Draft
Changes from 17 commits
117 commits
d252a4e
Experiment with Bazel Remote Execution on Namespace
basvandijk Jun 26, 2026
4eebe95
Don't print RBE bazelrc to avoid leaking short-lived credentials
basvandijk Jun 26, 2026
630603e
Address Copilot review: fork guards, consistent worker ref, decouple …
basvandijk Jun 26, 2026
95ee442
chore: force image rebuild
basvandijk Jun 28, 2026
c7118c3
Updating container images to tag: daa25a4984be312c1cf51c5a932a200fa2f…
Jun 28, 2026
7fc1156
Treat bre-worker-image as a required job, like ic-build-image
basvandijk Jun 28, 2026
8e31772
chore: force image rebuild (again)
basvandijk Jun 28, 2026
60eacb9
Fix BRE worker image push: use the Namespace tenant registry
basvandijk Jun 28, 2026
acc567a
Parse BRE worker digest from nsc upload output
basvandijk Jun 28, 2026
dd8e7fb
Potential fix for pull request finding
basvandijk Jun 28, 2026
765211b
Grant id-token: write so nsc can authenticate via GitHub OIDC
basvandijk Jun 28, 2026
41345a5
Revert id-token: write; Namespace runners already have a workspace id…
basvandijk Jun 28, 2026
d6a217a
Address review: least-privilege permissions and safe inputs reference
basvandijk Jun 28, 2026
e94973f
wip
basvandijk Jun 28, 2026
464a535
Switch to namespace-profile-default
basvandijk Jun 28, 2026
a4d7525
Pass BRE test target patterns as a quoted array
basvandijk Jun 28, 2026
7b3e520
Make update-image-references checkout robust on push/dispatch
basvandijk Jun 28, 2026
44aa0e4
Merge remote-tracking branch 'origin' into basvandijk/namespace-bazel…
basvandijk Jun 29, 2026
9c9e323
trigger container build
basvandijk Jun 29, 2026
34c3300
grant ns runner all baseimage permissions
basvandijk Jun 29, 2026
dc11e43
Updating container images to tag: d395e4504a1bf0cf387cbf17335b6a6cf47…
Jun 29, 2026
9c34c77
run bazel inside the container
basvandijk Jun 29, 2026
5f9d3e8
install nsc in the container
basvandijk Jun 29, 2026
a827076
fix
basvandijk Jun 29, 2026
db404e1
Updating container images to tag: a139b8d37688eb2a5e1bc4a85b730a3ea64…
Jun 29, 2026
ee81d00
reference ic-build image via output
basvandijk Jun 29, 2026
b8423ea
trigger
basvandijk Jun 29, 2026
2ddf870
Updating container images to tag: a139b8d37688eb2a5e1bc4a85b730a3ea64…
Jun 29, 2026
dd831d4
bring nsc into scope
basvandijk Jun 29, 2026
fc4d909
debug
basvandijk Jun 29, 2026
d3c7adf
Install nsc to /bin
basvandijk Jun 29, 2026
7758e4b
fix
basvandijk Jun 29, 2026
d182040
Updating container images to tag: 7838da7e90af323eb5aeb8463bc0346ef73…
Jun 29, 2026
d102776
fix
basvandijk Jun 29, 2026
e2c51dd
Updating container images to tag: 7a908e1407f45149e59440b14029c6b9937…
Jun 29, 2026
6b5be94
nsc auth exchange-github-token
basvandijk Jun 29, 2026
109e28d
permissions: id-token: write
basvandijk Jun 29, 2026
4fc49d1
use host's nsc auth
basvandijk Jun 29, 2026
cdab485
uses: namespacelabs/nscloud-setup@v0
basvandijk Jun 29, 2026
5445b3f
Run skylib copy actions locally under Bazel remote execution
basvandijk Jun 29, 2026
10dab84
nsc is not needed in the container since we use namespacelabs/nsclou…
basvandijk Jun 30, 2026
8767ef3
Run non-remote-executable spawns locally under Namespace BRE
basvandijk Jun 30, 2026
b38fdf0
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jun 30, 2026
8a70e66
Updating container images to tag: d395e4504a1bf0cf387cbf17335b6a6cf47…
Jun 30, 2026
3c155aa
Run local-only genrules locally under Namespace BRE
basvandijk Jun 30, 2026
6d3eee7
Keep BRE worker src dynamic, immune to the update-image-references sed
basvandijk Jun 30, 2026
7cde29f
Pass C++ .d files in memory under Namespace BRE
basvandijk Jun 30, 2026
39242c0
Run Namespace BRE job in a privileged container for ic-os podman builds
basvandijk Jun 30, 2026
2b0504f
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jun 30, 2026
f819061
trigger container rebuild
basvandijk Jun 30, 2026
1dac48a
Updating container images to tag: 22378bb2ad2621b518f4000afdb1ebbe793…
Jun 30, 2026
75e5bf8
fix(bazel): ship rust-lld's gcc-ld self-contained linker to Rustc act…
basvandijk Jun 30, 2026
521b674
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jun 30, 2026
c7f598d
ci(bre): drop obsolete --experimental_inmemory_dotd_files flag
basvandijk Jun 30, 2026
085bb0a
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jun 30, 2026
5439548
fix(bazel): keep rust-lld binary in sysroot for wasm canister links
basvandijk Jun 30, 2026
3ef6265
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jun 30, 2026
6c83df8
test(pocket-ic): split requires-network tests into arm64-darwin variants
basvandijk Jul 1, 2026
20bc0f4
test(pocket-ic): set crate_root for multi-source -darwin test variants
basvandijk Jul 1, 2026
c06dcdc
fix: build artifact_bundle locally to avoid dangling symlinks under BRE
basvandijk Jul 1, 2026
380255a
test: run permission-denied tests as an unprivileged user when root
basvandijk Jul 1, 2026
24982cf
--skip_incompatible_explicit_targets
basvandijk Jul 1, 2026
2801748
fix: compile test_utilities/privileges on macOS
basvandijk Jul 1, 2026
a99be41
test: run sns-cli permission-denied tests as unprivileged user when root
basvandijk Jul 1, 2026
ab1b797
Revert " --skip_incompatible_explicit_targets"
basvandijk Jul 1, 2026
861e217
Revert "test(pocket-ic): set crate_root for multi-source -darwin test…
basvandijk Jul 1, 2026
eef3df9
Revert "test(pocket-ic): split requires-network tests into arm64-darw…
basvandijk Jul 1, 2026
9d830fc
Skip pocket-ic:unix test_canister_http_in_live_mode on the BRE job
basvandijk Jul 1, 2026
f6db25c
test(driver): run libvirtd/QEMU/dnsmasq as nobody when the local back…
basvandijk Jul 1, 2026
3e115bb
ci: mitigate remote CAS blob eviction on the BRE job
basvandijk Jul 1, 2026
b1a9eff
test(driver): let nobody traverse to the libvirtd binary and working dir
basvandijk Jul 1, 2026
1794676
test(driver): run net-admin scripts directly (not via capsh) when root
basvandijk Jul 1, 2026
41f73bb
Revert "Skip pocket-ic:unix test_canister_http_in_live_mode on the BR…
basvandijk Jul 1, 2026
1351d03
disable //packages/pocket-ic:unix
basvandijk Jul 1, 2026
0a654ba
BRE -> RBE
basvandijk Jul 1, 2026
1d4ad17
--test_output=errors
basvandijk Jul 1, 2026
015a779
enable //packages/pocket-ic:unix again but disable test_canister_http…
basvandijk Jul 1, 2026
751728f
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 1, 2026
5d996b8
start binary search for the hanging //packages/pocket-ic:unix
basvandijk Jul 1, 2026
a4fe22c
more ignores
basvandijk Jul 1, 2026
20ebc34
more ignores
basvandijk Jul 1, 2026
16270df
one more ignore
basvandijk Jul 1, 2026
bf8d8e5
more ignores
basvandijk Jul 1, 2026
283f27e
run resume_killed_instance_strict
basvandijk Jul 1, 2026
213e33b
run resume_killed_instance
basvandijk Jul 1, 2026
a41bc5f
only ignore resume_killed_instance
basvandijk Jul 1, 2026
f02fc80
reduce diff
basvandijk Jul 1, 2026
6850827
experiment: net_admin
basvandijk Jul 1, 2026
1348098
Revert "experiment: net_admin"
basvandijk Jul 1, 2026
8f4f8d9
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 2, 2026
0694570
Unshare a self-owned netns when root lacks CAP_NET_ADMIN over the cur…
basvandijk Jul 2, 2026
ac4c025
test: run permission-denied tests as an unprivileged user when root
basvandijk Jul 1, 2026
f914787
fix: compile test_utilities/privileges on macOS
basvandijk Jul 1, 2026
0ff2873
test: run sns-cli permission-denied tests as unprivileged user when root
basvandijk Jul 1, 2026
75903f4
fix: address review comments in run_as_nobody_if_root
basvandijk Jul 2, 2026
39e8abf
Automatically fixing code for linting and formatting issues
Jul 2, 2026
071d0ee
docs: comment why run_as_nobody_if_root is needed at each call site
basvandijk Jul 2, 2026
e224f9f
feat: add #[as_nobody_when_root] attribute form of run_as_nobody_if_root
basvandijk Jul 2, 2026
ceaeddc
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 2, 2026
f073f6c
Merge branch 'basvandijk/run-permission-denied-tests-as-nobody' into …
basvandijk Jul 2, 2026
8f6d88a
fix: unwrap double-applied run_as_nobody_if_root after merge
basvandijk Jul 2, 2026
3856b8c
fix: shard zig cache per action under remote execution
basvandijk Jul 2, 2026
42e0d14
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 3, 2026
e9f93c4
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 3, 2026
e7a44cb
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 3, 2026
fb8d89d
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 3, 2026
5e37e0a
Refactor RBE workflow to build bazel args in a documented array
basvandijk Jul 3, 2026
6bcb0ba
Revert changes in Cargo.toml
basvandijk Jul 3, 2026
06f7220
Merge remote-tracking branch 'origin' into basvandijk/namespace-bazel…
basvandijk Jul 3, 2026
38afa08
try resume_killed_instance again
basvandijk Jul 3, 2026
7893858
Merge remote-tracking branch 'origin/master' into basvandijk/namespac…
basvandijk Jul 3, 2026
0c41013
rm comments
basvandijk Jul 3, 2026
0bb6ad4
trigger image build
basvandijk Jul 3, 2026
d0f0132
refactor
basvandijk Jul 3, 2026
318c9e5
tweaks
basvandijk Jul 3, 2026
d6b9892
Updating container images to tag: 8daf75b044f16ab4395e9746071e3d09115…
Jul 3, 2026
2deda1c
Merge branch 'master' into basvandijk/namespace-bazel-remote-execution
basvandijk Jul 3, 2026
88 changes: 88 additions & 0 deletions .github/workflows/bre-namespace-test.yml
@@ -0,0 +1,88 @@
name: BRE Namespace Test

# Experimental: run `bazel test` on Namespace runners using Bazel Remote
# Execution (BRE). Actions execute on Namespace workers booted from a custom
# worker image (a mirror of ic-build) that is built, optimized and pinned by the
# `container-autobuild.yml` workflow.
#
# See: https://namespace.so/docs/bazel/execution

on:
workflow_dispatch:
inputs:
targets:
description: 'Bazel target patterns to test'
required: false
default: '//...'
type: string
pull_request:
types: [opened, synchronize, reopened, labeled]
push:
branches:
- 'dev-gh-*'

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

permissions:
contents: read

jobs:
bazel-test-bre:
name: Bazel Test (Namespace BRE)
runs-on: namespace-profile-amd64-linux-32x64
timeout-minutes: 120
# Opt-in while experimental: manual dispatch, pushes to dev-gh-* branches, or
# non-fork pull requests labeled 'CI_BRE'. Only on the public repo, where
# Namespace runners are configured (otherwise the job would get stuck). Fork
# PRs are excluded because this job runs on a privileged Namespace runner with
# pre-authenticated 'nsc' and must never execute untrusted PR code.
if: >-
github.repository == 'dfinity/ic' &&
( github.event_name != 'pull_request' ||
( github.event.pull_request.head.repo.full_name == github.repository &&
contains(github.event.pull_request.labels.*.name, 'CI_BRE') ) )
steps:
- name: Set up Bazel Remote Execution
run: |
# Provisions the Namespace RBE cluster and writes a bazelrc fragment with
# the remote executor, remote cache, credentials and recommended defaults.
# 'nsc' is pre-authenticated on Namespace runners.
# NOTE: do not print this bazelrc -- it contains short-lived credentials
# that would leak into the Actions logs.
nsc bazel execution setup --bazelrc=/tmp/bazel-rbe.bazelrc
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: ./.github/actions/netrc
- name: Bazel Test with BRE
shell: bash
env:
BAZEL_TARGETS: ${{ github.event.inputs.targets || '//...' }}
run: |
set -euo pipefail

# Custom worker image: a mirror of ic-build, pinned to an immutable digest
# and optimized for BRE. The ref below (Namespace tenant registry + digest)
# is kept up to date automatically by the 'update-image-references' job in
# container-autobuild.yml.
# NOTE: the placeholder digest below is replaced on the first ic-build
# rebuild after this workflow is introduced; until then this job will fail.
worker_image="docker://nscr.io/c9ptjuknd7oc6/ic-build-worker@sha256:0000000000000000000000000000000000000000000000000000000000000000"

targets="$BAZEL_TARGETS"
# Split the (space-separated) target patterns into an array so each is passed
# as a single, quoted argument -- avoids word-splitting/glob surprises. The
# 'targets' input is workflow_dispatch-only and this job is gated to non-fork.
read -ra target_patterns <<<"$targets"
# We deliberately bypass the workspace .bazelrc (which pulls in the
# DFINITY-internal cache / remote-execution config) and instead pass the
# build config plus the Namespace RBE config explicitly, mirroring the
# bazel-test-arm64 job in ci-main.yml.
bazel \
--noworkspace_rc \
--bazelrc=./bazel/conf/.bazelrc.build --bazelrc=/tmp/bazel-rbe.bazelrc \
test \
--test_tag_filters=-farm_system_test,-system_test_large,-system_test_benchmark,-fuzz_test,-fi_tests_nightly,-nns_tests_nightly,-pocketic_tests_nightly \
--remote_default_exec_properties=container-image="$worker_image" \
--keep_going \
"${target_patterns[@]}"
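Review bot: the target patterns are appended after the Bazel flags without a `--` separator, so a negative pattern such as `-//some/pkg/...` supplied through the `targets` input (which `read -ra` happily splits into its own array element) would be parsed by Bazel as an unknown option and abort the run; adding `--` on its own line before `"${target_patterns[@]}"` makes Bazel treat everything after it as target patterns. The non-fork guard, the label gate and the `env:`-based `BAZEL_TARGETS` reference look right. One nit: the bazelrc fragment holding short-lived credentials is written to a fixed path under `/tmp` before checkout and never removed; a final step with `if: always()` that deletes `/tmp/bazel-rbe.bazelrc` would keep it from outliving the job on any runner that is reused.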
81 changes: 78 additions & 3 deletions .github/workflows/container-autobuild.yml
Expand Up @@ -103,10 +103,75 @@ jobs:
exit 1
fi

bre-worker-image:
name: Build BRE Worker Image
# Runs on a Namespace runner where 'nsc' is pre-authenticated. 'update-image-references'
# waits for this job and pins the resulting digest in the same commit. Like
# 'ic-build-image', this job is required: if it fails, that's a bug to fix.
runs-on: namespace-profile-default
# nsc authenticates via the runner's Namespace workspace identity, not the
# GITHUB_TOKEN, so this job needs no GitHub permissions (least privilege).
permissions: {}
needs: [build-image-prep, ic-build-image]
# Restricted to the dfinity/ic repo and, for pull_request events, to non-fork
# PRs -- this job runs on a privileged Namespace runner with pre-authenticated
# 'nsc', so it must never run untrusted code from a fork.
if: |
needs.build-image-prep.outputs.build_image == 'true' &&
github.repository == 'dfinity/ic' &&
(github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
timeout-minutes: 30
outputs:
worker-image: ${{ steps.worker.outputs.worker-image }}
steps:
- name: Mirror ic-build to nscr.io and optimize for Bazel Remote Execution
id: worker
shell: bash
run: |
set -xeuo pipefail

# 'nsc base-image upload' pushes a *relative* name into the Namespace tenant
# registry, prepending $NSC_CONTAINER_REGISTRY (e.g. nscr.io/<tenant>). Do NOT
# pass a fully-qualified ref here or it gets double-prefixed.
: "${NSC_CONTAINER_REGISTRY:?NSC_CONTAINER_REGISTRY is not set on this runner}"

# Mirror the (unchanged) ic-build image -- just pushed to GHCR and pinned by
# digest -- into the Namespace tenant registry. Namespace BRE workers boot
# from this image.
src="ghcr.io/dfinity/ic-build@${{ needs.ic-build-image.outputs.ic-build-imageid }}"
worker_repo="${NSC_CONTAINER_REGISTRY}/ic-build-worker"
worker_tag="${{ needs.build-image-prep.outputs.image_tag }}"

nsc docker login

# Upload, then read the pushed digest from nsc's own "Uploaded base image:"
# line. We parse the upload output rather than 'docker buildx imagetools
# inspect', whose --format prints the whole manifest for the multi-platform
# attestation index that docker/build-push-action emits. BRE needs an
# immutable digest (mutable tags are rejected).
upload_log="$(nsc base-image upload "$src" "ic-build-worker:$worker_tag" 2>&1)"
echo "$upload_log"
worker_digest="$(printf '%s\n' "$upload_log" | grep -i 'Uploaded base image' | grep -oE 'sha256:[0-9a-f]{64}' | tail -n1 || true)"
: "${worker_digest:?could not parse pushed image digest from nsc base-image upload output}"
worker_image="${worker_repo}@${worker_digest}"
echo "Resolved worker image: $worker_image"

# Optimize the pinned digest into a fast-booting worker variant. This blocks
# until ready and only needs to be done once per digest.
# NOTE: requires the 'baseimage:optimize' permission on the tenant registry.
nsc base-image optimize --image_ref "$worker_image"

echo "worker-image=$worker_image" >> "$GITHUB_OUTPUT"

update-image-references:
name: Update Image References in Repo
runs-on: ubuntu-latest
needs: [build-image-prep, ic-build-image]
# Waits for the (slower) 'bre-worker-image' to finish before committing: the push
# this job makes triggers a new workflow run, and 'cancel-in-progress' in the
# concurrency group would otherwise cancel 'bre-worker-image' mid-optimize.
# Both 'ic-build-image' and 'bre-worker-image' are required (default 'needs'
# semantics): if either fails, that's a bug to fix.
needs: [build-image-prep, ic-build-image, bre-worker-image]
if: ${{ needs.build-image-prep.outputs.build_image == 'true' }}
steps:
- name: Create GitHub App Token
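Review bot: the `run:` script of the new `bre-worker-image` job interpolates `${{ needs.ic-build-image.outputs.ic-build-imageid }}` and `${{ needs.build-image-prep.outputs.image_tag }}` straight into shell source on the `src=` and `worker_tag=` lines; passing them through `env:` (as `bre-namespace-test.yml` already does for `BAZEL_TARGETS`) keeps the script free of expression injection by construction rather than by the current values happening to be hex digests. Minor: with `set -x` bash already traces the expanded value of the `upload_log=` assignment, so the explicit `echo "$upload_log"` prints the full `nsc base-image upload` output a second time. The `permissions: {}`, the non-fork guard and the `: "${worker_digest:?...}"` check after the `|| true` are good.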
Expand All @@ -119,7 +184,9 @@ jobs:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.head_ref }}
# head_ref is only set for pull_request; fall back to ref_name for push /
# workflow_dispatch so the checkout and git push target the right branch.
ref: ${{ github.head_ref || github.ref_name }}
token: ${{ steps.app-token.outputs.token }}

- name: Update Image References
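Review bot: `github.ref_name` is the branch for `push` and `workflow_dispatch` runs on branches, but for a tag push it would be the tag name, the checkout would be detached and the later `git push` would fail; if this workflow can ever be triggered from a tag, add `github.ref_type == 'branch'` to the job's `if:` or state in the comment that the job is branch-only.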
Expand All @@ -141,13 +208,20 @@ jobs:
sed -i -E "s|${IMAGE_PREFIX}ic-build(:\|@)[^\"]{5,}|$IMG_NAME_IC_BUILD|g" -- workflow*/*
popd

# Pin the BRE worker image (always produced by the required 'bre-worker-image')
# in the experimental BRE test workflow. Match any tenant in the registry path
# so this keeps working if the Namespace tenant ever changes.
WORKER_IMAGE='${{ needs.bre-worker-image.outputs.worker-image }}'
sed -i -E "s|nscr\.io/[^\"/]+/ic-build-worker@sha256:[0-9a-f]{64}|${WORKER_IMAGE}|g" .github/workflows/bre-namespace-test.yml

git config --global user.name "IDX GitHub Automation"
git config --global user.email "<>"
git add .
git commit \
-m 'Updating container images to tag: ${{ needs.build-image-prep.outputs.image_tag }}' \
-m 'ic-build: ${{ needs.ic-build-image.outputs.ic-build-imageid }}' \
-m 'ic-dev: ${{ needs.ic-build-image.outputs.ic-dev-imageid }}'
-m 'ic-dev: ${{ needs.ic-build-image.outputs.ic-dev-imageid }}' \
-m 'ic-build-worker: ${{ needs.bre-worker-image.outputs.worker-image }}'
git push

- name: Add PR Comment
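Review bot: `sed -i` exits 0 whether or not `nscr\.io/[^\"/]+/ic-build-worker@sha256:[0-9a-f]{64}` matched, so if the pattern ever stops matching (for example after a replacement whose `${WORKER_IMAGE}` host is not `nscr.io`, since `worker_repo` is derived from `NSC_CONTAINER_REGISTRY`), the pin in `bre-namespace-test.yml` goes stale silently while the commit message still claims the new worker digest; add a check right after the sed, e.g. `grep -qF "$WORKER_IMAGE" .github/workflows/bre-namespace-test.yml || { echo "worker image not pinned" >&2; exit 1; }`. As with the other job, sourcing `WORKER_IMAGE` via `env:` instead of `WORKER_IMAGE='${{ ... }}'` removes the dependence on single-quote safety of the interpolated value.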
Expand All @@ -162,6 +236,7 @@ jobs:
message += 'New container images with tag: `${{ needs.build-image-prep.outputs.image_tag }}`\n'
message += 'ic-build: `${{ needs.ic-build-image.outputs.ic-build-imageid }}`\n'
message += 'ic-dev: `${{ needs.ic-build-image.outputs.ic-dev-imageid }}`\n'
message += 'ic-build-worker: `${{ needs.bre-worker-image.outputs.worker-image }}`\n'

// Find existing comment from this workflow
const comments = await github.rest.issues.listComments({
2 changes: 1 addition & 1 deletion ci/container/TAG
@@ -1 +1 @@
daa25a4984be312c1cf51c5a932a200fa2fac895bdd550cac7bacb9dad553bae
0000000000000000000000000000000000000000000000000000000000000000
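Review bot: `ci/container/TAG` goes from a real digest to 64 zeros, which matches the `chore: force image rebuild` commits in the history and the all-zero placeholder digest in `bre-namespace-test.yml`; this should not be the state that gets merged, so confirm that the autobuild's `Updating container images to tag:` commit restores a real tag before the PR leaves draft (this view covers 17 of the 117 commits, so it may already be fixed further along the branch).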