run our docker ci on gha runners directly (#17442)

* run our docker ci on gha runners directly

* chore: pin hashes

Signed-off-by: Mike Fiedler <[email protected]>

* chore: ignore cache poisoning as the artifact is not reused

Signed-off-by: Mike Fiedler <[email protected]>

* nit: use non-legacy syntax

Signed-off-by: Mike Fiedler <[email protected]>

* run depot and GHA in parallel

* don't change name of the base CI tasks, since that's how branch protection ids them

* another way of naming

---------

Signed-off-by: Mike Fiedler <[email protected]>
Co-authored-by: Mike Fiedler <[email protected]>
Co-authored-by: Dustin Ingram <[email protected]>

Author: 3 people

.github/workflows/ci.yml renamed to .github/workflows/ci-base.yml

@@ -1,54 +1,42 @@
-name: CI
+name: CI Base
 on:
-  push:
-    branches:
-      - main
-  pull_request:
-  merge_group:
-    types: [checks_requested]
-  workflow_dispatch:  # generally only for the "combine-prs" workflow
-permissions:
-  contents: read
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
-  cancel-in-progress: true
+  workflow_call:
+    inputs:
+      runner:
+        required: true
+        type: string
+        description: 'Runner to use for jobs'
+      runner_large:
+        required: false
+        type: string
+        description: 'Large runner to use for heavy jobs'
+      image_registry:
+        required: true
+        type: string
+        description: 'Container registry for images'
+      build_id:
+        required: true
+        type: string
+        description: 'Build ID for the container image'
+      use_depot:
+        required: false
+        type: boolean
+        default: false
+        description: 'Whether to use Depot for builds'
+
 jobs:
-  build:
-    if: github.repository == 'pypi/warehouse'
-    runs-on: depot-ubuntu-24.04-arm
-    outputs:
-      buildId: ${{ steps.build.outputs.build-id}}
-    permissions:
-      id-token: write
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-        with:
-          persist-credentials: false
-      - name: Set up Depot CLI
-        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
-      - name: Build image
-        id: build
-        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
-        with:
-          save: true
-          build-args: |
-            DEVEL=yes
-            CI=yes
-          tags: pypi/warehouse:ci-${{ github.run_id }}
   test:
     # Time out if our test suite has gotten hung
     timeout-minutes: 15
-    needs: build
     strategy:
       matrix:
         include:
           - name: Tests
             command: bin/tests --postgresql-host postgres
-            runs_on: depot-ubuntu-24.04-arm-4
+            use_large_runner: true
           - name: Lint
             command: bin/lint
-            runs_on: depot-ubuntu-24.04-arm-4
+            use_large_runner: true
           - name: User Documentation
             command: bin/user-docs
           - name: Developer Documentation
@@ -59,13 +47,14 @@ jobs:
             command: bin/licenses
           - name: Translations
             command: bin/translations
-    runs-on: ${{ (matrix.runs_on != null) && matrix.runs_on || 'depot-ubuntu-24.04-arm' }}
+    runs-on: ${{ (matrix.use_large_runner && inputs.runner_large != '') && inputs.runner_large || inputs.runner }}
     container:
-      image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }}
+      image: ${{ inputs.image_registry }}:${{ inputs.build_id }}
       env:
         BILLING_BACKEND: warehouse.subscriptions.services.MockStripeBillingService api_base=http://stripe:12111 api_version=2020-08-27
     permissions:
       id-token: write
+      packages: read
     services:
       postgres:
         image: ${{ (matrix.name == 'Tests') && 'postgres:17.5' || '' }}
@@ -84,7 +73,7 @@ jobs:
         image: ${{ (matrix.name == 'Tests') && 'stripe/stripe-mock:v0.162.0' || '' }}
         ports:
           - 12111:12111
-    name: ${{ matrix.name }}
+    name: ${{ matrix.name }}${{ !inputs.use_depot && ' (GHA)' || '' }}
     steps:
       - name: Check out repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -101,14 +90,14 @@ jobs:
         run: ${{ matrix.command }}
 
   check_db:
-    name: Check Database Consistency
-    needs: build
-    runs-on: depot-ubuntu-24.04-arm
+    name: Check Database Consistency${{ !inputs.use_depot && ' (GHA)' || '' }}
+    runs-on: ${{ inputs.runner }}
     continue-on-error: true
     container:
-      image: registry.depot.dev/rltf7cln5v:${{ needs.build.outputs.buildId }}
+      image: ${{ inputs.image_registry }}:${{ inputs.build_id }}
     permissions:
       id-token: write
+      packages: read
     services:
       postgres:
         image: postgres:17.5
@@ -139,4 +128,4 @@ jobs:
         run: bin/db-check
         env:
           # override the hostname set in `dev/environment`
-          DATABASE_URL: 'postgresql+psycopg://postgres@postgres/warehouse'
+          DATABASE_URL: 'postgresql+psycopg://postgres@postgres/warehouse'

