Skip to content

add buildkit-setup composite action #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
markatto wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

add buildkit-setup composite action #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions .github/actions/buildkit-setup/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
# buildkit-setup

Composite action that wires up `docker/setup-buildx-action` against the shared
rootless buildkitd in the `tooling-prod` EKS cluster. Use on any ARC runner
before `docker/build-push-action`.

## Usage

```yaml
jobs:
build:
runs-on: arc-runner-4
steps:
- uses: actions/checkout@v4
- uses: lightsparkdev/.github/actions/buildkit-setup@v1
- uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ...
```

That's it. No `setup-buildx-action` call of your own, no per-workflow TLS
plumbing. The runner pod has the mTLS client cert mounted at
`/etc/buildkit-client/{ca,tls.crt,tls.key}` (handled by the gha-runner-scale-set
chart in `lightsparkdev/tooling-infra`).

## Inputs

| Name | Default | Notes |
|------------|--------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| `endpoint` | `tcp://buildkitd.buildkit.svc.cluster.local:1234` | Override for testing against a specific replica via per-pod DNS (`buildkitd-N.buildkitd.buildkit.svc.cluster.local`). |

## Where this works

- `runs-on: arc-runner-{1,2,4,8}` — the in-cluster ARC scale sets.
- Not GH-hosted runners (the buildkit service is cluster-internal; the certs aren't there).

## When NOT to use this

- Workflows that need `services:` blocks (postgres, redis, etc.) — those need a real docker daemon, not just buildx.
- `kind`/`tilt`-based hermetic tests — same reason. These should stay on GH-hosted.
26 changes: 26 additions & 0 deletions .github/actions/buildkit-setup/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: "buildkit-setup"
description: >
Point docker/setup-buildx-action at the shared buildkitd service in the
tooling-prod EKS cluster. Use this on any ARC runner before
`docker/build-push-action`.

The runner pod has the mTLS client cert pre-mounted at
/etc/buildkit-client (see charts/arc-runner/values.yaml in
lightsparkdev/tooling-infra). No per-workflow auth wiring needed.

inputs:
endpoint:
description: "buildkitd TCP endpoint. Override for testing against a specific replica via per-pod DNS (e.g. tcp://buildkitd-2.buildkitd.buildkit.svc.cluster.local:1234)."
required: false
default: "tcp://buildkitd.buildkit.svc.cluster.local:1234"

runs:
using: composite
steps:
- uses: docker/setup-buildx-action@v3
with:
driver: remote
endpoint: ${{ inputs.endpoint }}
cacert: /etc/buildkit-client/ca.crt
cert: /etc/buildkit-client/tls.crt
key: /etc/buildkit-client/tls.key