diff --git a/.github/workflows/collector-builder.yml b/.github/workflows/collector-builder.yml index 4da23532ec..d535bcb458 100644 --- a/.github/workflows/collector-builder.yml +++ b/.github/workflows/collector-builder.yml @@ -8,6 +8,7 @@ on: required: true description: | The tag used to build the collector image + outputs: collector-builder-tag: description: The builder tag used by the build @@ -23,7 +24,11 @@ jobs: name: Determine if builder image needs to be built runs-on: ubuntu-24.04 outputs: - build-image: ${{ steps.changed.outputs.builder-changed }} + build-image: ${{ steps.builder-tag.outputs.build-image || false }} + collector-builder-tag: ${{ steps.builder-tag.outputs.collector-builder-tag || 'master'}} + + env: + DEFAULT_BUILDER_TAG: master steps: - uses: actions/checkout@v4 @@ -38,11 +43,29 @@ jobs: - builder/Dockerfile - .github/workflows/collector-builder.yml + - name: Check labels and define builder tag + id: builder-tag + if: | + steps.changed.outputs.builder-changed == 'true' || + (github.event_name == 'push' && ( + github.ref_type == 'tag' || startsWith(github.ref_name, 'release-') + )) || + contains(github.event.pull_request.labels.*.name, 'build-builder-image') || + github.event_name == 'schedule' + run: | + COLLECTOR_BUILDER_TAG="${DEFAULT_BUILDER_TAG}" + if [[ "${{ github.event_name }}" == 'pull_request' || \ + "${{ github.ref_type }}" == 'tag' || \ + "${{ github.ref_name }}" =~ ^release- ]]; then + COLLECTOR_BUILDER_TAG="${{ inputs.collector-tag }}" + fi + + echo "::notice::Rebuild builder image with tag ${COLLECTOR_BUILDER_TAG}" + echo "collector-builder-tag=${COLLECTOR_BUILDER_TAG}" >> "$GITHUB_OUTPUT" + echo "build-image=true" >> "$GITHUB_OUTPUT" + build-builder-image: - name: Build the builder image - runs-on: ubuntu-24.04 - # Multiarch builds sometimes take for eeeeeeeeeever - timeout-minutes: 480 + name: Build builder image needs: - builder-needs-rebuilding if: | 
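Review bot: The fallback `'master'` in the `collector-builder-tag` job output repeats the value of the new `DEFAULT_BUILDER_TAG` env entry, so the two can drift apart if only one is edited. The output falls back to this literal whenever the `builder-tag` step is skipped, so a one-line comment above it would help, for example `# must match DEFAULT_BUILDER_TAG; used when the builder-tag step is skipped`. The expression is also missing the space before the closing `}}` that the `build-image` line above it has.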
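Review bot: The `run:` script of the new `builder-tag` step splices `${{ github.ref_name }}` and `${{ inputs.collector-tag }}` into the shell text before bash parses it, so a ref name or caller-supplied tag containing quotes or shell syntax changes the script itself rather than the value being compared. Passing the four expressions through a step-level `env:` map and reading them as quoted shell variables keeps them as data. The same script existed in the `Define builder tag` step that this commit removes from `build-builder-image`, so the move is a good moment to fix it. The `build-builder-image` job that follows continues past the end of this hunk.

```yaml
      # … unchanged: name, id and if: of the builder-tag step …
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_TYPE: ${{ github.ref_type }}
          REF_NAME: ${{ github.ref_name }}
          COLLECTOR_TAG: ${{ inputs.collector-tag }}
        run: |
          COLLECTOR_BUILDER_TAG="${DEFAULT_BUILDER_TAG}"
          if [[ "${EVENT_NAME}" == 'pull_request' || \
                "${REF_TYPE}" == 'tag' || \
                "${REF_NAME}" =~ ^release- ]]; then
            COLLECTOR_BUILDER_TAG="${COLLECTOR_TAG}"
          fi
          # … unchanged: ::notice:: line and the two GITHUB_OUTPUT writes …
```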
@@ -57,7 +80,15 @@ jobs: strategy: fail-fast: false matrix: - arch: [amd64, ppc64le, s390x, arm64] + arch: + - amd64 + - arm64 + - ppc64le + - s390x + runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || + (matrix.arch == 'ppc64le' && 'ubuntu-24.04-ppc64le') || + (matrix.arch == 's390x' && 'ubuntu-24.04-s390x') || + 'ubuntu-24.04' }} env: PLATFORM: linux/${{ matrix.arch }} 
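Review bot: The `runs-on` expression sends the ppc64le and s390x legs to the runner labels `ubuntu-24.04-ppc64le` and `ubuntu-24.04-s390x`, and nothing visible in the workflow says who operates those runners or whether they are wiped between jobs. This matters because a later step in the same job writes registry read-write credentials to `ansible/secrets.yml` in the workspace, which would survive on a runner that is reused. A comment above the expression would record the assumption, for example `# ppc64le/s390x labels: <runner provider>; runners must be ephemeral, this job writes registry credentials to disk`. The same expression is added to `build-collector-image` in collector.yml, and the comment applies there as well.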
@@ -68,74 +99,27 @@ jobs: with: submodules: true - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - uses: actions/setup-python@v5 - with: - python-version: "3.10" - - - uses: 'google-github-actions/auth@v2' - with: - credentials_json: '${{ secrets.GOOGLE_CREDENTIALS_COLLECTOR_SVC_ACCT }}' - - - uses: 'google-github-actions/setup-gcloud@v2' - - - uses: ./.github/actions/setup-vm-creds - with: - gcp-ssh-key: ${{ secrets.GCP_SSH_KEY }} - gcp-ssh-key-pub: ${{ secrets.GCP_SSH_KEY_PUB }} - s390x-ssh-key: ${{ secrets.IBM_CLOUD_S390X_SSH_PRIVATE_KEY }} - ppc64le-ssh-key: ${{ secrets.IBM_CLOUD_POWER_SSH_PRIVATE_KEY }} - ppc64le-ssh-key-pub: ${{ secrets.IBM_CLOUD_POWER_SSH_PUBLIC_KEY }} - s390x-key: ${{ secrets.IBM_CLOUD_S390x_API_KEY }} - ppc64le-key: ${{ secrets.IBM_CLOUD_POWER_API_KEY }} - redhat-username: ${{ secrets.REDHAT_USERNAME }} - redhat-password: ${{ secrets.REDHAT_PASSWORD }} - vm-type: all - job-tag: builder - - - name: Create Build VMs - if: | - matrix.arch == 's390x' && - (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds')) + - name: Install ansible on P&Z runners + if: matrix.arch == 'ppc64le' || matrix.arch == 's390x' run: | - make -C "${{ github.workspace }}/ansible" create-build-vms - - - name: Define builder tag - id: builder-tag - run: | - COLLECTOR_BUILDER_TAG="${DEFAULT_BUILDER_TAG}" - if [[ "${{ github.event_name }}" == 'pull_request' || \ - "${{ github.ref_type }}" == 'tag' || \ - "${{ github.ref_name }}" =~ ^release- ]]; then - COLLECTOR_BUILDER_TAG="${{ inputs.collector-tag }}" - fi - - echo "COLLECTOR_BUILDER_TAG=${COLLECTOR_BUILDER_TAG}" >> "$GITHUB_ENV" - echo "collector-builder-tag=${COLLECTOR_BUILDER_TAG}" >> "$GITHUB_OUTPUT" + sudo apt-get install -y ansible - name: Create ansible vars run: | - { - echo "---" - echo "stackrox_io_username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}" - echo 
"stackrox_io_password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}" - echo "rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}" - echo "rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}" - echo "collector_git_ref: ${{ github.ref }}" - echo "collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }}" - } > ${{ github.workspace }}/ansible/secrets.yml + cat << EOF > ${{ github.workspace }}/ansible/secrets.yml + --- + stackrox_io_username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} + stackrox_io_password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} + rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} + rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} + collector_git_ref: ${{ github.ref }} + collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }} + EOF - name: Build images - if: | - (github.event_name != 'pull_request' && matrix.arch != 's390x') || - matrix.arch == 'amd64' || - (contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') && matrix.arch != 's390x') - timeout-minutes: 480 run: | ansible-galaxy install -r ansible/requirements.yml ansible-playbook \ @@ -146,24 +130,6 @@ jobs: -e @'${{ github.workspace }}/ansible/secrets.yml' \ ansible/ci-build-builder.yml - - name: Build s390x images - if: | - (github.event_name != 'pull_request' && matrix.arch == 's390x') || - (contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') && matrix.arch == 's390x') - timeout-minutes: 480 - run: | - ansible-playbook \ - -i ansible/ci \ - -e build_hosts='job_id_${{ env.JOB_ID }}' \ - -e arch='${{ matrix.arch }}' \ - -e @'${{ github.workspace }}/ansible/secrets.yml' \ - ansible/ci-build-builder.yml - - - name: Destroy VMs - if: always() && matrix.arch == 's390x' - run: | - make -C ansible destroy-vms - create-multiarch-manifest: needs: - build-builder-image 
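Review bot: `collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }}` in the rewritten `Create ansible vars` step still reads an environment variable whose only visible writer, the `Define builder tag` step with its `>> "$GITHUB_ENV"` line, is deleted in this same hunk. Unless the job's `env:` block defines it in lines outside the hunk, the heredoc will write an empty tag into `ansible/secrets.yml`. The job already lists `builder-needs-rebuilding` under `needs`, so the line could read `collector_builder_tag: ${{ needs.builder-needs-rebuilding.outputs.collector-builder-tag }}`. Separately, the heredoc delimiter is unquoted, so bash still expands any `$` or backtick inside a secret value; this heredoc holds only `${{ }}` expressions, so `cat << 'EOF'` would write the values literally.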
@@ -174,8 +140,8 @@ jobs: (needs.build-builder-image.outputs.collector-builder-tag != 'cache' && contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds')) env: - COLLECTOR_BUILDER_TAG: ${{ needs.build-builder-image.outputs.collector-builder-tag }} - ARCHS: amd64 ppc64le s390x arm64 + COLLECTOR_BUILDER_TAG: ${{ needs.builder-needs-rebuilding.outputs.collector-builder-tag }} + ARCHS: amd64 arm64 ppc64le s390x steps: - uses: actions/checkout@v4 @@ -208,15 +174,8 @@ jobs: retag-x86-image: needs: - - build-builder-image - name: Retag x86 builder image - runs-on: ubuntu-24.04 - if: | - github.event_name == 'pull_request' && - needs.build-builder-image.outputs.collector-builder-tag != 'cache' && - !contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') - env: - COLLECTOR_BUILDER_TAG: ${{ needs.build-builder-image.outputs.collector-builder-tag }} + - build-builder-image + - create-multiarch-manifest steps: - name: Pull image to retag run: | diff --git a/.github/workflows/collector.yml b/.github/workflows/collector.yml index 3c2f8e4288..17a72331b5 100644 --- a/.github/workflows/collector.yml +++ b/.github/workflows/collector.yml @@ -29,12 +29,19 @@ env: jobs: build-collector-image: - name: Build Collector - runs-on: ubuntu-24.04 + name: Build collector image ${{ matrix.arch }} strategy: fail-fast: false matrix: - arch: [amd64, ppc64le, arm64] + arch: + - amd64 + - arm64 + - ppc64le + - s390x + runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || + (matrix.arch == 'ppc64le' && 'ubuntu-24.04-ppc64le') || + (matrix.arch == 's390x' && 'ubuntu-24.04-s390x') || + 'ubuntu-24.04' }} env: PLATFORM: linux/${{ matrix.arch }} 
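Review bot: `COLLECTOR_BUILDER_TAG` now reads `needs.builder-needs-rebuilding.outputs.collector-builder-tag`, but the `needs` list visible for `create-multiarch-manifest` names only `build-builder-image`, and the `needs` context holds the outputs of direct dependencies only. If `builder-needs-rebuilding` is not added to that list in lines outside this hunk, the variable resolves to an empty string; adding `- builder-needs-rebuilding` under `needs:` fixes it. The job's `if:` just above still tests `needs.build-builder-image.outputs.collector-builder-tag != 'cache'`. The step that produced that tag was moved out of `build-builder-image`, so that condition likely wants the same `needs.builder-needs-rebuilding` source.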
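Review bot: As shown, `retag-x86-image` goes straight from `needs:` to `steps:` on the new side: the hunk removes `runs-on: ubuntu-24.04` and adds no replacement, and a job that has `steps` needs a `runs-on` to be accepted. The removed `env:` block also took `COLLECTOR_BUILDER_TAG` with it, which the pull and retag steps below the hunk presumably use, and the removed `if:` was what limited the job to pull requests without the `run-multiarch-builds` label. With `create-multiarch-manifest` added to `needs`, the job is also skipped whenever that job's own `if:` is false. The `retag-x86-image` hunk in collector.yml (`@@ -245,12 +172,8`) has the same shape; restoring `runs-on:` and stating the intended condition explicitly would cover both.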
@@ -45,12 +52,14 @@ jobs: with: submodules: true - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Install ansible on P&Z runners + if: matrix.arch == 'ppc64le' || matrix.arch == 's390x' + run: | + sudo apt-get install -y ansible + - name: Create ansible vars run: | cat << EOF > ${{ github.workspace }}/ansible/secrets.yml @@ -69,12 +78,7 @@ jobs: driver_version: ${DRIVER_VERSION} EOF - - name: Build images - if: | - github.event_name != 'pull_request' || - matrix.arch == 'amd64' || - contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') - timeout-minutes: 480 + - name: Build ${{ matrix.arch }} image locally run: | ansible-playbook \ --connection local \ 
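Review bot: The new `Install ansible on P&Z runners` step runs `sudo apt-get install -y ansible` against whatever package index the runner already holds, so it can fail on a stale index and otherwise installs whichever ansible version the runner's repositories offer that day. The playbook run that follows handles the registry credentials from `ansible/secrets.yml`, so refreshing the index and pinning the package is worth the two lines: `sudo apt-get update` followed by `sudo apt-get install -y ansible=<pinned version>`. The same step is added to `build-builder-image` in collector-builder.yml.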
@@ -84,93 +88,16 @@ jobs: -e @'${{ github.workspace }}/ansible/secrets.yml' \ ansible/ci-build-collector.yml - build-collector-image-remote-vm: - name: Build Collector on a remote VM - runs-on: ubuntu-24.04 - if: github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') - strategy: - fail-fast: false - matrix: - arch: [s390x] - - env: - PLATFORM: linux/${{ matrix.arch }} - - steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-python@v5 - with: - python-version: "3.10" - - - uses: 'google-github-actions/auth@v2' - with: - credentials_json: '${{ secrets.GOOGLE_CREDENTIALS_COLLECTOR_SVC_ACCT }}' - - - uses: 'google-github-actions/setup-gcloud@v2' - - - uses: ./.github/actions/setup-vm-creds - with: - gcp-ssh-key: ${{ secrets.GCP_SSH_KEY }} - gcp-ssh-key-pub: ${{ secrets.GCP_SSH_KEY_PUB }} - s390x-ssh-key: ${{ secrets.IBM_CLOUD_S390X_SSH_PRIVATE_KEY }} - ppc64le-ssh-key: ${{ secrets.IBM_CLOUD_POWER_SSH_PRIVATE_KEY }} - ppc64le-ssh-key-pub: ${{ secrets.IBM_CLOUD_POWER_SSH_PUBLIC_KEY }} - s390x-key: ${{ secrets.IBM_CLOUD_S390x_API_KEY }} - ppc64le-key: ${{ secrets.IBM_CLOUD_POWER_API_KEY }} - redhat-username: ${{ secrets.REDHAT_USERNAME }} - redhat-password: ${{ secrets.REDHAT_PASSWORD }} - vm-type: rhel-${{ matrix.arch }} - job-tag: builder - - - name: Create Build VMs - run: | - make -C "${{ github.workspace }}/ansible" create-build-vms - - - name: Create ansible vars - run: | - cat << EOF > ${{ github.workspace }}/ansible/secrets.yml - --- - stackrox_io_username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} - stackrox_io_password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} - rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} - rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} - collector_git_ref: ${{ github.ref }} - collector_git_sha: ${{ github.sha }} - collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }} - disable_profiling: ${{ matrix.arch != 'amd64' && matrix.arch != 
'arm64' }} - rhacs_eng_image: ${{ env.RHACS_ENG_IMAGE }} - collector_image: ${{ inputs.collector-image }} - collector_tag: ${{ inputs.collector-tag }} - debug_mode: ${{ github.event_name == 'pull_request' }} - EOF - - - name: Build ${{ matrix.arch }} image - timeout-minutes: 480 - run: | - ansible-playbook \ - -i ansible/ci \ - -e arch='${{ matrix.arch }}' \ - -e build_hosts='job_id_${{ env.JOB_ID }}' \ - -e @'${{ github.workspace }}/ansible/secrets.yml' \ - ansible/ci-build-collector.yml - - - name: Destroy Build VMs - if: always() - run: | - make -C ansible destroy-vms - create-multiarch-manifest: needs: - build-collector-image - - build-collector-image-remote-vm name: Create Multiarch manifest runs-on: ubuntu-24.04 if: | github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') env: - ARCHS: amd64 ppc64le s390x arm64 + ARCHS: amd64 arm64 ppc64le s390x steps: - uses: actions/checkout@v4 @@ -245,12 +172,8 @@ jobs: retag-x86-image: needs: - - build-collector-image - name: Retag x86 slim image - runs-on: ubuntu-24.04 - if: | - github.event_name == 'pull_request' && - !contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') + - build-collector-image + - create-multiarch-manifest steps: - name: Pull image to retag run: | diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index d7c4d41cfb..2a441d78de 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -116,9 +116,6 @@ jobs: s390x-integration-tests: uses: ./.github/workflows/integration-tests-vm-type.yml - if: | - github.event_name != 'pull_request' || - contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') with: vm_type: rhel-s390x collector-tag: ${{ inputs.collector-tag }} 
@@ -130,9 +127,6 @@ jobs: ppc64le-integration-tests: uses: ./.github/workflows/integration-tests-vm-type.yml - if: | - github.event_name != 'pull_request' || - contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') with: vm_type: rhel-ppc64le collector-tag: ${{ inputs.collector-tag }} diff --git a/ansible/ci-build-builder.yml b/ansible/ci-build-builder.yml index d91284aaee..28706cea0d 100644 --- a/ansible/ci-build-builder.yml +++ b/ansible/ci-build-builder.yml @@ -12,18 +12,6 @@ local_branch: local tasks: - - name: Clone repository - ansible.builtin.git: - repo: https://github.com/stackrox/collector - dest: "{{ collector_root }}" - # We fetch the ref (either master, or pull//merge) and then - # create a local branch based on that. Doing it this way, rather - # than with commit hashes, prevents "reference is not a tree" errors - version: "{{ local_branch }}" - refspec: "+{{ collector_git_ref | replace('refs/', '') }}:{{ local_branch }}" - recursive: true - when: arch == "s390x" - - name: Build the collector builder image community.general.make: chdir: "{{ ansible_env.GITHUB_WORKSPACE | default(collector_root) }}" diff --git a/ansible/ci-build-collector.yml b/ansible/ci-build-collector.yml index 960eb4d8f2..72a4a3eaf0 100644 --- a/ansible/ci-build-collector.yml +++ b/ansible/ci-build-collector.yml 
@@ -14,19 +14,6 @@ local_branch: local tasks: - - debug: var=collector_root - - name: Clone repository - ansible.builtin.git: - repo: https://github.com/stackrox/collector - dest: "{{ collector_root }}" - # We fetch the ref (either master, or pull//merge) and then - # create a local branch based on that. Doing it this way, rather - # than with commit hashes, prevents "reference is not a tree" errors - version: "{{ local_branch }}" - refspec: "+{{ collector_git_ref | replace('refs/', '') }}:{{ local_branch }}" - recursive: true - when: arch == "s390x" - - name: Run the builder image community.general.make: chdir: "{{ ansible_env.GITHUB_WORKSPACE | default(collector_root) }}"