update github actions workflow

ablack3 · ablack3 · commit cc41e3e9aa7e · 2026-02-05T17:46:15.000+01:00
diff --git a/.Rprofile b/.Rprofile
diff --git a/.github/workflows/build-test-sign-image.yaml b/.github/workflows/build-test-sign-image.yaml
@@ -42,13 +42,55 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Log in to Azure Container Registry
+      # Log in to Azure CR with token that can pull the base image (ARACHNE_DOCKER_REGISTRY_TOKEN).
+      - name: Log in to Azure CR (pull base image)
+        uses: docker/login-action@v3
+        with:
+          registry: executionengine.azurecr.io
+          username: github-actions-push
+          password: ${{ secrets.ARACHNE_DOCKER_REGISTRY_TOKEN }}
+
+      # Try to pull base image; only build if pull fails (e.g. first run or base not yet published).
+      - name: Try pull base image
+        id: pull_base
+        run: |
+          BASE_IMAGE="executionengine.azurecr.io/${{ steps.image.outputs.name }}-base:latest"
+          if docker pull "$BASE_IMAGE"; then
+            docker tag "$BASE_IMAGE" examplestudy-base:latest
+            echo "need_build=false" >> $GITHUB_OUTPUT
+          else
+            echo "need_build=true" >> $GITHUB_OUTPUT
+          fi
+
+      # Build base image only when it could not be pulled.
+      - name: Build base image (CI / local load)
+        if: steps.pull_base.outputs.need_build == 'true'
+        run: |
+          docker buildx build \
+            --load \
+            --file ./Dockerfile.base \
+            --tag examplestudy-base:latest \
+            --cache-from type=gha \
+            --cache-to type=gha,mode=max \
+            --platform linux/amd64 \
+            .
+
+      # Re-login to Azure CR with token that can push (for release step).
+      - name: Log in to Azure Container Registry (push)
         uses: docker/login-action@v3
         with:
           registry: executionengine.azurecr.io
           username: github-actions-push
           password: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}
 
+      # When we built the base locally, push it so future runs can pull it.
+      - name: Push base image to Azure CR
+        if: steps.pull_base.outputs.need_build == 'true'
+        run: |
+          BASE_REPO="executionengine.azurecr.io/${{ steps.image.outputs.name }}-base:latest"
+          docker tag examplestudy-base:latest "$BASE_REPO"
+          docker push "$BASE_REPO"
+
       # Produces tags + labels (commit SHA, semver if you use tags, etc.)
       - name: Docker metadata
         id: meta
@@ -63,17 +105,17 @@ jobs:
             org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}
             org.opencontainers.image.revision=${{ github.sha }}
 
-      # 1) CI build (LOAD locally) so we can run tests inside the image.
-      #    Attestations (sbom/provenance) require pushing, so we do that only after tests pass.
-      #    Build is run with --progress=plain and teed to build.log for artifact upload on failure.
-      - name: Build (CI / local load)
+      # 1b) Build study image (LOAD) so we can run tests inside it.
+      #     Attestations (sbom/provenance) require pushing, so we do that only after tests pass.
+      - name: Build study image (CI / local load)
         id: build_ci
         run: |
           set -o pipefail
           docker buildx build \
             --progress=plain \
             --load \
             --file ./Dockerfile \
+            --build-arg BASE_IMAGE=examplestudy-base:latest \
             --tag ${{ env.REGISTRY }}/${{ steps.image.outputs.name }}:ci-${{ github.sha }} \
             --label "org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" \
             --label "org.opencontainers.image.revision=${{ github.sha }}" \
@@ -118,6 +160,7 @@ jobs:
         with:
           context: .
           file: ./Dockerfile
+          build-args: BASE_IMAGE=examplestudy-base:latest
           platforms: linux/amd64
           push: true
           tags: |
diff --git a/Dockerfile b/Dockerfile
@@ -1,95 +1,15 @@
-# Ubuntu 22.04 (Jammy) · R 4.2 · Dependencies for ExampleStudy
-# For Snowflake ODBC use: docker build --platform linux/amd64 ...
-FROM rocker/rstudio:4.2
+# Study image: prebuilt base + repo + renv::restore().
+# Build in two steps:
+#   1) Base:  docker build -f Dockerfile.base -t examplestudy-base:latest .
+#             (Optionally push: docker push <registry>/examplestudy-base:latest)
+#   2) Study: docker build -t examplestudy:latest .
+#             (Then sign and push per your CI, e.g. cosign sign, docker push)
+ARG BASE_IMAGE=examplestudy-base:latest
+FROM ${BASE_IMAGE}
 LABEL org.opencontainers.image.maintainer="Adam Black <a.black@darwin-eu.org>"
 
