Skip to content

feat: multi-arch operator, bundle, and catalog image builds#3055

Open
polasudo wants to merge 9 commits into
redhat-developer:mainfrom
polasudo:feat/multi-arch-operator-build
Open

feat: multi-arch operator, bundle, and catalog image builds#3055
polasudo wants to merge 9 commits into
redhat-developer:mainfrom
polasudo:feat/multi-arch-operator-build

Conversation

@polasudo

Copy link
Copy Markdown
Member

Summary

  • Replace the single-runner amd64-only CI build with a matrix strategy that builds on both ubuntu-24.04 (amd64) and ubuntu-24.04-arm (arm64)
  • Add a merge job that creates multi-arch manifest lists using docker buildx imagetools create
  • All three images (operator, operator-bundle, operator-catalog) are now published as multi-arch manifest lists

What changes

File: .github/workflows/next-container-build.yaml

The single next-build job is replaced with two jobs:

  1. build — matrix over [ubuntu-24.04, ubuntu-24.04-arm], each runner builds all 3 images for its native architecture using existing Makefile targets (image-build, bundle-build, catalog-build with PLATFORM override), then pushes with per-arch tag suffixes (e.g., operator:next-amd64)

  2. merge — downloads build markers, creates multi-arch manifest lists via docker buildx imagetools create, tags final images (e.g., operator:next), and optionally cleans up per-arch tags via Quay API

Why

The community hub image (quay.io/rhdh-community/rhdh) already ships as a multi-arch manifest list (amd64 + arm64). The operator stack is the remaining gap blocking ARM64 RHDH deployments via the operator.

No Makefile or Dockerfile changes are needed — the operator Dockerfile already uses TARGETOS/TARGETARCH build args and bundle images use FROM scratch.

Pattern

Follows the same proven multi-arch build pattern from the hub repo's next-build-image.yaml workflow (matrix runners → per-arch push → manifest merge).

Test plan

  • Both matrix runners (amd64, arm64) complete successfully
  • docker buildx imagetools inspect quay.io/rhdh-community/operator:next shows both architectures
  • podman pull --platform linux/arm64 quay.io/rhdh-community/operator:next succeeds
  • Same for operator-bundle and operator-catalog images
  • Per-arch tags are cleaned up after manifest creation

🤖 Generated with Claude Code

Comment thread .github/workflows/next-container-build.yaml Fixed
@Fortune-Ndlovu

Copy link
Copy Markdown
Member

/agentic_review

@rhdh-qodo-merge

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (1) 📜 Skill insights (0)

Grey Divider


Action required

1. Branch detection uses HEAD 🐞 Bug ≡ Correctness
Description
LATEST_NEXT is computed using git rev-parse --abbrev-ref HEAD, but the checkout step does not set
ref: and commonly results in a detached HEAD; this can resolve to HEAD and incorrectly pick
latest even on main. That mis-tags published images/manifests (next vs latest) for the main
branch.
Code

.github/workflows/next-container-build.yaml[R93-98]

+          latestNext="next"
+          # for main branch, use next tags; for 1.y branches, use :latest tags
+          if [[ $(git rev-parse --abbrev-ref HEAD) != "main" ]]; then
+            latestNext="latest"
+          fi
+          echo "LATEST_NEXT=$latestNext" >> $GITHUB_ENV
Relevance

⭐⭐⭐ High

Team accepted pinning checkout ref/SHA to avoid ambiguous HEAD in workflows (PR #2293, #3076).

PR-#2293
PR-#3076

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The workflow derives the branch name from git, while the checkout step doesn’t pin a branch ref;
elsewhere in the repo, workflows use github.ref_name to avoid detached-HEAD ambiguity.

.github/workflows/next-container-build.yaml[34-38]
.github/workflows/next-container-build.yaml[93-99]
.github/workflows/update-rpm-lockfile.yaml[77-82]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Branch/tag selection uses `git rev-parse --abbrev-ref HEAD`, which is unreliable under `actions/checkout` because the repo may be in detached HEAD state. This can miscompute `LATEST_NEXT`.

