From 73870668f31bf204f3f764fef239c00f5cabe29e Mon Sep 17 00:00:00 2001 From: Mark Merritt Date: Thu, 14 May 2026 19:11:45 -0700 Subject: [PATCH] add buildkit-setup composite action Wires up docker/setup-buildx-action with driver=remote pointed at the shared buildkitd in the tooling-prod EKS cluster (lightsparkdev/tooling-infra PRs #30 + lightsparkdev/ops#2727 set up the cluster side). Workflow authors get a one-line replacement for the standard setup-buildx-action call: - uses: lightsparkdev/.github/actions/buildkit-setup@v1 - uses: docker/build-push-action@v6 The runner pod has the mTLS client cert mounted at /etc/buildkit-client/ already (gha-runner-scale-set chart in tooling-infra), so the action doesn't need any secrets or auth plumbing. --- .github/actions/buildkit-setup/README.md | 42 ++++++++++++++++++++++ .github/actions/buildkit-setup/action.yaml | 26 ++++++++++++++ 2 files changed, 68 insertions(+) create mode 100644 .github/actions/buildkit-setup/README.md create mode 100644 .github/actions/buildkit-setup/action.yaml diff --git a/.github/actions/buildkit-setup/README.md b/.github/actions/buildkit-setup/README.md new file mode 100644 index 0000000..f4830b7 --- /dev/null +++ b/.github/actions/buildkit-setup/README.md @@ -0,0 +1,42 @@ +# buildkit-setup + +Composite action that wires up `docker/setup-buildx-action` against the shared +rootless buildkitd in the `tooling-prod` EKS cluster. Use on any ARC runner +before `docker/build-push-action`. + +## Usage + +```yaml +jobs: + build: + runs-on: arc-runner-4 + steps: + - uses: actions/checkout@v4 + - uses: lightsparkdev/.github/actions/buildkit-setup@v1 + - uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ... +``` + +That's it. No `setup-buildx-action` call of your own, no per-workflow TLS +plumbing. The runner pod has the mTLS client cert mounted at +`/etc/buildkit-client/{ca,tls.crt,tls.key}` (handled by the gha-runner-scale-set +chart in `lightsparkdev/tooling-infra`). + +## Inputs + +| Name | Default | Notes | +|------------|--------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| +| `endpoint` | `tcp://buildkitd.buildkit.svc.cluster.local:1234` | Override for testing against a specific replica via per-pod DNS (`buildkitd-N.buildkitd.buildkit.svc.cluster.local`). | + +## Where this works + +- `runs-on: arc-runner-{1,2,4,8}` — the in-cluster ARC scale sets. +- Not GH-hosted runners (the buildkit service is cluster-internal; the certs aren't there). + +## When NOT to use this + +- Workflows that need `services:` blocks (postgres, redis, etc.) — those need a real docker daemon, not just buildx. +- `kind`/`tilt`-based hermetic tests — same reason. These should stay on GH-hosted. diff --git a/.github/actions/buildkit-setup/action.yaml b/.github/actions/buildkit-setup/action.yaml new file mode 100644 index 0000000..2969cb8 --- /dev/null +++ b/.github/actions/buildkit-setup/action.yaml @@ -0,0 +1,26 @@ +name: "buildkit-setup" +description: > + Point docker/setup-buildx-action at the shared buildkitd service in the + tooling-prod EKS cluster. Use this on any ARC runner before + `docker/build-push-action`. + + The runner pod has the mTLS client cert pre-mounted at + /etc/buildkit-client (see charts/arc-runner/values.yaml in + lightsparkdev/tooling-infra). No per-workflow auth wiring needed. + +inputs: + endpoint: + description: "buildkitd TCP endpoint. Override for testing against a specific replica via per-pod DNS (e.g. tcp://buildkitd-2.buildkitd.buildkit.svc.cluster.local:1234)." + required: false + default: "tcp://buildkitd.buildkit.svc.cluster.local:1234" + +runs: + using: composite + steps: + - uses: docker/setup-buildx-action@v3 + with: + driver: remote + endpoint: ${{ inputs.endpoint }} + cacert: /etc/buildkit-client/ca.crt + cert: /etc/buildkit-client/tls.crt + key: /etc/buildkit-client/tls.key