Add CI action for uploading Docker image for wheels

[JCGoran]

The images on https://hub.docker.com/r/neuronsimulator/neuron_wheel/tags are a bit inconsistent; we should use one tag for all platforms (since Docker picks the right one based on the architecture when pulling, no need to have separate tags). They are also a bit of a pain to update: someone (with push permissions!) needs to build the image on their own machine, for both x86_64 and aarch64, tag them correctly, and then upload them to DockerHub. This whole process is a bit error-prone and can take a while.

This CI introduces a manual action that can be run (ran?) to automatically build the neuronsimulator/neuron_wheel image for both x86 and aarch64, and optionally pushes it to DockerHub (by setting upload to true).

Note that DOCKERHUB_USERNAME needs to be set as an env variable for this repo, and DOCKERHUB_TOKEN needs to be set as an env secret for pushing to work.

Once this is merged, and this action is ran at least once, I can make another PR which introduces the necessary changes to use a unified neuronsimulator/neuron_wheel:latest image everywhere.

EDIT: after spending some time fiddling with it, docker buildx is a bit cumbersome to use locally, so in the interest of simplicity, the tags should be x86_64 and aarch64 (to match the outputs of uname -m).

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.08%. Comparing base (ca6e145) to head (352dd48).
Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #3268   +/-   ##
=======================================
  Coverage   67.08%   67.08%           
=======================================
  Files         571      571           
  Lines      111039   111039           
=======================================
  Hits        74485    74485           
  Misses      36554    36554           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[azure-pipelines]

✔️ 0e6433d -> Azure artifacts URL

[azure-pipelines]

✔️ 1904ec2 -> Azure artifacts URL

[azure-pipelines]

✔️ dcc62f8 -> Azure artifacts URL

[azure-pipelines]

✔️ 0e3c6a7 -> Azure artifacts URL

[azure-pipelines]

✔️ de6cb90 -> Azure artifacts URL

[JCGoran]

It turns out that the action is very slow to build the aarch64 image since it's using emulation instead of a native runner, so I for now it's easier and faster to just build things locally, and push to dockerhub/GHCR. Native Linux arm runners are on the way, but only in early 2025, so I'll leave this unmerged for now.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[azure-pipelines]

✔️ c5429d6 -> Azure artifacts URL

[bbpbuildbot]

Logfiles from GitLab pipeline #240184 (:no_entry:) have been uploaded here!

Status and direct links:

• ✅ mac_m1_cmake_build: [cmake, ON, OFF, OFF, address]
• ✅ spack_setup
• ✅ build:nmodl
• ✅ build:neuron:nmodl:intel:legacy
• ✅ build:neuron:nmodl:intel:shared
• ✅ build:neuron:nmodl:nvhpc:acc:legacy
• ✅ build:neuron:nmodl:nvhpc:acc:shared
• ✅ build:neuron:nmodl:nvhpc:omp:legacy
• ✅ build:neuron:nmodl:nvhpc:omp
• ✅ test:neuron:nmodl:intel:legacy
• ✅ test:neuron:nmodl:intel:shared
• ⛔ test:neuron:nmodl:nvhpc:acc:legacy
• ⛔ test:neuron:nmodl:nvhpc:acc:shared
• ⛔ test:neuron:nmodl:nvhpc:omp:legacy
• ⛔ test:neuron:nmodl:nvhpc:omp

[JCGoran]

An update on this: GitHub released ARM runners recently 🎉 https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
I tried building the base image with those, and it turns out they are actually faster to build than the x86_64 one (12 minutes vs. 17 minutes, see for instance https://github.com/neuronsimulator/nrn/actions/runs/12870048372)!

Note that, with this recent update, we could in principle move all of our CI infrastructure to GitHub (if this is desired).

[azure-pipelines]

✔️ 7d5e83a -> Azure artifacts URL

[JCGoran]

TODO: need to specify auth token.

[JCGoran]

In light of #3306, the new images have the tag manylinux_2_28, so maybe this needs some rethinking.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[azure-pipelines]

✔️ 352dd48 -> Azure artifacts URL

[JCGoran]

The way this would ideally work is as follows:

• user changes packaging/python/Dockerfile (or some other fixed path that requires building containers)
• upon opening a PR, a CI job is launched that builds a container with a temporary tag (for instance, with the PR number), and uploads it to ghcr.io
• if the container builds successfully, the job responsible for building NEURON wheels on Linux (or any other job requiring containers) is launched
• once the PR is merged, the CI job that built the container is re-launched, but this time, it tags it with whatever is the "official" tag (currently, those are manylinux_2_28_x86_64 and manylinux_2_28_aarch64), and pushes it to docker.io. Optionally, the temporary-tagged container is deleted to save space
• once the above is done, the job in charge of building wheels (or other jobs requiring containers) is launched

Unfortunately, all of this is rather complex to set-up (also has security implications due to DockerHub not allowing auth tokens for orgs, and scoped ones at that), and having the split between Azure and GitHub Actions is not helping, so I'm kind of leaving this in the "nice idea, but complex implementation" bucket.