ROX-30858: optimize image retagging with buildx imagetools#19710
Merged
ROX-30858: optimize image retagging with buildx imagetools#19710
Conversation
Contributor
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- The new
push_matching_collector_scanner_imagesfunction assumesBUILD_TAG,SCANNER_VERSION,COLLECTOR_VERSION, andFACT_VERSIONenvironment/files are present; if this script is reused outside the GitHub workflow, consider adding validation/error messages for missing env vars/files to fail fast with a clear cause. - Since
push_matching_collector_scanner_imagesnow shells out todocker buildx imagetools, it may be worth guarding the call with a check thatdocker buildxis available (or emitting a clear error) for non-GitHub CI or local runs where Buildx might not be configured. - You removed the arch parameter and now retag images without the
-archsuffix; double-check whether any downstream consumers or scripts still expect:<tag>-amd64(or similar) tags, and if so, consider keeping a compatibility path or updating those references in the same change.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The new `push_matching_collector_scanner_images` function assumes `BUILD_TAG`, `SCANNER_VERSION`, `COLLECTOR_VERSION`, and `FACT_VERSION` environment/files are present; if this script is reused outside the GitHub workflow, consider adding validation/error messages for missing env vars/files to fail fast with a clear cause.
- Since `push_matching_collector_scanner_images` now shells out to `docker buildx imagetools`, it may be worth guarding the call with a check that `docker buildx` is available (or emitting a clear error) for non-GitHub CI or local runs where Buildx might not be configured.
- You removed the arch parameter and now retag images without the `-arch` suffix; double-check whether any downstream consumers or scripts still expect `:<tag>-amd64` (or similar) tags, and if so, consider keeping a compatibility path or updating those references in the same change.
## Individual Comments
### Comment 1
<location path=".github/workflows/build.yaml" line_range="565-566" />
<code_context>
+ ROX_PRODUCT_BRANDING: ${{ matrix.name }}
+ BUILD_TAG: ${{ needs.define-job-matrix.outputs.build-tag }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v6
+ with:
+ ref: ${{ inputs.commit || github.event.pull_request.head.sha }}
</code_context>
<issue_to_address>
**issue (bug_risk):** actions/checkout@v6 does not currently exist and will cause the job to fail
`actions/checkout` only exposes up to `v4` today, so `@v6` will fail at workflow runtime. Unless you have an internal `v6`, this should be updated to a valid major version (e.g. `@v4`) so the workflow runs successfully.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
📝 WalkthroughSummary by CodeRabbit
WalkthroughAdded a dedicated GitHub Actions job that runs per branding to push matching collector/scanner/fact images; consolidated image retag/push into the CI library using Docker Buildx imagetools and removed the separate pull-retag-push helper and amd64-only manifest logic. Changes
Sequence Diagram(s)sequenceDiagram
participant GH as GitHub Actions
participant Runner as Runner
participant CIlib as scripts/ci/lib.sh
participant Buildx as Docker Buildx
participant Quay as Quay Registry (rhacs / stackrox)
GH->>Runner: start push-matching-collector-scanner job (per branding)
Runner->>CIlib: invoke push_matching_collector_scanner_images(<brand>)
CIlib->>Buildx: docker buildx imagetools create -t <target> <source>
Buildx->>Quay: push created manifest/tag to target registry
Quay-->>Buildx: ack
Buildx-->>CIlib: result
CIlib-->>Runner: finish
Runner-->>GH: job completed
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes 🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@scripts/ci/lib.sh`:
- Around line 527-534: The BUILD_TAG environment variable can be empty causing
main_tag="${BUILD_TAG}" to produce empty tags and fail later; add a validation
check after assigning main_tag (or before use) to ensure BUILD_TAG/main_tag is
set and non-empty (trim whitespace if needed) and if not, print a clear error
mentioning BUILD_TAG and exit non‑zero so downstream retag operations do not run
(update the block around main_tag and its usages to perform this guard).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: b30e2bd2-3b06-45e0-a7fd-7526b893f51b
📒 Files selected for processing (3)
.github/workflows/build.yamlscripts/ci/lib.shscripts/ci/pull-retag-push.sh
💤 Files with no reviewable changes (1)
- scripts/ci/pull-retag-push.sh
d0b9689 to
c7f8205
Compare
Contributor
|
Images are ready for the commit at 2e14309. To use with deploy scripts, first |
Contributor
|
Images are ready for the commit at c7f8205. To use with deploy scripts, first |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #19710 +/- ##
=======================================
Coverage 49.58% 49.58%
=======================================
Files 2756 2756
Lines 207951 207951
=======================================
+ Hits 103112 103118 +6
+ Misses 97177 97172 -5
+ Partials 7662 7661 -1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
janisz
commented
Mar 31, 2026
davdhacs
approved these changes
Mar 31, 2026
Contributor
davdhacs
left a comment
There was a problem hiding this comment.
Excellent.
Konflux is not affected by this because it uses .tekton/retag-pipeline.yaml(with https://github.com/stackrox/konflux-tasks) and doesn't use the changed lib.sh or the removed retag script.
124a23d to
2e14309
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build.yaml:
- Around line 582-617: The new publish job push-matching-collector-scanner
creates a race because downstream jobs (e.g., scan-images-with-roxctl and
push-main-manifests) still run before matching images are published; update the
workflow to wait for it by adding push-matching-collector-scanner to the needs:
list of any jobs that currently depend on BUILD_TAG images (notably
scan-images-with-roxctl and push-main-manifests), or alternatively introduce a
small fan-in job that has needs: [push-main-manifests,
push-matching-collector-scanner] and move the PR “images are ready” comment to
that fan-in job so scans and the comment only run after both publish paths
complete.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: ab89a4e5-11d0-48bd-938f-d476573732d6
📒 Files selected for processing (3)
.github/workflows/build.yamlscripts/ci/lib.shscripts/ci/pull-retag-push.sh
💤 Files with no reviewable changes (1)
- scripts/ci/pull-retag-push.sh
Contributor
|
/retest |
Contributor
|
Images are ready for the commit at 4174680. To use with deploy scripts, first |
Replace pull-tag-push workflow with docker buildx imagetools create for scanner, collector, and fact image retagging. This eliminates unnecessary image pulls and pushes by copying manifests directly in the registry. Changes: - Extract image retagging to separate job that runs once per branding instead of per-architecture - Use docker buildx imagetools create for registry-to-registry manifest copying without local pulls - Remove pull-retag-push.sh script (inlined into lib.sh) - Copy full multi-arch manifests instead of amd64-only - Remove scanner/collector/fact from manifest creation step (buildx creates multi-arch manifests directly) Benefits: - Eliminates GBs of network transfer (6 images × pull + push) - Near-instantaneous manifest copy vs pull+push - Supports all architectures from source images - Runs in parallel with build-and-push-main job ROX-30858 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
2e14309 to
4174680
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Replace pull-tag-push workflow with
docker buildx imagetoolscreate for scanner, collector, and fact image retagging. This eliminates unnecessary image pulls and pushes by copying manifests directly in the registry.See: https://stackoverflow.com/questions/26763427/add-remote-tag-to-a-docker-image/70526615#70526615
Benefits:
User-facing documentation
Testing and quality
Automated testing
How I validated my change
CI