ci: verify that codebuild jobs use ghcr.io

marcoieni · marcoieni · commit 21a5e27f5808 · 2025-05-27T12:16:40.000+02:00
diff --git a/src/ci/citool/src/jobs.rs b/src/ci/citool/src/jobs.rs
@@ -2,12 +2,13 @@
 mod tests;
 
 use std::collections::BTreeMap;
+use std::path::Path;
 
 use anyhow::Context as _;
 use serde_yaml::Value;
 
-use crate::GitHubContext;
-use crate::utils::load_env_var;
+use crate::utils::{self, load_env_var};
+use crate::{DOCKER_DIRECTORY, GitHubContext};
 
 /// Representation of a job loaded from the `src/ci/github-actions/jobs.yml` file.
 #[derive(serde::Deserialize, Debug, Clone)]
@@ -46,6 +47,47 @@ impl Job {
     fn is_linux(&self) -> bool {
         self.os.contains("ubuntu")
     }
+
+    /// Validate that CodeBuild jobs use Docker images from ghcr.io registry.
+    /// This is needed because otherwise from CodeBuild we get rate limited by Docker Hub.
+    fn validate_codebuild_image(&self) -> anyhow::Result<()> {
+        let is_job_on_codebuild = self.codebuild.unwrap_or(false);
+        if !is_job_on_codebuild {
+            // Jobs in GitHub Actions don't get rate limited by Docker Hub.
+            return Ok(());
+        }
+
+        let image_name = self.image();
+        // we hardcode host-x86_64 here, because in codebuild we only run jobs for this architecture.
+        let dockerfile_path =
+            Path::new(DOCKER_DIRECTORY).join("host-x86_64").join(&image_name).join("Dockerfile");
+
+        if !dockerfile_path.exists() {
+            return Err(anyhow::anyhow!(
+                "Dockerfile not found for CodeBuild job '{}' at path: {}",
+                self.name,
+                dockerfile_path.display()
+            ));
+        }
+
+        let dockerfile_content = utils::read_to_string(&dockerfile_path)?;
+
+        // Check if all FROM statement uses ghcr.io registry
+        let has_ghcr_from = dockerfile_content
+            .lines()
+            .filter(|line| line.trim_start().to_lowercase().starts_with("from "))
+            .all(|line| line.contains("ghcr.io"));
+
+        if !has_ghcr_from {
+            return Err(anyhow::anyhow!(
+                "CodeBuild job '{}' must use ghcr.io registry in its Dockerfile FROM statement. \
+                Dockerfile path: {dockerfile_path:?}",
+                self.name,
+            ));
+        }
+
+        Ok(())
+    }
 }
 
 #[derive(serde::Deserialize, Debug)]
@@ -214,6 +256,10 @@ fn calculate_jobs(
     let jobs = substitute_github_vars(jobs.clone())
         .context("Failed to substitute GitHub context variables in jobs")?;
     let jobs = skip_jobs(jobs, channel);
+    for j in &jobs {
+        j.validate_codebuild_image()
+            .context(format!("Failed to validate CodeBuild job '{}'", j.name))?;
+    }
     let jobs = jobs
         .into_iter()
         .map(|job| {
diff --git a/src/ci/citool/src/main.rs b/src/ci/citool/src/main.rs
@@ -27,7 +27,7 @@ use crate::test_dashboard::generate_test_dashboard;
 use crate::utils::{load_env_var, output_details};
 
 const CI_DIRECTORY: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/..");
-const DOCKER_DIRECTORY: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../docker");
+pub const DOCKER_DIRECTORY: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../docker");
 const JOBS_YML_PATH: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/../github-actions/jobs.yml");
 
 struct GitHubContext {