## Issue Context
Other workflows in this repo already use `${{ github.ref_name }}` to determine the branch.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[34-38]
- .github/workflows/next-container-build.yaml[93-98]
- .github/workflows/next-container-build.yaml[191-195]

## Implementation notes
Replace the `git rev-parse --abbrev-ref HEAD` checks with `${GITHUB_REF_NAME}` (or `${{ github.ref_name }}`) and compare against `main`. Apply the same fix in both the build and merge "Prepare" steps.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


2. Missing set -u strictness 📘 Rule violation ☼ Reliability
Description
New GitHub Actions run scripts use set -ex (or no strict mode) but omit set -u and do not
validate required environment variables, which can mask unset-variable failures. The scripts also
use unquoted variable expansions (e.g., >> $GITHUB_ENV, ${REGISTRY_WITH_ORG}/${image}...),
increasing brittleness and ShellCheck-style compliance risk.
Code

.github/workflows/next-container-build.yaml[R185-242]

+        run: |
+          SHORT_SHA=$(git rev-parse --short HEAD)
+          echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV
+          BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | sed -r -e "s/.+= //")
+          echo "BASE_VERSION=$BASE_VERSION" >> $GITHUB_ENV
+
+          latestNext="next"
+          if [[ $(git rev-parse --abbrev-ref HEAD) != "main" ]]; then
+            latestNext="latest"
+          fi
+          echo "LATEST_NEXT=$latestNext" >> $GITHUB_ENV
+
+          # Check which architectures actually built
+          echo "Build markers found:"
+          ls -la /tmp/build-markers/ || echo "No markers found"
+
+      - name: Login to registry (${{ env.REGISTRY }})
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ vars.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+      - name: Create manifest lists and push
+        run: |
+          export REGISTRY_WITH_ORG=${{ env.REGISTRY }}/${{ vars.REGISTRY_ORG }}
+          export OPERATOR_IMAGE_NAME=${{ vars.OPERATOR_IMAGE_NAME }}
+          OPERATOR_IMAGE_NAME=${OPERATOR_IMAGE_NAME:-operator}
+
+          set -ex
+
+          for image in ${OPERATOR_IMAGE_NAME} ${OPERATOR_IMAGE_NAME}-bundle ${OPERATOR_IMAGE_NAME}-catalog; do
+            echo "=== Creating manifest list for ${image} ==="
+
+            # Create manifest list for version tag
+            docker buildx imagetools create \
+              -t ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION} \
+              ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-amd64 \
+              ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-arm64
+
+            # Create manifest list for version-sha tag
+            docker buildx imagetools create \
+              -t ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA} \
+              ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-amd64 \
+              ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-arm64
+
+            # Create manifest list for latestNext tag (next or latest)
+            docker buildx imagetools create \
+              -t ${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT} \
+              ${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT}-amd64 \
+              ${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT}-arm64
+
+            echo "=== Inspecting manifest for ${image}:${LATEST_NEXT} ==="
+            docker buildx imagetools inspect ${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT}
+          done
Relevance

⭐⭐ Medium

Evidence on shell hardening is mixed; repo has accepted some quoting, but no set -u enforcement
history.

PR-#1585
PR-#2293

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
PR Compliance ID 5 requires hardened shell scripting (strict mode incl. -u, quoting, and required
env validation). The new workflow adds multiple run: | blocks that (a) write to GITHUB_ENV using
an unquoted redirection target and (b) use set -ex (not set -euo pipefail) and unquoted
expansions in loops/commands, without any : "${VAR:?}" validations.

.github/workflows/next-container-build.yaml[76-99]
.github/workflows/next-container-build.yaml[125-139]
.github/workflows/next-container-build.yaml[213-242]
Best Practice: Repository guidelines

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The workflow `run` scripts are not hardened: they omit `set -euo pipefail` (notably `-u`), do not validate required env vars, and contain unquoted variable expansions.

## Issue Context
PR Compliance ID 5 requires strict modes, quoting, and env validation for shell scripts embedded in workflows.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[71-99]
- .github/workflows/next-container-build.yaml[114-140]
- .github/workflows/next-container-build.yaml[184-242]
- .github/workflows/next-container-build.yaml[247-264]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


3. Wrong SHA manifest sources 🐞 Bug ≡ Correctness
Description
The merge job creates the ${BASE_VERSION}-${SHORT_SHA} manifest list from
${BASE_VERSION}-amd64/arm64 instead of the SHA-scoped per-arch tags, so the commit-specific tag
points at the wrong image content. This also makes the pushed per-arch SHA tags unused (and cleanup
deletes tags that were never referenced).
Code

.github/workflows/next-container-build.yaml[R228-232]

+            # Create manifest list for version-sha tag
+            docker buildx imagetools create \
+              -t ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA} \
+              ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-amd64 \
+              ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-arm64
Relevance

⭐⭐ Medium

No historical evidence found about correctness of manifest tag inputs (SHA-scoped vs version-scoped)
in workflows.

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The build job pushes SHA-scoped per-arch tags, but the merge job doesn’t use them when building the
${BASE_VERSION}-${SHORT_SHA} manifest list.

