fix(qe): auto-download pseudopotentials, add --allow-run-as-root #39
| --- | |
| # Build and push all four chem Docker images to zot.hwcopeland.net/chem/. | |
| # | |
| # Runner: self-hosted runner labeled arc-chem running on the RKE2 cluster. | |
| # The runner pod runs inside the cluster LAN and therefore has direct network | |
| # access to zot.hwcopeland.net — this is the solution to the private registry | |
| # network boundary (GitHub cloud runners cannot reach zot.hwcopeland.net). | |
| # | |
| # Registry credentials are stored as GitHub Actions encrypted repository secrets: | |
| # ZOT_USERNAME — username for zot.hwcopeland.net (from Bitwarden 766ec5c7-...) | |
| # ZOT_PASSWORD — password for zot.hwcopeland.net (from Bitwarden 766ec5c7-...) | |
| # | |
| # Cache strategy: registry-based layer cache (type=registry) with mode=max. | |
| # type=gha (GitHub Actions cache) does not work from on-cluster runners. | |
| # | |
| # Image tag format: build-<NNNNNN>-<sha7> | |
| # Zero-padded run number prefix guarantees lexicographic == chronological order, | |
| # which is required for Flux ImagePolicy alphabetical selection to pick the newest | |
| # build. Pure sha-<sha7> tags fail because hex digits are not monotonic | |
| # (e.g. sha-e063a72 beats sha-2398b71 alphabetically even though it is older). | |
| # Additionally pushes :latest for backward compatibility. | |
| name: Build and Push Chem Images | |
| on: | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - 'rke2/chem/compute-infrastructure/k8s-jobs/controller/**' | |
| - 'rke2/chem/compute-infrastructure/k8s-jobs/result-writer/**' | |
| - 'rke2/chem/compute-infrastructure/docker/autodock-vina/**' | |
| - '.github/workflows/build-chem-images.yml' | |
| workflow_dispatch: | |
| jobs: | |
| build-and-push: | |
| name: Build ${{ matrix.name }} | |
| runs-on: [self-hosted, arc-chem] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: docking-controller | |
| image: zot.hwcopeland.net/chem/docking-controller | |
| dockerfile: rke2/chem/compute-infrastructure/k8s-jobs/controller/Dockerfile | |
| # Build context MUST be k8s-jobs/ (not k8s-jobs/controller/) because | |
| # the Dockerfile uses: COPY controller/go.mod controller/go.sum ./ | |
| context: rke2/chem/compute-infrastructure/k8s-jobs/ | |
| - name: autodock-vina | |
| image: zot.hwcopeland.net/chem/autodock-vina | |
| dockerfile: rke2/chem/compute-infrastructure/docker/autodock-vina/Dockerfile | |
| context: rke2/chem/compute-infrastructure/docker/autodock-vina/ | |
| - name: result-writer | |
| image: zot.hwcopeland.net/chem/result-writer | |
| dockerfile: rke2/chem/compute-infrastructure/k8s-jobs/result-writer/Dockerfile | |
| context: rke2/chem/compute-infrastructure/k8s-jobs/result-writer/ | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 | |
| - name: Log in to Zot registry | |
| uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 | |
| with: | |
| registry: zot.hwcopeland.net | |
| username: ${{ secrets.ZOT_USERNAME }} | |
| password: ${{ secrets.ZOT_PASSWORD }} | |
| - name: Compute image tags | |
| id: tags | |
| run: | | |
| SHORT_SHA="${GITHUB_SHA::7}" | |
| RUN_NUM=$(printf '%06d' "${{ github.run_number }}") | |
| BUILD_TAG="build-${RUN_NUM}-${SHORT_SHA}" | |
| echo "build_tag=${BUILD_TAG}" >> "$GITHUB_OUTPUT" | |
| echo "Building ${{ matrix.name }} with tag: ${BUILD_TAG}" | |
| - name: Build and push ${{ matrix.name }} | |
| uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0 | |
| with: | |
| context: ${{ matrix.context }} | |
| file: ${{ matrix.dockerfile }} | |
| platforms: linux/amd64 | |
| push: true | |
| tags: | | |
| ${{ matrix.image }}:${{ steps.tags.outputs.build_tag }} | |
| ${{ matrix.image }}:latest | |
| # Registry-based layer cache with mode=max caches all intermediate layers. | |
| # mode=max is required to cache multi-stage builder layers. | |
| cache-from: type=registry,ref=${{ matrix.image }}:cache | |
| cache-to: type=registry,ref=${{ matrix.image }}:cache,mode=max |
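Review bot: No `permissions:` key is set at the workflow level or on the `build-and-push` job, so the GITHUB_TOKEN given to the self-hosted `arc-chem` runner carries whatever the repository default grants, which may include write scopes. The visible steps only check out the repository and push to zot.hwcopeland.net with the ZOT_* secrets, so the token needs read access at most; adding `permissions: { contents: read }` above `jobs:` would pin that. In the `Compute image tags` step, `${{ github.run_number }}` and `${{ matrix.name }}` are pasted into the script text before the shell runs. Both are trusted values here, but `RUN_NUM=$(printf '%06d' "$GITHUB_RUN_NUMBER")` and an `env:` entry for the matrix name would keep the step safe if a matrix value is ever derived from input. The header comment says four images while the matrix and the `paths:` filter list three, so one of them looks out of date.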