Merge branch 'master' into master

Author: code-killer0

.github/OWNERS

@@ -1,6 +1,8 @@
 approvers:
   - hbelmiro
   - mprahl
+  - nsingla
 reviewers:
   - droctothorpe
   - gmfrasca
+  - nsingla

.github/actions/check-artifact-exists/action.yml

@@ -1,2 +1,2 @@
 kubernetes==30.1.0
-urllib3==2.5.0
+urllib3==2.6.3

.github/actions/check-artifact-exists/check_artifact.py

@@ -9,28 +9,24 @@ jobs:
   check_ci_status:
     runs-on: ubuntu-latest
     permissions:
-      checks: read  
-      pull-requests: write        
+      checks: read
     steps:
       - name: Check out the repository
         uses: actions/checkout@v5
 
       - name: Check for 'needs-ok-to-test' and 'ok-to-test' labels
         id: label_check
-        run: |          
-          LABELS=$(gh pr view ${{ github.event.pull_request.number }} --json labels --jq '.labels[].name')          
-          if echo "$LABELS" | grep -q 'needs-ok-to-test'; then
+        run: |
+          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'needs-ok-to-test') }}" == "true" ]]; then
             echo "Label 'needs-ok-to-test' found. Skipping the workflow."
             exit 0
-          fi                    
-          if echo "$LABELS" | grep -q 'ok-to-test'; then
+          fi
+          if [[ "${{ contains(github.event.pull_request.labels.*.name, 'ok-to-test') }}" == "true" ]]; then
             echo "Label 'ok-to-test' found. Continuing the workflow."
           else
             echo "Label 'ok-to-test' not found. Skipping the workflow."
             exit 0
           fi
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Check if all CI checks passed
         uses: wechuli/allcheckspassed@0b68b3b7d92e595bcbdea0c860d05605720cf479

.github/resources/scripts/kfp-readiness/requirements.txt

@@ -23,25 +23,25 @@ jobs:
     steps:
       - name: Check if author is a Kubeflow GitHub member
         id: membership-check
-        uses: actions/github-script@v8
-        with:
-          script: |
-            const username = context.payload.pull_request.user.login;
-            const org = context.repo.owner;
-            try {
-              const res = await github.rest.orgs.checkMembershipForUser({
-                org,
-                username
-              });
-              core.setOutput("is_member", true);
-            } catch (error) {
-              if (error.status === 404) {
-                // User is not a member
-                core.setOutput("is_member", false);
-              } else {
-                throw error;
-              }
-            }
+        env:
+          AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          echo "::group::PR Information"
+          echo "PR Number: #$PR_NUMBER"
+          echo "PR Author: $PR_AUTHOR"
+          echo "Author Association: $AUTHOR_ASSOCIATION"
+          echo "::endgroup::"
+          
+          # MEMBER = org member, OWNER = org owner, COLLABORATOR = invited collaborator
+          if [[ "$AUTHOR_ASSOCIATION" == "MEMBER" || "$AUTHOR_ASSOCIATION" == "OWNER" || "$AUTHOR_ASSOCIATION" == "COLLABORATOR" ]]; then
+            echo "::notice::Author '$PR_AUTHOR' is a trusted contributor (association: $AUTHOR_ASSOCIATION). Auto-approving workflow runs."
+            echo "is_member=true" >> $GITHUB_OUTPUT
+          else
+            echo "::notice::Author '$PR_AUTHOR' is not a trusted contributor (association: $AUTHOR_ASSOCIATION). Checking for 'ok-to-test' label."
+            echo "is_member=false" >> $GITHUB_OUTPUT
+          fi
 
       - name: Approve Pending Workflow Runs
         if: steps.membership-check.outputs.is_member == 'true' || contains(github.event.pull_request.labels.*.name, 'ok-to-test')

.github/workflows/ci-checks.yml

@@ -82,17 +82,19 @@ jobs:
             echo "registry=${{ env.REGISTRY }}"
           } >> "$GITHUB_OUTPUT"
 
-      # Check if the image tarball already exists or not, if yes, then skip building the image
-      - name: Check artifact exists
-        uses: ./.github/actions/check-artifact-exists
+      # Check if the image was already built for this SHA using cache
+      - name: Check if already built
+        id: cache-check
         if: ${{ github.ref_name != github.event.repository.default_branch }}
+        uses: actions/cache@v5
         with:
-          artifact_name: ${{ env.ARTIFACT_NAME }}
-        id: artifact-check
+          path: .build-marker-${{ matrix.image }}
+          key: image-built-${{ matrix.image }}-${{ github.sha }}
+          lookup-only: true
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-        if: ${{ steps.artifact-check.outputs.exists == 'false' || github.ref_name == github.event.repository.default_branch }}
+        if: ${{ steps.cache-check.outputs.cache-hit != 'true' || github.ref_name == github.event.repository.default_branch }}
         id: setup-buildx
 
       - name: Build and save Docker image
@@ -125,4 +127,15 @@ jobs:
           path: ${{ env.ARTIFACTS_PATH }}/${{ env.ARTIFACT_NAME }}.tar
           retention-days: 1
         # Continue the workflow even if the upload failed, because upload can fail if other jobs were able to upload artifact first before the current one
-        continue-on-error: true
+        continue-on-error: true
+
+      - name: Create build marker
+        if: ${{ steps.save-image.outcome == 'success' || steps.rebuild.outcome == 'success' }}
+        run: echo "built" > .build-marker-${{ matrix.image }}
+
+      - name: Save build marker to cache
+        if: ${{ steps.save-image.outcome == 'success' || steps.rebuild.outcome == 'success' }}
+        uses: actions/cache/save@v5
+        with:
+          path: .build-marker-${{ matrix.image }}
+          key: image-built-${{ matrix.image }}-${{ github.sha }}

.github/workflows/gh-workflow-approve.yml

@@ -25,18 +25,18 @@ grpcio==1.74.0
 idna==3.10
     # via requests
 kubernetes==31.0.0
-    # via -r requirements.in
+    # via -r metadata_writer/requirements.in
 lru-dict==1.3.0
-    # via -r requirements.in
+    # via -r metadata_writer/requirements.in
 ml-metadata==1.17.0
-    # via -r requirements.in
+    # via -r metadata_writer/requirements.in
 oauthlib==3.3.1
     # via
     #   kubernetes
     #   requests-oauthlib
 protobuf==4.25.8
     # via ml-metadata
-pyasn1==0.6.1
+pyasn1==0.6.2
     # via
     #   pyasn1-modules
     #   rsa
@@ -46,7 +46,7 @@ python-dateutil==2.9.0.post0
     # via kubernetes
 pyyaml==6.0.2
     # via
-    #   -r requirements.in
+    #   -r metadata_writer/requirements.in
     #   kubernetes
 requests==2.32.5
     # via
@@ -61,7 +61,7 @@ six==1.17.0
     #   kubernetes
     #   ml-metadata
     #   python-dateutil
-urllib3==2.6.0
+urllib3==2.6.3
     # via
     #   kubernetes
     #   requests

.github/workflows/image-builds-with-cache.yml

@@ -48,7 +48,7 @@ googleapis-common-protos==1.70.0
 idna==3.10
     # via requests
 kfp==2.14.3
-    # via -r -
+    # via -r requirements.in
 kfp-pipeline-spec==2.14.0
     # via kfp
 kfp-server-api==2.14.3
@@ -102,7 +102,7 @@ six==1.17.0
     #   python-dateutil
 tabulate==0.9.0
     # via kfp
-urllib3==2.5.0
+urllib3==2.6.3
     # via
     #   kfp
     #   kfp-server-api