.github/workflows/next-container-build.yaml[130-139]
.github/workflows/next-container-build.yaml[228-233]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The merge job tags `${BASE_VERSION}-${SHORT_SHA}` but incorrectly uses `${BASE_VERSION}-{amd64,arm64}` as sources. This makes the SHA tag not represent the commit build.

## Issue Context
The build job already pushes per-arch SHA tags `${BASE_VERSION}-${SHORT_SHA}-${arch}`.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[228-233]

## Implementation notes
Update the `docker buildx imagetools create` invocation for the `${BASE_VERSION}-${SHORT_SHA}` tag to reference:
- `${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA}-amd64`
- `${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA}-arm64`
(instead of `${BASE_VERSION}-amd64/arm64`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


View more (1)
4. Merge runs without builds 🐞 Bug ☼ Reliability
Description
All build/push and marker upload steps are gated by any_changed == 'true', but the merge job
runs unconditionally and will attempt to download markers and create manifests even when nothing was
built. This can fail the workflow (no artifacts/tags) on pushes that only change ignored files
(e.g., docs/tests).
Code

.github/workflows/next-container-build.yaml[R161-183]

+  merge:
+    name: Create multi-arch manifests
+    runs-on: ubuntu-latest
+    needs:
+      - build
+    permissions:
+      contents: read
+      packages: write
+    env:
+      HAS_QUAY_OAUTH: ${{ secrets.QUAY_OAUTH_TOKEN != '' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Download build markers
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          path: /tmp/build-markers
+          pattern: build-marker-*
+          merge-multiple: true
+
Relevance

⭐⭐ Medium

No direct precedent for gating merge/manifest job when builds skipped; only general use of
conditional guards (PR #1136).

PR-#1136

ⓘ Recommendations generated based on similar findings in past PRs

Evidence
The workflow explicitly skips marker upload when any_changed is false, but still executes merge
and its download/manifest steps without any equivalent guard.

.github/workflows/next-container-build.yaml[39-62]
.github/workflows/next-container-build.yaml[71-160]
.github/workflows/next-container-build.yaml[161-183]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`merge` always runs after the matrix job, but the matrix build/push steps are skipped when `changed-files` reports `any_changed != 'true'`. In that case, `merge` still tries to download build markers and create manifests from tags that were never pushed.

## Issue Context
The build job already computes `steps.changed-files.outputs.any_changed`, but that value is not available to `merge` and the build marker artifacts are only uploaded when changes exist.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[39-62]
- .github/workflows/next-container-build.yaml[146-160]
- .github/workflows/next-container-build.yaml[161-183]

## Implementation notes
Recommended approach:
1. Add a new `changes` job that runs `tj-actions/changed-files` once and exposes `outputs.any_changed`.
2. Add job-level `if: needs.changes.outputs.any_changed == 'true'` to both `build` and `merge`.
3. Update `merge.needs` to include `changes`.

Alternative (less clean): re-run `changed-files` in `merge` and gate the manifest/cleanup steps on its result.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment on lines +185 to +242
run: |
SHORT_SHA=$(git rev-parse --short HEAD)
echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV
BASE_VERSION=$(grep -E "^VERSION \?=" Makefile | sed -r -e "s/.+= //")
echo "BASE_VERSION=$BASE_VERSION" >> $GITHUB_ENV

latestNext="next"
if [[ $(git rev-parse --abbrev-ref HEAD) != "main" ]]; then
latestNext="latest"
fi
echo "LATEST_NEXT=$latestNext" >> $GITHUB_ENV

# Check which architectures actually built
echo "Build markers found:"
ls -la /tmp/build-markers/ || echo "No markers found"

- name: Login to registry (${{ env.REGISTRY }})
uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ vars.QUAY_USERNAME }}
password: ${{ secrets.QUAY_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Create manifest lists and push
run: |
export REGISTRY_WITH_ORG=${{ env.REGISTRY }}/${{ vars.REGISTRY_ORG }}
export OPERATOR_IMAGE_NAME=${{ vars.OPERATOR_IMAGE_NAME }}
OPERATOR_IMAGE_NAME=${OPERATOR_IMAGE_NAME:-operator}

set -ex

for image in ${OPERATOR_IMAGE_NAME} ${OPERATOR_IMAGE_NAME}-bundle ${OPERATOR_IMAGE_NAME}-catalog; do
echo "=== Creating manifest list for ${image} ==="

# Create manifest list for version tag
docker buildx imagetools create \
-t ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION} \
${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-amd64 \
${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-arm64

# Create manifest list for version-sha tag
docker buildx imagetools create \
-t ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA} \
${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-amd64 \
${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-arm64

