chore: update GitHub Actions workflows for UBI 9 and UBI 10 images #250

Open
prabhuk25 wants to merge 1 commit into devfile:main from prabhuk25:fix/docker-buildx-publish

@prabhuk25 prabhuk25 commented Feb 17, 2026

Updated GitHub Actions workflows for UBI 9 and UBI 10 developer images.

Changes include:

  • PR check workflows for UBI 10 images.
  • Main build and publish workflows for UBI 9 and UBI 10 images.
  • Unified tagging using short SHA for unique image versions.
  • Multi-architecture support (amd64, arm64, ppc64le) for both base and UDI images.

Summary by CodeRabbit

  • Chores
    • Streamlined multi-architecture image publication using buildx imagetools for simpler, more reliable multi-arch tagging.
    • Exposed a generated unique build tag for downstream workflow steps.
  • Bug Fixes / Reliability
    • Made Java utility download more robust (switched to a more reliable fetch method).
    • Corrected PPC64LE architecture mapping and adjusted tool install behavior (disabled CGO where required); fixed ARM64 release archive mapping.

@prabhuk25
Contributor Author

@dkwon17, @ibuziuk, I noticed an image publishing error to the registry in GitHub Actions due to the Docker manifest. I've applied a patch in this PR. Please review and suggest any further updates if needed.

@prabhuk25
Contributor Author

I'm updating a workflow failure snapshot for you to look over. Image publishing is blocked due to a Docker manifest issue.
image

@prabhuk25
Contributor Author

Hey Team,
Just following up on this PR when you get a chance. Let me know if you need any additional context or changes from my side. Thanks!

@coderabbitai

coderabbitai bot commented Apr 15, 2026

Walkthrough

Replaced manual per-arch manifest assembly (inspect/jq/create/annotate/push) with docker buildx imagetools create/inspect across CI workflows; added publish-udi job output uniq_tag; updated universal/ubi10/Dockerfile to use curl -fsSL, correct GO_ARCH for ppc64le, set CGO_ENABLED=0 for ppc64le gopls install, and adjust Tekton CLI TKN_ARCH for arm64.

Changes

| Cohort / File(s) | Summary |
|---|---|
| CI multi-arch publishing workflows: .github/workflows/pr-check-ubi10.yaml, .github/workflows/pr-check.yaml, .github/workflows/ubi10-build.yaml, .github/workflows/ubi9-build.yaml | Removed per-arch docker manifest inspect/jq digest extraction and manual docker manifest create/annotate/push. Now use `docker buildx imagetools create -t <multi-tag> <arch-tags...>` and `docker buildx imagetools inspect`. Added publish-udi job output uniq_tag in ubi10-build.yaml. |
| Universal UBI10 Dockerfile: universal/ubi10/Dockerfile | Switched Lombok download from wget to `curl -fsSL -o /usr/local/lib/lombok.jar`; corrected Go toolchain arch mapping for ppc64le (`GO_ARCH="ppc64le"`); set `CGO_ENABLED=0` for ppc64le when installing gopls; updated Tekton CLI TKN_ARCH mapping for arm64 to Linux_aarch64. |

Sequence Diagram(s)

sequenceDiagram
    rect rgba(220,240,255,0.5)
    participant GH as GitHub Actions Runner
    end
    rect rgba(255,240,220,0.5)
    participant BX as docker buildx / imagetools
    end
    rect rgba(240,255,220,0.5)
    participant REG as Container Registry
    end

    GH->>REG: push per-arch images (`amd64`, `arm64`, `ppc64le`)
    GH->>BX: run `imagetools create -t <multi-tag> <amd64> <arm64> <ppc64le>`
    BX->>REG: assemble multi-arch manifest referencing per-arch images
    BX-->>GH: return manifest digest / result
    GH->>BX: run `imagetools inspect <multi-tag>` (verify)
    BX-->>GH: inspection / metadata output

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 Curl in paw, I fetched the jar,
I hopped through arches near and far,
Buildx wove tags into one song,
Manifests hummed and all tags belong,
The rabbit twitches — CI moves along.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main changes: updates to GitHub Actions workflows for UBI 9 and UBI 10 images, including workflow automation and multi-arch manifest handling improvements. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/ubi10-build.yaml (1)

16-18: ⚠️ Potential issue | 🟠 Major

Fix the reusable workflow output mapping.

Line 18 references an invalid path. The publish-udi job exposes uniq_tag directly (Line 153), not as a nested property under setTagName. Callers of this reusable workflow will receive an empty value for uniq_tag.

Suggested fix
     outputs:
       uniq_tag:
         description: "The unique tag for the universal developer image"
-        value: ${{ jobs.publish-udi.outputs.setTagName.uniq_tag }}
+        value: ${{ jobs.publish-udi.outputs.uniq_tag }}
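
Review bot: on the added `value:` line, `jobs.publish-udi.outputs.uniq_tag` only resolves if the publish-udi job itself declares `uniq_tag` under its own `outputs:`, and that declaration is not part of this hunk, so confirm it is present before merging. An output expression that does not resolve evaluates to an empty string rather than failing the run, so a caller that builds an image reference from `uniq_tag` would get a malformed reference without any error here; consider failing the job explicitly when the tag is empty.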
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ubi10-build.yaml around lines 16 - 18, The reusable
workflow output mapping is using an invalid path; change the mapping for
uniq_tag to reference the output exposed by the publish-udi job directly (use
jobs.publish-udi.outputs.uniq_tag) instead of the nested setTagName property so
callers receive the actual uniq_tag value from the publish-udi job; locate the
output mapping that defines uniq_tag and replace the current value expression
with the direct jobs.publish-udi.outputs.uniq_tag reference.

📥 Commits

Reviewing files that changed from the base of the PR and between 1909a73 and c546062.

📒 Files selected for processing (5)
  • .github/workflows/pr-check-ubi10.yaml
  • .github/workflows/pr-check.yaml
  • .github/workflows/ubi10-build.yaml
  • .github/workflows/ubi9-build.yaml
  • universal/ubi10/Dockerfile

@prabhuk25 prabhuk25 force-pushed the fix/docker-buildx-publish branch from 3d417a4 to 9dc300e Compare April 15, 2026 10:17

openshift-ci bot commented Apr 15, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: prabhuk25, rohanKanojia

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot removed the lgtm label Apr 17, 2026

openshift-ci bot commented Apr 17, 2026

New changes are detected. LGTM label has been removed.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/pr-check.yaml (1)

163-196: Add post-create imagetools inspect for parity with the UBI10 workflow.

The sibling pr-check-ubi10.yaml verifies each composed manifest with docker buildx imagetools inspect right after create (lines 176-177 and 202-203 there), but this file skips that step for both publish-base-image and publish-udi. Given the whole point of this PR is to recover from manifest publishing failures, keeping an explicit inspect here would surface a bad manifest immediately in logs and keep the two PR-check workflows symmetric.

♻️ Suggested change
           docker buildx imagetools create \
             -t ${{ env.REGISTRY }}/base-developer-image:pr-${{github.event.number}} \
             ${{ env.REGISTRY }}/base-developer-image:amd64-pr-${{github.event.number}} \
             ${{ env.REGISTRY }}/base-developer-image:arm64-pr-${{github.event.number}} \
             ${{ env.REGISTRY }}/base-developer-image:ppc64le-pr-${{github.event.number}}
+
+          docker buildx imagetools inspect \
+            ${{ env.REGISTRY }}/base-developer-image:pr-${{github.event.number}}
           docker buildx imagetools create \
             -t ${{ env.REGISTRY }}/universal-developer-image:pr-${{github.event.number}} \
             ${{ env.REGISTRY }}/universal-developer-image:amd64-pr-${{github.event.number}} \
             ${{ env.REGISTRY }}/universal-developer-image:arm64-pr-${{github.event.number}} \
             ${{ env.REGISTRY }}/universal-developer-image:ppc64le-pr-${{github.event.number}}
+
+          docker buildx imagetools inspect \
+            ${{ env.REGISTRY }}/universal-developer-image:pr-${{github.event.number}}
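
Review bot: both `imagetools create` calls take their per-arch sources by mutable tag (`amd64-pr-…`, `arm64-pr-…`, `ppc64le-pr-…`), so another run for the same PR number that re-pushes one of those tags between push and create changes what the multi-arch tag ends up containing. Pass the sources by digest (`image@sha256:…`, captured when each per-arch image is pushed) so the composed index is pinned to the images this run built. The added `imagetools inspect` lines only print the manifest and do not fail the step when a platform is missing, so add an explicit check on the platform list if this step is meant to gate publishing.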
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-check.yaml around lines 163 - 196, Add a post-create
verification step that runs "docker buildx imagetools inspect" for both manifest
publishes: after the docker buildx imagetools create in the "Publish UBI9 base
image manifest" step (the step named Publish UBI9 base image manifest) and after
the create in the "Publish UDI9 manifest" step (the step named Publish UDI9
manifest / job publish-udi); run imagetools inspect against the same manifest
tag (e.g., ${{ env.REGISTRY }}/base-developer-image:pr-${{github.event.number}}
and ${{ env.REGISTRY }}/universal-developer-image:pr-${{github.event.number}})
to surface composition errors immediately and mirror the parity behavior from
pr-check-ubi10.yaml.

📥 Commits

Reviewing files that changed from the base of the PR and between 3d417a4 and fc78e73.

📒 Files selected for processing (5)
  • .github/workflows/pr-check-ubi10.yaml
  • .github/workflows/pr-check.yaml
  • .github/workflows/ubi10-build.yaml
  • .github/workflows/ubi9-build.yaml
  • universal/ubi10/Dockerfile
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/ubi9-build.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • universal/ubi10/Dockerfile
  • .github/workflows/ubi10-build.yaml
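
The post-create verification discussed in the review above, as an added example (not code from this PR or from the devfile project): it parses the raw JSON of a composed image index and reports missing or duplicated platforms, which a plain `imagetools inspect` only prints. The names `check_index`, `sample_entry`, `sample_index`, `GOOD` and `NO_PPC` are assumptions, and the sample indexes are constructed.

```python
import json
import re
import sys

REQUIRED = {"linux/amd64", "linux/arm64", "linux/ppc64le"}  # platforms this PR publishes
INDEX_TYPES = {"application/vnd.oci.image.index.v1+json",
               "application/vnd.docker.distribution.manifest.list.v2+json"}

def check_index(raw_json, required=REQUIRED):
    """Return a list of problems; an empty list means the index is complete."""
    try:
        doc = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    problems = []
    if doc.get("mediaType") not in INDEX_TYPES:
        problems.append(f"not a multi-arch index: {doc.get('mediaType')!r}")
    seen = {}
    for entry in doc.get("manifests", []):
        plat = entry.get("platform", {})
        key = f"{plat.get('os')}/{plat.get('architecture')}"
        if key == "unknown/unknown":
            continue  # buildx attestation entry, not a runnable image
        digest = entry.get("digest", "")
        if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
            problems.append(f"{key}: malformed digest {digest!r}")
        if key in seen:
            problems.append(f"{key}: listed more than once")
        seen[key] = digest
    problems += [f"missing platform {p}" for p in sorted(required - set(seen))]
    return problems

def sample_entry(arch, fill):  # constructed sample entry, not registry data
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + fill * 64, "size": 1234,
            "platform": {"os": "linux", "architecture": arch}}
def sample_index(*entries):  # constructed sample index
    return json.dumps({"schemaVersion": 2, "manifests": list(entries),
                       "mediaType": "application/vnd.oci.image.index.v1+json"})

GOOD = sample_index(sample_entry("amd64", "a"), sample_entry("arm64", "b"),
                    sample_entry("ppc64le", "c"))
NO_PPC = sample_index(sample_entry("amd64", "a"), sample_entry("arm64", "b"))

if __name__ == "__main__":
    found = check_index(sys.stdin.read() if "-" in sys.argv[1:] else GOOD)
    print("\n".join(found) or "index complete")
    sys.exit(bool(found))
```

In a workflow step the input would come from `docker buildx imagetools inspect --raw <multi-tag>`, piped to the script with `-` as its argument so that a non-zero exit fails the job.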

Signed-off-by: Prabhu K <Prabhu.K@ibm.com>
@prabhuk25 prabhuk25 force-pushed the fix/docker-buildx-publish branch from fc78e73 to f0055f3 Compare April 17, 2026 16:26
@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
universal/ubi10/Dockerfile (1)

401-415: ⚠️ Potential issue | 🟡 Minor

Apply the same Linux_aarch64 fix to universal/ubi9/Dockerfile—arm64 builds will fail.

Linux_aarch64 is the correct asset suffix for both tkn_0.20.0_Linux_aarch64.tar.gz (ubi9) and tkn_0.43.0_Linux_aarch64.tar.gz (ubi10). This PR fixes ubi10's arm64 builds at line 406, but ubi9 still incorrectly uses TKN_ARCH="Linux_arm64" at line 370 for the same Tekton CLI asset naming convention. The arm64 build for ubi9 will fail with the same 404 error unless corrected to Linux_aarch64.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@universal/ubi10/Dockerfile` around lines 401 - 415, The ubi9 Dockerfile uses
the wrong Tekton asset suffix for arm64; locate the TARGETARCH case block that
sets TKN_ARCH (the same pattern as in universal/ubi10/Dockerfile) and change the
arm64 branch from TKN_ARCH="Linux_arm64" to TKN_ARCH="Linux_aarch64" so it
matches the Tekton release filenames (e.g., tkn_0.20.0_Linux_aarch64.tar.gz);
ensure the other branches (amd64, ppc64le, default) remain unchanged.

📥 Commits

Reviewing files that changed from the base of the PR and between fc78e73 and f0055f3.

📒 Files selected for processing (5)
  • .github/workflows/pr-check-ubi10.yaml
  • .github/workflows/pr-check.yaml
  • .github/workflows/ubi10-build.yaml
  • .github/workflows/ubi9-build.yaml
  • universal/ubi10/Dockerfile
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/ubi9-build.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/ubi10-build.yaml
  • .github/workflows/pr-check-ubi10.yaml
