Try Depot caching approach instead of GHCR

PostHog · Jul 27, 2023 · dc1e85f · dc1e85f
1 parent e737e75
commit dc1e85f
Show file tree

Hide file tree

Showing 8 changed files with 59 additions and 80 deletions.
diff --git a/.github/actions/build-n-cache-image/action.yml b/.github/actions/build-n-cache-image/action.yml
@@ -0,0 +1,39 @@
+name: Build and cache Docker image
+
+inputs:
+    actions-id-token-request-url:
+        required: true
+    load:
+        required: false
+        default: 'false'
+
+outputs:
+    tag:
+        description: The tag of the image that was built
+        value: ${{ steps.emit.outputs.tag }}
+
+runs:
+    using: 'composite'
+    steps:
+        - name: Check out
+          uses: actions/checkout@v3
+
+        - name: Set up Depot CLI
+          uses: depot/setup-action@v1
+
+        - name: Build image # We don't push this because we use Depot cache as the communication channel
+          id: build
+          uses: depot/build-push-action@v1
+          with:
+              project: x19jffd9zf # posthog
+              buildx-fallback: false # buildx is so slow it's better to just fail
+              load: ${{ inputs.load }}
+              tags: PostHog/posthog:${{ github.sha }}
+              platforms: linux/amd64,linux/arm64
+          env:
+              ACTIONS_ID_TOKEN_REQUEST_URL: ${{ inputs.actions-id-token-request-url }}
+
+        - name: Emit image tag
+          id: emit
+          shell: bash
+          run: echo "tag=PostHog/posthog:${{ github.sha }}" >> $GITHUB_OUTPUT
diff --git a/.github/actions/run-backend-tests/action.yml b/.github/actions/run-backend-tests/action.yml
@@ -2,29 +2,22 @@
 # This is a composite action that packages our backend Django tests.
 # It is called by the `ci-backend.yml` job using a matrix.
 #
-name: Run Backend Django tests
+name: Run Django tests
 inputs:
     python-version:
         required: true
-        type: string
     clickhouse-server-image:
         required: true
-        type: string
     segment:
         required: true
-        type: string
     concurrency:
         required: true
-        type: number
     group:
         required: true
-        type: number
     person-on-events:
         required: true
-        type: boolean
     token:
         required: false
-        type: string
         description: GitHub token
 
 runs:

diff --git a/.github/workflows/ci-e2e.yml b/.github/workflows/ci-e2e.yml
@@ -70,7 +70,7 @@ jobs:
                   repo-token: ${{ secrets.GITHUB_TOKEN }}
                   wait-interval: 10
 
-            - name: Checkout code
+            - name: Check out
               uses: actions/checkout@v3
 
             - name: List cypress/e2e and produce a JSON array of the files, in chunks
@@ -83,7 +83,8 @@ jobs:
         timeout-minutes: 30
         needs: [cypress_prep, changes]
         permissions:
-            packages: read # allow pull from ghcr.io
+            id-token: write # allow issuing OIDC tokens for this workflow run
+            contents: read # allow at least reading the repo contents, add other permissions if necessary
 
         strategy:
             # when one test fails, DO NOT cancel the other
@@ -171,28 +172,21 @@ jobs:
                   GITHUB_ACTION_RUN_URL="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
                   EOT
 
-            - name: Lowercase repository
-              id: lowercase
-              env:
-                  GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
-              run: |
-                  echo "repository=${GITHUB_HEAD_REPOSITORY,,}" >> "$GITHUB_OUTPUT"
-
-            - name: Get the PostHog container image of this PR
-              if: needs.changes.outputs.shouldTriggerCypress == 'true'
-              id: meta
-              uses: docker/metadata-action@v4
+            - name: Get Docker image cached in Depot
+              uses: ./.github/actions/build-n-cache-image
+              id: docker-build
               with:
-                  images: ghcr.io/${{ steps.lowercase.outputs.repository }}/posthog
+                  actions-id-token-request-url: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
+                  load: true
 
             - name: Start PostHog
               # these are required checks so, we can't skip entire sections
               if: needs.changes.outputs.shouldTriggerCypress == 'true'
               run: |
                   mkdir -p /tmp/logs
 
-                  echo "Starting PostHog using the container image ${{ steps.meta.outputs.tags }}"
-                  DOCKER_RUN="docker run --rm --network host --add-host kafka:127.0.0.1 --env-file .env ${{ steps.meta.outputs.tags }}"
+                  echo "Starting PostHog using the container image ${{ steps.docker-build.outputs.tag }}"
+                  DOCKER_RUN="docker run --rm --network host --add-host kafka:127.0.0.1 --env-file .env ${{ steps.docker-build.outputs.tag }}"
 
