docker: switch to valkey

[emersion]

Recently-ish redis has switched to another license which isn't open-source. An open-source fork named valkey has been established under the Linux Foundation umbrella:
https://www.linuxfoundation.org/press/linux-foundation-launches-open-source-valkey-community

See also this LWN article:
https://lwn.net/Articles/966631/

valkey is a drop-in replacement for redis. Switch to valkey to avoid depending on proprietary software.

(Note, I've only done some basic testing to make sure this works as expected, by playing with the UI a bit.)

[emersion]

Fixed up the commit message prefix.

[emersion]

Hm, seems like there is some kind of permission error:

ERROR: failed to solve: failed to push ghcr.io/openrailassociation/osrd-edge/osrd-front:pr-7515-954eda7a5a979f95f3a0c8714d8b1d63980b2d00-devel: unexpected status from POST request to https://ghcr.io/v2/openrailassociation/osrd-edge/osrd-front/blobs/uploads/: 403 Forbidden

Maybe this only happens for external contributors?

[multun]

Yup, seems like it. I'll have a look

[multun]

The build is pretty darn long, so we're using ghcr to cache build artifacts across commits on development branches.

[emersion]

We could probably either (1) ignore permission errors for PRs or (2) pull & push to the fork's prefix instead of the hardcoded one.

[multun]

We can't really ignore permission errors, as further steps download the built artifacts from the build stage. So yeah either we push artifacts to the fork's registry, or use pull_request_target

[multun]

I'll have a go at making it work for forks

[multun]

@emersion can you rebase and try again?

[emersion]

Thanks! 2e929c8 looks good to me :)

[multun]

ERROR: failed to solve: failed to push ghcr.io/emersion/osrd/osrd-front:pr-7515-dc0dd3dba9f97a4f802d55886dc7c5fd279e70c8-devel: unexpected status from POST request to https://ghcr.io/v2/emersion/osrd/osrd-front/blobs/uploads/: 403 Forbidden :(

[multun]

seems like build artifacts is the only way: https://docs.docker.com/build/ci/github-actions/share-image-jobs/
I'll have a go at it.

[emersion]

That's weird, I can push locally with a write:packages access token:

> podman push --creds=emersion alpine:latest ghcr.io/emersion/osrd/osrd-front:pr-7515-dc0dd3dba9f97a4f802d5588
6dc7c5fd279e70c8-devel
Password: 
Getting image source signatures
Copying blob ef8b9bca8ee8 skipped: already exists  
Copying config 1d34ffeaf1 done   | 
Writing manifest to image destination

Probably GITHUB_TOKEN is generated with permissions in the base repo context?

[emersion]

Yeah, and this circles back to your pull_request_target suggestion above.

[multun]

Yeah, and this circles back to your pull_request_target suggestion above.

Well we can't really do that without giving up the right of anyone messing up with releases. Github's own docs describe this is a bad idea. It would be a lot easier though!

[emersion]

Ah, of course… Got the "target" repository mixed up with the "head"/"base" when reading the docs…

[Khoyo]

I've given you write permissions on the repository, you need to accept them though

(and you should also have an org membership invite)

[emersion]

Thanks! (It would still be super nice to fix CI for external contributors!)

[multun]

Thanks! (It would still be super nice to fix CI for external contributors!)

Yeah leaving it broken isn't really an option, I'll keep working on it

[emersion]

This should be ready now that the CI has been fixed.