fix(ci): allow check collector/scanner failure#14825
Conversation
|
Images are ready for the commit at de5993d. To use with deploy scripts, first |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #14825 +/- ##
==========================================
- Coverage 48.88% 48.88% -0.01%
==========================================
Files 2547 2547
Lines 186906 186906
==========================================
- Hits 91361 91360 -1
Misses 88313 88313
- Partials 7232 7233 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| echo "collector-version=$(make --quiet --no-print-directory collector-tag)" >> "${GITHUB_OUTPUT}" | ||
|
|
||
| - name: Check image exists | ||
| continue-on-error: true |
There was a problem hiding this comment.
This is a good idea, but I have concerns that also default images (without -fast suffix) will be ignored, and that will cause problems in other places.
What do you think about separating the "default" images check from the fast images check? (in short, unwrap tag_suffix: ["", "-fast"] in two jobs) - or have conditional failure handling for -fast tags.
There was a problem hiding this comment.
If you look at the git history, the default image check was introduced in #13502. There was no reason for it to exist before Konflux was the thing. There is no need for it to check GHA-built images presence.
The reason it seemingly does so, i.e. check GHA tags with "" suffixes is because there wasn't enough clarity whether Konflux-built ScannerV2 and Collector images for release are going to have no suffixes or would come with -fast in tags.
There's still unclarity, but it seems more that ScannerV2 and Collector will remain -fast suffixed (as originally built in their repos) even in release Konflux builds. Therefore we can drop "" from checking.
There are couple other things that bother me even though I reviewed and approved the original PR.
I don't see a good reason to have these checks required by build-and-push-main because the one does not depend on any artifacts from check-*-images-exist because they produce no artifacts. The protection also exists in a different place, check-*-images-exist are required for master merges.
Secondly, I don't see why these checks have to be in the build.yaml.
With all that, I think, it's quickest to create an alternative PR.
|
Closing in favor of #14827. |
Description
Our
Build / check-collector-images-existandBuild / check-scanner-images-existcause the release workflows to fail if they fail. See previous runs from this action for examples: https://github.com/stackrox/stackrox/actions/runs/14172544638I propose we use
continue-on-errorfor these jobs, which I think will give us the ability to continue on with the release pipeline, while indicating failures in PRs.User-facing documentation
Testing and quality
Automated testing
N/A
How I validated my change
I haven't yet.