ci: add Docker Hub authentication to mitigate pull rate limits #2393

Merged: yongwww merged 3 commits into flashinfer-ai:main from yongwww:docker_rate_limit, Jan 21, 2026

@yongwww yongwww commented Jan 21, 2026

📌 Description

We are running both Jenkins (should be disabled soon though) and the GHA workflow for the public unit tests at this moment, so the docker pull might hit the rate limit of 100 pulls/6hr; for example, this job: https://github.com/flashinfer-ai/flashinfer/actions/runs/21193948826/job/60965961746.

In this PR, we are trying to add docker/login-action to authenticate with Docker Hub before running tests. This increases the pull rate limit from 100 pulls/6hr (anonymous) to 200 pulls/6hr (authenticated), reducing the likelihood of rate limit errors when running concurrent CI jobs.


Summary by CodeRabbit

  • Chores
    • Added Docker Hub login steps to CI workflows for build and GPU test jobs to improve artifact access; steps are configured to continue on error so forks without secrets don't fail.
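
A check a workflow could run to see which limit a job is actually getting (the 100 pulls/6hr anonymous figure from the description, or the higher authenticated one), which matters when the login step is allowed to continue on error. This is an added example, not part of the PR: the function names and sample headers are constructed, and the `ratelimit-limit` / `ratelimit-remaining` header format is the one Docker Hub documents.

```sh
#!/bin/sh
# Added example, not from the PR. Sample headers below are constructed.
# Docker Hub reports pull limits as "<count>;w=<window seconds>", e.g.
#   ratelimit-limit: 100;w=21600   (100 pulls per 6 hours)

# parse_ratelimit NAME: read raw HTTP headers on stdin and print
# "<count> <window_seconds>" for header NAME; exit 1 if absent or malformed.
parse_ratelimit() {
  tr -d '\r' | awk -v want="$1" '
    {
      i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i - 1)) != want) next   # names are case-insensitive
      val = substr($0, i + 1); gsub(/[ \t]/, "", val)
      n = split(val, part, ";"); win = ""
      for (k = 2; k <= n; k++) if (part[k] ~ /^w=/) win = substr(part[k], 3)
      if (part[1] ~ /^[0-9]+$/ && win ~ /^[0-9]+$/ && win + 0 > 0) {
        print part[1], win; ok = 1; exit
      }
    }
    END { if (!ok) exit 1 }'
}

# 100 pulls/6hr is the anonymous figure quoted in the PR description.
ANON_LIMIT_PER_6H=100

# pull_identity HEADERS: print "anonymous N", "authenticated N" or "unknown",
# where N is the limit normalised to a 6-hour (21600 s) window.
pull_identity() {
  parsed=$(printf '%s\n' "$1" | parse_ratelimit ratelimit-limit) || { echo "unknown"; return 0; }
  limit=${parsed% *}; window=${parsed#* }
  per_6h=$(( limit * 21600 / window ))
  if [ "$per_6h" -gt "$ANON_LIMIT_PER_6H" ]; then
    echo "authenticated $per_6h"
  else
    echo "anonymous $per_6h"
  fi
}

# pulls_remaining HEADERS: print the ratelimit-remaining count, or "unknown".
pulls_remaining() {
  parsed=$(printf '%s\n' "$1" | parse_ratelimit ratelimit-remaining) || { echo "unknown"; return 0; }
  echo "${parsed% *}"
}

# Constructed sample responses (what a job would see before and after login).
SAMPLE_ANON='HTTP/1.1 200 OK
ratelimit-limit: 100;w=21600
ratelimit-remaining: 3;w=21600'
SAMPLE_AUTH='HTTP/1.1 200 OK
RateLimit-Limit: 200;w=21600
RateLimit-Remaining: 187;w=21600'
pull_identity "$SAMPLE_ANON"; pull_identity "$SAMPLE_AUTH"
```

A job that prints `anonymous` after the login step has silently fallen back to the unauthenticated limit, for example because the token expired or the secret was not available.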


@gemini-code-assist

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

coderabbitai bot commented Jan 21, 2026

Walkthrough

Adds Docker Hub login steps (docker/login-action@v3) to three jobs in .github/workflows/pr-test.yml, authenticating with username flashinfer and DOCKERHUB_TOKEN (each step uses continue-on-error and is placed before subsequent job steps).

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions workflow: /.github/workflows/pr-test.yml | Inserted docker/login-action@v3 login step into three jobs: AOT Build Import, GPU JIT Tests (A10G), GPU JIT Tests (T4). Each step uses username: "flashinfer", password: ${{ secrets.DOCKERHUB_TOKEN }} and continue-on-error: true, placed before following steps. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • nvmbreughe
  • kahyunnam
  • jimmyzho
  • yzh119

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: adding Docker Hub authentication to CI workflows to address pull rate limit issues. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Fix all issues with AI agents
In @.github/workflows/pr-test.yml:
- Around line 173-178: The "Login to Docker Hub" step using
docker/login-action@v3 should be skipped for external-fork PRs; add an if
condition to the step to only run when the repository owner is the org/user
(e.g., github.repository_owner == 'flashinfer'). Modify the step that currently
uses docker/login-action@v3 (named "Login to Docker Hub") to include if: ${{
github.repository_owner == 'flashinfer' }} so external contributors' workflows
don't attempt to use the repo secrets.
- Around line 218-223: The Docker Hub login step ("Login to Docker Hub" using
docker/login-action@v3 with username flashinfer) needs the same fork-PR guard as
earlier; add an if condition to the step (e.g. if: ${{
github.event.pull_request.head.repo.full_name == github.repository }}) so the
docker/login step is skipped for external/forked PRs to avoid failing when
secrets are unavailable.
- Around line 124-129: The Docker Hub login step ("Login to Docker Hub" using
docker/login-action@v3 with username flashinfer and password ${{
secrets.DOCKERHUB_TOKEN }}) will fail for forked PRs because secrets are not
exposed; update that step to run only when the PR is not from a fork (i.e., skip
login for pull_request events where head repo differs from the base repo) so
anonymous pulls are used instead, and apply the same conditional guard to the
other two docker/login-action@v3 login steps in the workflow.

Comment on lines +124 to +129
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: flashinfer
password: ${{ secrets.DOCKERHUB_TOKEN }}
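Review bot: `uses: docker/login-action@v3` references a mutable tag on the one step that receives `secrets.DOCKERHUB_TOKEN`. Pin the action to a full commit SHA, keeping `v3` in a trailing comment, so that a retagged release cannot change which code handles the token.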


⚠️ Potential issue | 🟠 Major

Login will fail for fork PRs due to inaccessible secrets.

GitHub Actions does not expose repository secrets to workflows triggered by pull requests from forked repositories. This causes the login step to fail for external contributors, breaking their CI.

Add a condition to skip login for fork PRs (they'll fall back to anonymous rate limits):

🔧 Proposed fix
      - name: Login to Docker Hub
+       if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          username: flashinfer
          password: ${{ secrets.DOCKERHUB_TOKEN }}
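Review bot: the `if:` on the added line keys on event and repository names rather than on whether the secret is actually present, which leaves two gaps. The `github.event_name != 'pull_request'` branch lets every other trigger through, so if this workflow is ever run on `pull_request_target` the login executes with the real token on fork PRs; and same-repository PRs opened by Dependabot pass the head-repo comparison but do not receive regular Actions secrets, so they reach the step with an empty `password:`. Because `secrets` cannot be referenced directly in a step-level `if:`, map the token to a job-level `env` variable and guard on that variable being non-empty, and restrict the condition to the event names the workflow really uses.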

Apply this same fix to all three login steps in this file.

Suggested change
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: flashinfer
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to Docker Hub
if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'
uses: docker/login-action@v3
with:
username: flashinfer
password: ${{ secrets.DOCKERHUB_TOKEN }}

Comment on lines +173 to +178
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: flashinfer
password: ${{ secrets.DOCKERHUB_TOKEN }}
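Review bot: for this step (lines 173 to 178) the guard proposed on this page, `github.repository_owner == 'flashinfer'`, does not do what is intended. `github.repository_owner` is the owner of the repository the workflow runs in, which for a `pull_request` from a fork is still the base repository, so it cannot tell fork PRs apart; and the merge target shown on this page is `flashinfer-ai:main`, so a comparison with `'flashinfer'` (the Docker Hub `username:` in this hunk) would never match and the login would be skipped for everyone. Use one guard, identical on all three login steps, based on the head repository or on the secret being present.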


⚠️ Potential issue | 🟠 Major

Apply the same conditional fix here.

Same fork PR issue as noted above. Add the if condition to prevent failures for external contributors.


Comment on lines +218 to +223
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: flashinfer
password: ${{ secrets.DOCKERHUB_TOKEN }}
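Review bot: nothing next to `password: ${{ secrets.DOCKERHUB_TOKEN }}` documents what the token is allowed to do, and after this step the credential stays in the runner's Docker config for the remainder of the job, where the PR's own test code runs. Since the stated purpose is only a higher pull limit, the token should be a read-only Docker Hub access token (public-repo read if the images are public); add a comment on the step saying so, so that a future rotation does not swap in a read/write token.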


⚠️ Potential issue | 🟠 Major

Apply the same conditional fix here.

Same fork PR issue as noted above. Add the if condition to prevent failures for external contributors.


@yongwww yongwww merged commit 6409453 into flashinfer-ai:main Jan 21, 2026
20 checks passed
@yongwww yongwww deleted the docker_rate_limit branch January 21, 2026 19:50