-# Install java and rJava
-RUN apt-get -y update && apt-get install -y \
-   default-jdk \
-   r-cran-rjava \
-   sudo \
-   && apt-get clean \
-   && rm -rf /var/lib/apt/lists/ \
-   && sudo R CMD javareconf
-
-RUN echo 'options(repos = c(CRAN = "https://packagemanager.posit.co/cran/__linux__/jammy/2026-02-01"))' >>"${R_HOME}/etc/Rprofile.site"
-RUN install2.r --error rJava && rm -rf /tmp/download_packages/ /tmp/*.rds
-RUN install2.r --error DatabaseConnector && rm -rf /tmp/download_packages/ /tmp/*.rds
-ENV DATABASECONNECTOR_JAR_FOLDER="/opt/hades/jdbc_drivers"
-RUN R -e "DatabaseConnector::downloadJdbcDrivers('all');"
-
-RUN install2.r --error Andromeda && rm -rf /tmp/download_packages/ /tmp/*.rds
-RUN install2.r --error RJSONIO && rm -rf /tmp/download_packages/ /tmp/*.rds
-RUN install2.r --error CirceR && rm -rf /tmp/download_packages/ /tmp/*.rds
-RUN install2.r --error SqlRender && rm -rf /tmp/download_packages/ /tmp/*.rds
-RUN install2.r --error renv && rm -rf /tmp/download_packages/ /tmp/*.rds
-
-# Install utility R packages
-RUN apt-get -y update && apt-get install -y \
-    libxml2-dev libssl-dev libcurl4-openssl-dev \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/
-
-RUN install2.r --error openssl httr xml2 remotes && rm -rf /tmp/download_packages/ /tmp/*.rds
-RUN install2.r --error duckdb && rm -rf /tmp/download_packages/ /tmp/*.rds
-
-# Install odbc and RPostgres drivers (unixODBC + dev headers + pkg-config for R odbc package)
-# CXX required: R was built without C++ compiler; odbc's configure invokes ${CXX} -E
-RUN apt-get -y update && apt-get install -y --install-suggests \
-    unixodbc unixodbc-dev libpq-dev curl pkg-config build-essential \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/ \
-    && PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig:/usr/lib/pkgconfig \
-    CXX=g++ \
-    install2.r --error RPostgres duckdb odbc \
-    && rm -rf /tmp/download_packages/ /tmp/*.rds
-
-# Install Darwin packages (and study Imports: dplyr, ggplot2, shiny, plotly)
-RUN install2.r --error \
-        omopgenerics \
-        CDMConnector \
-        IncidencePrevalence \
-        PatientProfiles \
-        TreatmentPatterns \
-        DrugExposureDiagnostics \
-        DrugUtilisation \
-        dplyr \
-        ggplot2 \
-        shiny \
-        plotly \
-   && rm -rf /tmp/download_packages/ /tmp/*.rds
-
-# GitHub token for installs (pass at build time: docker build --build-arg GITHUB_PAT=xxx)
-RUN echo "DATABASECONNECTOR_JAR_FOLDER=/opt/hades/jdbc_drivers" >> /usr/local/lib/R/etc/Renviron
-RUN echo "RENV_PATHS_CELLAR=/opt/renv_cellar" >> /usr/local/lib/R/etc/Renviron
-
-# SQL Server odbc
-RUN curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc > /dev/null
-RUN curl -fsSL https://packages.microsoft.com/config/ubuntu/22.04/prod.list | sudo tee /etc/apt/sources.list.d/mssql-release.list
-RUN apt-get clean && apt-get update && ACCEPT_EULA=Y apt-get install -y msodbcsql17
-
-# Snowflake odbc
-RUN curl -fsSL --output snowflake-odbc-3.1.1.x86_64.deb https://sfc-repo.snowflakecomputing.com/odbc/linux/3.1.1/snowflake-odbc-3.1.1.x86_64.deb
-RUN sudo dpkg -i snowflake-odbc-3.1.1.x86_64.deb
-
-RUN install2.r --error here log4r testthat renv \
-   && rm -rf /tmp/download_packages/ /tmp/*.rds
-
-RUN echo "EUNOMIA_DATA_FOLDER=/opt/eunomia_data" >> /usr/local/lib/R/etc/Renviron
-RUN R -e 'CDMConnector::downloadEunomiaData()'
-
-# Install vim
-RUN apt-get -y update && apt-get install -y vim && apt-get clean && rm -rf /var/lib/apt/lists/
-
-# Fix Snowflake odbc lib path
-RUN sed -i 's/libodbcinst.so.1/libodbcinst.so.2/g' /usr/lib/snowflake/odbc/lib/simba.snowflake.ini
-
-
-RUN mkdir /results
-
-# Copy package source into image (for running study and CI tests)
-COPY . /code
 WORKDIR /code
+COPY . /code
 
