CI: build in the ghcr devcontainer image and skip apt install #46
Open
thawk105 wants to merge 3 commits into
thawk105 added a commit that referenced this pull request on May 13, 2026
…e :latest

The previous single-stage image bundled zsh / clang-format / sudo / openssh-client / curl — fine for the human-facing devcontainer, but dead weight in CI where `actions/checkout` and the cmake build are the only consumers. Container init in PR #46 paid for those layers on every CI run.

Split the Dockerfile into two stages and publish them as two tags from the same workflow:

- `base` stage -> :ci (minimum apt deps + vscode user, root by default)
- `dev` stage -> :latest (`base` + zsh, clang-format, sudo, openssh-client, curl, USER vscode)

`.github/workflows/devcontainer-image.yml` now invokes `docker/build-push-action` twice, each with a different `target:`, sharing the same `:cache` so layers are deduplicated.

Devcontainer users keep using :latest with no change. CI's build.yml will be flipped to :ci in a follow-up PR once this lands and the new tag is published.
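The two-target publish described in that commit, as an added example workflow (not the project's own `devcontainer-image.yml`). It assumes the Dockerfile lives in `.devcontainer/`, that its stages are named `base` and `dev`, and that the image is `ghcr.io/thawk105/ccbench-devcontainer`; both `docker/build-push-action` calls read from and write to the same `:cache` registry ref so the shared layers are built once.

```yaml
# Added example (not the project's own workflow): publish the `base` and `dev`
# stages of one Dockerfile as two tags, sharing a registry layer cache.
# Assumptions: Dockerfile in .devcontainer/, stages named `base` and `dev`,
# image ghcr.io/thawk105/ccbench-devcontainer.
name: devcontainer-image

on:
  push:
    branches: [main]
    paths:
      - ".devcontainer/**"
      - ".github/workflows/devcontainer-image.yml"

# Least privilege: this workflow only needs to read the repo and push packages.
permissions:
  contents: read
  packages: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Registry cache export needs the buildx docker-container driver.
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # `base` stage: minimum apt deps + vscode user, root by default -> :ci
      - uses: docker/build-push-action@v6
        with:
          context: .devcontainer
          target: base
          push: true
          tags: ghcr.io/thawk105/ccbench-devcontainer:ci
          cache-from: type=registry,ref=ghcr.io/thawk105/ccbench-devcontainer:cache
          cache-to: type=registry,ref=ghcr.io/thawk105/ccbench-devcontainer:cache,mode=max

      # `dev` stage: base + zsh/clang-format/sudo/openssh-client/curl, USER vscode -> :latest
      - uses: docker/build-push-action@v6
        with:
          context: .devcontainer
          target: dev
          push: true
          tags: ghcr.io/thawk105/ccbench-devcontainer:latest
          cache-from: type=registry,ref=ghcr.io/thawk105/ccbench-devcontainer:cache
          cache-to: type=registry,ref=ghcr.io/thawk105/ccbench-devcontainer:cache,mode=max
```

The `paths:` filter keeps the image from being rebuilt (and the `:cache` ref rewritten) on unrelated pushes, and `mode=max` exports the intermediate `base` layers so the second build reuses them instead of re-running apt. Consumers that care about supply-chain drift would pin the resulting image by digest rather than by the mutable `:ci` / `:latest` tag.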
The devcontainer image at ghcr.io/thawk105/ccbench-devcontainer:latest
already has every apt dep installed (build-essential, autoconf, automake,
libtool, pkg-config, ccache, cmake, libboost-filesystem-dev, libgflags-dev,
libgoogle-glog-dev, g++). Running the CI job inside that image lets us
skip the per-run apt-get install plus the apt-cache restore step that
wrapped it, while also guaranteeing the CI toolchain matches the one
developers see locally.
Changes:
- Add `container: { image: ghcr.io/thawk105/ccbench-devcontainer:latest }`
to the build job. The image is public (anonymous bearer-token pull
works against ghcr.io), so no `credentials:` are needed.
- Delete the "Cache apt packages" step (no longer any apt packages to
cache mid-job).
- Delete the "Install apt dependencies" step (everything is already in
the image).
- Drive-by: update the obsolete "28 binaries" comment to "34" to match
the current target count.
Ccache + third-party caches are kept — they're tied to source state,
not to the image.
…access

The devcontainer image's default user is vscode (uid=1000), but the GHA runner's work dir (/__w/_temp, bind-mounted into the container) is owned by the runner user on the host. Without `--user root` the action's internal saveState/issueFileCommand writes fail with EACCES, taking down the very first step.

The simplest fix is to run the container as root via container.options; the isolation boundary still keeps it benign.
…ontainer

Running inside the container as root, /__w/ccbench/ccbench is owned by the runner user (uid=1001) on the host while git is invoked as uid=0, so git aborts with "fatal: detected dubious ownership". actions/checkout sets safe.directory itself, but later run-steps invoke git from a fresh sh -e shell that doesn't always inherit that scoped config — and the Compute bootstrap cache key step needs `git submodule status`.

Set safe.directory globally once after checkout; every subsequent git call (submodule status, etc.) then passes the ownership check.
6be1518 to 819510a
Summary
Run the build.yml job inside ghcr.io/thawk105/ccbench-devcontainer:latest. The devcontainer image already has build-essential / autoconf / automake / libtool / pkg-config / ccache / cmake / libboost-filesystem-dev / libgflags-dev / libgoogle-glog-dev / g++ installed, so the per-run apt-get install (currently 30 s to 1 min) and the apt cache handling that wraps it become entirely unnecessary. As a side effect, the CI toolchain becomes exactly the same image as the local devcontainer, which structurally eliminates the "passes locally but fails in CI" class of incident that happened in #44.
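The build job described in this PR, as an added example (not the project's `build.yml`). It runs the job inside the published image and folds in the two follow-up fixes from the commits above: `options: --user root` for the EACCES failure on the bind-mounted runner work dir, and a single `safe.directory` entry after checkout so later `run:` steps that invoke git (the bootstrap cache key needs `git submodule status`) pass the ownership check. The cache paths `third_party/install` and `~/.ccache`, the `bootstrap` key derivation and the CMake invocation are assumptions for illustration.

```yaml
# Added example (not the project's build.yml): run the build job inside the
# devcontainer image with the root-user and safe.directory fixes applied.
# Assumptions: repository thawk105/ccbench, image tag :latest, CMake build
# from the repo root, caches at third_party/install and ~/.ccache.
name: build

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      # Public image: anonymous pull works, so no `credentials:` block.
      image: ghcr.io/thawk105/ccbench-devcontainer:latest
      # The image defaults to USER vscode (uid 1000), but /__w/_temp is owned
      # by the host runner user; the action runtime's own state-file writes
      # fail with EACCES unless the container runs as root.
      options: --user root
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive

      # git now runs as uid 0 on a tree owned by uid 1001 on the host.
      # actions/checkout marks its own checkout safe, but each later `run:`
      # step starts a fresh shell, so trust exactly this path once (not `*`)
      # and every subsequent git call passes the ownership check.
      - name: Mark workspace as safe for git
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Compute bootstrap cache key
        id: bootstrap
        run: echo "key=$(git submodule status | sha256sum | cut -c1-16)" >> "$GITHUB_OUTPUT"

      # Third-party and ccache caches stay: they track source state, not the image.
      - uses: actions/cache@v4
        with:
          path: third_party/install
          key: bootstrap-${{ runner.os }}-${{ steps.bootstrap.outputs.key }}

      - uses: actions/cache@v4
        with:
          path: ~/.ccache
          key: ccache-${{ runner.os }}-${{ github.sha }}
          restore-keys: ccache-${{ runner.os }}-

      - name: Configure and build
        run: |
          cmake -S . -B build -DCMAKE_CXX_COMPILER_LAUNCHER=ccache
          cmake --build build -j"$(nproc)"
```

Two points worth keeping in mind when adopting this: `safe.directory` is added for `$GITHUB_WORKSPACE` only, since a `*` entry would disable git's ownership check for every path the job touches; and `image:` is referenced by tag here to match the PR, whereas pinning to a digest (`@sha256:...`) would make the CI toolchain immutable until deliberately bumped.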
Changes
```diff
 build:
   runs-on: ubuntu-latest
+  container:
+    image: ghcr.io/thawk105/ccbench-devcontainer:latest
-  - name: Cache apt packages
-    ...
-  - name: Install apt dependencies
-    ...
+  (deleted)
```

Authentication
The ghcr image is public: an anonymous bearer-token pull works, so the `credentials:` section is unnecessary.

Trade-offs
Care is only needed when touching `.devcontainer/**`.

Notes (relation to #45)
Independent of #45 (bumping the devcontainer from ubuntu:22.04 → 24.04).
`-Werror=maybe-uninitialized` is only a false negative on GCC 11, so the build passes (stays green). Nothing breaks in either merge order.
Test plan