Update verify-devcontainers workflow to match CCCL.

This prevents us from spawning a ton of jobs unless the devcontainers actually change.

.github/workflows/pr.yml

@@ -42,9 +42,19 @@ jobs:
       DEVCONTAINER_VERSION: ${{steps.set-outputs.outputs.DEVCONTAINER_VERSION}}
       PER_CUDA_COMPILER_MATRIX: ${{steps.set-outputs.outputs.PER_CUDA_COMPILER_MATRIX}}
       PER_CUDA_COMPILER_KEYS: ${{steps.set-outputs.outputs.PER_CUDA_COMPILER_KEYS}}
+      base_sha: ${{ steps.export-pr-info.outputs.base_sha }}
+      pr_number: ${{ steps.export-pr-info.outputs.pr_number }}
     steps:
       - name: Checkout repo
         uses: actions/checkout@v4
+      - name: Lookup PR info
+        id: get-pr-info
+        uses: nv-gha-runners/get-pr-info@main
+      - name: Export PR info
+        id: export-pr-info
+        run: |
+          echo "base_sha=${{ fromJSON(steps.get-pr-info.outputs.pr-info).base.sha }}" | tee -a "${GITHUB_OUTPUT}"
+          echo "pr_number=${{ fromJSON(steps.get-pr-info.outputs.pr-info).number }}" | tee -a "${GITHUB_OUTPUT}"
       - name: Compute matrix outputs
         id: set-outputs
         run: |
@@ -69,10 +79,13 @@ jobs:
   verify-devcontainers:
     name: Verify Dev Containers
     if: ${{ !contains(github.event.head_commit.message, '[skip-vdc]') }}
+    needs: compute-matrix
     permissions:
       id-token: write
       contents: read
     uses: ./.github/workflows/verify-devcontainers.yml
+    with:
+      base_sha: ${{ needs.compute-matrix.outputs.base_sha }}
 
   # This job is the final job that runs after all other jobs and is used for branch protection status checks.
   # See: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks
@@ -90,6 +103,5 @@ jobs:
           ${{
                contains(needs.*.result, 'failure')
             || contains(needs.*.result, 'cancelled')
-            || contains(needs.*.result, 'skipped')
           }}
         run: exit 1

.github/workflows/verify-devcontainers.yml

@@ -2,6 +2,12 @@ name: Verify devcontainers
 
 on:
   workflow_call:
+    inputs:
+      base_sha:
+        type: string
+        description: 'For PRs, set the base SHA to conditionally run this workflow only when relevant files are modified.'
+        required: false
+
 
 defaults:
   run:
@@ -11,12 +17,17 @@ permissions:
   contents: read
 
 jobs:
-  verify-make-devcontainers:
+  get-devcontainer-list:
     name: Verify devcontainer files are up-to-date
+    outputs:
+      skip: ${{ steps.inspect-changes.outputs.skip }}
+      devcontainers: ${{ steps.get-list.outputs.devcontainers }}
     runs-on: ubuntu-latest
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Setup jq and yq
       run: |
         sudo apt-get update
@@ -25,7 +36,7 @@ jobs:
         sudo chmod +x /usr/local/bin/yq
     - name: Run the script to generate devcontainer files
       run: |
-        ./.devcontainer/make_devcontainers.sh --verbose
+        ./.devcontainer/make_devcontainers.sh --verbose --clean
     - name: Check for changes
       run: |
         if [[ $(git diff --stat) != '' || $(git status --porcelain | grep '^??') != '' ]]; then
@@ -36,17 +47,45 @@ jobs:
         else
           echo "::note::Dev Container files are up-to-date."
         fi
+    - name: Inspect changes
+      if: ${{ inputs.base_sha != '' }}
+      id: inspect-changes
+      env:
+        BASE_SHA: ${{ inputs.base_sha }}
+      run: |
+        echo "Fetch history and determine merge base..."
+        git fetch origin --unshallow -q
+        git fetch origin $BASE_SHA -q
+        merge_base_sha=$(git merge-base $GITHUB_SHA $BASE_SHA)
 