# Create manifest list for latestNext tag (next or latest)
docker buildx imagetools create \
-t ${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT} \
${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT}-amd64 \
${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT}-arm64

echo "=== Inspecting manifest for ${image}:${LATEST_NEXT} ==="
docker buildx imagetools inspect ${REGISTRY_WITH_ORG}/${image}:${LATEST_NEXT}
done

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Missing set -u strictness 📘 Rule violation ☼ Reliability

New GitHub Actions run scripts use set -ex (or no strict mode) but omit set -u and do not
validate required environment variables, which can mask unset-variable failures. The scripts also
use unquoted variable expansions (e.g., >> $GITHUB_ENV, ${REGISTRY_WITH_ORG}/${image}...),
increasing brittleness and ShellCheck-style compliance risk.
Agent Prompt
## Issue description
The workflow `run` scripts are not hardened: they omit `set -euo pipefail` (notably `-u`), do not validate required env vars, and contain unquoted variable expansions.

## Issue Context
PR Compliance ID 5 requires strict modes, quoting, and env validation for shell scripts embedded in workflows.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[71-99]
- .github/workflows/next-container-build.yaml[114-140]
- .github/workflows/next-container-build.yaml[184-242]
- .github/workflows/next-container-build.yaml[247-264]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +228 to +232
# Create manifest list for version-sha tag
docker buildx imagetools create \
-t ${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA} \
${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-amd64 \
${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-arm64

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

2. Wrong sha manifest sources 🐞 Bug ≡ Correctness

The merge job creates the ${BASE_VERSION}-${SHORT_SHA} manifest list from
${BASE_VERSION}-amd64/arm64 instead of the SHA-scoped per-arch tags, so the commit-specific tag
points at the wrong image content. This also makes the pushed per-arch SHA tags unused (and cleanup
deletes tags that were never referenced).
Agent Prompt
## Issue description
The merge job tags `${BASE_VERSION}-${SHORT_SHA}` but incorrectly uses `${BASE_VERSION}-{amd64,arm64}` as sources. This makes the SHA tag not represent the commit build.

## Issue Context
The build job already pushes per-arch SHA tags `${BASE_VERSION}-${SHORT_SHA}-${arch}`.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[228-233]

## Implementation notes
Update the `docker buildx imagetools create` invocation for the `${BASE_VERSION}-${SHORT_SHA}` tag to reference:
- `${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA}-amd64`
- `${REGISTRY_WITH_ORG}/${image}:${BASE_VERSION}-${SHORT_SHA}-arm64`
(instead of `${BASE_VERSION}-amd64/arm64`).

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +161 to +183
merge:
name: Create multi-arch manifests
runs-on: ubuntu-latest
needs:
- build
permissions:
contents: read
packages: write
env:
HAS_QUAY_OAUTH: ${{ secrets.QUAY_OAUTH_TOKEN != '' }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0

- name: Download build markers
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: /tmp/build-markers
pattern: build-marker-*
merge-multiple: true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

3. Merge runs without builds 🐞 Bug ☼ Reliability

All build/push and marker upload steps are gated by any_changed == 'true', but the merge job
runs unconditionally and will attempt to download markers and create manifests even when nothing was
built. This can fail the workflow (no artifacts/tags) on pushes that only change ignored files
(e.g., docs/tests).
Agent Prompt
## Issue description
`merge` always runs after the matrix job, but the matrix build/push steps are skipped when `changed-files` reports `any_changed != 'true'`. In that case, `merge` still tries to download build markers and create manifests from tags that were never pushed.

## Issue Context
The build job already computes `steps.changed-files.outputs.any_changed`, but that value is not available to `merge` and the build marker artifacts are only uploaded when changes exist.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[39-62]
- .github/workflows/next-container-build.yaml[146-160]
- .github/workflows/next-container-build.yaml[161-183]

## Implementation notes
Recommended approach:
1. Add a new `changes` job that runs `tj-actions/changed-files` once and exposes `outputs.any_changed`.
2. Add job-level `if: needs.changes.outputs.any_changed == 'true'` to both `build` and `merge`.
3. Update `merge.needs` to include `changes`.