                   $DOCKER_RUN ./bin/migrate
                   $DOCKER_RUN python manage.py setup_dev

diff --git a/.github/workflows/container-images-cd.yml b/.github/workflows/container-images-cd.yml
@@ -28,7 +28,7 @@ jobs:
             packages: write # allow push to ghcr.io
 
         steps:
-            - name: Checkout code
+            - name: Check out
               uses: actions/checkout@v3
               with:
                   fetch-depth: 2

diff --git a/.github/workflows/container-images-ci.yml b/.github/workflows/container-images-ci.yml
@@ -14,62 +14,15 @@ jobs:
         permissions:
             id-token: write # allow issuing OIDC tokens for this workflow run
             contents: read # allow at least reading the repo contents, add other permissions if necessary
-            packages: write # allow push to ghcr.io
-
-        outputs:
-            container_image_tags: ${{ steps.meta.outputs.tags }}
-            container_image_version: ${{ steps.meta.outputs.version }}
 
         steps:
-            - name: Checkout code
+            - name: Check out
               uses: actions/checkout@v3
 
-            - name: Lowercase repository
-              id: lowercase
-              env:
-                  GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
-              run: |
-                  echo "repository=${GITHUB_HEAD_REPOSITORY,,}" >> "$GITHUB_OUTPUT"
-
-
-            - name: Docker meta
-              id: meta
-              uses: docker/metadata-action@v4
-              with:
-                  images: ghcr.io/${{ steps.lowercase.outputs.repository }}/posthog
-                  tags: |
-                      type=schedule
-                      type=ref,event=branch
-                      type=ref,event=tag
-                      type=ref,event=pr
-
-            - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v2
-
-            - name: Set up QEMU
-              uses: docker/setup-qemu-action@v2
-
-            - name: Set up Depot CLI
-              uses: depot/setup-action@v1
-
-            - name: Login to GitHub Container Registry
-              uses: docker/login-action@v2
-              with:
-                  registry: ghcr.io
-                  username: ${{ github.actor }}
-                  password: ${{ secrets.GITHUB_TOKEN }}
-
-            - name: Build container images
-              id: build
-              uses: depot/build-push-action@v1
+            - name: Build and cache Docker image in Depot
+              uses: ./.github/actions/build-n-cache-image
               with:
-                  project: x19jffd9zf # posthog
-                  buildx-fallback: false # the fallback is so slow it's better to just fail
-                  cache-from: type=gha # always pull the layers from GHA
-                  cache-to: type=gha,mode=max # always push the layers to GHA
-                  push: true
-                  tags: ${{ steps.meta.outputs.tags }}
-                  platforms: linux/amd64,linux/arm64
+                actions-id-token-request-url: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL }}
 
     deploy_preview:
         name: Deploy preview environment
@@ -82,7 +35,7 @@ jobs:
         name: Lint Dockerfiles
         runs-on: ubuntu-latest
         steps:
-            - name: Checkout code
+            - name: Check out
               uses: actions/checkout@v3
               with:
                   fetch-depth: 0

diff --git a/.github/workflows/container-images-release-foss.yml b/.github/workflows/container-images-release-foss.yml
@@ -20,7 +20,7 @@ jobs:
             id-token: write # allow issuing OIDC tokens for this workflow run
             contents: read # allow at least reading the repo contents, add other permissions if necessary
         steps:
-            - name: Checkout code
+            - name: Check out
               uses: actions/checkout@v3
 
             - name: Update git SHA

diff --git a/.github/workflows/container-images-release-unstable.yml b/.github/workflows/container-images-release-unstable.yml
@@ -21,7 +21,7 @@ jobs:
             contents: read # allow at least reading the repo contents, add other permissions if necessary
 
         steps:
-            - name: Checkout code
+            - name: Check out
               uses: actions/checkout@v3
 
             - name: Update git SHA

diff --git a/.github/workflows/container-images-release.yml b/.github/workflows/container-images-release.yml
@@ -21,7 +21,7 @@ jobs:
             contents: read # allow at least reading the repo contents, add other permissions if necessary
 
         steps:
-            - name: Checkout code
+            - name: Check out
               uses: actions/checkout@v3
 
             - name: Update git SHA