Overview¶
Speed up your build by hosting CI Runners inside your existing EngFlow cluster and benefit from efficiency gains from co-location, warm Bazel instances, and warm Bazel caches.
CI Runners availability
CI Runners are not yet available to the public. Contact us to know when this feature becomes available.
CI Runners work equally well with
- GitHub Actions (with a GitHub App)
- Buildkite
- And more coming soon!
CI Runners can be registered both at an organization and repository level, but they require a different pool separate from the other remote execution pools.
Configure GitHub Action CI Runners with a GitHub App¶
To configure GitHub Action CI Runners you'll need to be a GitHub organization admin.
- Create a GitHub App in your organization with permission to register GitHub Self-hosted runners in the organization.
- Create a Private Key for the GitHub App.
-
Create a .json file containing both the App ID and the Private Key, using the format.
-
Upload that .json file to the Secrets Manager running in your EngFlow cluster. Note the address of the secret.
-
Contact EngFlow support to configure the cluster for CI Runners. We will:
- Adding one or more pools for the CI Runners (one for each combination of architecture and OS).
- Providing the address for the GitHub App credential stored in Secrets Manager.
- (optional) Enabling sysbox docker runtime for docker-in-docker.
Configure GitHub Webhooks¶
- Contact EngFlow support to enable webhooks on the cluster for GitHub actions. EngFlow support will provide you with a confidential UUID for the GitHub webhook.
-
Configure the GitHub webhook, in
https://github.com/<organization>/
Settings Webhooks Add webhook, with the following settings:-
Payload URL:
https://<name>.cluster.engflow.com/webhooks/github/runners/<uuid>
(provided by EngFlow) -
Content type:
application/json
-
Secret:
none
(we use a secret embedded in the webhook URL) -
Select "Let me select individual events" and make sure that the only selected event type is "Workflow Jobs".
-
Use GitHub Action CI Runners¶
Once you've configured the GitHub Action CI Runners, add them to any workflow by adding the following tags to the workflow YAML, including at least one that starts with engflow-*
:
self-hosted
arch=x64
(x64 or arm64)engflow-container-image=docker://<docker URL>
engflow-pool=<pool name>
engflow-runtime=sysbox-runc
(only if Docker-in-Docker is needed)engflow-runner-id=${{ github.repository_id }}_<job-name>_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }}
os=linux
(the arch and os must match the pool configuration)
The engflow-runner-id
tag is mandatory -- it is an attempt to uniquely identify the job for EngFlow's CI Runners orchestration. Unfortunately, the <job-name>
identifier needs to be entered manually (the ${{ github.job }}
context field is not populated until the job is run, so we couldn't use that). It can be any string as long as it is unique within the current workflow -- but we recommend setting it to the actual job name for readability, e.g. build-release-images
.
Important
If the job has a matrix
strategy, meaning it is actually a set of jobs, the runs-on
labels need to include all the dimensions in the matrix
as well, e.g. foo=${{ matrix.foo }}
needs to be copied into the runs-on
labels for every matrix dimension foo
. This is so that the overall label-set values identify the job uniquely, which is required for EngFlow to correctly follow up on the job status.
If you were previously running the action outside a Docker container, and if you are relying on secrets present on the action runner machines, you may have to make changes to the GitHub action. Below an example of a GitHub Action workflow running on CI Runners:
Requirements on images for CI Runners
The GitHub agent must be able to run on the container image that you provide. For your convenience, we have example Debian 12 base images at ghcr.io/engflow/debian12-amd64 and ghcr.io/engflow/debian12-arm64.
Configure Buildkite CI Runners¶
Buildkite CI Runners are referred to as Buildkite agents in the Buildkite documentation. EngFlow Buildkite agents are registered at the organization level, and are available to every pipeline within that organization.
You'll need a Buildkite token to register the agents.
- Create the Buildkite agent token.
-
Upload a JSON secrets file containing the Buildkite agent token and an SSH private key for the source repo to the Secrets Manager in your EngFlow cluster:
JSON The SSH key is written to
~/.ssh/id_rsa
. Other variables are written tohooks/environment
. -
IMPORTANT, unset the secrets before running Bazel so they are not uploaded to the BES.
-
Contact EngFlow support to configure the cluster for CI Runners. We will:
- Adding one or more pools for the CI Runners (one for each combination of architecture and OS).
- Providing the address for the GitHub App credential stored in Secrets Manager.
- Providing a confidential UUID for the Buildkite webhook.
-
Configure Buildkite Webhooks in Organization Settings Notification Settings Add Webhook, with the following settings:
-
Webhook URL:
https://<name>.cluster.engflow.com/webhooks/buildkite/agents/<uuid>
(provided by EngFlow) -
Make sure that the only selected event type is "ping" and "job.scheduled".
-
-
To avoid Bazel creating a new directory for every build, set
BUILDKITE_BUILD_CHECKOUT_PATH
to a fixed path:INI -
To speed up Git checkout, set
BUILDKITE_GIT_MIRRORS_PATH
to a fixed path:INI
Use Buildkite CI Runners¶
Once you've configured the Buildkite CI Runners, add them to any workflow.
In your Buildkite Pipeline configuration, add the following tags:
arch: "amd64"
(amd64 or arm64)engflow-container-image: "docker://<docker URL>"
engflow-pool: "<pool name>"
engflow-runtime: "sysbox-runc"
(only if needed)os: "linux"
(arch and os are currently not inferred from the pool name)