 # Install R package dependencies from renv.lock
 RUN R -e "renv::restore()"
diff --git a/Dockerfile.base b/Dockerfile.base
@@ -0,0 +1,91 @@
+# Base image for ExampleStudy: R 4.2, Java, DB drivers, Darwin R packages, ODBC, etc.
+# Build and tag before building the study image, e.g.:
+#   docker build -f Dockerfile.base -t examplestudy-base:latest .
+# For Snowflake ODBC use: docker build -f Dockerfile.base --platform linux/amd64 -t examplestudy-base:latest .
+FROM rocker/rstudio:4.2
+LABEL org.opencontainers.image.maintainer="Adam Black <a.black@darwin-eu.org>"
+
+# Install java and rJava
+RUN apt-get -y update && apt-get install -y \
+   default-jdk \
+   r-cran-rjava \
+   sudo \
+   && apt-get clean \
+   && rm -rf /var/lib/apt/lists/ \
+   && sudo R CMD javareconf
+
+RUN echo 'options(repos = c(CRAN = "https://packagemanager.posit.co/cran/__linux__/jammy/2026-02-01"))' >>"${R_HOME}/etc/Rprofile.site"
+RUN install2.r --error rJava && rm -rf /tmp/download_packages/ /tmp/*.rds
+RUN install2.r --error DatabaseConnector && rm -rf /tmp/download_packages/ /tmp/*.rds
+ENV DATABASECONNECTOR_JAR_FOLDER="/opt/hades/jdbc_drivers"
+RUN R -e "DatabaseConnector::downloadJdbcDrivers('all');"
+
+RUN install2.r --error Andromeda && rm -rf /tmp/download_packages/ /tmp/*.rds
+RUN install2.r --error RJSONIO && rm -rf /tmp/download_packages/ /tmp/*.rds
+RUN install2.r --error CirceR && rm -rf /tmp/download_packages/ /tmp/*.rds
+RUN install2.r --error SqlRender && rm -rf /tmp/download_packages/ /tmp/*.rds
+RUN install2.r --error renv && rm -rf /tmp/download_packages/ /tmp/*.rds
+
+# Install utility R packages
+RUN apt-get -y update && apt-get install -y \
+    libxml2-dev libssl-dev libcurl4-openssl-dev \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/
+
+RUN install2.r --error openssl httr xml2 remotes && rm -rf /tmp/download_packages/ /tmp/*.rds
+RUN install2.r --error duckdb && rm -rf /tmp/download_packages/ /tmp/*.rds
+
+# Install odbc and RPostgres drivers (unixODBC + dev headers + pkg-config for R odbc package)
+# CXX required: R was built without C++ compiler; odbc's configure invokes ${CXX} -E
+RUN apt-get -y update && apt-get install -y --install-suggests \
+    unixodbc unixodbc-dev libpq-dev curl pkg-config build-essential \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/ \
+    && PKG_CONFIG_PATH=/usr/lib/x86_64-linux-gnu/pkgconfig:/usr/lib/pkgconfig \
+    CXX=g++ \
+    install2.r --error RPostgres duckdb odbc \
+    && rm -rf /tmp/download_packages/ /tmp/*.rds
+
+# Install Darwin packages (and study Imports: dplyr, ggplot2, shiny, plotly)
+RUN install2.r --error \
+        omopgenerics \
+        CDMConnector \
+        IncidencePrevalence \
+        PatientProfiles \
+        TreatmentPatterns \
+        DrugExposureDiagnostics \
+        DrugUtilisation \
+        dplyr \
+        ggplot2 \
+        shiny \
+        plotly \
+   && rm -rf /tmp/download_packages/ /tmp/*.rds
+
+# GitHub token for installs (pass at build time: docker build --build-arg GITHUB_PAT=xxx)
+RUN echo "DATABASECONNECTOR_JAR_FOLDER=/opt/hades/jdbc_drivers" >> /usr/local/lib/R/etc/Renviron
+RUN echo "RENV_PATHS_CELLAR=/opt/renv_cellar" >> /usr/local/lib/R/etc/Renviron
+
+# SQL Server odbc
+RUN curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc > /dev/null
+RUN curl -fsSL https://packages.microsoft.com/config/ubuntu/22.04/prod.list | sudo tee /etc/apt/sources.list.d/mssql-release.list
+RUN apt-get clean && apt-get update && ACCEPT_EULA=Y apt-get install -y msodbcsql17
+
+# Snowflake odbc
+RUN curl -fsSL --output snowflake-odbc-3.1.1.x86_64.deb https://sfc-repo.snowflakecomputing.com/odbc/linux/3.1.1/snowflake-odbc-3.1.1.x86_64.deb
+RUN sudo dpkg -i snowflake-odbc-3.1.1.x86_64.deb
+
+RUN install2.r --error here log4r testthat renv \
+   && rm -rf /tmp/download_packages/ /tmp/*.rds
+
+RUN echo "EUNOMIA_DATA_FOLDER=/opt/eunomia_data" >> /usr/local/lib/R/etc/Renviron
+RUN R -e 'CDMConnector::downloadEunomiaData()'
+
+# Install vim
+RUN apt-get -y update && apt-get install -y vim && apt-get clean && rm -rf /var/lib/apt/lists/
+
+# Fix Snowflake odbc lib path
+RUN sed -i 's/libodbcinst.so.1/libodbcinst.so.2/g' /usr/lib/snowflake/odbc/lib/simba.snowflake.ini
+
+RUN mkdir /results
+
+CMD ["bash"]
