refactor(build): consolidate sccache AWS credential handling #8323
dmitry-tokarev-nv wants to merge 2 commits into
Switch the wheel_builder BuildKit secret mounts from two per-variable env= mounts to a single shared-credentials-file mount, and point the AWS SDK default provider chain at it via AWS_SHARED_CREDENTIALS_FILE. Lets sccache's aws-sdk-rust resolve credentials transparently without each RUN plumbing them through the Dockerfile environment. CI composes the credentials file once from the existing Actions secrets and emits a single --secret id=aws-credentials,src=... to buildx. An EXIT trap removes the host tempfile.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Dmitry Tokarev <dtokarev@nvidia.com>
Walkthrough
AWS credential handling is refactored to use a single BuildKit-mounted credentials file instead of separate environment variable secrets. The GitHub Action creates a temporary credentials file (with restricted permissions) and manages its lifecycle with a trap handler. The Dockerfile template is updated across all build stages to mount this single credentials file and configure the AWS SDK to read from it.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ Passed checks (3 passed)
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/actions/docker-remote-build/action.yml (1)
173-186: Set the EXIT trap before creating the tempfile to close the cleanup gap.
Today the tempfile is created at line 175 and the cleanup trap is only installed at line 186. If the script is interrupted (e.g. SIGTERM during heredoc write or by a failing chmod/cat), the credentials file is left behind on the runner. Installing the trap first — guarded on AWS_CREDENTIALS_FILE being non-empty — closes that window without changing behavior on the happy path.
♻️ Proposed reorder
set +x SECRET_ARGS="" AWS_CREDENTIALS_FILE="" + # Ensure the credentials tempfile is removed even if buildx (or this step) fails. + trap '[ -n "${AWS_CREDENTIALS_FILE:-}" ] && [ -f "${AWS_CREDENTIALS_FILE}" ] && rm -f "${AWS_CREDENTIALS_FILE}"' EXIT if [ "${{ inputs.use_sccache }}" == "true" ] && [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then AWS_CREDENTIALS_FILE="$(mktemp)" chmod 600 "$AWS_CREDENTIALS_FILE" cat > "$AWS_CREDENTIALS_FILE" <<EOF [default] aws_access_key_id=${AWS_ACCESS_KEY_ID} aws_secret_access_key=${AWS_SECRET_ACCESS_KEY} EOF SECRET_ARGS+=" --secret id=aws-credentials,src=${AWS_CREDENTIALS_FILE}" fi set -x - # Ensure the credentials tempfile is removed even if buildx fails. - trap '[ -n "${AWS_CREDENTIALS_FILE:-}" ] && [ -f "${AWS_CREDENTIALS_FILE}" ] && rm -f "${AWS_CREDENTIALS_FILE}"' EXIT🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/actions/docker-remote-build/action.yml around lines 173 - 186, The cleanup trap is installed after creating the tempfile, leaving a window where an interruption can leak credentials; move the trap installation so it runs immediately before creating AWS_CREDENTIALS_FILE (i.e., place the trap that checks AWS_CREDENTIALS_FILE and removes the file on EXIT before the mktemp/cat/heredoc sequence), keep the same guard logic ([ -n "${AWS_CREDENTIALS_FILE:-}" ] && [ -f "${AWS_CREDENTIALS_FILE}" ] && rm -f "${AWS_CREDENTIALS_FILE}") and leave the rest of the logic that sets AWS_CREDENTIALS_FILE via mktemp, chmod, the heredoc and appending to SECRET_ARGS unchanged.
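Review bot: the `if` guard in the reordered block tests only `AWS_ACCESS_KEY_ID`, yet the heredoc also expands `${AWS_SECRET_ACCESS_KEY}`, so a run with only the key ID set would write a credentials file with an empty secret and still hand it to buildx through `--secret id=aws-credentials,src=...`. Add `&& [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]` to the condition so the file is created only when both values are present. The trap string is single-quoted, so `AWS_CREDENTIALS_FILE` is read when the trap fires and not when it is installed; that is what makes installing it before `mktemp` safe, and a short comment saying so would help the next reader.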
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/actions/docker-remote-build/action.yml:
- Around line 174-183: The credentials block only checks AWS_ACCESS_KEY_ID and
uses an unquoted heredoc, which can create a partial creds file or corrupt
values; update the if-condition to require both AWS_ACCESS_KEY_ID and
AWS_SECRET_ACCESS_KEY (e.g., test -n "${AWS_ACCESS_KEY_ID:-}" && -n
"${AWS_SECRET_ACCESS_KEY:-}"), and make the heredoc quoted (use <<'EOF') when
writing AWS_CREDENTIALS_FILE so shell metacharacters in the secret are not
expanded before appending to SECRET_ARGS; ensure references to
AWS_CREDENTIALS_FILE, SECRET_ARGS, mktemp, and the heredoc are preserved.
📒 Files selected for processing (2)
.github/actions/docker-remote-build/action.yml
container/templates/wheel_builder.Dockerfile
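The credentials-file step discussed in the review above, as an added example that is not code from this PR or from the project: the cleanup trap is installed before `mktemp`, both key variables are required, and `printf '%s'` writes the values. The function names (`write_aws_credentials`, `cleanup_aws_credentials`, `aws_secret_spec`) are hypothetical.

```sh
#!/bin/sh
# Added example, not the PR's code. Function names are hypothetical.

AWS_CREDENTIALS_FILE=""

# Remove the tempfile if one exists; a no-op when nothing was created.
cleanup_aws_credentials() {
  if [ -n "${AWS_CREDENTIALS_FILE:-}" ] && [ -f "${AWS_CREDENTIALS_FILE}" ]; then
    rm -f "${AWS_CREDENTIALS_FILE}"
  fi
  AWS_CREDENTIALS_FILE=""
}

# Installed before any file is created, so there is no unprotected window.
trap cleanup_aws_credentials EXIT

# Create the shared-credentials file and record its path in AWS_CREDENTIALS_FILE.
# Returns non-zero, creating nothing, unless both variables are non-empty.
write_aws_credentials() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] || return 1
  [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] || return 1
  AWS_CREDENTIALS_FILE="$(mktemp)" || return 1
  chmod 600 "$AWS_CREDENTIALS_FILE"
  # %s copies each value byte for byte; nothing in the secret is re-interpreted.
  printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
    "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" > "$AWS_CREDENTIALS_FILE"
}

# Value for buildx's --secret flag; pass it as one quoted argument:
#   docker buildx build --secret "$(aws_secret_spec)" ...
aws_secret_spec() {
  [ -n "${AWS_CREDENTIALS_FILE:-}" ] || return 1
  printf 'id=aws-credentials,src=%s\n' "$AWS_CREDENTIALS_FILE"
}
```

Passing the `--secret` value as a single quoted argument avoids relying on word splitting of an accumulated argument string.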
Replace the stage-level AWS_SHARED_CREDENTIALS_FILE ENV with per-RUN inline exports so the path is only set in RUN blocks that actually mount the credentials file. Keeps env scope tight to the BuildKit secret lifetime and avoids a dangling ENV pointer in RUNs that do not request the mount.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Dmitry Tokarev <dtokarev@nvidia.com>
closing in favor of #8324
Summary
- wheel_builder.Dockerfile into a single shared-credentials-file mount.
- AWS_SHARED_CREDENTIALS_FILE so sccache resolves credentials transparently.
- --secret id=aws-credentials,src=... to buildx.
Test plan
🤖 Generated with Claude Code