From 0ca814a2a65e412cd9e3e887bfdaa8946ef798e4 Mon Sep 17 00:00:00 2001 From: Larry Gritz Date: Fri, 29 Nov 2024 08:46:57 -0800 Subject: [PATCH] ci: Fix broken CI for ASWF 2021 and 2022 containers (#4543) The background here takes some explaining... The ASWF's prepared Docker containers that reproduce a CentOS7-based environment corresponding to VFX Platform 2021 and 2022 years contain a glibc that is too old to run a newer version of "node" -- which GitHub Actions themselves use. The old one is no longer receiving support, and GitHub finally changed the policy that was allowing its GHA runners to still run the old version that worked with those ASWF containers. The new node version that is happy on the GHA runners requires a glibc newer than the one in the containers. So that breaks all our CI runs in 2021 and 2022 VFX Platform configurations. See this thread, if you dare: https://academysoftwarefdn.slack.com/archives/C0169RX7MMK/p1732574400981949 Anyway, Jean-Francois Panisset proposed and tested a fix, which lets us continue working (for now) by downloading an old node implemenation (which is happy with the old glibc) and installing it atop the conainers, so it's this old one that the GH actions will use. It feels like it's all held together by chewing gum and duct tape, but it unbreaks our CI and hopefully it will keep working until all the studios have switched fully to RHEL/Alma/Rocky 9.x and we no longer care about testing on CentOS-7 based containers or supporting the VFX Platform years that are too old to be relevant to the new OS that the studios are using. Signed-off-by: Larry Gritz --- .github/workflows/ci.yml | 189 +++++++++++++++++++++++++++++++-------- 1 file changed, 151 insertions(+), 38 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ad11030229..fd70afc747 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -31,7 +31,7 @@ permissions: read-all jobs: - aswf: + aswf-old: name: "VFX${{matrix.vfxyear}} ${{matrix.desc}}" strategy: fail-fast: false @@ -42,6 +42,7 @@ jobs: runner: ubuntu-latest container: aswf/ci-osl:2021 vfxyear: 2021 + old_node: 1 cxx_std: 17 openexr_ver: v3.1.13 python_ver: 3.7 @@ -55,6 +56,7 @@ jobs: runner: ubuntu-latest container: aswf/ci-osl:2021-clang10 vfxyear: 2021 + old_node: 1 cc_compiler: clang cxx_compiler: clang++ cxx_std: 17 @@ -70,6 +72,7 @@ jobs: runner: ubuntu-latest container: aswf/ci-osl:2022-clang11 vfxyear: 2022 + old_node: 1 cxx_std: 17 python_ver: 3.9 simd: "avx2,f16c" @@ -81,6 +84,7 @@ jobs: runner: ubuntu-latest container: aswf/ci-osl:2022-clang13 vfxyear: 2022 + old_node: 1 cc_compiler: clang cxx_compiler: clang++ cxx_std: 17 @@ -94,6 +98,7 @@ jobs: runner: ubuntu-latest container: aswf/ci-osl:2022 vfxyear: 2022 + old_node: 1 cxx_std: 17 opencolorio_ver: v2.2.1 python_ver: 3.9 @@ -112,6 +117,7 @@ jobs: runner: ubuntu-latest container: aswf/ci-osl:2022 vfxyear: 2022 + old_node: 1 cc_compiler: icx cxx_compiler: icpx cxx_std: 17 @@ -127,47 +133,13 @@ jobs: # to use g++. # Building libuhdr with icx results in test failures # so we force using gcc/g++. - - desc: sanitizers - nametag: sanitizer - runner: ubuntu-latest - container: aswf/ci-osl:2024-clang17 - vfxyear: 2024 - cc_compiler: clang - cxx_compiler: clang++ - cxx_std: 17 - opencolorio_ver: v2.3.2 - python_ver: "3.11" - setenvs: export SANITIZE=address,undefined - OIIO_CMAKE_FLAGS="-DSANITIZE=address,undefined -DUSE_PYTHON=0" - CMAKE_BUILD_TYPE=Debug - CTEST_TEST_TIMEOUT=1200 - CTEST_EXCLUSIONS="broken|png-damaged" - - desc: gcc11/C++17 py3.10 exr3.1 ocio2.2 - nametag: linux-vfx2023 - runner: ubuntu-latest - container: aswftesting/ci-osl:2023-clang15 - vfxyear: 2023 - cxx_std: 17 - python_ver: "3.10" - simd: "avx2,f16c" - fmt_ver: 10.1.1 - pybind11_ver: v2.10.0 - - desc: gcc11/C++17 py3.11 exr3.2 ocio2.3 - nametag: linux-vfx2024 - runner: ubuntu-latest - container: aswftesting/ci-osl:2024-clang17 - vfxyear: 2024 - cxx_std: 17 - python_ver: "3.11" - simd: "avx2,f16c" - fmt_ver: 10.1.1 - pybind11_ver: v2.12.0 - desc: oldest gcc9.3/C++17 py3.7 exr-3.1 # Oldest versions of the dependencies that we support. nametag: linux-oldest runner: ubuntu-latest container: aswf/ci-osl:2021 vfxyear: 2021 + old_node: 1 cxx_std: 17 fmt_ver: 7.0.1 opencolorio_ver: v2.2.1 @@ -186,6 +158,7 @@ jobs: runner: ubuntu-latest container: aswf/ci-osl:2021 vfxyear: 2021 + old_node: 1 cxx_std: 17 fmt_ver: 7.0.1 opencolorio_ver: v2.2.1 @@ -202,6 +175,148 @@ jobs: FREETYPE_VERSION=VER-2-10-0 depcmds: sudo rm -rf /usr/local/include/OpenEXR + runs-on: ${{ matrix.runner }} + container: + image: ${{ matrix.container }} + volumes: + - /node20217:/node20217:rw,rshared + - /node20217:/__e/node20:ro,rshared + env: + CXX: ${{matrix.cxx_compiler}} + CC: ${{matrix.cc_compiler}} + CMAKE_CXX_STANDARD: ${{matrix.cxx_std}} + USE_SIMD: ${{matrix.simd}} + FMT_VERSION: ${{matrix.fmt_ver}} + OPENCOLORIO_VERSION: ${{matrix.opencolorio_ver}} + OPENEXR_VERSION: ${{matrix.openexr_ver}} + PYBIND11_VERSION: ${{matrix.pybind11_ver}} + PYTHON_VERSION: ${{matrix.python_ver}} + ABI_CHECK: ${{matrix.abi_check}} + steps: + # Install nodejs 20 with glibc 2.17, to work around the face that the + # GHA runners are insisting on a node version that is too new for the + # glibc in the ASWF containers prior to 2023. + - name: install nodejs20glibc2.17 + if: matrix.old_node == '1' + run: | + curl --silent https://unofficial-builds.nodejs.org/download/release/v20.18.1/node-v20.18.1-linux-x64-glibc-217.tar.xz | tar -xJ --strip-components 1 -C /node20217 -f - + # We would like to use harden-runner, but it flags too many false + # positives, every time we download a dependency. We should use it only + # on CI runs where we are producing artifacts that users might rely on. + # - name: Harden Runner + # uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 # v1.4.3 + # with: + # egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + # Note: can't upgrade to actions/checkout 4.0 because it needs newer + # glibc than these containers have. + - name: Prepare ccache timestamp + id: ccache_cache_keys + run: echo "date=`date -u +'%Y-%m-%dT%H:%M:%SZ'`" >> $GITHUB_OUTPUT + - name: ccache + id: ccache + uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3 + # Note: can't upgrade to actions/cache 4.0 because it needs newer + # glibc than these containers have. + with: + path: /tmp/ccache + key: ${{github.job}}-${{matrix.nametag}}-${{steps.ccache_cache_keys.outputs.date}} + restore-keys: ${{github.job}}- + - name: Build setup + run: | + ${{matrix.setenvs}} + src/build-scripts/ci-startup.bash + - name: Dependencies + run: | + ${{matrix.depcmds}} + src/build-scripts/gh-installdeps.bash + - name: Build + if: matrix.skip_build != '1' + run: src/build-scripts/ci-build.bash + - name: Testsuite + if: matrix.skip_tests != '1' + run: src/build-scripts/ci-test.bash + - name: Check out ABI standard + if: matrix.abi_check != '' + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + ref: ${{matrix.abi_check}} + path: abi_standard + - name: Build ABI standard + if: matrix.abi_check != '' + run: | + mkdir -p abi_standard/build + pushd abi_standard + src/build-scripts/ci-build.bash + popd + - name: Check ABI + if: matrix.abi_check != '' + run: | + src/build-scripts/ci-abicheck.bash ./build abi_standard/build libOpenImageIO libOpenImageIO_Util + - name: Build Docs + if: matrix.build_docs == '1' + run: | + cd src/doc + time make doxygen + time make sphinx + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + # Note: versions of upload-artifact >= 4.0 can't run on the ASWF + # containers because they need a newer glibc than they have. + if: ${{ failure() || matrix.build_docs == '1'}} + with: + name: oiio-${{github.job}}-${{matrix.nametag}} + path: | + build/cmake-save + build/compat_reports + build/sphinx + build/testsuite/*/*.* + !build/testsuite/oiio-images + !build/testsuite/openexr-images + !build/testsuite/fits-images + !build/testsuite/j2kp4files_v1_5 + + + aswf: + name: "VFX${{matrix.vfxyear}} ${{matrix.desc}}" + strategy: + fail-fast: false + matrix: + include: + - desc: gcc11/C++17 py3.10 exr3.1 ocio2.2 + nametag: linux-vfx2023 + runner: ubuntu-latest + container: aswftesting/ci-osl:2023-clang15 + vfxyear: 2023 + cxx_std: 17 + python_ver: "3.10" + simd: "avx2,f16c" + fmt_ver: 10.1.1 + pybind11_ver: v2.10.0 + - desc: gcc11/C++17 py3.11 exr3.2 ocio2.3 + nametag: linux-vfx2024 + runner: ubuntu-latest + container: aswftesting/ci-osl:2024-clang17 + vfxyear: 2024 + cxx_std: 17 + python_ver: "3.11" + simd: "avx2,f16c" + fmt_ver: 10.1.1 + pybind11_ver: v2.12.0 + - desc: sanitizers + nametag: sanitizer + runner: ubuntu-latest + container: aswf/ci-osl:2024-clang17 + vfxyear: 2024 + cc_compiler: clang + cxx_compiler: clang++ + cxx_std: 17 + opencolorio_ver: v2.3.2 + python_ver: "3.11" + setenvs: export SANITIZE=address,undefined + OIIO_CMAKE_FLAGS="-DSANITIZE=address,undefined -DUSE_PYTHON=0" + CMAKE_BUILD_TYPE=Debug + CTEST_TEST_TIMEOUT=1200 + CTEST_EXCLUSIONS="broken|png-damaged" # Test ABI stability. `abi_check` is the version or commit that we # believe is the current standard against which we don't want to # break the ABI. Basically, we will build that version as well as @@ -237,8 +352,6 @@ jobs: PYBIND11_VERSION: ${{matrix.pybind11_ver}} PYTHON_VERSION: ${{matrix.python_ver}} ABI_CHECK: ${{matrix.abi_check}} - ACTIONS_RUNNER_FORCE_ACTIONS_NODE_VERSION: node16 - ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true steps: # We would like to use harden-runner, but it flags too many false # positives, every time we download a dependency. We should use it only