Alternative (less clean): re-run `changed-files` in `merge` and gate the manifest/cleanup steps on its result.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +93 to +98
latestNext="next"
# for main branch, use next tags; for 1.y branches, use :latest tags
if [[ $(git rev-parse --abbrev-ref HEAD) != "main" ]]; then
latestNext="latest"
fi
echo "LATEST_NEXT=$latestNext" >> $GITHUB_ENV

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

4. Branch detection uses head 🐞 Bug ≡ Correctness

LATEST_NEXT is computed using git rev-parse --abbrev-ref HEAD, but the checkout step does not set
ref: and commonly results in a detached HEAD; this can resolve to HEAD and incorrectly pick
latest even on main. That mis-tags published images/manifests (next vs latest) for the main
branch.
Agent Prompt
## Issue description
Branch/tag selection uses `git rev-parse --abbrev-ref HEAD`, which is unreliable under `actions/checkout` because the repo may be in detached HEAD state. This can miscompute `LATEST_NEXT`.

## Issue Context
Other workflows in this repo already use `${{ github.ref_name }}` to determine the branch.

## Fix Focus Areas
- .github/workflows/next-container-build.yaml[34-38]
- .github/workflows/next-container-build.yaml[93-98]
- .github/workflows/next-container-build.yaml[191-195]

## Implementation notes
Replace the `git rev-parse --abbrev-ref HEAD` checks with `${GITHUB_REF_NAME}` (or `${{ github.ref_name }}`) and compare against `main`. Apply the same fix in both the build and merge "Prepare" steps.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

polasudo added 4 commits June 29, 2026 11:47
Replace the single-runner amd64-only build with a matrix strategy
that builds on both ubuntu-24.04 (amd64) and ubuntu-24.04-arm (arm64),
then merges per-arch images into multi-arch manifest lists.

This follows the same proven pattern used by the hub repo's
next-build-image.yaml workflow. The operator Dockerfile already
supports TARGETOS/TARGETARCH and bundle images use FROM scratch,
so no other changes are needed.

All three images (operator, operator-bundle, operator-catalog) are
now built and published as multi-arch manifest lists.

Assisted-by: Claude Code
GitHub Actions doesn't allow direct secrets references in step `if`
conditions. Use an env var intermediary instead.

Assisted-by: Claude Code
The --annotation flag is not supported by docker buildx imagetools
create on the ubuntu-latest runner. Expiry labels are already set
during the per-arch image build via the Makefile LABEL variable.

Assisted-by: Claude Code
- Use ${{ github.ref_name }} instead of detached-HEAD-unsafe git command
  for branch detection; avoids mistagging images (next vs latest)
- Add strict shell mode (set -euo pipefail) and env var validation
  across all run: blocks; quote all variable expansions
- Fix SHA-scoped manifest list to use ${BASE_VERSION}-${SHORT_SHA}-{amd64,arm64}
  instead of ${BASE_VERSION}-{amd64,arm64} (was using wrong image content)
- Add separate `changes` job to gate both `build` and `merge` on
  any_changed output; prevents merge from running when no files changed
- Remove unquoted redirections and improve shell robustness

All 4 Qodo findings resolved.

Assisted-by: Claude Code
@polasudo polasudo force-pushed the feat/multi-arch-operator-build branch from 367d356 to 38ac280 Compare June 29, 2026 09:52
polasudo added 2 commits June 29, 2026 13:14
Add if: needs.changes.outputs.any_changed == 'true' to individual
steps in build job (Prepare, Setup Go, Login, Build, Upload marker)
to explicitly skip when no relevant changes detected. This makes the
gating more granular and avoids unnecessary compute.

Add clarifying comment above Prepare step.

Assisted-by: Claude Code
GitHub Actions doesn't support bash-style default syntax (:-).
Use || 'operator' instead for fallback values.

Assisted-by: Claude Code
@polasudo polasudo marked this pull request as ready for review July 1, 2026 08:22
@polasudo polasudo requested a review from a team as a code owner July 1, 2026 08:22
- Move QUAY_OAUTH_TOKEN from inline ${{ secrets }} expansion in the
  curl command to the step's env: block, resolving SonarCloud warning
  about secrets expanded directly in run steps
- Add always() && needs.build.result == 'success' to merge job's if
  condition so it won't attempt manifest creation when build failed

Assisted-by: Claude Code
@polasudo polasudo force-pushed the feat/multi-arch-operator-build branch from 09fe0c7 to 256a876 Compare July 1, 2026 09:17
polasudo and others added 2 commits July 2, 2026 12:19
The login step in the build job still referenced
steps.changed-files.outputs.any_changed from the old single-job layout.
Since the changed-files step now runs in a separate 'changes' job, this
condition would always evaluate to false, skipping the registry login
and causing all image pushes to fail with auth errors.

Assisted-by: Claude Code
@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026

Copy link
Copy Markdown

@openshift-ci

openshift-ci Bot commented Jul 4, 2026

Copy link
Copy Markdown

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants