stackrox
diff --git a/‎.github/workflows/collector-builder.yml
Lines changed: 97 additions & 105 deletions b/‎.github/workflows/collector-builder.yml
Lines changed: 97 additions & 105 deletions
@@ -8,16 +8,10 @@ on:
         required: true
         description: |
           The tag used to build the collector image
-      architectures:
-        type: string
-        required: true
-        description: |
-          Space-seperated list of architectures to build
-
     outputs:
       collector-builder-tag:
         description: The builder tag used by the build
-        value: ${{ jobs.builder-needs-rebuilding.outputs.collector-builder-tag }}
+        value: ${{ jobs.build-builder-image.outputs.collector-builder-tag || 'master' }}
 
 env:
   COLLECTOR_TAG: ${{ inputs.collector-tag }}
@@ -29,11 +23,7 @@ jobs:
     name: Determine if builder image needs to be built
     runs-on: ubuntu-24.04
     outputs:
-      build-image: ${{ steps.builder-tag.outputs.build-image || false }}
-      collector-builder-tag: ${{ steps.builder-tag.outputs.collector-builder-tag || 'master'}}
-
-    env:
-      DEFAULT_BUILDER_TAG: master
+      build-image: ${{ steps.changed.outputs.builder-changed }}
 
     steps:
       - uses: actions/checkout@v4
@@ -48,46 +38,30 @@ jobs:
               - builder/Dockerfile
               - .github/workflows/collector-builder.yml
 
-      - name: Check labels and define builder tag
-        id: builder-tag
-        if: |
-          steps.changed.outputs.builder-changed == 'true' ||
-          (github.event_name == 'push' && (
-            github.ref_type == 'tag' || startsWith(github.ref_name, 'release-')
-          )) ||
-          contains(github.event.pull_request.labels.*.name, 'build-builder-image') ||
-          github.event_name == 'schedule'
-        run: |
-          COLLECTOR_BUILDER_TAG="${DEFAULT_BUILDER_TAG}"
-          if [[ "${{ github.event_name }}" == 'pull_request' || \
-                "${{ github.ref_type }}" == 'tag' || \
-                "${{ github.ref_name }}" =~ ^release- ]]; then
-            COLLECTOR_BUILDER_TAG="${{ inputs.collector-tag }}"
-          fi
-
-          echo "Rebuild builder image with tag ${COLLECTOR_BUILDER_TAG}"
-          echo "collector-builder-tag=${COLLECTOR_BUILDER_TAG}" >> "$GITHUB_OUTPUT"
-          echo "build-image=true" >> "$GITHUB_OUTPUT"
-
   build-builder-image:
-    name: Local builder image
+    name: Build the builder image
+    runs-on: ubuntu-24.04
     # Multiarch builds sometimes take for eeeeeeeeeever
     timeout-minutes: 480
     needs:
     - builder-needs-rebuilding
     if: |
-      needs.builder-needs-rebuilding.outputs.build-image == 'true'
+      needs.builder-needs-rebuilding.outputs.build-image == 'true' ||
+      (github.event_name == 'push' && (
+        github.ref_type == 'tag' || startsWith(github.ref_name, 'release-')
+      )) ||
+      contains(github.event.pull_request.labels.*.name, 'build-builder-image') ||
+      github.event_name == 'schedule'
+    outputs:
+      collector-builder-tag: ${{ steps.builder-tag.outputs.collector-builder-tag }}
     strategy:
+      fail-fast: false
       matrix:
-        arch: [amd64, arm64, ppc64le]
-        exclude:
-          - arch: ${{ contains(inputs.architectures, 'ppc64le') && '' || 'ppc64le' }}
-    runs-on: ${{ (matrix.arch == 'arm64' && 'ubuntu-24.04-arm') || 'ubuntu-24.04' }}
+        arch: [amd64, ppc64le, s390x, arm64]
 
