Migrate from docker save/load to registry push/pull

.github/workflows/_build-app.yml

@@ -45,49 +45,19 @@ jobs:
         run: |-
           echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev
 
-      - name: Cache Requirements
-        id: cache-requirements
-        uses: actions/cache@v4
-        env:
-          # Forks can't access the variable containing our actual image repository. We want to
-          # use a separate cache to make sure they don't interfere with reqs images being pushed.
-          cache-name: ${{ !github.event.pull_request.repo.fork && 'umbrella-requirements' || 'umbrella-requirements-fork' }}
-        with:
-          path: |
-            ./requirements.tar
-          key: ${{ runner.os }}-${{ runner.arch }}-${{ env.cache-name }}-${{ hashFiles('uv.lock') }}-${{ hashFiles('docker/Dockerfile.requirements') }}-${{ hashFiles('libs/shared/**') }}
-
-      - name: Cache App
-        id: cache-app
-        uses: actions/cache@v4
-        env:
-          cache-name: ${{ inputs.repo }}-app
-        with:
-          path: |
-            ${{ inputs.output_directory }}/app.tar
-          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
-
-      - name: Load requirements from cache
-        if: ${{ steps.cache-requirements.outputs.cache-hit == 'true' }}
-        run: |
-          make load.requirements
-
-      # This shouldn't happen; the _build-requirements.yml job should have run.
-      - name: Build/pull requirements
-        if: ${{ steps.cache-requirements.outputs.cache-hit != 'true' }}
+      - name: Build app
         run: |
-          echo "Warning: requirements image not in cache, building a new one"
           make build.requirements
-          make save.requirements
+          make ${{ inputs.make_target_prefix }}build.app
 
-      - name: Build app
+      - name: Push app
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' && inputs.make_target_prefix != 'shared.' }}
         run: |
-          make ${{ inputs.make_target_prefix }}build.app
-          make ${{ inputs.make_target_prefix }}save.app
+          make ${{ inputs.make_target_prefix }}push.app-temp
 
   build-test-app:
     name: Build Test App
-    runs-on: ubuntu-large
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -109,40 +79,13 @@ jobs:
         run: |-
           echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev
 
-      - name: Cache Test Requirements
-        id: cache-test-requirements
-        uses: actions/cache@v4
-        env:
-          cache-name: umbrella-test-requirements
-        with:
-          path: |
-            ./test-requirements.tar
-          key: ${{ runner.os }}-${{ runner.arch }}-${{ env.cache-name }}-${{ hashFiles('./uv.lock') }}-${{ hashFiles('docker/Dockerfile.requirements') }}-${{ hashFiles('docker/Dockerfile.test-requirements') }}-${{ hashFiles('libs/shared/**') }}
-
-      - name: Cache Test App
-        id: cache-test-app
-        uses: actions/cache@v4
-        env:
-          cache-name: ${{ inputs.repo }}-test-app
-        with:
-          path: |
-            ${{ inputs.output_directory }}/test-app.tar
-          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
-
-      - name: Load test requirements from cache
-        if: ${{ steps.cache-test-requirements.outputs.cache-hit == 'true' }}
-        run: |
-          make load.test-requirements
-
-      # This shouldn't happen; the _build-requirements.yml job should have run.
-      - name: Build/pull test requirements
-        if: ${{ steps.cache-test-requirements.outputs.cache-hit != 'true' }}
+      - name: Build Test App
         run: |
-          echo "Warning: test requirements image not in cache, building a new one"
           make build.test-requirements
-          make save.test-requirements
+          make ${{ inputs.make_target_prefix }}build.test-app
 
-      - name: Build Test App
+      - name: Push Test App
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' && inputs.make_target_prefix != 'shared.' }}
         run: |
-          make ${{ inputs.make_target_prefix }}build.test-app
-          make ${{ inputs.make_target_prefix }}save.test-app
+          make ${{ inputs.make_target_prefix }}push.test-app-temp
+

.github/workflows/_build-requirements.yml

@@ -16,39 +16,8 @@ jobs:
         with:
           fetch-depth: 2
 
-      ######
-      # Setting up caches for the base and test requirements images.
-      #
-      # If both caches hit, we don't need to do anything else.
-      # Otherwise, we have to auth with GCP and Docker Hub, build the missing
-      # images, and then push them.
-      ######
-      - name: Cache Requirements
-        id: cache-requirements
-        uses: actions/cache@v4
-        env:
-          # Forks can't access the variable containing our actual image repository. We want to
-          # use a separate cache to make sure they don't interfere with reqs images being pushed.
-          cache-name: ${{ !github.event.pull_request.repo.fork && 'umbrella-requirements' || 'umbrella-requirements-fork' }}
-        with:
-          path: |
-            ./requirements.tar
-          key: ${{ runner.os }}-${{ runner.arch }}-${{ env.cache-name }}-${{ hashFiles('./uv.lock') }}-${{ hashFiles('docker/Dockerfile.requirements') }}-${{ hashFiles('libs/shared/**') }}
-
-      - name: Cache Test Requirements
-        id: cache-test-requirements
-        uses: actions/cache@v4
-        env:
-          cache-name: umbrella-test-requirements
-        with:
-          path: |
-            ./test-requirements.tar
-          key: ${{ runner.os }}-${{ runner.arch }}-${{ env.cache-name }}-${{ hashFiles('./uv.lock') }}-${{ hashFiles('docker/Dockerfile.requirements') }}-${{ hashFiles('docker/Dockerfile.test-requirements') }}-${{ hashFiles('libs/shared/**') }}
-
       - id: "auth"
-        if: |
-          (steps.cache-requirements.outputs.cache-hit != 'true' || steps.cache-test-requirements.outputs.cache-hit != 'true') &&
-          !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov'
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
         name: "Authenticate to Google Cloud"
         uses: "google-github-actions/[email protected]"
         with:
@@ -57,36 +26,30 @@ jobs:
           service_account: ${{ secrets.CODECOV_GCP_WIDSA }}
 
