echidna icon indicating copy to clipboard operation
echidna copied to clipboard

Published 20 hours ago verified publisher icon crytic

GitHub Actions: switch to GitHub Container Registry

Open elopez opened this issue 5 years ago • 5 comments

This PR switches from GitHub Packages Docker to GitHub Container Registry. See the following document for more details:

https://docs.github.com/en/free-pro-team@latest/packages/getting-started-with-github-container-registry/migrating-to-github-container-registry-for-docker-images

This change requires enabling the feature on GitHub by completing the following instructions:

https://docs.github.com/en/free-pro-team@latest/packages/getting-started-with-github-container-registry/enabling-improved-container-support

The feature must be also enabled on the organization level.

Then you must also get a Personal Access Token (PAT) with only write:packages scope (repo or any additional ones are not needed), and store it in the repository settings as a secret with the name CR_PAT, together with a CR_USERNAME secret. You can read the document linked above for more details, and then create the token by going to:

https://github.com/settings/tokens

Additionally, this change disables pushes to the trailofbits Docker Hub repository for non-crytic owned repositories, so pushes are not attempted from echidna forks without proper credentials.

As a final thing, the Dockerfile and actions were slightly reworked to enable layer caching and speed up the docker image builds.

Closes: #555

elopez avatar Nov 19 '20 03:11 elopez

There's probably room for improvement in the Dockerfile still. Most of the build time is spent building Haskell deps, so maybe we can do something like:

  1. copy just stack.yaml & package.yaml
  2. stack build ... --only-dependencies
  3. copy all of the code
  4. stack install ...

This way layers 1 and 2 get invalidated very infrequently, and most of the time is spent there.

elopez avatar Nov 19 '20 03:11 elopez

you are the docker/github actions machine... thanks for all the work. i'll take a look into all this tomorrow.

incertia avatar Nov 19 '20 04:11 incertia

@ESultanik would you happen to know what's going on with migrating to GHCR internally and are able to turn these settings on for us?

incertia avatar Nov 19 '20 04:11 incertia

@incertia I'm not sure. Switching to GHCR would require changes to other dependencies like eth-security-toolbox, so we need to tread carefully if we are going to abandon the current deployment method.

ESultanik avatar Nov 20 '20 16:11 ESultanik

@ESultanik Where we can discuss the eth-security-toolbox changes to merge this? Perhaps @elopez can help with that.

gustavo-grieco avatar Jan 25 '21 18:01 gustavo-grieco

Most of the changes here have been implemented through other PRs, so I'll close this.

elopez avatar Mar 30 '23 12:03 elopez