fix(ci): run e2e as a single local job without GHCR push

johntmyers · johntmyers · commit e26aead59b06 · 2026-03-30T11:20:12.000-07:00
Restructure branch e2e from three separate jobs (build-gateway, build-
cluster, e2e) that push images to GHCR into a single job that builds
and tests locally. This eliminates the GHCR write permission requirement
that blocked fork PRs.

The build scripts already default to --load (no push) for single-
platform builds, and 'mise run e2e' orchestrates the full pipeline:
build images locally, start a local registry, boot the cluster, and
run tests. No workflow_call changes needed.

Permissions reduced from packages: write to packages: read (only needed
to pull the CI container image).
diff --git a/.github/workflows/branch-e2e.yml b/.github/workflows/branch-e2e.yml
@@ -6,28 +6,102 @@ on:
 
 permissions:
   contents: read
-  packages: write
+  packages: read
 
 jobs:
-  build-gateway:
+  e2e:
     if: contains(github.event.pull_request.labels.*.name, 'test:e2e')
-    uses: ./.github/workflows/docker-build.yml
-    with:
-      component: gateway
-      platform: linux/arm64
-      runner: build-arm64
+    name: E2E
+    runs-on: build-arm64
+    timeout-minutes: 45
+    container:
+      image: ghcr.io/nvidia/openshell/ci:latest
+      credentials:
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+      options: --privileged
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+    env:
+      MISE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # Single platform so buildx uses --load (no registry push needed).
+      DOCKER_PLATFORM: linux/arm64
+      EXTRA_CARGO_FEATURES: openshell-core/dev-settings
+    steps:
+      - uses: actions/checkout@v4
 
-  build-cluster:
-    if: contains(github.event.pull_request.labels.*.name, 'test:e2e')
-    uses: ./.github/workflows/docker-build.yml
-    with:
-      component: cluster
-      platform: linux/arm64
-      runner: build-arm64
+      - name: Install tools
+        run: mise install
 
-  e2e:
-    needs: [build-gateway, build-cluster]
-    uses: ./.github/workflows/e2e-test.yml
-    with:
-      image-tag: ${{ github.sha }}
-      runner: build-arm64
+      - name: Install dependencies
+        run: |
+          uv sync --frozen
+          apt-get update && apt-get install -y --no-install-recommends openssh-client && rm -rf /var/lib/apt/lists/*
+
+      - name: Resolve Docker host gateway
+        id: hostgw
+        shell: bash
+        run: |
+          # Get the IP the CI container uses to reach the Docker host.
+          # The local registry binds to port 5000 on the host, so sibling
+          # containers (CI, k3s) reach it via the default gateway IP.
+          DOCKER_HOST_IP=""
+          if command -v ip >/dev/null 2>&1; then
+            DOCKER_HOST_IP=$(ip route | awk '/default/ {print $3}')
+          fi
+          if [[ -z "$DOCKER_HOST_IP" ]] && [[ -r /proc/net/route ]]; then
+            GW_HEX=$(awk '$2 == "00000000" {print $3; exit}' /proc/net/route)
+            if [[ -n "$GW_HEX" ]]; then
+              DOCKER_HOST_IP=$(printf "%d.%d.%d.%d" \
+                "0x${GW_HEX:6:2}" "0x${GW_HEX:4:2}" "0x${GW_HEX:2:2}" "0x${GW_HEX:0:2}")
+            fi
+          fi
+          if [[ -z "$DOCKER_HOST_IP" ]]; then
+            DOCKER_HOST_IP=$(docker network inspect bridge \
+              --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}' 2>/dev/null || echo "172.17.0.1")
+          fi
+          echo "ip=${DOCKER_HOST_IP}" >> "$GITHUB_OUTPUT"
+          echo "Docker host gateway: ${DOCKER_HOST_IP}"
+
+      - name: Start local registry
+        run: |
+          docker rm -f openshell-local-registry 2>/dev/null || true
+          docker run -d --restart=always --name openshell-local-registry -p 5000:5000 registry:2
+          for i in $(seq 1 20); do
+            if docker exec openshell-local-registry wget -qO- http://localhost:5000/v2/ >/dev/null 2>&1; then
+              echo "Registry ready"
+              break
+            fi
+            sleep 1
+          done
+
+      - name: Build images
+        run: |
+          mise run docker:build:gateway
+          mise run docker:build:cluster
+
+      - name: Push gateway to local registry
+        env:
+          DOCKER_HOST_IP: ${{ steps.hostgw.outputs.ip }}
+        run: |
+          IMAGE_TAG=${IMAGE_TAG:-dev}
+          docker tag openshell/gateway:${IMAGE_TAG} ${DOCKER_HOST_IP}:5000/openshell/gateway:${IMAGE_TAG}
+          docker push ${DOCKER_HOST_IP}:5000/openshell/gateway:${IMAGE_TAG}
+
+      - name: Bootstrap cluster
+        env:
+          GATEWAY_HOST: host.docker.internal
+          GATEWAY_PORT: "8080"
+          SKIP_IMAGE_PUSH: "1"
+          SKIP_CLUSTER_IMAGE_BUILD: "1"
+          OPENSHELL_REGISTRY: ${{ steps.hostgw.outputs.ip }}:5000/openshell
+          OPENSHELL_REGISTRY_HOST: ${{ steps.hostgw.outputs.ip }}:5000
+          OPENSHELL_REGISTRY_NAMESPACE: openshell
+          OPENSHELL_REGISTRY_ENDPOINT: host.docker.internal:5000
+          OPENSHELL_REGISTRY_INSECURE: "true"
+        run: mise run --no-prepare --skip-deps cluster
+
+      - name: Run E2E tests
+        run: |
+          mise run --no-prepare --skip-deps e2e:python
+          mise run --no-prepare --skip-deps e2e:rust
