ci(fix): Switch test workflows to also use the buildx docker-container driver
#3072
Conversation
As the test workflow does not use the `docker-container` buildx driver, it uses the Docker Engine bundled BuildKit version which until v23 release does not support attestations. Likewise the current buildx version in CI is `0.10.0` which does not respect `--provenance false`, the presence of the option appears to trigger a BuildKit version compatibility check and fail early before it considers the value of the option.
polarathene
requested review from
casperklein,
wernerfred and
georglauterbach
|
I'm not sure if i 100% get the point? Wouldn't that mean that that all tests should always have failed? So if not, why would they fail only sometimes? And how will we make sure to enable it in the future again (what i want to say is: if it will be available sometime this month isn't it easier to wait that 20days instead of disabling and then thinking of re-adding it again)? |
I would opt for this, if that's easily possible. |
|
@wernerfred tests only failed recently because of adding This only affected our test workflow. Obviously we don't want to wait 7-20 days for a fix if it means the test suite can't run in the CI 😅 The PR has been updated to use the Original response
All tests will fail presently now since we added the As explained this adds the
I have seen some runners use buildx This wasn't an issue prior to us adding
We've chosen to opt-out intentionally already in build and publish. It's not actually relevant to the test workflow, so opt-in/out explicitly (or omit it for an implicit enable when supported) won't matter. It's only presently an issue due to the bug with explicit Having an explicit Leaving it as-is, means our CI will fail the test suite for that duration...I'm not sure why you'd be okay with 20 days of tests failing due to this? If you're concerned about someone forgetting, we can raise an issue as a reminder and the stale bot will ping any maintainer subscribed as a reminder. Or we just leave it disabled / removed 🤷♂️ |
@casperklein yeah no worries we can do that I think. EDIT: Done. I looked into this a bit more and I think it affected our cache during re-builds of the image for test workflows. Could improve those each by up to 60 seconds from what I saw 🤔 Original responseThe So to clarify:
If you'd like more consistency, I can bring in the buildx action into the test workflow as well (the qemu one isn't necessary), which configures buildx with the While it's not necessary, it may look easier to maintain that way if it's more consistent with the build and publish workflows. |
An alternative solution to omitting `provenance: false` (_not supported by buildx 0.10.0 with default `docker` driver when Docker Engine bundles BuildKit less than 0.10.0, which is the case prior to the Docker Engine v23 release_). This approach provides more consistency with the build and publish workflows by using the same buildx `docker-container` driver (_and thus newer BuildKit, enabling support for `provenance: false`_).
|
@casperklein was right to prefer being consistent with the buildx The PR has been updated to use that solution instead. It looks like it will improve our caching in test workflow as a bonus 👍 (EDIT: The build step does seem to be completed faster with improved caching, but the added buildx step adds about 40s+ to the workflow run effectively cancelling out most of the gains 😅 ) Original commentDocker buildx docs:
Switching to I just reviewed some prior CI runs when they were working, and observed that while the build workflow cached the image and re-built withn 30 secs, the |
Buildx `docker-container` driver is not needed here, but it does seem like it improves cache-hit ratio when building from the retrieved build cache (from the earlier build workflow). Possibly due to building with the same BuildKit version.
@polarathene thanks for your detailed answer and clarification! I've read through the other PR as well and now my original comment doesn't make sense anymore 😆 |
polarathene
changed the title
provenancedocker-container driver
Description
As the test workflow does not use the
docker-containerbuildx driver (our build and publish workflows do), it uses the Docker Engine bundled BuildKit version (BuildKit release over 2 years old) which until the recent v23 release (Feb 2023) does not support attestations. Github should have v23 available in runners sometime this month.This driver difference is causing the current CI failures for test workflow runs:
docker/build-push-actionv4 will only add the--provenanceoption to buildx command, if explicitly configured in the action. By not adding a value we can avoid causing this failure happening in buildx.0.10.0when there is a version of BuildKit that supports it. The option will cause buildx to fail early if the feature is not available the detected BuildKit (only when supported, does it acknowledge an opt-out). This appears to be resolved in newer buildx releases, at least0.10.2.As the test workflows don't do anything with Docker beyond re-use the build cache to import a local image for testing, the value of
--provenanceisn't relevant to this workflow regardless.Alternative options considered were:
docker-containerdriver to always use the same BuildKit version (only during the rebuild of the image, not that relevant to this workflow).--provenanceoption to buildx.References
open_dkim.bats#3060 (comment)--provenance falsefails on Buildx 0.10.0, but works with0.10.2? docker/buildx#1608docker/build-push-actionto v4 PR that introduced the issue (due toprovenance: false, not v4): chore(deps): Bump docker/build-push-action from 3.3.0 to 4.0.0 #3066Type of change