From 7c25098f7bf86872321e8f8984e66a2fb5e2e781 Mon Sep 17 00:00:00 2001 From: Albert Yau <5298134+mwyau@users.noreply.github.com> Date: Tue, 24 Mar 2026 22:46:00 -0400 Subject: [PATCH 1/6] ci: update Dockerfile for arm64 ducc0 --- Dockerfile | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index fd543d0..40d189e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -11,15 +11,13 @@ ENV UV_COMPILE_BYTECODE=1 \ WORKDIR /app # Install build dependencies -# Only required for SHTns (amd64) -RUN if [ "$TARGETARCH" = "amd64" ]; then \ - apt-get update && apt-get install -y --no-install-recommends \ +RUN apt-get update && apt-get install -y --no-install-recommends \ gcc \ + g++ \ make \ libc6-dev \ libfftw3-dev \ - && rm -rf /var/lib/apt/lists/*; \ - fi + && rm -rf /var/lib/apt/lists/*; # Install uv COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ @@ -50,12 +48,9 @@ ARG TARGETARCH WORKDIR /app # Install runtime dependencies -# Only required for SHTns (amd64) -RUN if [ "$TARGETARCH" = "amd64" ]; then \ - apt-get update && apt-get install -y --no-install-recommends \ +RUN apt-get update && apt-get install -y --no-install-recommends \ libfftw3-double3 \ - && rm -rf /var/lib/apt/lists/*; \ - fi + && rm -rf /var/lib/apt/lists/*; # Create data directory for mounting RUN mkdir /data && chmod 777 /data From 166d24aa0c77da3f863e8f772de468a9199800a7 Mon Sep 17 00:00:00 2001 From: Albert Yau <5298134+mwyau@users.noreply.github.com> Date: Tue, 24 Mar 2026 22:53:57 -0400 Subject: [PATCH 2/6] ci: restore docker-build --- .github/workflows/ci.yml | 40 +++++----------------------------------- 1 file changed, 5 insertions(+), 35 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a9605ab..6268f14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
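Review bot: The build stage now compiles native code with gcc/g++ unconditionally, yet the context line `COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/` still takes the uv binary from a floating `latest` tag, so the toolchain that produces the image is not reproducible and can change between two builds of the same commit. Pin it by digest, e.g. `COPY --from=ghcr.io/astral-sh/uv:<version>@sha256:<digest> /uv /uvx /bin/`, and let a bot bump it. The trailing `;` on `&& rm -rf /var/lib/apt/lists/*;` is a leftover of the removed `if`/`fi` and can go. A short why-comment would replace the one that was deleted, e.g. `# gcc/g++/make/libfftw3-dev: needed to build the native extensions (ducc0 on arm64, per this change) from source`.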
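Review bot: `ARG TARGETARCH` in the context line above this hunk is no longer read in the runtime stage (nor, after the first hunk, in the build stage) once the architecture conditional is gone; remove it or comment why it is kept. Separately, the kept `RUN mkdir /data && chmod 777 /data` leaves the mount point world-writable inside the image; if a non-root `USER` is set later in the file (not visible here), `RUN mkdir /data && chown <uid>:<gid> /data` with the default `755` is the least-privilege form. A comment such as `# runtime: libfftw3 shared library required by the native extensions built in the builder stage` would replace the removed one.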
@@ -181,13 +181,6 @@ jobs: docker-build: name: docker-build needs: [ruff-lint, ruff-format, mypy-typecheck, unit-tests, integration-tests] - # Only run on merges to main, release branches, tags, or manual dispatch - if: | - github.event_name != 'pull_request' && - (github.ref == 'refs/heads/main' || - startsWith(github.ref, 'refs/heads/release/') || - startsWith(github.ref, 'refs/tags/v') || - github.event_name == 'workflow_dispatch') runs-on: ubuntu-24.04 steps: - name: Checkout repository 
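Review bot: Removing the `if:` makes docker-build run on every event, including `pull_request`, which is acceptable only because the job never pushes — that intent should stay in the file so nobody adds `push: true` here later: `# Runs on all events incl. PRs: build, smoke test and scan only; publishing lives in docker-publish.yml`. Since the job now executes on untrusted PR refs (from forks too, if the workflow's `on:` permits — that block is outside the hunk), confirm the job declares read-only `permissions: contents: read` and uses no secrets. Cache writes from PR runs under the shared `scope=docker-build` are isolated by GitHub to the PR's branch and cannot be read by main, but the shared scope name is worth a one-line comment so that assumption is explicit.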
@@ -195,51 +188,28 @@ jobs: with: fetch-depth: 0 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@v6 - with: - images: | - ${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }} - tags: | - type=sha,format=long,prefix= - ref: ${{ github.sha }} - - - name: Build and load image + - name: Build and load Docker image uses: docker/build-push-action@v7 with: context: . push: false load: true - platforms: linux/amd64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha,scope=docker-build - cache-to: type=gha,mode=max,scope=docker-build - - - name: Build ARM64 (cache only) - uses: docker/build-push-action@v7 - with: - context: . - push: false - platforms: linux/arm64 + platforms: linux/amd64, linux/arm64 + tags: "${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}:${{ github.sha }}" cache-from: type=gha,scope=docker-build cache-to: type=gha,mode=max,scope=docker-build - - name: Smoke test image + - name: Smoke test Docker image run: | # Test CLI help docker run --rm ${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}:${{ github.sha }} --help # Test library import docker run --rm --entrypoint python ${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}:${{ github.sha }} -c "import pystormtracker as pst; print('Import success')" - - name: Vulnerability scan + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.35.0 with: image-ref: "${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}:${{ github.sha }}" From d80f44d840224f0d8410d0810cc9781d3af7a2dd Mon Sep 17 00:00:00 2001 
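Review bot: The smoke-test `run:` interpolates `${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}:${{ github.sha }}` directly into the shell twice, and the same expression is repeated in `tags:` and `image-ref:`. Define it once as a job or step `env:` (`IMAGE: ${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}:${{ github.sha }}`) and use `"$IMAGE"` in `run:` — that is the injection-safe pattern for expressions in shell steps, and if `vars.DOCKER_IMAGE_NAME` is unset the malformed `owner/:sha` then fails in one obvious place instead of three. The Trivy step's inputs after `image-ref:` are outside the hunk; unless they set `exit-code: '1'` with a `severity` filter, the scan is informational and does not gate the job.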
From: Albert Yau <5298134+mwyau@users.noreply.github.com> Date: Tue, 24 Mar 2026 23:43:19 -0400 Subject: [PATCH 3/6] ci: fix docker-build by splitting multi-arch build and re-adding QEMU --- .github/workflows/ci.yml | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6268f14..bf5a0a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -188,20 +188,32 @@ jobs: with: fetch-depth: 0 + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v4 - - name: Build and load Docker image + - name: Build and load Docker image (AMD64) uses: docker/build-push-action@v7 with: context: . push: false load: true - platforms: linux/amd64, linux/arm64 + platforms: linux/amd64 tags: "${{ github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }}:${{ github.sha }}" cache-from: type=gha,scope=docker-build cache-to: type=gha,mode=max,scope=docker-build + - name: Build Docker image (ARM64) + uses: docker/build-push-action@v7 + with: + context: . + push: false + platforms: linux/arm64 + cache-from: type=gha,scope=docker-build + cache-to: type=gha,mode=max,scope=docker-build + - name: Smoke test Docker image run: | # Test CLI help From 2d035752a3ba6a1a395dde6958a4b19ae523ddd4 Mon Sep 17 00:00:00 2001 From: Albert Yau <5298134+mwyau@users.noreply.github.com> Date: Tue, 24 Mar 2026 23:56:36 -0400 Subject: [PATCH 4/6] ci: simplify docker-publish logic and fix syntax errors --- .github/workflows/docker-publish.yml | 43 +++++++--------------------- 1 file changed, 11 insertions(+), 32 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 353d3f8..9c58224 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
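Review bot: The new ARM64 build step has neither `load:` nor `tags:`, so it only warms the `docker-build` cache; the smoke test and Trivy scan that follow run exclusively against the AMD64 image, meaning the arm64 variant published by docker-publish.yml is never executed or scanned. Make that explicit in the step, e.g. `# cache-only: the arm64 image is not smoke-tested or scanned here`, or add a second `load: true` build plus `docker run --platform linux/arm64 …` under QEMU. Also, the added `docker/setup-qemu-action@v3` (like the other actions here) is pinned to a mutable major tag; pinning to a commit SHA with a `# v3.x` comment keeps the binfmt helpers that execute the emulated build from changing underneath it.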
@@ -11,16 +11,14 @@ on: workflow_dispatch: concurrency: - group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch || github.ref_name }} - cancel-in-progress: ${{ !(github.event.workflow_run.event == 'release' || github.ref_type == 'tag') }} + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true env: - # Publish to ORG on version tag/branch (v*.*), else to OWNER (personal) for merge to main/manual - # We check for both 'v' prefix and a dot to match the v?.?* requirement and avoid false positives - IS_STABLE: ${{ (github.event_name == 'workflow_run' && startsWith(github.event.workflow_run.head_branch, 'v') && contains(github.event.workflow_run.head_branch, '.')) || (github.event_name == 'workflow_dispatch' && (github.ref_type == 'tag' || (startsWith(github.ref_name, 'v') && contains(github.ref_name, '.')))) }} - - DOCKER_HUB_REPO: docker.io/${{ env.IS_STABLE == 'true' && vars.DOCKER_ORG_NAME || github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }} - GHCR_REPO: ghcr.io/${{ env.IS_STABLE == 'true' && vars.DOCKER_ORG_NAME || github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }} + # Use Org Name for production tags (v*), otherwise use Repository Owner + TARGET_OWNER: ${{ (startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v')) && vars.DOCKER_ORG_NAME || github.repository_owner }} + DOCKER_HUB_REPO: ${{ env.TARGET_OWNER }}/${{ vars.DOCKER_IMAGE_NAME }} + GHCR_REPO: ghcr.io/${{ env.TARGET_OWNER }}/${{ vars.DOCKER_IMAGE_NAME }} jobs: build-and-push: 
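Review bot: `cancel-in-progress: true` now applies to tag/release publishes as well; the removed expression exempted them on purpose, because cancelling a run between `Build and push` and the `actions/attest` steps can leave an image in the registry without its provenance or SBOM attestation. Keep the exemption, e.g. `cancel-in-progress: ${{ !startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v') }}`. Note too that for `workflow_run` events `github.ref` is the repository default branch, so `group: ${{ github.workflow }}-${{ github.ref }}` puts every workflow_run-triggered publish into one group and they cancel each other; `${{ github.event.workflow_run.head_branch || github.ref }}` as before keeps them separate.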
@@ -74,31 +72,12 @@ jobs: images: | ${{ env.DOCKER_HUB_REPO }} ${{ env.GHCR_REPO }} - # Determine the symbolic ref to get the correct tags (semver/branch) - ref: >- - ${{ - github.event_name == 'workflow_run' - ? ( - (github.event.workflow_run.event == 'release' || startsWith(github.event.workflow_run.head_branch, 'v')) - ? format('refs/tags/{0}', github.event.workflow_run.head_branch) - : format('refs/heads/{0}', github.event.workflow_run.head_branch) - ) - : github.ref - }} tags: | - # Tag with 'latest' for main branch (used for personal repo/edge) - type=raw,value=latest,enable=${{ (github.event_name == 'workflow_run' && github.event.workflow_run.head_branch == 'main') || (github.event_name != 'workflow_run' && github.ref == 'refs/heads/main') }},priority=1000 - # Tag with 'edge' only for main branch builds - type=edge,branch=main,priority=900 - # Semver tags for releases (includes 'latest') - type=semver,pattern=latest,priority=1000 - type=semver,pattern={{version}},priority=800 - type=semver,pattern={{major}}.{{minor}},priority=700 - type=semver,pattern={{major}},enable=${{ !startsWith(github.ref_name, 'v0') }},priority=700 - # Branch tag for all branches except main - type=ref,event=branch,enable=${{ github.ref_name != 'main' && !startsWith(github.ref_name, 'v') }},priority=600 - # Always tag with short SHA - type=sha,format=short,prefix=,priority=100 + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || github.event.workflow_run.head_branch == 'main' }} + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=sha,format=short,prefix= + ref: ${{ github.event.workflow_run.head_branch || github.ref }} - name: Build and push Docker image id: push From c73ff14d492165debd47f733c0ce73ae7c0b03ab Mon Sep 17 00:00:00 2001 
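Review bot: `ref: ${{ github.event.workflow_run.head_branch || github.ref }}` hands docker/metadata-action a bare branch or tag name (`main`, `v1.2.3`) on workflow_run events, while — if I read its `ref` input correctly — it expects a full Git ref (`refs/tags/…`, `refs/heads/…`), which is exactly what the removed `format('refs/tags/{0}', …)` / `format('refs/heads/{0}', …)` block produced. If the bare name is not recognised, the `type=semver` patterns never fire on a release and only the `sha` tag (plus `latest` where enabled) is pushed. Restore the prefixing for the workflow_run case and verify by printing `steps.meta.outputs.tags` on a tag-triggered run.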
From: Albert Yau <5298134+mwyau@users.noreply.github.com> Date: Wed, 25 Mar 2026 00:03:24 -0400 Subject: [PATCH 5/6] ci: remove env context usage and simplify docker-publish logic --- .github/workflows/docker-publish.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 9c58224..c8b0528 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -14,12 +14,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -env: - # Use Org Name for production tags (v*), otherwise use Repository Owner - TARGET_OWNER: ${{ (startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v')) && vars.DOCKER_ORG_NAME || github.repository_owner }} - DOCKER_HUB_REPO: ${{ env.TARGET_OWNER }}/${{ vars.DOCKER_IMAGE_NAME }} - GHCR_REPO: ghcr.io/${{ env.TARGET_OWNER }}/${{ vars.DOCKER_IMAGE_NAME }} - jobs: build-and-push: runs-on: ubuntu-24.04 @@ -70,8 +64,8 @@ jobs: uses: docker/metadata-action@v6 with: images: | - ${{ env.DOCKER_HUB_REPO }} - ${{ env.GHCR_REPO }} + ${{ (startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v')) && vars.DOCKER_ORG_NAME || github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }} + ghcr.io/${{ (startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v')) && vars.DOCKER_ORG_NAME || github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }} tags: | type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' || github.event.workflow_run.head_branch == 'main' }} type=semver,pattern={{version}} 
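Review bot: `startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v')` is now the only test for publishing under `vars.DOCKER_ORG_NAME`, so any branch whose name begins with `v` (say `validate-ci`) that reaches this workflow is pushed to the org namespace; the pre-series expression additionally required `contains(…, '.')`. Keep that second check, or better test `github.event.workflow_run.event == 'release' || github.ref_type == 'tag'`, which is what "production tag" actually means. The same ~150-character expression is now copied into `images:` twice and into both attestation subjects; compute it once in an early step (`echo "owner=…" >> "$GITHUB_OUTPUT"`) and reference `steps.target.outputs.owner`, since step outputs — unlike the `env` context the removed block relied on — are usable in all of those places.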
@@ -96,7 +90,7 @@ jobs: - name: Attest Provenance (Docker Hub) uses: actions/attest@v4 with: - subject-name: ${{ env.DOCKER_HUB_REPO }} + subject-name: ${{ (startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v')) && vars.DOCKER_ORG_NAME || github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }} subject-digest: ${{ steps.push.outputs.digest }} push-to-registry: true @@ -111,7 +105,7 @@ jobs: - name: Attest SBOM (Docker Hub) uses: actions/attest@v4 with: - subject-name: ${{ env.DOCKER_HUB_REPO }} + subject-name: ${{ (startsWith(github.event.workflow_run.head_branch || github.ref_name, 'v')) && vars.DOCKER_ORG_NAME || github.repository_owner }}/${{ vars.DOCKER_IMAGE_NAME }} subject-digest: ${{ steps.push.outputs.digest }} sbom-path: 'sbom.cyclonedx.json' push-to-registry: true From 94fdeecfecda0be947ae59bb9218dd99a6f43759 Mon Sep 17 00:00:00 2001 From: Albert Yau <5298134+mwyau@users.noreply.github.com> Date: Wed, 25 Mar 2026 07:39:47 -0400 Subject: [PATCH 6/6] Limit Docker build platforms to linux/amd64 Remove ARM64 platform support from Docker build. Signed-off-by: Albert Yau <5298134+mwyau@users.noreply.github.com> --- .github/workflows/docker-publish.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index c8b0528..92a4f78 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -71,7 +71,6 @@ jobs: type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha,format=short,prefix= - ref: ${{ github.event.workflow_run.head_branch || github.ref }} - name: Build and push Docker image id: push @@ -81,7 +80,7 @@ jobs: push: true provenance: false sbom: false - platforms: linux/amd64,linux/arm64 + platforms: linux/amd64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha,scope=docker-build
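Review bot: The Docker Hub `subject-name` in both attestation steps is now the bare `owner/image`, while the GHCR subject is fully qualified; the pre-series `DOCKER_HUB_REPO` carried a `docker.io/` prefix. With `push-to-registry: true`, `actions/attest` derives the registry from the subject name, and the stored subject is what `gh attestation verify oci://docker.io/owner/image` is matched against, so the unprefixed form is likely to push to the wrong place or fail verification — restore it: `subject-name: docker.io/${{ … }}/${{ vars.DOCKER_IMAGE_NAME }}`. The same prefix belongs on the Docker Hub entry in the metadata `images:` list so the tags and the attested subject agree.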
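Review bot: With `ref:` removed, docker/metadata-action falls back to `github.ref`, which for `workflow_run` events is the default branch (`refs/heads/main`) whatever `head_branch` is: `type=semver` then never matches a release build, and the `latest` condition `github.ref == 'refs/heads/main'` on the context line above is true for every workflow_run-triggered publish — including one whose `head_branch` is a feature branch, if the trigger (outside this hunk) does not filter branches. Provide an explicit `ref:` derived from `head_branch` with the `refs/tags/` / `refs/heads/` prefix, and make `latest` depend only on `github.event.workflow_run.head_branch == 'main'` for workflow_run runs, e.g. `enable=${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch == 'main' || github.event_name != 'workflow_run' && github.ref == 'refs/heads/main' }}`.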
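Review bot: Restricting the publish to `linux/amd64` leaves ci.yml's `Build Docker image (ARM64)` step (added in patch 3) writing arm64 layers into the same `scope=docker-build` cache with no consumer, so that QEMU-emulated build is now pure cost on every CI run. Either drop that step alongside this change or record why arm64 is off, since the commit message gives no reason: `# arm64 publishing disabled for now; re-enable once the arm64 build is validated in CI`.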