stackrox · mclasmeier · Oct 1, 2025 · Sep 19, 2025 · Sep 30, 2025 · Sep 30, 2025
@@ -44,7 +44,8 @@ jobs:
             "pre_build_go_binaries": { "name":[], "arch":[] },
             "build_and_push_main": { "name":[], "arch":[] },
             "push_main_multiarch_manifests": { "name":[] },
-            "build_and_push_operator": { "name":[] },
+            "build_and_push_operator": { "name":[], "arch":[] },
+            "push_operator_multiarch_manifests": { "name":[] },
             "scan_images_with_roxctl": { "name":[], "image":[], "exclude":[] }
           }'
 
@@ -58,6 +59,10 @@ jobs:
           matrix="$(jq '.push_main_multiarch_manifests.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")"
 
           matrix="$(jq '.build_and_push_operator.name += ["RHACS_BRANDING"]' <<< "$matrix")"
+          matrix="$(jq '.build_and_push_operator.arch += ["amd64", "arm64"]' <<< "$matrix")"
+
+          matrix="$(jq '.push_operator_multiarch_manifests.name += ["RHACS_BRANDING"]' <<< "$matrix")"
+          matrix="$(jq '.push_operator_multiarch_manifests.archs = [.build_and_push_operator.arch | join(",")]' <<< "$matrix")"
 
           matrix="$(jq '.scan_images_with_roxctl.name += ["RHACS_BRANDING", "STACKROX_BRANDING"]' <<< "$matrix")"
           matrix="$(jq '.scan_images_with_roxctl.image += ["central-db", "collector", "main", "roxctl", "scanner", "scanner-db", "scanner-db-slim", "scanner-slim", "stackrox-operator"]' <<< "$matrix")"
@@ -579,6 +584,7 @@ jobs:
         QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
         QUAY_RHACS_ENG_BEARER_TOKEN: ${{ secrets.QUAY_RHACS_ENG_BEARER_TOKEN }}
     strategy:
+      fail-fast: false
       matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_operator }}
     env:
       ROX_PRODUCT_BRANDING: ${{ matrix.name }}
@@ -594,7 +600,12 @@ jobs:
           free-disk-space: 30
           gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
 
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Cache Go dependencies
+        env:
+          GOARCH: ${{ matrix.arch }}
         uses: ./.github/actions/cache-go-dependencies
 
       - uses: ./.github/actions/handle-tagged-build
@@ -620,19 +631,46 @@ jobs:
         run: |
           make -C operator/ bundle bundle-build
 
+      - name: Operator unit tests
+        if: matrix.arch == 'amd64'
+        run: |
+          scripts/lib.sh retry 2 true make -C operator/ test
+
       - name: Build Operator image
         run: |
-          scripts/lib.sh retry 6 true make -C operator/ build docker-build
+          CGO_ENABLED=0 GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make -C operator/ build docker-build
+
+      - name: Set up QEMU
+        if: matrix.arch != 'amd64'
+        uses: docker/setup-qemu-action@v3
 
       - name: Check that Operator image is runnable
-        run: docker run --rm "quay.io/rhacs-eng/stackrox-operator:$(make --quiet --no-print-directory -C operator tag)" --help
+        run: docker run --rm --platform linux/${{ matrix.arch }} "quay.io/rhacs-eng/stackrox-operator:$(make --quiet --no-print-directory -C operator tag)" --help
 
-      - name: Push images
+      - name: Push image
+        # Skip for external contributions.
+        if: |
+          github.event_name == 'push' || !github.event.pull_request.head.repo.fork
+        run: |
+            source ./scripts/ci/lib.sh
+            echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}"
+            push_context=""
+            if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then
+              push_context="merge-to-master"
+            fi
+            echo "Starting operator image push for context: \"$push_context\", branding: \"${{ env.ROX_PRODUCT_BRANDING }}\", arch: \"${{ matrix.arch }}\""
+            if ! push_operator_image "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" "${{ matrix.arch }}"; then
+              echo "ERROR: push_operator_image failed" >&2
+              exit 1
+            fi
+            echo "Operator image push completed successfully"
+
+      - name: Push bundle image
         # Skip for external contributions.
         if: |
           github.event_name == 'push' || !github.event.pull_request.head.repo.fork
         run: |
-          make -C operator/ docker-push docker-push-bundle | cat
+          make -C operator/ docker-push-bundle | cat
 