     env:
       PLATFORM: linux/${{ matrix.arch }}
       BUILD_TYPE: ci
-      COLLECTOR_BUILDER_TAG: ${{ needs.builder-needs-rebuilding.outputs.collector-builder-tag }}
 
     steps:
       - uses: actions/checkout@v4
@@ -102,54 +76,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Create ansible vars
-        run: |
-          cat << EOF > ${{ github.workspace }}/ansible/secrets.yml
-          ---
-          stackrox_io_username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
-          stackrox_io_password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
-          rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
-          rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
-          collector_git_ref: ${{ github.ref }}
-          collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }}
-          EOF
-
-      - name: Build images
-        timeout-minutes: 480
-        run: |
-          ansible-galaxy install -r ansible/requirements.yml
-          ansible-playbook \
-            --connection local \
-            -i localhost, \
-            --limit localhost \
-            -e arch='${{ matrix.arch }}' \
-            -e @'${{ github.workspace }}/ansible/secrets.yml' \
-            ansible/ci-build-builder.yml
-
-  build-builder-image-remote-vm:
-    name: Remote builder image
-    # Multiarch builds sometimes take for eeeeeeeeeever
-    timeout-minutes: 480
-    needs:
-    - builder-needs-rebuilding
-    if: |
-      needs.builder-needs-rebuilding.outputs.build-image == 'true' &&
-      contains(inputs.architectures, 's390x')
-    strategy:
-      matrix:
-        arch: [s390x]
-    runs-on: ubuntu-24.04
-
-    env:
-      PLATFORM: linux/${{ matrix.arch }}
-      BUILD_TYPE: ci
-      COLLECTOR_BUILDER_TAG: ${{ needs.builder-needs-rebuilding.outputs.collector-builder-tag }}
-
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: true
-
       - uses: actions/setup-python@v5
         with:
           python-version: "3.10"
@@ -175,22 +101,57 @@ jobs:
           job-tag: builder
 
       - name: Create Build VMs
+        if: |
+          matrix.arch == 's390x' &&
+          (github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds'))
         run: |
           make -C "${{ github.workspace }}/ansible" create-build-vms
 
+      - name: Define builder tag
+        id: builder-tag
+        run: |
+          COLLECTOR_BUILDER_TAG="${DEFAULT_BUILDER_TAG}"
+          if [[ "${{ github.event_name }}" == 'pull_request' || \
+                "${{ github.ref_type }}" == 'tag' || \
+                "${{ github.ref_name }}" =~ ^release- ]]; then
+            COLLECTOR_BUILDER_TAG="${{ inputs.collector-tag }}"
+          fi
+
+          echo "COLLECTOR_BUILDER_TAG=${COLLECTOR_BUILDER_TAG}" >> "$GITHUB_ENV"
+          echo "collector-builder-tag=${COLLECTOR_BUILDER_TAG}" >> "$GITHUB_OUTPUT"
+
       - name: Create ansible vars
         run: |
-          cat << EOF > ${{ github.workspace }}/ansible/secrets.yml
-          ---
-          stackrox_io_username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
-          stackrox_io_password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
-          rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
-          rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
-          collector_git_ref: ${{ github.ref }}
-          collector_builder_tag: ${{ needs.builder-needs-rebuilding.outputs.collector-builder-tag }}
-          EOF
+          {
+            echo "---"
+            echo "stackrox_io_username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}"
+            echo "stackrox_io_password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}"
+            echo "rhacs_eng_username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}"
+            echo "rhacs_eng_password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}"
+            echo "collector_git_ref: ${{ github.ref }}"
+            echo "collector_builder_tag: ${{ env.COLLECTOR_BUILDER_TAG }}"
+          } > ${{ github.workspace }}/ansible/secrets.yml
 
