From 6b13f5641f395fdcf3321da1e367b9107ca71c8b Mon Sep 17 00:00:00 2001
From: Tomasz Janiszewski <tomek@redhat.com>
Date: Fri, 27 Mar 2026 15:54:25 +0100
Subject: [PATCH] perf(ci): extract operator bundle build to separate job

Extract operator bundle generation from the build-and-push-operator matrix
job into a standalone build-operator-bundle job.

Changes:
- Add new build-operator-bundle job that runs on ubuntu-latest
- Job has no dependencies (starts immediately for max parallelism)
- Fixed RHACS_BRANDING only (no matrix, no community bundle)
- Includes Python setup for bundle helper scripts
- Remove bundle build/push/index steps from build-and-push-operator job
- Update slack-on-build-failure to depend on build-operator-bundle

Benefits:
- Maximum parallelism: bundle starts immediately, no waiting
- No wasted matrix slots on conditional bundle steps
- Simpler operator build matrix (only handles operator images)
- No container overhead (runs on host with Go + Python + Docker)
- Cleaner separation of bundle vs operator image logic

Related: ROX-33792

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 .github/workflows/build.yaml | 77 +++++++++++++++++++++++-------------
 1 file changed, 49 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 9cc15225abc01..b53ac6fa0de95 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -324,6 +324,54 @@ jobs:
           path: |
             image/rhel/docs
 
+  build-operator-bundle:
+    runs-on: ubuntu-latest
+    env:
+      QUAY_ORG: rhacs-eng
+      QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+      QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+      ROX_OPERATOR_SKIP_PROTO_GENERATED_SRCS: true
+      ROX_PRODUCT_BRANDING: RHACS_BRANDING
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.commit || github.event.pull_request.head.sha }}
+
+      - uses: ./.github/actions/job-preamble
+        with:
+          gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+          cache: false
+
+      - name: Cache Go dependencies
+        uses: ./.github/actions/cache-go-dependencies
+
+      - uses: ./.github/actions/handle-tagged-build
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version-file: operator/bundle_helpers/.python-version
+
+      - name: Build Operator Bundle
+        run: make -C operator/ bundle bundle-build
+
+      - name: Push Operator Bundle and Index
+        # Skip for external contributions.
+        if: |
+          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
+        run: |
+          ./scripts/ci/lib.sh registry_rw_login "quay.io/${QUAY_ORG}"
+          make -C operator/ docker-push-bundle | cat
+          make -C operator/ index-build
+          make -C operator/ docker-push-index | cat
+
   build-and-push-main:
     runs-on: ubuntu-latest
     needs:
@@ -692,12 +740,6 @@ jobs:
         run: |
           ./scripts/ci/lib.sh registry_rw_login "quay.io/${QUAY_ORG}"
 
-      - name: Build Operator Bundle image
-        if: |
-          matrix.name != 'STACKROX_BRANDING'
-        run: |
-          make -C operator/ bundle bundle-build
-
       - name: Build Operator image
         run: |
           # The first invocation builds native architecture dependencies, which helps avoid the following error,
@@ -745,28 +787,6 @@ jobs:
             fi
             echo "Operator image push completed successfully"
 
-      - name: Push bundle image
-        # Skip for external contributions, and for upstream.
-        if: |
-          matrix.name != 'STACKROX_BRANDING' && (github.event_name == 'push' || !github.event.pull_request.head.repo.fork)
-        run: |
-          make -C operator/ docker-push-bundle | cat
-
-      # Index image can only be built once bundle was pushed
-      - name: Build index
-        # Skip for external contributions and for upstream, as the build relies on the previous image to be pushed.
-        if: |
-          matrix.name != 'STACKROX_BRANDING' && (github.event_name == 'push' || !github.event.pull_request.head.repo.fork)
-        run: |
-          make -C operator/ index-build
-
-      - name: Push index image
-        # Skip for external contributions, and for upstream.
-        if: |
-          matrix.name != 'STACKROX_BRANDING' && (github.event_name == 'push' || !github.event.pull_request.head.repo.fork)
-        run: |
-          make -C operator/ docker-push-index | cat
-
   push-operator-manifests:
     runs-on: ubuntu-latest
     needs:
@@ -960,6 +980,7 @@ jobs:
       - pre-build-cli
       - pre-build-go-binaries
       - pre-build-docs
+      - build-operator-bundle
       - build-and-push-main
       - build-and-push-operator
       - scan-images-with-roxctl