Runner image is not pinned on GitLab #6520

Open
hannes-ucsc opened this issue Aug 27, 2024 · 2 comments
Labels
- [priority] Medium bug [type] A defect preventing use of the system as specified debt [type] A defect incurring continued engineering cost infra [subject] Project infrastructure like CI/CD, build and deployment scripts orange [process] Done by the Azul team

Comments

@hannes-ucsc
Member

hannes-ucsc commented Aug 27, 2024

While the third-party base image is pinned, we don't pin the runner image we build from that base image. The build refers to that image using the latest tag. The image is typically built locally from the Azul source by an operator, but whoever pushes the image last will win, no matter what commit they build from.

@github-actions github-actions bot added the orange [process] Done by the Azul team label Aug 27, 2024
@dsotirho-ucsc
Contributor

Assignee to consider next steps.

@hannes-ucsc hannes-ucsc added the infra [subject] Project infrastructure like CI/CD, build and deployment scripts label Aug 30, 2024
@hannes-ucsc
Member Author

The default runner image is currently configured in the runner's config.toml but can be overridden in .gitlab-ci.yml. The former is tracked in a separate Git repo to which only the system administrator has access. We should remove the setting from config.toml and instead specify a fully qualified image reference in .gitlab-ci.yml where the image is used and in terraform/gitlab/runner/Makefile where the image is built and pushed. We need to figure out a way to consolidate both references. We could try environment.boot but it is not clear if GitLab can be made to read such a file before it launches the first job. The inclusion mechanisms are documented here. We could also have the Makefile parse .gitlab-ci.yml to extract the hard-coded reference from there.

The registry the image is pushed to is associated with the project on GitLab. It would be good to restrict push access to operators, i.e., maintainers of the project.
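
An added sketch of the "parse .gitlab-ci.yml" option from the comment above, not part of the issue or of the Azul code base: it extracts the image reference a Makefile could reuse and reports why that reference is not pinned. It assumes the reference sits under a top-level `image:` key; the registry host, project path, tag and digest are constructed placeholders, and the digest check goes one step beyond the fully qualified reference the comment asks for.

```python
import re
import sys

# Constructed placeholders: registry host, project path, tag and digest are not from the issue.
DIGEST = "sha256:" + "ab" * 32
PINNED = "registry.gitlab.example.org/ucsc/azul/runner:2024-08-27@" + DIGEST
SAMPLE_CI = f"""\
stages: [build, test]
image:
  name: "{PINNED}"
  entrypoint: [""]
"""

def default_image(ci_text):
    """Return the top-level `image:` reference (scalar or `name:` form), else None."""
    lines = ci_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"image:\s*(.*)$", line)  # column 0 only, so job-level keys are skipped
        if not m:
            continue
        value = m.group(1).split(" #")[0].strip().strip("\"'")
        if value:
            return value
        for nested in lines[i + 1:]:
            if nested.strip() and not nested.startswith(" "):
                break  # left the image: mapping
            n = re.match(r"\s+name:\s*(\S+)", nested)
            if n:
                return n.group(1).strip("\"'")
    return None

def pin_problems(ref):
    """List the reasons why `ref` can resolve to different images over time."""
    problems = []
    name, _, digest = ref.partition("@")
    host, slash, _ = name.partition("/")
    if not slash or not ("." in host or ":" in host or host == "localhost"):
        problems.append("no registry host")
    tag = name.rsplit("/", 1)[-1].partition(":")[2]
    if not digest:
        problems.append("floating tag" if tag in ("", "latest") else "mutable tag, no digest")
    elif not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        problems.append("malformed digest")
    return problems

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CI
    ref = default_image(text)
    issues = ["no top-level image key"] if ref is None else pin_problems(ref)
    print(ref, issues or "pinned")
    sys.exit(1 if issues else 0)
```

Run with the path to `.gitlab-ci.yml` as its argument, the script exits non-zero when the reference is missing or unpinned, so a build-and-push target can refuse to proceed.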

@hannes-ucsc hannes-ucsc added bug [type] A defect preventing use of the system as specified debt [type] A defect incurring continued engineering cost - [priority] Medium labels Sep 4, 2024
@hannes-ucsc hannes-ucsc removed their assignment Sep 4, 2024