.github/workflows/ci-depot.yml

@@ -0,0 +1,52 @@
+name: CI
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  merge_group:
+    types: [checks_requested]
+  workflow_dispatch:  # generally only for the "combine-prs" workflow
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+jobs:
+  build:
+    if: github.repository == 'pypi/warehouse'
+    runs-on: depot-ubuntu-24.04-arm
+    outputs:
+      buildId: ${{ steps.build.outputs.build-id}}
+    permissions:
+      id-token: write
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - name: Set up Depot CLI
+        uses: depot/setup-action@b0b1ea4f69e92ebf5dea3f8713a1b0c37b2126a5 # v1.6.0
+      - name: Build image
+        id: build
+        uses: depot/build-push-action@9785b135c3c76c33db102e45be96a25ab55cd507 # v1.16.2
+        with:
+          save: true
+          build-args: |
+            DEVEL=yes
+            CI=yes
+          tags: pypi/warehouse:ci-${{ github.run_id }}
+
+  ci:
+    if: github.repository == 'pypi/warehouse'
+    needs: build
+    uses: ./.github/workflows/ci-base.yml
+    with:
+      runner: depot-ubuntu-24.04-arm
+      runner_large: depot-ubuntu-24.04-arm-4
+      image_registry: registry.depot.dev/rltf7cln5v
+      build_id: ${{ needs.build.outputs.buildId }}
+      use_depot: true
+    permissions:
+      id-token: write
+      packages: read

.github/workflows/ci-gha.yml

@@ -0,0 +1,79 @@
+name: CI (GHA)
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  merge_group:
+    types: [checks_requested]
+  workflow_dispatch:  # generally only for the "combine-prs" workflow
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+jobs:
+  build:
+    runs-on: ubuntu-24.04-arm
+    outputs:
+      buildId: ${{ github.run_id }}
+    permissions:
+      packages: write
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+      - name: Cache
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3 # zizmor: ignore[cache-poisoning]
+        id: cache
+        with:
+          path: |
+            var-cache-apt
+            var-lib-apt
+            root-cache-pip
+            root-npm
+          key: cache-${{ hashFiles('Dockerfile') }}
+      - name: inject cache into docker
+        uses: reproducible-containers/buildkit-cache-dance@653a570f730e3b9460adc576db523788ba59a0d7 # v3.2.0
+        with:
+          cache-map: |
+            {
+              "var-cache-apt": "/var/cache/apt",
+              "var-lib-apt": "/var/lib/apt",
+              "root-cache-pip": "/root/.cache/pip",
+              "root-npm": "/root/.npm"
+            }
+          skip-extraction: ${{ steps.cache.outputs.cache-hit }}
+      - name: Login To GHCR
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        with:
+          context: .
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          push: true
+          build-args: |
+            DEVEL=yes
+            CI=yes
+          tags: |
+            ghcr.io/pypi/warehouse:ci-${{ github.run_id }}
+
+  ci:
+    needs: build
+    uses: ./.github/workflows/ci-base.yml
+    with:
+      runner: ubuntu-24.04-arm
+      image_registry: ghcr.io/pypi/warehouse
+      build_id: ci-${{ needs.build.outputs.buildId }}
+      use_depot: false
+    permissions:
+      id-token: write
+      packages: read

Dockerfile

@@ -184,8 +184,8 @@ RUN --mount=type=cache,target=/root/.cache/pip \
 FROM python:${PYTHON_IMAGE_VERSION}
 
 # Setup some basic environment variables that are ~never going to change.
-ENV PYTHONUNBUFFERED 1
-ENV PYTHONPATH /opt/warehouse/src/
+ENV PYTHONUNBUFFERED=1
+ENV PYTHONPATH=/opt/warehouse/src/
 ENV PATH="/opt/warehouse/bin:${PATH}"
 
 WORKDIR /opt/warehouse/src/