       # Index image can only be built once bundle was pushed
       - name: Build index
@@ -649,6 +687,72 @@ jobs:
         run: |
           make -C operator/ docker-push-index | cat
 
+  push-operator-manifests:
+    runs-on: ubuntu-latest
+    needs:
+    - define-job-matrix
+    - build-and-push-operator
+    # This step will run even if some of the build-and-push-matrix steps failed.
+    # By following this approach as much of the build matrix as possible is
+    # completed despite transient issues e.g. docker pull timeouts. In this way
+    # some e2e jobs that require some part of the build matrix can still
+    # proceed.
+    if: ${{ !cancelled() }}
+    strategy:
+      # Supports image builds (see Setup build env):
+      # RHACS_BRANDING
+      fail-fast: false
+      matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).push_operator_multiarch_manifests }}
+    env:
+      ROX_PRODUCT_BRANDING: ""
+    container:
+      image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.4.9
+      env:
+        QUAY_RHACS_ENG_RO_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
+        QUAY_RHACS_ENG_RO_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
+        QUAY_RHACS_ENG_RW_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }}
+        QUAY_RHACS_ENG_RW_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }}
+    steps:
+    - name: Setup build env
+      run: |
+        case "${{ matrix.name }}" in
+          RHACS_BRANDING)
+            brand="RHACS_BRANDING"
+            ;;
+          *)
+            echo "Unsupported build: ${{ matrix.name }}"
+            exit 1
+        esac
+
+        {
+          echo "ROX_PRODUCT_BRANDING=${brand}"
+        } >> "$GITHUB_ENV"
+
+    - name: Checkout
+      uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
+        ref: ${{ inputs.commit || github.event.pull_request.head.sha }}
+
+    - uses: ./.github/actions/job-preamble
+      with:
+        gcp-account: ${{ secrets.GCP_SERVICE_ACCOUNT_STACKROX_CI }}
+
+    - uses: ./.github/actions/handle-tagged-build
+
+    - name: Push operator manifest lists
+      # Skip for external contributions.
+      if: |
+        github.event_name == 'push' || !github.event.pull_request.head.repo.fork
+      run: |
+        source ./scripts/ci/lib.sh
+        echo "Will determine context from: ${{ github.event_name }} & ${{ github.ref_name }}"
+        push_context=""
+        if [[ "${{ github.event_name }}" == "push" && "${{ github.ref_name }}" == "master" ]]; then
+          push_context="merge-to-master"
+        fi
+        push_operator_manifest_lists "$push_context" "${{ env.ROX_PRODUCT_BRANDING }}" ${{ matrix.archs }}
+
   scan-go-binaries:
     if: |
       contains(github.event.pull_request.labels.*.name, 'scan-go-binaries')

@@ -1,9 +1,11 @@
 # We have to emulate directory layout as in the repo so that imports in go files work fine.
 ARG roxpath=/workspace/src/github.com/stackrox/rox
+ARG TARGET_ARCH=amd64
 
-FROM quay.io/stackrox-io/apollo-ci:${BUILD_IMAGE_VERSION} AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset:1.24 AS builder
 
 # Build the manager binary
+ARG TARGET_ARCH
 ARG roxpath
 
 WORKDIR ${roxpath}/
@@ -15,7 +17,7 @@ COPY go.sum go.sum
 
 # Cache deps before building and copying source so that we don't need to re-download as much and so that source changes
 # don't invalidate our downloaded layer.
-# We're not using `go mod tidy` here becuase go mod tidy needs to examine _source code_ in order to find unused modules.
+# We're not using `go mod tidy` here because go mod tidy needs to examine _source code_ in order to find unused modules.
 # There's no source code in this docker layer yet and so `go mod tidy` would empty go.mod and go.sum which is not what
 # we want. If we're to COPY source before running `go mod tidy`, local docker build times would go up because any code
 # change will invalidate docker layers and will cause modules redownload (during `tidy`). Therefore we use
@@ -47,14 +49,14 @@ COPY operator/build/status.sh status.sh
 # This creates a git repo in workdir so that `git grep` command in build.sh can succeed and actually find //XDef-s.
 RUN git init && git add .
 
