Unified Docker image with CI auto-build (#17)

thomas-schweich · web-flow · commit a05ef6e3fd60 · 2026-03-28T16:57:45.000-07:00
* Unified Docker image with CI auto-build on merge to main

- Simplify Dockerfile to a single image (no multi-target builds)
- Uses RunPod base entrypoint (SSH + Jupyter) — run experiments via SSH
- Add .github/workflows/docker.yml: builds and pushes to Docker Hub
  on every merge to main, tagged as :latest and :sha
- Uses GitHub Actions cache for Docker layer reuse
- Update CLAUDE.md to reflect the new workflow

Requires DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets in GitHub.

* Address review: fix broken COPYs, .dockerignore, GIT_TAG, workflow_dispatch

- Remove COPY data/ (doesn't exist in repo)
- Simplify .dockerignore to allow deploy/, docs/, cards/ into build context
- Fix GIT_TAG: use git tag --points-at HEAD instead of github.ref_name
- Add workflow_dispatch trigger for manual rebuilds
diff --git a/.dockerignore b/.dockerignore
@@ -1,21 +1,13 @@
 .git
 .venv
+.env
 __pycache__
 *.pyc
 *.pyo
 *.egg-info
 .mypy_cache
 engine/target
+*.so
 data/
 checkpoints/
 logs/
-deploy/
-!deploy/entrypoint-run.sh
-!deploy/entrypoint-extract.sh
-!deploy/entrypoint-lc0.sh
-!deploy/entrypoint-rosa-sweep.sh
-!deploy/entrypoint-lc0-selfplay.sh
-!deploy/entrypoint-lichess-parquet.sh
-*.so
-CLAUDE.md
-docs/
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,46 @@
+name: Docker
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  IMAGE: thomasschweich/pawn
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Resolve git tag
+        id: meta
+        run: echo "tag=$(git tag --points-at HEAD | head -1)" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64
+          tags: |
+            ${{ env.IMAGE }}:latest
+            ${{ env.IMAGE }}:${{ github.sha }}
+          build-args: |
+            GIT_HASH=${{ github.sha }}
+            GIT_TAG=${{ steps.meta.outputs.tag }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -221,27 +221,19 @@ from the trainer. Load via HF repo ID (e.g. `--checkpoint thomas-schweich/pawn-b
 
 ## RunPod Operations
 
-### Docker Build & Push
+### Docker Image
 
-```bash
-# Build runner target (auto-stop after training completes)
-docker build --platform linux/amd64 \
-    --build-arg GIT_HASH=$(git rev-parse HEAD) \
-    --build-arg GIT_TAG=$(git tag --points-at HEAD) \
-    --target runner \
-    -t thomasschweich/pawn:latest-runner .
+A single Docker image (`thomasschweich/pawn:latest`) is **automatically built and pushed to Docker Hub by CI** on every merge to main. No manual builds needed.
+
+The image is based on `runpod/pytorch` (CUDA + SSH + Jupyter) with all Python deps pre-installed. Code lives at `/opt/pawn` on pods. SSH in and run experiments directly.
 
-# Build interactive target (SSH + Jupyter, stays alive)
+To build locally (rarely needed):
+```bash
 docker build --platform linux/amd64 \
     --build-arg GIT_HASH=$(git rev-parse HEAD) \
-    --target interactive \
     -t thomasschweich/pawn:latest .
-
-docker push thomasschweich/pawn:latest-runner
 ```
 
-Code lives at `/opt/pawn` on pods (outside the `/workspace` volume mount).
-
 ### Pod Lifecycle
 
 Use `deploy/pod.sh` for all pod management. Requires `runpodctl` (`wget -qO- cli.runpod.net | sudo bash`).
diff --git a/Dockerfile b/Dockerfile
@@ -1,23 +1,13 @@
-# PAWN Container for Runpod
+# PAWN — single image for all RunPod workloads
 #
-# Uses runpod/base (CUDA + SSH + Jupyter, no PyTorch) with uv for
-# reproducible Python dependency management from the lockfile.
+# Built automatically by CI on merge to main and pushed to Docker Hub.
+# Uses the RunPod base image (CUDA + SSH + Jupyter) with uv for
+# reproducible Python dependency management.
 #
-# Build targets:
-#   interactive (default) — SSH + Jupyter, stays alive
-#   runner               — runs a command then exits (pod auto-stops)
-#   rosa-sweep           — runs RoSA ablation sweeps then exits
+# Usage: create a RunPod template pointing at thomasschweich/pawn:latest,
+# SSH in, and run experiments. Code lives at /opt/pawn.
 #
-# Build:
-#   docker build --platform linux/amd64 \
-#     --build-arg GIT_HASH=$(git rev-parse HEAD) \
-#     --build-arg GIT_TAG=$(git tag --points-at HEAD) \
-#     [--target runner] \
-#     -t pawn:<tag> .
-#
-# IMPORTANT: Always attach a Runpod network volume. Checkpoints use
-# atomic directory writes (tmp + rename) that require persistent disk.
-# Set HF_TOKEN as a pod env var for HuggingFace checkpoint push.
+# IMPORTANT: Always attach a network volume. Set HF_TOKEN as a pod env var.
 
 # ── Builder: compile Rust engine wheel ───────────────────────────────
 FROM python:3.12-slim AS builder
@@ -40,8 +30,8 @@ COPY scripts/ scripts/
 
 RUN cd engine && uv run --no-project --with maturin maturin build --release
 
-# ── Runtime base (shared by all targets) ─────────────────────────────
-FROM runpod/pytorch:1.0.3-cu1281-torch280-ubuntu2404 AS runtime-base
+# ── Runtime ──────────────────────────────────────────────────────────
+FROM runpod/pytorch:1.0.3-cu1281-torch280-ubuntu2404
 
 ENV PYTHONUNBUFFERED=1 \
     UV_LINK_MODE=copy
@@ -56,12 +46,12 @@ COPY pyproject.toml uv.lock ./
 COPY pawn/ pawn/
 COPY scripts/ scripts/
 COPY tests/ tests/
+COPY deploy/ deploy/
+COPY docs/ docs/
+COPY cards/ cards/
 
-# Install engine wheel first
+# Install engine wheel, then sync Python deps from lockfile
 COPY --from=builder /build/engine/target/wheels/*.whl /tmp/
-
-# Create venv with system packages (picks up pre-installed torch + CUDA)
-# and install remaining deps from lockfile
 RUN uv venv --system-site-packages && \
     uv sync --extra cu128 --no-dev --frozen --no-install-workspace && \
     uv pip install /tmp/*.whl && rm -rf /tmp/*.whl
@@ -80,25 +70,4 @@ RUN echo "export PYTHONPATH=/opt/pawn" >> /etc/environment && \
     echo 'export PATH="/opt/pawn/.venv/bin:$PATH"' >> /etc/environment && \
     cat /etc/environment >> /root/.bashrc
 
-# ── Runner — executes command then exits (pod auto-stops) ────────────
-FROM runtime-base AS runner
-COPY deploy/entrypoint-run.sh /entrypoint-run.sh
-RUN chmod +x /entrypoint-run.sh
-ENTRYPOINT ["/entrypoint-run.sh"]
-
-# ── RoSA sweep — runs all three ablation sweeps then exits ───────────
-FROM runtime-base AS rosa-sweep
-COPY deploy/entrypoint-rosa-sweep.sh /entrypoint-rosa-sweep.sh
-RUN chmod +x /entrypoint-rosa-sweep.sh
-ENTRYPOINT ["/entrypoint-rosa-sweep.sh"]
-
-# ── Lichess extract — downloads PGN, writes Parquet, pushes to HF ───
-FROM runtime-base AS lichess-extract
-RUN pip install --no-cache-dir zstandard
-COPY deploy/entrypoint-lichess-parquet.sh /entrypoint-lichess-parquet.sh
-RUN chmod +x /entrypoint-lichess-parquet.sh
-ENTRYPOINT ["/entrypoint-lichess-parquet.sh"]
-
-# ── Interactive (default) — SSH + Jupyter, stays alive ───────────────
-FROM runtime-base AS interactive
-# Inherits /start.sh entrypoint from Runpod base image
+# Inherits /start.sh entrypoint from RunPod base image (SSH + Jupyter)