-  get-devcontainer-list:
-    needs: verify-make-devcontainers
-    name: Get list of devcontainer.json files
-    runs-on: ubuntu-latest
-    outputs:
-      devcontainers: ${{ steps.get-list.outputs.devcontainers }}
-    steps:
-    - name: Check out the code
-      uses: actions/checkout@v4
+        echo "Head SHA: $GITHUB_SHA"
+        echo "PR Base SHA: $BASE_SHA"
+        echo "Merge Base SHA: $merge_base_sha"
+
+        echo "Checking for changes to devcontainer/matrix files..."
+
+        all_dirty_files=$(git diff --name-only "${merge_base_sha}" "${GITHUB_SHA}")
+        echo "::group::All dirty files"
+        echo "${all_dirty_files}"
+        echo "::endgroup::"
+
+        file_regex="^(.devcontainer|ci/matrix.yaml|.github/actions/workflow-build/build-workflow.py)"
+        echo "Regex: ${file_regex}"
+
+        relevant_dirty_files=$(echo "${all_dirty_files}" | grep -E "${file_regex}" || true)
+        echo "::group::Relevant dirty files"
+        echo "${relevant_dirty_files}"
+        echo "::endgroup::"
+
+        if [[ -z "${relevant_dirty_files}" ]]; then
+          echo "No relevant changes detected. Skipping devcontainer testing."
+          echo "skip=true" >> $GITHUB_OUTPUT
+        else
+          echo "Detected relevant changes. Continuing."
+          echo "skip=false" >> $GITHUB_OUTPUT
+        fi
     - name: Get list of devcontainer.json paths and names
+      if: ${{ steps.inspect-changes.outputs.skip != 'true' }}
       id: get-list
       run: |
         devcontainers=$(find .devcontainer/ -name 'devcontainer.json' | while read -r devcontainer; do
@@ -55,9 +94,10 @@ jobs:
         echo "devcontainers=${devcontainers}" | tee --append "${GITHUB_OUTPUT}"
 
   verify-devcontainers:
-    needs: get-devcontainer-list
     name: ${{matrix.devcontainer.name}}
-    runs-on: ubuntu-latest
+    needs: get-devcontainer-list
+    if: ${{ needs.get-devcontainer-list.outputs.skip != 'true' }}
+    runs-on: linux-amd64-cpu4
     strategy:
       fail-fast: false
       matrix:
@@ -68,10 +108,34 @@ jobs:
     steps:
     - name: Check out the code
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+
+    - name: Install dependencies
+      run: |
+        # Add PPA for nodejs, devcontainer CLI requires a newer version:
+        curl -fsSL https://deb.nodesource.com/setup_20.x -o /tmp/nodesource_setup.sh
+        sudo bash /tmp/nodesource_setup.sh
+        sudo apt-get update
+        sudo apt-get install -y nodejs
+        sudo npm install -g @devcontainers/cli
+
       # We don't really need sccache configured, but we need the AWS credentials envvars to be set
       # in order to avoid the devcontainer hanging waiting for GitHub authentication
-    - name: Configure credentials and environment variables for sccache
-      uses: ./.github/actions/configure_cccl_sccache
+    - name: Get AWS credentials for sccache bucket
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: arn:aws:iam::279114543810:role/gha-oidc-NVIDIA
+        aws-region: us-east-2
+        role-duration-seconds: 43200 # 12 hours
+    - name: Set environment variables
+      run: |
+        echo "SCCACHE_BUCKET=rapids-sccache-devs" >> $GITHUB_ENV
+        echo "SCCACHE_REGION=us-east-2" >> $GITHUB_ENV
+        echo "SCCACHE_IDLE_TIMEOUT=32768" >> $GITHUB_ENV
+        echo "SCCACHE_S3_USE_SSL=true" >> $GITHUB_ENV
+        echo "SCCACHE_S3_NO_CREDENTIALS=false" >> $GITHUB_ENV
+
     - name: Run in devcontainer
       uses: devcontainers/ci@v0.3
       with: