singularityhub / github-ci Goto Github PK

Hi

Thanks for this nifty actions :P they are really a nice alternative to rebuild locally and provide a nice source of container images.

Would it be possible to use a prebuilt docker image with aingularity installed instead of rebuilding it every time?
Or is that limited by the docker image that one can use in the actions workflow?

I wanted to used the docker image at ghcr.io/truatpasteurdotfr/docker-c7-singularity-builder:latest instead of ubuntu-latest + installing from source singularity by just replacing:
runs-on: ubuntu-latest -> runs-on: ghcr.io/truatpasteurdotfr/docker-c7-singularity-builder
But of course that didn't ended well!

Does that make sense?

Tru

Hi,
following your GREAT workflow I've managed to create a singularity image for my project and upload it to ghcr.io.
I still have some issues:

• it seems that the package is advertised as a "docker image" in my project package page from github:

Install from the command line:
Learn more
$ docker pull ghcr.io/feelpp/salome.docker:latest

How can I tell github to display a more appropriate message like: singularity pull oras://....

• Next as my project is private I need to pass some credentials to pull the singularity image. How can do that?

Thanks for your help

Hi @vsoch ,
I've tried the manual deploy workflow for the attached recipe.
It fails with following error:

ERROR  : Failed to create user namespace: user namespace requires to set /proc/sys/kernel/unprivileged_userns_clone to 1
FATAL:   While performing build: while running engine: exit status 1
Error: Process completed with exit code 255.

I guess this has something to do with the quay.io/singularity/singularity:v3.8.3 image?

Best, C.

recipe.txt

Could you please add one ? I hope it will be an open source one :D

I was wondering if it is in any way possible to use a singularity image that was pushed to ghcr.io with this workflow as the source for bootstrapping in a new singularity definition?

Another question:

Is public pulling without auth on the client possible?

When I try to pull the container associated with this repo I get this error:

FATAL:   While pulling image from oci registry: error fetching image to cache: failed to get checksum for oras://ghcr.io/singularityhub/github-ci:latest: while resolving reference: failed to authorize: failed to fetch oauth token: unexpected status: 403 Forbidden

If I login to to github using a PAK, it works.

Hi, I'm trying to build a Singularity and push it to Github Container Registry using one of the Github Actions workflow provided in this repo as a template.

I run a modified version of the "Docker" workflow, where I skip the step that checks whether the Singularity recipe has been changed in order to build the image at every push. Here is the content of the .yaml file for this workflow.

name: Singularity Build (docker)
on: 
  push:

    # Edit the branches here if you want to change deploy behavior
    branches:
      - main
      - master

  # Do the builds on all pull requests (to test them)
  # pull_request: []

jobs:
  build-test-containers:
    runs-on: ubuntu-latest
    strategy:
      # Keep going on other deployments if anything bloops
      fail-fast: false
      matrix:
        singularity_version:
        - '3.8.1'
        recipe: ["Singularity"]


    container:
      image: quay.io/singularity/singularity:v${{ matrix.singularity_version }}
      options: --privileged

    name: Check ${{ matrix.recipe }}
    steps:

      - name: Check out code for the container builds
        uses: actions/checkout@v2

      - name: Continue if Singularity Recipe Exists
        run: |
          if [[ -f "${{ matrix.recipe }}" ]]; then
            echo "keepgoing=true" >> $GITHUB_ENV
          fi        
      - name: Build Container
        if: ${{ env.keepgoing == 'true' }}
        env:
          recipe: ${{ matrix.recipe }}
        run: |
         ls 
         if [ -f "${{ matrix.recipe }}" ]; then
            sudo -E singularity build container.sif ${{ matrix.recipe }}
            tag=$(echo "${recipe/Singularity\./}")
            if [ "$tag" == "Singularity" ]; then
                tag=latest
            fi
            # Build the container and name by tag
            echo "Tag is $tag."
            echo "tag=$tag" >> $GITHUB_ENV
         else
           echo "${{ matrix.recipe }} is not found."
           echo "Present working directory: $PWD"
           ls
         fi
      - name: Login and Deploy Container
        if: (github.event_name != 'pull_request')
        env:
          keepgoing: ${{ env.keepgoing }}
        run: |         
            if [[ "${keepgoing}" == "true" ]]; then
                echo ${{ secrets.GITHUB_TOKEN }} | singularity remote login -u ${{ secrets.GHCR_USERNAME }} --password-stdin oras://ghcr.io
                singularity push container.sif oras://ghcr.io/${GITHUB_REPOSITORY}:${tag}
            fi

The container is built without error but it fails on the Login and Deploy Container step with a 404 error:

Password (or token when username is empty): 
INFO:    Token stored in /root/.singularity/remote.yaml
FATAL:   Unable to push image to oci registry: unable to push: unexpected status: 404 Not Found
Error: Process completed with exit code 255.

One of the failed runs

Am I doing something wrong?
Thanks,
Gianluca

If deploying an image to an existing tag, it would be nice if this workflow only deployed .sif files that are actually different from the currently hosted image. That way the timestamp of a tag doesn't change, for example, when a readme change is pushed to main. Any thoughts on how best to test identicalness?

Thank for this awesome example.

I've got this working on my project here: neuroscout/neuroscout-cli#136
I set it up to build based on Docker Hub builds using the same meta-data.

One thing I noticed is that for some reason, using {{ secrets.GITHUB_TOKEN }} did not work for me. Instead, I had to create a personal token from my account, and add it to the repository secrets.

If so, it may be worth updating the example.

I believe there are some links in the README aimed at a URL containing 'workfolws'.
I think it should be 'workflows' ?

Thanks for writeup/template!