHE_URL var in repo settings to re-enable the
+            # legacy remote cache path (e.g. grpc://...) if needed.
+            bazel-remote-cache-url: ""
+            # Enable Bazel repository-cache save/restore for this Bazel-heavy job.
+            ENABLE_BAZEL_REPO_CACHE: 'true'
             EXTRA_BUILD_ARGS: |
               URLREF_JAX=${{ fromJson(inputs.SOURCE_URLREFS).JAX }}
               URLREF_XLA=${{ fromJson(inputs.SOURCE_URLREFS).XLA }}
