Build NV-Ingest Runtime Image (arm64) workflow (NVIDIA/NeMo-Retriever)
The Build NV-Ingest Runtime Image (arm64) workflow from NVIDIA/NeMo-Retriever, explained and optimized by Latchkey.
CI health: B - good
Run this on Latchkey for self-healing, caching, and up to 58% lower cost.
Grade your own workflow free or run it on Latchkey →What it does
This is the Build NV-Ingest Runtime Image (arm64) workflow from the NVIDIA/NeMo-Retriever repository, a real project running GitHub Actions. It is shown here with attribution under its Apache-2.0 license.
Below, Latchkey shows a faster, safer version produced by its optimization engine.
The workflow
name: Build NV-Ingest Runtime Image (arm64)
on:
# Manual-only: arm64 builds run in scheduled nightly workflow.
workflow_dispatch:
jobs:
build:
runs-on: linux-large-disk
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Get current date (yyyy.mm.dd)
run: echo "CURRENT_DATE=$(date +'%Y.%m.%d')" >> $GITHUB_ENV
# Set up QEMU emulation for arm64
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
# Set up Docker Buildx, useful for building multi-platform images
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Create HF token file
run: |
mkdir -p ./scripts/private_local
echo "${{ secrets.HF_ACCESS_TOKEN }}" > ./scripts/private_local/hf_token.txt
# Build the Docker image using the Dockerfile
# Github does not allowing access secrets on pull requests. Therefore for this action we use the open source ubuntu
# base image and not the one hosted in nvcr.io
- name: Build Docker image
run: |
SECRET_ARG=""
if [ -s ./scripts/private_local/hf_token.txt ]; then
SECRET_ARG="--secret id=hf_token,src=./scripts/private_local/hf_token.txt"
fi
docker buildx create --use
docker buildx build -f Dockerfile --platform linux/arm64 --load --target service --build-arg GIT_COMMIT=${GITHUB_SHA} --build-arg BASE_IMG=ubuntu --build-arg BASE_IMG_TAG=jammy-20250415.1 --build-arg DOWNLOAD_LLAMA_TOKENIZER=True $SECRET_ARG -t nrl-service:latest .
- name: Cleanup HF token file
if: always()
run: rm -f ./scripts/private_local/hf_token.txt
# Only test a random subset (see --random-selection) because running pytest with QEMU emulation can be very slow.
- name: Run Pytest inside Docker container
run: |
docker run --platform=linux/arm64 nrl-service:latest bash -lc "set -euo pipefail; source /opt/retriever_runtime/bin/activate; uv pip install -e './nemo_retriever[all,dev]' && uv pip install pytest; python -m pytest -rs -m 'not integration' --random-selection 100 nemo_retriever/tests"
- name: Upload test report
uses: actions/upload-artifact@v4
with:
name: pytest-report
path: coverage.xml
The same workflow, on Latchkey
Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.
name: Build NV-Ingest Runtime Image (arm64) on: # Manual-only: arm64 builds run in scheduled nightly workflow. workflow_dispatch: jobs: build: timeout-minutes: 30 runs-on: linux-large-disk steps: - name: Checkout code uses: actions/checkout@v4 - name: Get current date (yyyy.mm.dd) run: echo "CURRENT_DATE=$(date +'%Y.%m.%d')" >> $GITHUB_ENV # Set up QEMU emulation for arm64 - name: Set up QEMU uses: docker/setup-qemu-action@v3 # Set up Docker Buildx, useful for building multi-platform images - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Create HF token file run: | mkdir -p ./scripts/private_local echo "${{ secrets.HF_ACCESS_TOKEN }}" > ./scripts/private_local/hf_token.txt # Build the Docker image using the Dockerfile # Github does not allowing access secrets on pull requests. Therefore for this action we use the open source ubuntu # base image and not the one hosted in nvcr.io - name: Build Docker image run: | SECRET_ARG="" if [ -s ./scripts/private_local/hf_token.txt ]; then SECRET_ARG="--secret id=hf_token,src=./scripts/private_local/hf_token.txt" fi docker buildx create --use docker buildx build -f Dockerfile --platform linux/arm64 --load --target service --build-arg GIT_COMMIT=${GITHUB_SHA} --build-arg BASE_IMG=ubuntu --build-arg BASE_IMG_TAG=jammy-20250415.1 --build-arg DOWNLOAD_LLAMA_TOKENIZER=True $SECRET_ARG -t nrl-service:latest . - name: Cleanup HF token file if: always() run: rm -f ./scripts/private_local/hf_token.txt # Only test a random subset (see --random-selection) because running pytest with QEMU emulation can be very slow. - name: Run Pytest inside Docker container run: | docker run --platform=linux/arm64 nrl-service:latest bash -lc "set -euo pipefail; source /opt/retriever_runtime/bin/activate; uv pip install -e './nemo_retriever[all,dev]' && uv pip install pytest; python -m pytest -rs -m 'not integration' --random-selection 100 nemo_retriever/tests" - name: Upload test report uses: actions/upload-artifact@v4 with: name: pytest-report path: coverage.xml
What changed
- Add a job timeout so a hung step cannot burn hours of runner time.
2 third-party actions are referenced by a movable tag. Pin them to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.
What Latchkey heals here
This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:
- Dependency installs
- Container pulls and builds
This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.