ROX-26026: Matrixize more jobs in .github/workflow/build.yaml #13694

Merged
msugakov merged 3 commits into master from misha/ROX-26026-matrixize-gha-builds
Jan 7, 2025

@msugakov msugakov commented Jan 3, 2025

Description

For release builds we need to disable GHA builds which push into quay.io/rhacs-eng/ and use Konflux for that instead.
This change makes it easier to conditionally disable GHA builds by suppressing RHACS_BRANDING from the matrix in the define-job-matrix job.

Extracted from #13422 and refined.

User-facing documentation

  • CHANGELOG is updated OR update is not needed
  • documentation PR is created and is linked above OR is not needed

Testing and quality

  • the change is production ready: the change is GA or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

No change to automated tests.

How I validated my change

  • Looked at the Build workflow and checked that it seems to work as before.
  • Added extra labels on this PR to give a chance for anything build-related to blow up.

openshift-ci bot commented Jan 3, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@msugakov msugakov added backport-for-4.6-konflux-release https://redhat-internal.slack.com/archives/C05TS9N0S7L/p1730134914487439 and removed do-not-merge/work-in-progress labels Jan 3, 2025
rhacs-bot commented Jan 3, 2025

Images are ready for the commit at a9e7ecd.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.7.x-353-ga9e7ecde55.

@msugakov msugakov force-pushed the misha/ROX-26026-matrixize-gha-builds branch from 4046cc5 to 37bbd15 Compare January 3, 2025 17:10
@msugakov msugakov added the scan-images-with-roxctl Tells `scan-images-with-roxctl` job to run label Jan 3, 2025
@msugakov msugakov force-pushed the misha/ROX-26026-matrixize-gha-builds branch from ae9f644 to 724aded Compare January 3, 2025 17:48
@msugakov msugakov changed the title ROX-26026: Put jobs in .github/workflow/build.yaml into matrix ROX-26026: Matrixize jobs in .github/workflow/build.yaml Jan 3, 2025
@msugakov msugakov force-pushed the misha/ROX-26026-matrixize-gha-builds branch from 724aded to 39b0e00 Compare January 3, 2025 17:54
@msugakov msugakov marked this pull request as ready for review January 3, 2025 17:58
@msugakov msugakov changed the title ROX-26026: Matrixize jobs in .github/workflow/build.yaml ROX-26026: Matrixize more jobs in .github/workflow/build.yaml Jan 3, 2025
msugakov added a commit that referenced this pull request Jan 3, 2025
I gave a lengthy explanation in one of the commits in
#13694

Refer to that if you need more info.
msugakov added a commit that referenced this pull request Jan 3, 2025
Since the idea of this overall change is to disable GHA builds into
quay.io/rhacs-eng/ for releases, we can simply switch to scanning
GHA-built images in quay.io/stackrox-io/, which should be there
(at least we don't have plans to migrate them to Konflux at this
point).

Some nerdy extra context:

In #13694, the similar
change for `.github/workflows/build.yaml`, I could not do the same
thing because of a situation with the `stackrox-operator` image: that
one is only built into quay.io/rhacs-eng and not built into
quay.io/stackrox-io. Therefore I had to introduce a matrix there for
the `scan-images-with-roxctl` job.

I was musing whether I should introduce the matrix here, in
`.github/workflows/scanner-build.yaml`, as well for this
`scan-images-with-roxctl` job. The benefit is consistency of
workflows. The downside is more complexity to this workflow.

msugakov commented Jan 3, 2025

/test ?


msugakov commented Jan 3, 2025

/test ocp-4-17-operator-e2e-tests


msugakov commented Jan 3, 2025

/test gke-operator-e2e-tests

msugakov added a commit that referenced this pull request Jan 6, 2025
msugakov added a commit that referenced this pull request Jan 6, 2025
@msugakov msugakov added ci-build-prerelease Build a GOTAGS=release image tagged with `-prerelease` ci-build-race-condition-debug Build a `-race` image tagged with `-rcd`. Required for `/test gke-race-condition-qa-e2e-tests`. scan-go-binaries Run the scan-go-binaries step on PRs ci-build-all-arch Build binaries and images for all architectures labels Jan 6, 2025
so that later we can more easily disable the ones for RHACS_BRANDING.
`-e` is already set.
`-u` will remain as an exercise for the future.

When touching the code of `scan-images-with-roxctl`, I wasn't sure
why there's `roxctl > file` followed by `cat file`.
Since I changed that to `| tee`, I wanted to be sure the pipe won't
swallow any bad exit code from the command.

Ran `set -o` in the pipeline and found `pipefail` not being set.
Here's the full dump:

```
allexport      	off
braceexpand    	on
emacs          	off
errexit        	on
errtrace       	off
functrace      	off
hashall        	on
histexpand     	off
history        	off
ignoreeof      	off
interactive-comments	on
keyword        	off
monitor        	off
noclobber      	off
noexec         	off
noglob         	off
nolog          	off
notify         	off
nounset        	off
onecmd         	off
physical       	off
pipefail       	off
posix          	off
privileged     	off
verbose        	off
vi             	off
xtrace         	off
```

I don't know why we wouldn't want `errexit` and `pipefail` always on.
Therefore I change the default shell for the entire workflow.

Notably, `bash` isn't literally the command; it's a value from some
enum that GHA has, and the actual command is selected based on the
value from this enum.
`bash` translates to `bash --noprofile --norc -eo pipefail {0}`.
Weird, isn't it?
See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell
For easier testing of changes in PRs.
@msugakov msugakov force-pushed the misha/ROX-26026-matrixize-gha-builds branch from 39b0e00 to a9e7ecd Compare January 6, 2025 09:57
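
The `| tee` concern from the commit message above, as an added example that is not code from this pull request: it runs the same failing step under `-e` alone and under the `-eo pipefail` options that the `bash` shell value expands to, and compares both with the earlier redirect-then-`cat` form. `scan_stub`, `run_step`, `show` and the temporary report file are constructed stand-ins, not the project's scan command.

```bash
#!/usr/bin/env bash
# Added example: how each shell mode treats a failing scanner piped into tee.
# scan_stub is a constructed stand-in that prints a report and exits with 3.

# Step bodies executed by a child bash; "$1" is the report path.
STEP_TEE='scan_stub() { echo "constructed scan report"; return 3; }
scan_stub | tee "$1" >/dev/null
echo "step continued after the scan"'

STEP_REDIRECT='scan_stub() { echo "constructed scan report"; return 3; }
scan_stub > "$1"
cat "$1"'

# run_step OPTS BODY: run BODY in a fresh bash started with OPTS and
# return the exit status that a CI runner would see for the step.
run_step() {
    report=$(mktemp)
    rc=0
    # $1 is intentionally unquoted so "-eo pipefail" splits into two arguments.
    bash --noprofile --norc $1 -c "$2" step "$report" >/dev/null || rc=$?
    rm -f "$report"
    return "$rc"
}

show() {
    code=0
    run_step "$1" "$2" || code=$?
    echo "options='$1' exit=$code"
}

show "-e" "$STEP_TEE"            # exit=0: tee's status hides the scanner's 3
show "-eo pipefail" "$STEP_TEE"  # exit=3: pipeline fails and errexit stops the step
show "-e" "$STEP_REDIRECT"       # exit=3: redirect-then-cat fails under errexit alone
```

With `errexit` only, the piped form reports success even though the scanner failed, so a scan step rewritten from `> file` to `| tee` needs `pipefail` to keep gating the job.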

msugakov commented Jan 6, 2025

/test gke-operator-e2e-tests


@tommartensen tommartensen left a comment

TIL (or remembered) matrix.exclude

@msugakov msugakov merged commit a7b8a0a into master Jan 7, 2025
@msugakov msugakov deleted the misha/ROX-26026-matrixize-gha-builds branch January 7, 2025 09:33