fix(ci): make buildkitd-config opt-in for setup-buildx (#970)

#966 hard-coded `buildkitd-config: /etc/buildkit/buildkitd.toml` inside
the `driver: local` branch of the setup-buildx composite action. The only
caller using that driver is shadow-docker-build.yml, which runs inside
the ghcr.io/nvidia/openshell/ci:latest container — so the host-side
buildkitd.toml was invisible to docker/setup-buildx-action and every
matrix job failed at "Set up buildx".

Revert the hard-coded path and expose it as an opt-in input on the
action (empty default, passed through to both the remote and local
branches). Wire shadow-docker-build.yml to bind-mount /etc/buildkit
into the ci container and pass the path explicitly, so the action can
read the file from inside the container. Remote-driver callers are
unaffected (empty input is a no-op).

Signed-off-by: Jonas Toelke <jtoelke@nvidia.com>

Author: jtoelke2

.github/actions/setup-buildx/action.yml

@@ -21,6 +21,15 @@ inputs:
   name:
     description: Builder instance name
     default: openshell
+  buildkitd-config:
+    description: >
+      Path to a buildkitd.toml to configure the builder with (e.g. the
+      nv-gha-runners Docker Hub mirror at /etc/buildkit/buildkitd.toml).
+      Must be readable *from where this action runs* — in a containerized
+      job that means the caller must bind-mount the host path into the job
+      container (e.g. `volumes: [/etc/buildkit:/etc/buildkit:ro]`). Empty
+      disables the config (default).
+    default: ""
 
 runs:
   using: composite
@@ -36,6 +45,7 @@ runs:
         append: |
           - endpoint: ${{ inputs.arm64-endpoint }}
             platforms: linux/arm64
+        buildkitd-config: ${{ inputs.buildkitd-config }}
 
     - name: Set up Docker Buildx (local)
       if: inputs.driver == 'local'
@@ -44,8 +54,4 @@ runs:
         name: ${{ inputs.name }}
         driver: docker-container
         platforms: linux/amd64,linux/arm64
-        # Use the nv-gha-runners Docker Hub mirror to avoid unauthenticated
-        # pull rate limits on shared runners. The TOML is pre-populated on
-        # every nv-gha-runner. Per:
-        # https://docs.gha-runners.nvidia.com/platform/best-practices/#use-docker-cache-for-buildkit
-        buildkitd-config: /etc/buildkit/buildkitd.toml
+        buildkitd-config: ${{ inputs.buildkitd-config }}

.github/workflows/shadow-docker-build.yml

@@ -45,6 +45,11 @@ jobs:
       options: --privileged
       volumes:
         - /var/run/docker.sock:/var/run/docker.sock
+        # Expose the nv-gha-runners buildkitd.toml (registry-mirror config)
+        # inside the container so docker/setup-buildx-action can read it.
+        # The file is pre-populated on every nv-gha-runner per:
+        # https://docs.gha-runners.nvidia.com/platform/best-practices/#use-docker-cache-for-buildkit
+        - /etc/buildkit:/etc/buildkit:ro
     timeout-minutes: 45
     steps:
       - uses: actions/checkout@v4
@@ -61,6 +66,10 @@ jobs:
         uses: ./.github/actions/setup-buildx
         with:
           driver: local
+          # Bind-mounted above via container.volumes; without that, the file
+          # is on the host but invisible to the action (which runs inside
+          # the ci:latest container).
+          buildkitd-config: /etc/buildkit/buildkitd.toml
 
       - name: Package Helm chart (cluster only)
         if: matrix.component == 'cluster'