       - name: Build images
+        if: |
+          (github.event_name != 'pull_request' && matrix.arch != 's390x') ||
+          matrix.arch == 'amd64' ||
+          (contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') && matrix.arch != 's390x')
+        timeout-minutes: 480
+        run: |
+          ansible-galaxy install -r ansible/requirements.yml
+          ansible-playbook \
+            --connection local \
+            -i localhost, \
+            --limit localhost \
+            -e arch='${{ matrix.arch }}' \
+            -e @'${{ github.workspace }}/ansible/secrets.yml' \
+            ansible/ci-build-builder.yml
+
+      - name: Build s390x images
+        if: |
+          (github.event_name != 'pull_request' && matrix.arch == 's390x') ||
+          (contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds') && matrix.arch == 's390x')
         timeout-minutes: 480
         run: |
           ansible-playbook \
@@ -201,23 +162,22 @@ jobs:
             ansible/ci-build-builder.yml
 
       - name: Destroy VMs
-        if: always()
+        if: always() && matrix.arch == 's390x'
         run: |
           make -C ansible destroy-vms
 
   create-multiarch-manifest:
     needs:
-    - builder-needs-rebuilding
     - build-builder-image
-    - build-builder-image-remote-vm
     name: Create Multiarch manifest
     runs-on: ubuntu-24.04
     if: |
-      always() && !contains(join(needs.*.result, ','), 'failure') &&
-      needs.builder-needs-rebuilding.outputs.build-image == 'true'
+      github.event_name != 'pull_request' ||
+      (needs.build-builder-image.outputs.collector-builder-tag != 'cache' &&
+       contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds'))
     env:
-      COLLECTOR_BUILDER_TAG: ${{ needs.builder-needs-rebuilding.outputs.collector-builder-tag }}
-      ARCHS: ${{ inputs.architectures }}
+      COLLECTOR_BUILDER_TAG: ${{ needs.build-builder-image.outputs.collector-builder-tag }}
+      ARCHS: amd64 ppc64le s390x arm64
 
     steps:
       - uses: actions/checkout@v4
@@ -248,13 +208,45 @@ jobs:
           base-image: quay.io/rhacs-eng/collector-builder:${{ env.COLLECTOR_BUILDER_TAG }}
           archs: ${{ env.ARCHS }}
 
+  retag-x86-image:
+    needs:
+    - build-builder-image
+    name: Retag x86 builder image
+    runs-on: ubuntu-24.04
+    if: |
+      github.event_name == 'pull_request' &&
+      needs.build-builder-image.outputs.collector-builder-tag != 'cache' &&
+      !contains(github.event.pull_request.labels.*.name, 'run-multiarch-builds')
+    env:
+      COLLECTOR_BUILDER_TAG: ${{ needs.build-builder-image.outputs.collector-builder-tag }}
+    steps:
+      - name: Pull image to retag
+        run: |
+          docker pull "quay.io/stackrox-io/collector-builder:${COLLECTOR_BUILDER_TAG}-amd64"
+
+      - name: Retag and push stackrox-io
+        uses: stackrox/actions/images/retag-and-push@v1
+        with:
+          src-image: quay.io/stackrox-io/collector-builder:${{ env.COLLECTOR_BUILDER_TAG }}-amd64
+          dst-image: quay.io/stackrox-io/collector-builder:${{ env.COLLECTOR_BUILDER_TAG }}
+          username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }}
+          password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }}
+
+      - name: Retag and push rhacs-eng
+        uses: stackrox/actions/images/retag-and-push@v1
+        with:
+          src-image: quay.io/stackrox-io/collector-builder:${{ env.COLLECTOR_BUILDER_TAG }}-amd64
+          dst-image: quay.io/rhacs-eng/collector-builder:${{ env.COLLECTOR_BUILDER_TAG }}
+          username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+          password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+
   notify:
     runs-on: ubuntu-24.04
     if: always() && contains(join(needs.*.result, ','), 'failure') && github.event_name != 'pull_request'
     needs:
       - build-builder-image
-      - build-builder-image-remote-vm
       - create-multiarch-manifest
+      - retag-x86-image
     steps:
       - name: Slack notification
         uses: rtCamp/action-slack-notify@v2