From 62dc5c8d5cdeb7f8b932202a5b18f78035cd9cc1 Mon Sep 17 00:00:00 2001 From: Harmen Stoppels Date: Thu, 19 Dec 2024 21:57:50 +0100 Subject: [PATCH 1/4] updates --- .github/workflows/build.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b7bb3c6..defd752 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -12,10 +12,10 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Spack - uses: spack/setup-spack@5ab3c91bdefffffad9a7e45d1d156146afebb3a7 + uses: spack/setup-spack@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Find compilers run: spack -e . compiler find --mixed-toolchain @@ -29,7 +29,10 @@ jobs: make -Orecurse -j $(($(nproc) + 1)) SPACK_INSTALL_FLAGS=--no-check-signature - name: Push packages and update index + env: + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - spack mirror set --push --oci-username ${{ github.actor }} --oci-password "${{ secrets.GITHUB_TOKEN }}" github-actions-buildcache + spack mirror set --push --oci-username-variable GITHUB_USER --oci-password-variable GITHUB_TOKEN github-actions-buildcache spack -e . buildcache push -j $(($(nproc) + 1)) --base-image ubuntu:20.04 --update-index github-actions-buildcache if: ${{ !cancelled() }} From be42abe6de454e283c7526ba8c0e949e4b42d9ee Mon Sep 17 00:00:00 2001 From: Harmen Stoppels Date: Thu, 19 Dec 2024 21:58:37 +0100 Subject: [PATCH 2/4] update --- .github/workflows/update-index.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-index.yaml b/.github/workflows/update-index.yaml index 5db7fb5..cf91aaf 100644 --- a/.github/workflows/update-index.yaml +++ b/.github/workflows/update-index.yaml 
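Review bot: The bare commit hashes on the two `uses:` lines in the first build.yaml hunk of PATCH 1/4 (`@@ -12,10 +12,10 @@`) carry no version annotation, which makes a wrong pin hard to spot in review. Here `spack/setup-spack` ends up on `11bd71901bbe5b1630ceea73d27597364c9af683`, the same hash `actions/checkout` is bumped to one step above, which looks like a paste slip; PATCH 3/4 puts `5ab3c91bdefffffad9a7e45d1d156146afebb3a7` back. Keep the full-hash pins, and add a trailing comment naming the release each hash corresponds to, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # <release tag>`, so a reviewer or an update bot can check the hash against the tag. The same applies to the checkout bump in update-index.yaml in PATCH 2/4.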
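Review bot: The new `env:` block on the "Push packages and update index" step in the second build.yaml hunk of PATCH 1/4 (`@@ -29,7 +29,10 @@`) has no comment saying why the credentials left the command line, and that reason is what keeps a later edit from reverting it. I would add above `env:` something like `# Credentials are passed by variable name, so the token is never interpolated into the script text` and `# and spack records only the variable names for the mirror.` The second half is inferred from the `id_variable`/`secret_variable` keys shown in the README change in PATCH 4/4, so confirm it before committing the wording. It is also worth stating in that comment that the block stays on this step on purpose: the `make` build step in the same job then never has `GITHUB_TOKEN` in its environment.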
@@ -12,7 +12,7 @@ jobs: packages: write steps: - name: Checkout - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Spack uses: spack/setup-spack@5ab3c91bdefffffad9a7e45d1d156146afebb3a7 From 51c1e0c63ff76460ed2b20082aa1cb1f21260d87 Mon Sep 17 00:00:00 2001 From: Harmen Stoppels Date: Thu, 19 Dec 2024 22:01:17 +0100 Subject: [PATCH 3/4] wut --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index defd752..807ffba 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -15,7 +15,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Spack - uses: spack/setup-spack@11bd71901bbe5b1630ceea73d27597364c9af683 + uses: spack/setup-spack@5ab3c91bdefffffad9a7e45d1d156146afebb3a7 - name: Find compilers run: spack -e . compiler find --mixed-toolchain From 5edf0b0ea007205e195549951efca136327fa1f8 Mon Sep 17 00:00:00 2001 From: Harmen Stoppels Date: Thu, 19 Dec 2024 22:16:22 +0100 Subject: [PATCH 4/4] update readme --- README.md | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index ba82390..4680d7c 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ jobs: run: spack -e . install --no-check-signature - name: Run - run: ./my_view/bin/python -c 'print("hello world")' + run: ./my_view/bin/python3 -c 'print("hello world")' ``` ## Caching your own binaries @@ -71,7 +71,13 @@ If you want to cache your own binaries too, there are three steps to take: root: /opt/spack padded_length: 128 mirrors: - local-buildcache: oci://ghcr.io//spack-buildcache + local-buildcache: + url: oci://ghcr.io//spack-buildcache + signed: false + access_pair: + id_variable: GITHUB_USER + secret_variable: GITHUB_TOKEN + ``` 2. Configure the permissions for `GITHUB_TOKEN`: 
@@ -92,9 +98,10 @@ If you want to cache your own binaries too, there are three steps to take: example: steps: - name: Push packages and update index - run: | - spack -e . mirror set --push --oci-username ${{ github.actor }} --oci-password "${{ secrets.GITHUB_TOKEN }}" local-buildcache - spack -e . buildcache push --base-image ubuntu:22.04 --unsigned --update-index local-buildcache + env: + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: spack -e . buildcache push --base-image ubuntu:22.04 --update-index local-buildcache if: ${{ !cancelled() }} ``` NOTE: Make sure to add `if: ${{ !cancelled() }}`, so that binaries for successfully @@ -104,17 +111,16 @@ If you want to cache your own binaries too, there are three steps to take: When your local buildcache is stored in a private GitHub package, you need to specify the OCI credentials already *before* `spack concretize`. -This is because Spack needs to fetch the buildcache index. Also, remember to -remove the `--push` flag from `spack mirror set`, since fetching needs -credentials too: +This is because Spack needs to fetch the buildcache index. ```yaml +env: + GITHUB_USER: ${{ github.actor }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + jobs: example-private: steps: - - name: Login - run: spack -e . mirror set --oci-username ${{ github.actor }} --oci-password "${{ secrets.GITHUB_TOKEN }}" local-buildcache - - name: Concretize run: spack -e . concretize 
@@ -122,12 +128,11 @@ jobs: run: spack -e . install --no-check-signature - name: Push packages and update index - run: spack -e . buildcache push --base-image ubuntu:22.04 --unsigned --update-index local-buildcache + run: spack -e . buildcache push --base-image ubuntu:22.04 --update-index local-buildcache ``` -From a security perspective, notice that the `GITHUB_TOKEN` is exposed to every -subsequent job step. (This is no different from `docker login`, which also likes -to store credentials in the home directory.) +From a security perspective, do note that the `GITHUB_TOKEN` is exposed to every +job step. ## Contributing