-# We've been historically building operator without CGO both upstream and downstream. The apollo-ci image has that
-# enabled by default, therefore we disable CGO here to keep doing the thing we used to.
+# We've been historically building operator without CGO both upstream and downstream.
 ENV CGO_ENABLED=0
 
 # Build the operator binary.
-RUN GOOS=$(go env GOOS) GOARCH=$(go env GOARCH) scripts/go-build-file.sh operator/cmd/main.go stackrox-operator
+RUN GOOS=linux GOARCH=${TARGET_ARCH} scripts/go-build-file.sh operator/cmd/main.go stackrox-operator
 
-FROM registry.access.redhat.com/ubi8-micro:latest
+ARG TARGET_ARCH
+FROM --platform=linux/${TARGET_ARCH} registry.access.redhat.com/ubi9-micro:latest
 
 ARG roxpath
 

@@ -331,9 +331,10 @@ build/Dockerfile.gen: Dockerfile
 	sed -e 's,$${ROX_IMAGE_FLAVOR},$(ROX_IMAGE_FLAVOR),g; s,$${BUILD_IMAGE_VERSION},$(shell sed 's/\s*\#.*//' ../BUILD_IMAGE_VERSION),' < $< > $@
 
 .PHONY: docker-build
-docker-build: build/Dockerfile.gen test smuggled-status-sh ## Build docker image with the operator.
+docker-build: build/Dockerfile.gen smuggled-status-sh ## Build docker image with the operator.
 	DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain docker build \
 		-t ${IMG} \
+		$(if $(GOARCH),--build-arg TARGET_ARCH=$(GOARCH)) \
 		-f $< \
 		..
 

diff --git a/scripts/ci/lib.sh b/scripts/ci/lib.sh
@@ -321,6 +321,45 @@ push_main_image_set() {
     fi
 }
 
+push_operator_image() {
+    info "Pushing stackrox-operator image"
+
+    if [[ "$#" -ne 3 ]]; then
+        die "Missing parameter. Usage: push_operator_image <push_context> <brand> <arch>"
+    fi
+
+    local push_context="$1" # Allowed to be empty.
+    local brand="$2"
+    local arch="$3"
+
+    if [[ "$brand" == "" ]]; then
+        die "Brand must be non-empty"
+    fi
+    if [[ "$arch" == "" ]]; then
+        die "Arch must be non-empty"
+    fi
+
+    _push_operator_image() {
+        local registry="$1"
+        local tag="$2"
+        local arch="$3"
+
+        docker tag "${registry}/stackrox-operator:${tag}" "${registry}/stackrox-operator:${tag}-${arch}"
+        retry 5 true \
+            docker push "${registry}/stackrox-operator:${tag}-${arch}" | cat
+    }
+
+    local registry
+    registry="$(registry_from_branding "$brand")"
+
+    local tag
+    tag="$(make -C operator/ --quiet --no-print-directory tag)"
+
+    registry_rw_login "$registry"
+
+    _push_operator_image "$registry" "$tag" "$arch"
+}
+
 push_scanner_image_manifest_lists() {
     info "Pushing scanner-v4 and scanner-v4-db images as manifest lists"
 
@@ -382,6 +421,32 @@ push_scanner_image_set() {
     _push_scanner_image_set "$registry" "$tag-$arch"
 }
 
+push_operator_manifest_lists() {
+    info "Pushing stackrox-operator images as manifest lists"
+
+    if [[ "$#" -ne 3 ]]; then
+        die "missing arg. usage: push_image_manifest_lists <push_context> <brand> <architectures (CSV)>"
+    fi
+
+    local push_context="$1"
+    local brand="$2"
+    local architectures="$3"
+
+    local registry
+    registry="$(registry_from_branding "$brand")"
+
+    local tag
+    tag="$(make -C operator --quiet --no-print-directory tag)"
+
+    registry_rw_login "$registry"
+    retry 5 true \
+        "$SCRIPTS_ROOT/scripts/ci/push-as-multiarch-manifest-list.sh" "${registry}/stackrox-operator:${tag}" "$architectures" | cat
+    if [[ "$push_context" == "merge-to-master" ]]; then
+        retry 5 true \
+            "$SCRIPTS_ROOT/scripts/ci/push-as-multiarch-manifest-list.sh" "${registry}/stackrox-operator:latest" "$architectures" | cat
+    fi
+}
+
 registry_rw_login() {
     if [[ "$#" -ne 1 ]]; then
         die "missing arg. usage: registry_rw_login <registry>"