ROX-23362: conditionally build Scanner V4 with -race #9473
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scanner build and push images | |
| on: | |
| workflow_call: | |
| push: | |
| tags: | |
| - '*-nightly-*' | |
| branches: | |
| - master | |
| pull_request: | |
| types: | |
| - opened | |
| - reopened | |
| - synchronize | |
| jobs: | |
| define-scanner-job-matrix: | |
| outputs: | |
| matrix: ${{ steps.define-scanner-job-matrix.outputs.matrix }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Define the matrix for build jobs | |
| id: define-scanner-job-matrix | |
| run: | | |
| source './scripts/ci/lib.sh' | |
| # If goarch is updated, be sure to update architectures in push-manifests below. | |
| matrix='{ "build_and_push": { "name":["default"], "goos":["linux"], "goarch":["amd64", "arm64", "ppc64le", "s390x"] }, "push_manifests": { "name":["default"] } }' | |
| # Conditionally add a prerelease build (binaries built with GOTAGS=release) | |
| if ! is_tagged; then | |
| if ! is_in_PR_context || pr_has_label ci-build-prerelease; then | |
| matrix="$(jq '.build_and_push.name += ["prerelease"]' <<< "$matrix")" | |
| matrix="$(jq '.push_manifests.name += ["prerelease"]' <<< "$matrix")" | |
| fi | |
| fi | |
| # Conditionally add a -race debug build (binaries built with -race) | |
| if ! is_in_PR_context || pr_has_label ci-build-race-condition-debug; then | |
| matrix="$(jq '.build_and_push.name += ["race-condition-debug"]' <<< "$matrix")" | |
| matrix="$(jq '.push_manifests.name += ["race-condition-debug"]' <<< "$matrix")" | |
| fi | |
| echo "Job matrix after conditionals:" | |
| jq <<< "$matrix" | |
| condensed="$(jq -c <<< "$matrix")" | |
| echo "matrix=$condensed" >> "$GITHUB_OUTPUT" | |
| build-and-push-scanner: | |
| needs: define-scanner-job-matrix | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| # Supports three go binary and image builds: | |
| # default - built with environment defaults (see handle-tagged-build & env.mk) | |
| # prerelease - built with GOTAGS=release | |
| # race-condition-debug - built with -race | |
| matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).build_and_push }} | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.69 | |
| env: | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
| QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
| # If true, scanner-db image will ship with the DB init bundle. | |
| SCANNER_DB_INIT_BUNDLE_ENABLED: ${{ contains(github.event.pull_request.labels.*.name, 'pr-scanner-db-init-bundle') }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - uses: ./.github/actions/job-preamble | |
| with: | |
| gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Setup Go build environment for release | |
| if: | | |
| contains(github.event.pull_request.labels.*.name, 'ci-release-build') | |
| || | |
| matrix.name == 'prerelease' | |
| run: echo "GOTAGS=release" >> "$GITHUB_ENV" | |
| - name: Set build tag for prerelease images | |
| if: matrix.name == 'prerelease' | |
| run: echo "BUILD_TAG=$(make -C scanner --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
| - name: Setup Go build environment for -race | |
| if: | | |
| matrix.goarch == 'amd64' | |
| && | |
| ( | |
| contains(github.event.pull_request.labels.*.name, 'ci-race-tests') | |
| || | |
| matrix.name == 'race-condition-debug' | |
| ) | |
| run: echo "RACE=1" >> "$GITHUB_ENV" | |
| - name: Set build tag for race condition images | |
| if: matrix.name == 'race-condition-debug' | |
| run: echo "BUILD_TAG=$(make -C scanner --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
| - name: Build Scanner and ScannerDB images | |
| run: make -C scanner GOOS=${{ matrix.goos }} GOARCH=${{ matrix.goarch }} images | |
| - name: Push Scanner and ScannerDB images | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| push_scanner_image_set ${{ matrix.goarch }} | |
| push-manifests: | |
| needs: | |
| - define-scanner-job-matrix | |
| - build-and-push-scanner | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| # Supports three image builds: | |
| # default | |
| # prerelease | |
| # race-condition-debug | |
| matrix: ${{ fromJson(needs.define-scanner-job-matrix.outputs.matrix).push_manifests }} | |
| container: | |
| image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.69 | |
| env: | |
| QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} | |
| QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} | |
| QUAY_STACKROX_IO_RW_USERNAME: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} | |
| QUAY_STACKROX_IO_RW_PASSWORD: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Ignore dubious repository ownership | |
| run: | | |
| # Prevent fatal error "detected dubious ownership in repository" from recent git. | |
| git config --global --add safe.directory "$(pwd)" | |
| - uses: ./.github/actions/handle-tagged-build | |
| - name: Set build tag for prerelease images | |
| if: matrix.name == 'prerelease' | |
| run: echo "BUILD_TAG=$(make -C scanner --quiet --no-print-directory tag)-prerelease" >> "$GITHUB_ENV" | |
| - name: Set build tag for race condition images | |
| if: matrix.name == 'race-condition-debug' | |
| run: echo "BUILD_TAG=$(make -C scanner --quiet --no-print-directory tag)-rcd" >> "$GITHUB_ENV" | |
| - name: Push Scanner and ScannerDB image manifests | |
| # Skip for external contributions. | |
| if: | | |
| github.event_name == 'push' || !github.event.pull_request.head.repo.fork | |
| run: | | |
| source ./scripts/ci/lib.sh | |
| # If this is updated, be sure to update goarch in define-scanner-job-matrix above. | |
| architectures="amd64,arm64,ppc64le,s390x" | |
| if [[ "${{ matrix.name }}" == "race-condition-debug" ]]; then | |
| architectures="amd64" | |
| fi | |
| push_scanner_image_manifest_lists "$architectures" | |
| run-e2e-tests: | |
| name: Run standalone E2E test | |
| # The test requires the DB init bundle. | |
| if: ${{ contains(github.event.pull_request.labels.*.name, 'pr-scanner-db-init-bundle') }} | |
| needs: | |
| - push-manifests | |
| uses: ./.github/workflows/scanner-e2e-test.yaml | |
| secrets: inherit |