ROX-31807: Adding Analytics for Base Images #87468
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| commit: | |
| description: 'Commit SHA to build' | |
| required: true | |
| type: string | |
| workflow_call: | |
| push: | |
| tags: | |
| - '*-nightly-*' | |
| branches: | |
| - master | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| defaults: | |
| run: | |
| # This enables `-o pipefail` for all jobs as compared to when shell isn't set. | |
| # See https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#defaultsrunshell | |
| shell: bash | |
| jobs: | |
| define-job-matrix: | |
| outputs: | |
| matrix: ${{ steps.define-job-matrix.outputs.matrix }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - name: Define the matrix for build jobs | |
| id: define-job-matrix | |
| run: | | |
| source './scripts/ci/lib.sh' | |
| matrix='{ | |
| "pre_build_go_binaries": { "name":[], "arch":[] }, | |
| "build_and_push_main": { "name":[], "arch":[] }, | |
| "push_main_multiarch_manifests": { "name":[] }, | |
| "build_and_push_operator": { "name":[], "arch":[] }, | |
| "push_operator_multiarch_manifests": { "name":[] }, | |
| "scan_images_with_roxctl": { "name":[], "image":[], "exclude":[] } | |
| }' | |
| # The base matrix | |
| matrix="$(jq '.pre_build_go_binaries.name += ["default"]' <<< "$matrix")" | |
| matrix="$(jq '.pre_build_go_binaries.arch += ["amd64", "arm64"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.arch += ["amd64", "arm64"]' <<< "$matrix")" | |
| matrix="$(jq '.push_main_multiarch_manifests.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_operator.name += ["RHACS_BRANDING"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_operator.arch += ["amd64", "arm64"]' <<< "$matrix")" | |
| matrix="$(jq '.push_operator_multiarch_manifests.name += ["RHACS_BRANDING"]' <<< "$matrix")" | |
| matrix="$(jq '.push_operator_multiarch_manifests.archs = [.build_and_push_operator.arch | join(",")]' <<< "$matrix")" | |
| matrix="$(jq '.scan_images_with_roxctl.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")" | |
| matrix="$(jq '.scan_images_with_roxctl.image += ["central-db", "collector", "main", "roxctl", "scanner", "scanner-db", "scanner-db-slim", "scanner-slim", "stackrox-operator"]' <<< "$matrix")" | |
| # TODO(ROX-27191): remove the exclusion once there's a community operator. | |
| matrix="$(jq '.scan_images_with_roxctl.exclude += [{ "name": "STACKROX_BRANDING", "image": "stackrox-operator" }]' <<< "$matrix")" | |
| if ! is_in_PR_context || pr_has_label ci-build-all-arch; then | |
| matrix="$(jq '.pre_build_go_binaries.arch += ["ppc64le", "s390x"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.arch += ["ppc64le", "s390x"]' <<< "$matrix")" | |
| fi; | |
| # Conditionally add a prerelease build (binaries built with GOTAGS=release) | |
| if ! is_tagged; then | |
| if ! is_in_PR_context || pr_has_label ci-build-prerelease; then | |
| matrix="$(jq '.pre_build_go_binaries.name += ["prerelease"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.name += ["prerelease"]' <<< "$matrix")" | |
| matrix="$(jq '.push_main_multiarch_manifests.name += ["prerelease"]' <<< "$matrix")" | |
| fi | |
| fi | |
| # Conditionally add a -race debug build (binaries built with -race) | |
| if ! is_in_PR_context || pr_has_label ci-build-race-condition-debug; then | |
| matrix="$(jq '.pre_build_go_binaries.name += ["race-condition-debug"]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.name += ["race-condition-debug"]' <<< "$matrix")" | |
| matrix="$(jq '.push_main_multiarch_manifests.name += ["race-condition-debug"]' <<< "$matrix")" | |
| # Exclude "arm64", "ppc64le", "s390x" | |
| matrix="$(jq '.pre_build_go_binaries.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")" | |
| matrix="$(jq '.pre_build_go_binaries.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")" | |
| matrix="$(jq '.pre_build_go_binaries.exclude += [{ "name": "race-condition-debug", "arch": "s390x" }]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.exclude = [{ "name": "race-condition-debug", "arch": "arm64" }]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.exclude += [{ "name": "race-condition-debug", "arch": "ppc64le" }]' <<< "$matrix")" | |
| matrix="$(jq '.build_and_push_main.exclude += [{ "name": "race-condition-debug", "arch": "s390x" }]' <<< "$matrix")" | |
| fi | |
| echo "Job matrix after conditionals:" | |
| jq <<< "$matrix" | |
| condensed="$(jq -c <<< "$matrix")" | |
| echo "matrix=$condensed" >> "$GITHUB_OUTPUT" | |
| pre-build-ui: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| branding: [ RHACS_BRANDING, STACKROX_BRANDING ] | |
| env: | |
| ROX_PRODUCT_BRANDING: ${{ matrix.branding }} | |
| # For consistency with `image/rhel/konflux.Dockerfile`, see comment there. | |
| UI_PKG_INSTALL_EXTRA_ARGS: --ignore-scripts | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - uses: ./.github/actions/cache-ui-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Fetch UI deps | |
| run: make -C ui deps | |
| - name: Build UI | |
| run: make -C ui build | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: ui-${{env.ROX_PRODUCT_BRANDING}}-build | |
| path: | | |
| ui/build | |
| ui/apps/platform/package-lock.json | |
| pre-build-cli: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Cache Go dependencies | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Build CLI | |
| run: make cli | |
| - name: Bundle build to preserve permissions | |
| run: tar -cvzf cli-build.tgz bin | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: cli-build | |
| path: cli-build.tgz | |
| pre-build-go-binaries: | |
| strategy: | |
| # Supports three go binary builds: | |
| # default - built with environment defaults (see handle-tagged-build & env.mk) | |
| # prerelease - built with GOTAGS=release | |
| # race-condition-debug - built with -race | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).pre_build_go_binaries }} | |
| needs: define-job-matrix | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Cache Go dependencies | |
| env: | |
| GOARCH: ${{ matrix.arch }} | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: PR labels | |
| uses: joerick/pr-labels-action@v1.0.9 | |
| - name: Setup build env for debugging support | |
| run: | | |
| if [[ "${GITHUB_HEAD_REF:-}" =~ -debug ]]; then | |
| echo "DEBUG_BUILD=yes" >> "${GITHUB_ENV}" | |
| fi | |
| - name: Setup Go build environment for release | |
| if: | | |
| contains(github.event.pull_request.labels.*.name, 'ci-release-build') | |
| || | |
| matrix.name == 'prerelease' | |
| run: echo "GOTAGS=release" >> "$GITHUB_ENV" | |
| - name: Setup Go build environment for -race | |
| if: | | |
| matrix.arch == 'amd64' | |
| && | |
| ( | |
| contains(github.event.pull_request.labels.*.name, 'ci-race-tests') | |
| || | |
| matrix.name == 'race-condition-debug' | |
| ) | |
| run: echo "RACE=true" >> "$GITHUB_ENV" | |
| - name: Build Go Binaries | |
| run: | | |
| if [[ "${{ matrix.arch }}" != "amd64" ]]; then | |
| echo "Building non-amd binary" | |
| GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=0 make build-prep main-build-nodeps | |
| else | |
| echo "Building amd binary" | |
| GOOS=linux GOARCH=${{ matrix.arch }} CGO_ENABLED=1 make build-prep main-build-nodeps | |
| fi | |
| - name: Bundle the build to preserve permissions | |
| run: tar -cvzf go-binaries-build.tgz bin/linux_${{ matrix.arch }} | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: go-binaries-build-${{ matrix.arch }}-${{ matrix.name }} | |
| path: go-binaries-build.tgz | |
| pre-build-docs: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Cache Go dependencies | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Resolve mods for protos | |
| run: go mod tidy | |
| - name: Generate the swagger docs | |
| run: | | |
| make swagger-docs | |
| # Workaround to handle https://github.com/actions/cache/issues/753 | |
| rm -rf .proto | |
| - uses: ./.github/actions/upload-artifact-with-retry | |
| with: | |
| name: docs-build | |
| path: | | |
| image/rhel/docs | |
| build-and-push-main: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - define-job-matrix | |
| - pre-build-ui | |
| - pre-build-cli | |
| - pre-build-go-binaries | |
| - pre-build-docs | |
| # This step will run even if required pre-* steps failed. By following this | |
| # approach as much of the build matrix as possible is completed despite | |
| # transient issues e.g. docker pull timeouts. In this way some e2e jobs that | |
| # require some part of the build matrix can still proceed. | |
| if: ${{ !cancelled() }} | |
| strategy: | |
| # Supports four image builds (see Setup build env): | |
| # STACKROX_BRANDING | |
| # RHACS_BRANDING | |
| # prerelease | |
| # race-condition-debug | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_main }} | |
| env: | |
| GO_BINARIES_BUILD_ARTIFACT: "" | |
| ROX_PRODUCT_BRANDING: "" | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| env: | |
| QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} | |
| QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
| QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
| steps: | |
| - name: Setup build env | |
| run: | | |
| case "${{ matrix.name }}" in | |
| STACKROX_BRANDING) | |
| go_binaries="default" | |
| brand="STACKROX_BRANDING" | |
| ;; | |
| RHACS_BRANDING) | |
| go_binaries="default" | |
| brand="RHACS_BRANDING" | |
| ;; | |
| race-condition-debug) | |
| go_binaries="race-condition-debug" | |
| brand="RHACS_BRANDING" | |
| ;; | |
| prerelease) | |
| go_binaries="prerelease" | |
| brand="RHACS_BRANDING" | |
| ;; | |
| *) | |
| echo "Unsupported build: ${{ matrix.name }}" | |
| exit 1 | |
| esac | |
| { | |
| echo "GO_BINARIES_BUILD_ARTIFACT=go-binaries-build-${{ matrix.arch }}-${go_binaries}" | |
| echo "ROX_PRODUCT_BRANDING=${brand}" | |
| } >> "$GITHUB_ENV" | |
| if [[ "${GITHUB_HEAD_REF:-}" =~ -debug ]]; then | |
| echo "DEBUG_BUILD=yes" >> "${GITHUB_ENV}" | |
| fi | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Login to docker.io to mitigate rate limiting on downloading images | |
| uses: docker/login-action@v3 | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| with: | |
| username: ${{ secrets.DOCKERHUB_CI_ACCOUNT_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_CI_ACCOUNT_PASSWORD }} | |
| - name: Set up QEMU | |
| if: matrix.arch != 'amd64' | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Checkout submodules | |
| run: | | |
| git submodule update --init | |
| - uses: ./.github/actions/handle-tagged-build | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: ui-${{ env.ROX_PRODUCT_BRANDING }}-build | |
| path: ui | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: cli-build | |
| - name: Unpack cli build | |
| run: | | |
| tar xvzf cli-build.tgz | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: ${{ env.GO_BINARIES_BUILD_ARTIFACT }} | |
| - name: Unpack Go binaries build | |
| run: | | |
| tar xvzf go-binaries-build.tgz | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: docs-build | |
| path: image/rhel/docs | |
| # needed to restore node_modules for ossls-nostice | |
| - uses: ./.github/actions/cache-ui-dependencies | |
| # explicitly fetch deps just in case cache was not ready | |
| - name: Fetch UI deps | |
| run: make -C ui deps | |
| - name: Generate OSS notice | |
| run: make ossls-notice | |
| - name: Set build tag for prerelease images | |
| if: matrix.name == 'prerelease' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
| - name: Set build tag for race condition images | |
| if: matrix.name == 'race-condition-debug' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
| - name: Build main images | |
| run: | | |
| GOOS=linux GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make docker-build-main-image | |
| - name: Check debugger presence in the main image | |
| run: make check-debugger | |
| - name: Build roxctl image | |
| run: | | |
| GOOS=linux GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make docker-build-roxctl-image | |
| # needed for docs ensure_image.sh initial pull with RHACS_BRANDING | |
| - name: Docker login | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| ./scripts/ci/lib.sh registry_ro_login "quay.io/rhacs-eng" | |
| - name: Push images | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
| push_context="" | |
| if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
| push_context="merge-to-master" | |
| fi | |
| push_main_image_set "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}" | |
| - name: Push matching collector and scanner images | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| # Need to free up some space before push_matching_collector_scanner_images() does its pull. | |
| docker system prune --all --force | |
| source ./scripts/ci/lib.sh | |
| push_matching_collector_scanner_images "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}" | |
| push-main-manifests: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - define-job-matrix | |
| - build-and-push-main | |
| # This step will run even if some of the build-and-push-matrix steps failed. | |
| # By following this approach as much of the build matrix as possible is | |
| # completed despite transient issues e.g. docker pull timeouts. In this way | |
| # some e2e jobs that require some part of the build matrix can still | |
| # proceed. | |
| if: ${{ !cancelled() }} | |
| strategy: | |
| # Supports four image builds (see Setup build env): | |
| # STACKROX_BRANDING | |
| # RHACS_BRANDING | |
| # prerelease | |
| # race-condition-debug | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).push_main_multiarch_manifests }} | |
| env: | |
| ROX_PRODUCT_BRANDING: "" | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| env: | |
| QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} | |
| QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
| QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
| steps: | |
| - name: Setup build env | |
| run: | | |
| case "${{ matrix.name }}" in | |
| STACKROX_BRANDING) | |
| brand="STACKROX_BRANDING" | |
| ;; | |
| RHACS_BRANDING) | |
| brand="RHACS_BRANDING" | |
| ;; | |
| race-condition-debug) | |
| brand="RHACS_BRANDING" | |
| ;; | |
| prerelease) | |
| brand="RHACS_BRANDING" | |
| ;; | |
| *) | |
| echo "Unsupported build: ${{ matrix.name }}" | |
| exit 1 | |
| esac | |
| { | |
| echo "ROX_PRODUCT_BRANDING=${brand}" | |
| } >> "$GITHUB_ENV" | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Checkout submodules | |
| run: | | |
| git submodule update --init | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Set build tag for prerelease images | |
| if: matrix.name == 'prerelease' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
| - name: Set build tag for race condition images | |
| if: matrix.name == 'race-condition-debug' | |
| run: echo "BUILD_TAG=$(make --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
| - name: Build and push manifest lists | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
| push_context="" | |
| if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
| push_context="merge-to-master" | |
| fi | |
| architectures="amd64,arm64" | |
| if ! is_in_PR_context || pr_has_label ci-build-all-arch; then | |
| architectures="amd64,arm64,ppc64le,s390x" | |
| fi | |
| if [[ "${{ matrix.name }}" == "race-condition-debug" ]]; then | |
| architectures="amd64" | |
| fi | |
| push_image_manifest_lists "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "$architectures" | |
| - name: Comment on the PR | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| env: | |
| GITHUB_TOKEN: "${{ secrets.RHACS_BOT_GITHUB_TOKEN }}" | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| add_build_comment_to_pr | |
| build-and-push-operator: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - define-job-matrix | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| env: | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_RHACS_ENG_BEARER_TOKEN: ${{ secrets.QUAY_RHACS_ENG_BEARER_TOKEN }} | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_operator }} | |
| env: | |
| ROX_PRODUCT_BRANDING: ${{ matrix.name }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| free-disk-space: 30 | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Cache Go dependencies | |
| env: | |
| GOARCH: ${{ matrix.arch }} | |
| uses: ./.github/actions/cache-go-dependencies | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Resolve mods for protos | |
| run: go mod tidy | |
| - name: PR labels | |
| uses: joerick/pr-labels-action@v1.0.9 | |
| - name: Setup Go build environment | |
| if: contains(github.event.pull_request.labels.*.name, 'ci-release-build') | |
| run: echo "GOTAGS=release" >> "$GITHUB_ENV" | |
| - name: Docker login | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| ./scripts/ci/lib.sh registry_rw_login "quay.io/rhacs-eng" | |
| - name: Build Operator Bundle image | |
| run: | | |
| make -C operator/ bundle bundle-build | |
| - name: Operator unit tests | |
| if: matrix.arch == 'amd64' | |
| run: | | |
| scripts/lib.sh retry 2 true make -C operator/ test | |
| - name: Build Operator image | |
| run: | | |
| CGO_ENABLED=0 GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make -C operator/ build docker-build | |
| - name: Login to docker.io to mitigate rate limiting on downloading images | |
| uses: docker/login-action@v3 | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| with: | |
| username: ${{ secrets.DOCKERHUB_CI_ACCOUNT_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_CI_ACCOUNT_PASSWORD }} | |
| - name: Set up QEMU | |
| if: matrix.arch != 'amd64' | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Check that Operator image is runnable | |
| run: docker run --rm --platform linux/${{ matrix.arch }} "quay.io/rhacs-eng/stackrox-operator:$(make --quiet --no-print-directory -C operator tag)" --help | |
| - name: Push image | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
| push_context="" | |
| if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
| push_context="merge-to-master" | |
| fi | |
| echo "Starting operator image push for context: \"$push_context\", branding: \"${{ env.ROX_PRODUCT_BRANDING }}\", arch: \"${{ matrix.arch }}\"" | |
| if ! push_operator_image "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}"; then | |
| echo "ERROR: push_operator_image failed" >&2 | |
| exit 1 | |
| fi | |
| echo "Operator image push completed successfully" | |
| - name: Push bundle image | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| make -C operator/ docker-push-bundle | cat | |
| # Index image can only be built once bundle was pushed | |
| - name: Build index | |
| # Skip for external contributions as the build relies on the previous image to be pushed. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| make -C operator/ index-build | |
| - name: Push index image | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| make -C operator/ docker-push-index | cat | |
| push-operator-manifests: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - define-job-matrix | |
| - build-and-push-operator | |
| # This step will run even if some of the build-and-push-matrix steps failed. | |
| # By following this approach as much of the build matrix as possible is | |
| # completed despite transient issues e.g. docker pull timeouts. In this way | |
| # some e2e jobs that require some part of the build matrix can still | |
| # proceed. | |
| if: ${{ !cancelled() }} | |
| strategy: | |
| # Supports image builds (see Setup build env): | |
| # RHACS_BRANDING | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).push_operator_multiarch_manifests }} | |
| env: | |
| ROX_PRODUCT_BRANDING: "" | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| volumes: | |
| - /usr:/mnt/usr | |
| - /opt:/mnt/opt | |
| env: | |
| QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} | |
| QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| steps: | |
| - name: Setup build env | |
| run: | | |
| case "${{ matrix.name }}" in | |
| RHACS_BRANDING) | |
| brand="RHACS_BRANDING" | |
| ;; | |
| *) | |
| echo "Unsupported build: ${{ matrix.name }}" | |
| exit 1 | |
| esac | |
| { | |
| echo "ROX_PRODUCT_BRANDING=${brand}" | |
| } >> "$GITHUB_ENV" | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Push operator manifest lists | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}" | |
| push_context="" | |
| if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then | |
| push_context="merge-to-master" | |
| fi | |
| push_operator_manifest_lists "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" ${{ matrix.archs }} | |
| scan-go-binaries: | |
| if: | | |
| contains(github.event.pull_request.labels.*.name, 'scan-go-binaries') | |
| env: | |
| ARTIFACT_DIR: junit-reports/ | |
| runs-on: ubuntu-latest | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9 | |
| needs: | |
| - pre-build-cli | |
| - pre-build-go-binaries | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 1 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: cli-build | |
| - name: Unpack cli build | |
| run: | | |
| tar xvzf cli-build.tgz | |
| - uses: ./.github/actions/download-artifact-with-retry | |
| with: | |
| name: go-binaries-build-amd64-default | |
| - name: Unpack Go binaries build | |
| run: | | |
| tar xvzf go-binaries-build.tgz | |
| - name: Scan | |
| run: | | |
| ./scripts/ci/govulncheck.sh | |
| - name: Publish Test Report | |
| uses: test-summary/action@v2 | |
| if: always() | |
| with: | |
| paths: 'junit-reports/**/*.xml' | |
| - name: Report junit failures in jira | |
| uses: ./.github/actions/junit2jira | |
| if: always() | |
| with: | |
| jira-token: ${{ secrets.JIRA_TOKEN }} | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| directory: 'junit-reports' | |
| scan-images-with-roxctl: | |
| if: github.event_name == 'push' || | |
| contains(github.event.pull_request.labels.*.name, 'scan-images-with-roxctl') | |
| needs: | |
| - define-job-matrix | |
| - build-and-push-main | |
| - build-and-push-operator | |
| - push-main-manifests | |
| name: Check images for vulnerabilities | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # Needed for stackrox/central-login to create the JWT token. | |
| id-token: write | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).scan_images_with_roxctl }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ inputs.commit || github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Central login | |
| uses: stackrox/central-login@v1 | |
| with: | |
| endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }} | |
| - name: Install roxctl | |
| uses: stackrox/roxctl-installer-action@v1 | |
| with: | |
| central-endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }} | |
| central-token: ${{ env.ROX_API_TOKEN }} | |
| - name: Scan images for vulnerabilities | |
| run: | | |
| release_tag="$(make --quiet --no-print-directory tag)" | |
| if [[ "${{ matrix.image }}" =~ "operator" ]]; then | |
| release_tag="$(make -C operator --quiet --no-print-directory tag)" | |
| fi | |
| registry="$(./scripts/ci/lib.sh registry_from_branding "${{ matrix.name }}")" | |
| roxctl image scan --retries=10 --retry-delay=15 --force --severity=CRITICAL,IMPORTANT --output=sarif \ | |
| --image="${registry}/${{ matrix.image }}:${release_tag}" \ | |
| | tee results.sarif | |
| # TODO: re-enable roxctl scan results upload once quota issue has been resolved | |
| # - name: Upload roxctl scan results to GitHub Security tab | |
| # uses: github/codeql-action/upload-sarif@v3 | |
| # with: | |
| # category: ${{ matrix.image }} | |
| # sarif_file: results.sarif | |
| slack-on-build-failure: | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SLACK_CI_INTEGRATION_TESTING_WEBHOOK: ${{ secrets.SLACK_CI_INTEGRATION_TESTING_WEBHOOK }} | |
| TEST_FAILURES_NOTIFY_WEBHOOK: ${{ secrets.TEST_FAILURES_NOTIFY_WEBHOOK }} | |
| if: | | |
| failure() && ( | |
| github.event_name == 'push' || | |
| contains(github.event.pull_request.labels.*.name, 'ci-test-github-action-slack-messages') | |
| ) | |
| name: Post failure message to Slack | |
| runs-on: ubuntu-latest | |
| needs: | |
| - pre-build-ui | |
| - pre-build-cli | |
| - pre-build-go-binaries | |
| - pre-build-docs | |
| - build-and-push-main | |
| - build-and-push-operator | |
| - scan-images-with-roxctl | |
| - scan-go-binaries | |
| permissions: | |
| actions: read | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Slack message | |
| env: | |
| GITHUB_CONTEXT: ${{ toJSON(github) }} | |
| run: | | |
| source scripts/ci/lib.sh | |
| slack_workflow_failure |