Updates CI workflow to run on self-hosted runner (#7040)

arcra · web-flow · commit b8afeb7d46ca · 2025-12-18T18:03:38.000-08:00
## Motivation for features / changes
The standard runners provided by GitHub started running out of space, so
we set up self-hosted runners.

By internal policy, these runners cannot publish artifacts, e.g. to
PyPI, so the nightly workflows will need to be update to be produced by
separate infra, but at least this unblocks CI runs for PRs and such.

This change also removes the BUILD cache that was not actually used
before due to misconfiguration issue. To reduce maintenance burden
related to internal security policy and processes, the storage bucket
that was used for this purpose had public access removed, so we're
simply not using this anymore either way.

Note that this PR accomplishes the objective, which is to start running CI workflows in a self-hosted runner. However, tests seem to be failing in the new environment, and thus the CI workflow itself is failing.

I will proceed to merge this change, bypassing the requirement for the CI workflow to be successful, and we should address the test failures in one or more separate PRs.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -32,9 +32,17 @@ env:
   BUILDOZER_SHA256SUM: '3d58a0b6972e4535718cdd6c12778170ea7382de7c75bc3728f5719437ffb84d'
   TENSORFLOW_VERSION: 'tf-nightly'
 
+defaults:
+  run:
+    shell: bash
+
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    # Self-hosted runner since the ones provided by GH were running out of space.
+    # Other workflows are likely ok to use standard GH runners for now.
+    # Googlers, see b/460874304.
+    runs-on: linux-x86-n2-32
+    container: us-docker.pkg.dev/ml-oss-artifacts-published/ml-public-container/ml-build:latest
     needs: lint-python-flake8 # fail fast in case of "undefined variable" errors
     strategy:
       fail-fast: false
@@ -53,26 +61,6 @@ jobs:
           sudo mv ~/bazel /usr/local/bin/bazel
           sudo chmod +x /usr/local/bin/bazel
           cp ./ci/bazelrc ~/.bazelrc
-      - name: 'Configure build cache write credentials'
-        env:
-          CREDS: ${{ secrets.BAZEL_CACHE_SERVICE_ACCOUNT_CREDS }}
-          EVENT_TYPE: ${{ github.event_name }}
-        run: |
-          if [ -z "${CREDS}" ]; then
-            printf 'Using read-only cache (no credentials)\n'
-            exit
-          fi
-          if [ "${EVENT_TYPE}" = pull_request ]; then
-            printf 'Using read-only cache (PR build)\n'
-            exit
-          fi
-          printf 'Using writable cache\n'
-          creds_file=/tmp/service_account_creds.json
-          printf '%s\n' "${CREDS}" >"${creds_file}"
-          printf '%s\n' >>~/.bazelrc \
-            "common --google_credentials=${creds_file}" \
-            "common --remote_upload_local_results=true" \
-            ;
       - name: 'Install TensorFlow'
         run: |
           python -m pip install -U pip