       - name: Docker configuration
-        if: |
-          (steps.cache-requirements.outputs.cache-hit != 'true' || steps.cache-test-requirements.outputs.cache-hit != 'true') &&
-          !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov'
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
         run: |-
           echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev
 
       ######
-      # Building/pushing the base requirements image if not cached
+      # Building/pushing the base requirements image
       ######
       - name: Build/pull requirements
-        if: ${{ steps.cache-requirements.outputs.cache-hit != 'true' }}
         run: |
           make build.requirements
-          make save.requirements
 
       - name: Push Requirements
-        if: ${{ steps.cache-requirements.outputs.cache-hit != 'true' && !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
         run: |
           make push.requirements
 
       ######
-      # Building/pushing the test requirements image if not cached
+      # Building/pushing the test requirements image
       ######
       - name: Build/pull test requirements
-        if: ${{ steps.cache-test-requirements.outputs.cache-hit != 'true' }}
         run: |
           make build.test-requirements
-          make save.test-requirements
 
       - name: Push Test Requirements
-        if: ${{ steps.cache-test-requirements.outputs.cache-hit != 'true' && !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
         run: |
           make push.test-requirements

.github/workflows/_push-env.yml

@@ -46,23 +46,13 @@ jobs:
         with:
           fetch-depth: 0
           submodules: 'recursive'
+
       - name: Get Release SHA
         env:
           SHA: ${{ github.sha }}
         id: sha
         run: echo short_sha="${SHA:0:7}" >> $GITHUB_OUTPUT
-      - name: Cache App
-        id: cache-app
-        uses: actions/cache@v4
-        env:
-          cache-name: ${{ inputs.repo }}-app
-        with:
-          path: |
-            ${{ inputs.output_directory }}/app.tar
-          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
-      - name: Load built image
-        run: |
-          docker load --input ${{ inputs.output_directory }}/app.tar
+
       - id: "auth"
         name: "Authenticate to Google Cloud"
         uses: "google-github-actions/[email protected]"
@@ -75,10 +65,15 @@ jobs:
         run: |-
           echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev
 
+
+      - name: Pull built image
+        run: |
+          make ${{ inputs.make_target_prefix }}pull.app-temp
       - name: Push ${{ inputs.environment }}
         run: |
           make ${{ inputs.make_target_prefix }}tag.${{ inputs.environment }}
           make ${{ inputs.make_target_prefix }}push.${{ inputs.environment }}
+
       - name: Push latest
         if: inputs.environment == 'production'
         run: |
@@ -106,18 +101,9 @@ jobs:
         with:
           fetch-depth: 0
           submodules: 'recursive'
-      - name: Cache App
-        id: cache-app
-        uses: actions/cache@v4
-        env:
-          cache-name: ${{ inputs.repo }}-app
-        with:
-          path: |
-            ${{ inputs.output_directory }}/app.tar
-          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
-      - name: Load built image
+      - name: Pull built image
         run: |
-          docker load --input ${{ inputs.output_directory }}/app.tar
+          make ${{ inputs.make_target_prefix }}pull.app-temp
       - name: Log in to Docker Hub
         uses: docker/[email protected]
         with:
@@ -137,18 +123,9 @@ jobs:
         with:
           fetch-depth: 0
           submodules: 'recursive'
-      - name: Cache App
-        id: cache-app
-        uses: actions/cache@v4
-        env:
-          cache-name: ${{ inputs.repo }}-app
-        with:
-          path: |
-            ${{ inputs.output_directory }}/app.tar
-          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
-      - name: Load built image
+      - name: Pull built image
         run: |
-          docker load --input ${{ inputs.output_directory }}/app.tar
+          make ${{ inputs.make_target_prefix }}pull.app-temp
       - name: Log in to Docker Hub
         uses: docker/[email protected]
         with:

.github/workflows/_run-tests.yml

@@ -41,18 +41,26 @@ jobs:
         with:
           fetch-depth: 0
           submodules: 'recursive'
-      - name: Cache Test App
-        id: cache-test-app
-        uses: actions/cache@v4
-        env:
-          cache-name: ${{ inputs.repo }}-test-app
+          
+      - id: "auth"
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
+        name: "Authenticate to Google Cloud"
+        uses: "google-github-actions/[email protected]"
         with:
-          path: |
-            ${{ inputs.output_directory }}/test-app.tar
-          key: ${{ runner.os }}-${{ env.cache-name }}-${{ github.run_id }}
-      - name: Load built image
+          token_format: "access_token"
+          workload_identity_provider: ${{ secrets.CODECOV_GCP_WIDP }}
+          service_account: ${{ secrets.CODECOV_GCP_WIDSA }}
+
+      - name: Docker configuration
+        if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
+        run: |-
+          echo ${{steps.auth.outputs.access_token}} | docker login -u oauth2accesstoken --password-stdin https://us-docker.pkg.dev
+
+      - name: Pull or build test image
         run: |
-          docker load --input ${{ inputs.output_directory }}/test-app.tar
+          echo "Pulling test image from registry"
+          make ${{ inputs.make_target_prefix }}pull.test-app-temp
+
       - name: Install docker compose
         run: |
           sudo curl -SL https://github.com/docker/compose/releases/download/v2.20.0/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose