
ROX-26026: Introduce registry to Scanner build matrix #13695

Merged
msugakov merged 9 commits into master from misha/ROX-26026-matrixize-gha-scanner-builds
Jan 7, 2025

@msugakov msugakov commented Jan 3, 2025

Description

Similar to #13694 the goal here is to make it possible to disable pushes to quay.io/rhacs-eng/ for release builds (which will be driven by Konflux).
Unlike #13694 where the .github/workflows/build.yaml workflow is defined through branding, the .github/workflows/scanner-build.yaml doesn't have a notion of branding and so I felt introducing one would be too artificial given that the Scanner V4 doesn't have any conditional on the branding. Therefore, I introduce the "registry" quay.io/stackrox-io / quay.io/rhacs-eng as the matrix parameter.

This change can be reviewed by commits or in its eventual state.

Request for reviewers: an extra dimension for build-and-push-scanner and push-scanner-manifests will lead to a double execution of some steps, which means more GitHub minutes. Given that these will run in parallel, that we don't pay for these minutes, and that these jobs seem to be quick enough (~5 minutes), I hope the impact is ok to take. Please take a critical look and let me know if you won't be ok with that.

Also note that this change will require adjusting required jobs for PRs since the one set up earlier for Scanner isn't valid anymore. The effect is that everyone will have to rebase their PRs. That's ok, we did such things before.

User-facing documentation

  • CHANGELOG is updated OR update is not needed
  • documentation PR is created and is linked above OR is not needed

Testing and quality

  • the change is production ready: the change is GA or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

No contributions to the automated testing.

How I validated my change

  • Checked GHA graph and logs that builds are still happening.
  • Added more labels on the PR to give a chance for anything build-related to blow up.


openshift-ci bot commented Jan 3, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@msugakov msugakov changed the title ROX-26026: Introduce registry as matrix ROX-26026: Introduce registry to Scanner build matrix Jan 3, 2025
@msugakov msugakov added the scan-images-with-roxctl Tells `scan-images-with-roxctl` job to run label Jan 3, 2025
@msugakov msugakov changed the title ROX-26026: Introduce registry to Scanner build matrix ROX-26026: Introduce registry to Scanner build matrix Jan 3, 2025

rhacs-bot commented Jan 3, 2025

Images are ready for the commit at 6adbae7.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.7.x-359-g6adbae72fb.

@msugakov msugakov force-pushed the misha/ROX-26026-matrixize-gha-scanner-builds branch from 738a083 to 17abb05 Compare January 3, 2025 19:51
@msugakov msugakov added the backport-for-4.6-konflux-release https://redhat-internal.slack.com/archives/C05TS9N0S7L/p1730134914487439 label Jan 3, 2025
@msugakov msugakov marked this pull request as ready for review January 4, 2025 18:37
@msugakov msugakov requested a review from a team as a code owner January 4, 2025 18:37

msugakov commented Jan 6, 2025

/test ?


msugakov commented Jan 6, 2025

/retest

@msugakov msugakov added ci-build-all-arch Build binaries and images for all architectures ci-build-prerelease Build a GOTAGS=release image tagged with `-prerelease` ci-build-race-condition-debug Build a `-race` image tagged with `-rcd`. Required for `/test gke-race-condition-qa-e2e-tests`. scan-go-binaries Run the scan-go-binaries step on PRs labels Jan 6, 2025
I gave a lengthy explanation in one of the commits in
#13694

Refer to that if you need more info.
because I want to extend the build job's matrix with an extra
attribute that won't exist in the pre-build job.
This would double execution of job steps. Can we afford that?
Since the idea of this overall change is to disable GHA builds into
quay.io/rhacs-eng/ for releases, we can simply switch to scan
GHA-built images in quay.io/stackrox-io/ which should be there
(at least we don't have plans to migrate them to Konflux at this
point).

Some nerdy extra context:

In #13694, the similar
change for `.github/workflows/build.yaml`, I could not do the same
thing because of a situation with the `stackrox-operator` image: the
one is only built into quay.io/rhacs-eng and not built into
quay.io/stackrox-io. Therefore I had to introduce a matrix there for
the `scan-images-with-roxctl` job.

I was musing whether I should introduce the matrix here, in
`.github/workflows/scanner-build.yaml`, as well for this
`scan-images-with-roxctl` job. The benefit is consistency of
workflows. The downside is more complexity to this workflow.
Here's a commit that makes `scan-images-with-roxctl` matrixized.
If we like it I keep it. Otherwise, I'll just drop it and we'll
stay with only checking quay.io/stackrox-io/ images.
@msugakov msugakov force-pushed the misha/ROX-26026-matrixize-gha-scanner-builds branch from 17abb05 to c45ce21 Compare January 6, 2025 09:52

msugakov commented Jan 6, 2025

/retest

@msugakov msugakov removed the scan-go-binaries Run the scan-go-binaries step on PRs label Jan 6, 2025
@msugakov msugakov requested a review from RTann January 6, 2025 18:43

@RTann RTann left a comment

thanks for doing this LGTM


@tommartensen tommartensen left a comment

LGTM pending one typo fix

Co-authored-by: Tom Martensen <tmartens@redhat.com>

openshift-ci bot commented Jan 7, 2025

@msugakov: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/ocp-4-12-scanner-v4-tests | 6adbae7 | link | false | /test ocp-4-12-scanner-v4-tests |


@msugakov msugakov merged commit 7ff1ca8 into master Jan 7, 2025
@msugakov msugakov deleted the misha/ROX-26026-matrixize-gha-scanner-builds branch January 7, 2025 17:51
@msugakov msugakov mentioned this pull request Jan 7, 2025