ROX-33792: build operator binary outside Docker for faster builds#19655
ROX-33792: build operator binary outside Docker for faster builds#19655
Conversation
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- The
docker-buildtarget’s CI detection relies onCIbeing exactly"true"; consider relaxing this to a non-empty check (e.g.,[ -n "$$CI" ]) or documenting the expectation, to avoid surprises in other CI environments. - The new prebuilt flow assumes
bin/linux_${GOARCH}/stackrox-operatoris present in the Docker build context and not filtered by.dockerignore/.containerignore; it would be good to double‑check or explicitly comment in those files that this binary must remain included forprebuilt.Dockerfileto work.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The `docker-build` target’s CI detection relies on `CI` being exactly `"true"`; consider relaxing this to a non-empty check (e.g., `[ -n "$$CI" ]`) or documenting the expectation, to avoid surprises in other CI environments.
- The new prebuilt flow assumes `bin/linux_${GOARCH}/stackrox-operator` is present in the Docker build context and not filtered by `.dockerignore`/`.containerignore`; it would be good to double‑check or explicitly comment in those files that this binary must remain included for `prebuilt.Dockerfile` to work.
## Individual Comments
### Comment 1
<location path="operator/Makefile" line_range="393-394" />
<code_context>
+ -f $< \
+ ..
+
+.PHONY: docker-build-prebuilt
+docker-build-prebuilt: prebuilt.Dockerfile ## Build docker image with pre-built operator binary.
BUILDKIT_PROGRESS=plain ../scripts/docker-build.sh \
-t ${IMG} \
</code_context>
<issue_to_address>
**🚨 issue (security):** Align docker-build-prebuilt prerequisites with docker-build-full (e.g., smuggled-status-sh) to preserve the same checks.
After the refactor, `docker-build`’s former prerequisite chain (`build/Dockerfile.gen smuggled-status-sh`) only exists on `docker-build-full`, while `docker-build-prebuilt` depends solely on `prebuilt.Dockerfile`. In CI the prebuilt path will run most often, so any checks or side effects in `smuggled-status-sh` (e.g., license/provenance validation) will be skipped. Please add `smuggled-status-sh` (and any other needed prerequisites) to `docker-build-prebuilt`, or extract them into a shared prerequisite so both build modes run the same checks.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
janisz
force-pushed
the
ROX-33792-undockerize-operator-build
branch
from
41e8b4b to
65aada2
Compare
|
Images are ready for the commit at 9cd0473. To use with deploy scripts, first |
janisz
force-pushed
the
ROX-33792-undockerize-operator-build
branch
from
65aada2 to
33aae4a
Compare
Build operator binary once in pre-build-go-binaries job alongside other Go binaries, then reuse it when building Docker images. This eliminates duplicate compilation and leverages GitHub Actions' Go module cache. Changes: - Add operator/cmd to main-build-nodeps in root Makefile - Create operator/prebuilt.Dockerfile for CI builds - Add conditional docker-build targets in operator/Makefile that use prebuilt binaries in CI mode, fall back to in-Docker build locally - Allow operator binaries in .dockerignore and .containerignore - Update build-and-push-operator job to download prebuilt binaries and skip proto resolution/duplicate builds Benefits: - ~2-5 min savings from eliminating duplicate Go compilation - Better cache utilization via GitHub Actions' Go module cache - Smaller Docker build context - Fully backwards compatible (local builds unchanged) Related: ROX-33792 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
janisz
force-pushed
the
ROX-33792-undockerize-operator-build
branch
from
33aae4a to
7d9eafc
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #19655 +/- ##
==========================================
- Coverage 49.65% 49.64% -0.01%
==========================================
Files 2747 2747
Lines 207261 207261
==========================================
- Hits 102909 102902 -7
- Misses 96698 96703 +5
- Partials 7654 7656 +2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
davdhacs
left a comment
davdhacs
left a comment
There was a problem hiding this comment.
Looks great. My only request is to remove the stackrox_operator exclude and put it into a .dockerignore that is only used for the prebuilt-operator.
Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>
janisz
force-pushed
the
ROX-33792-undockerize-operator-build
branch
from
0421a7f to
fabb46b
Compare
|
/retest |
Co-authored-by: Marcin Owsiany <porridge@redhat.com>
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe PR decouples operator binary compilation from image creation: a pre-build job produces prebuilt Go binaries, and the operator image job downloads those artifacts and builds the Docker image using a new prebuilt-aware Dockerfile/Make target. Changes
Sequence Diagram(s)mermaid Estimated code review effort🎯 3 (Moderate) | ⏱️ ~30 minutes 🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
operator/prebuilt.Dockerfile.dockerignore (1)
1-1:⚠️ Potential issue | 🟠 MajorThis Dockerfile-specific ignore file turns the ignore rules into a no-op.
For
docker build -f prebuilt.Dockerfile .., Docker usesprebuilt.Dockerfile.dockerignoreas the active ignore file rather than layering it on top of the repo-root.dockerignore. With only a!rule here, nothing is excluded, so the whole repo gets sent as build context. That undercuts the CI speedup this PR is trying to get and can re-include paths the root ignore file normally keeps out. Please mirror the root ignore rules here (or drop the Dockerfile-specific file) before whitelistingbin/linux_*/stackrox-operator.When both a root `.dockerignore` and a Dockerfile-specific file like `prebuilt.Dockerfile.dockerignore` exist, does Docker merge them or does the Dockerfile-specific file take precedence?🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@operator/prebuilt.Dockerfile.dockerignore` at line 1, The prebuilt.Dockerfile.dockerignore currently contains only the whitelist rule `!/bin/linux_*/stackrox-operator`, which makes the file override the root .dockerignore and sends the entire repo as build context; update prebuilt.Dockerfile.dockerignore to either mirror the root .dockerignore contents (copy all root ignore rules into this file) and then append the whitelist line `!/bin/linux_*/stackrox-operator`, or remove prebuilt.Dockerfile.dockerignore entirely so Docker uses the root .dockerignore; ensure the final file includes the same exclusions as the repository root before the whitelist is applied.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/build.yaml:
- Around line 628-630: The operator job currently lists "needs:
pre-build-go-binaries" which forces it to wait for every matrix run of that job;
instead split or scope the dependency so the operator only waits for the
default-variant artifacts. Create a new job (e.g.,
pre-build-go-binaries-default) that only builds the default variant (producing
artifacts named like go-binaries-build-${{ matrix.arch }}-default) and change
the operator job's needs to reference that new job (replace needs:
pre-build-go-binaries with needs: pre-build-go-binaries-default), or
alternatively adjust the workflow to publish/select only the default-variant
artifact and have the operator depend on that specific job/output. Ensure the
operator continues to depend on define-job-matrix as before.
---
Duplicate comments:
In `@operator/prebuilt.Dockerfile.dockerignore`:
- Line 1: The prebuilt.Dockerfile.dockerignore currently contains only the
whitelist rule `!/bin/linux_*/stackrox-operator`, which makes the file override
the root .dockerignore and sends the entire repo as build context; update
prebuilt.Dockerfile.dockerignore to either mirror the root .dockerignore
contents (copy all root ignore rules into this file) and then append the
whitelist line `!/bin/linux_*/stackrox-operator`, or remove
prebuilt.Dockerfile.dockerignore entirely so Docker uses the root .dockerignore;
ensure the final file includes the same exclusions as the repository root before
the whitelist is applied.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: f848051b-2bc3-4a25-8444-ad2a36d5f7bd
📒 Files selected for processing (5)
.github/workflows/build.yamlMakefileoperator/Makefileoperator/prebuilt.Dockerfileoperator/prebuilt.Dockerfile.dockerignore
janisz
added
the
auto-retest
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/build.yaml (1)
674-678: Consider addingif: ${{ !cancelled() }}for consistency withbuild-and-push-main.The
build-and-push-mainjob (line 387) usesif: ${{ !cancelled() }}to allow partial matrix completion when some prerequisite jobs fail. This enables building images for architectures where prebuilds succeeded, even if others failed.The
build-and-push-operatorjob lacks this condition, meaning it will be entirely skipped if anypre-build-go-binariesmatrix run fails—even for architectures where prebuilds succeeded.If this asymmetry is intentional (e.g., stricter requirements for operator builds), this comment can be disregarded.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/build.yaml around lines 674 - 678, The build-and-push-operator job lacks the cancellation guard present in build-and-push-main; update the build-and-push-operator job declaration to include the same condition by adding if: ${{ !cancelled() }} so the operator job can proceed for matrix entries that completed even if other pre-build matrix runs failed (apply this change to the job named build-and-push-operator to mirror build-and-push-main).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/build.yaml:
- Around line 674-678: The build-and-push-operator job lacks the cancellation
guard present in build-and-push-main; update the build-and-push-operator job
declaration to include the same condition by adding if: ${{ !cancelled() }} so
the operator job can proceed for matrix entries that completed even if other
pre-build matrix runs failed (apply this change to the job named
build-and-push-operator to mirror build-and-push-main).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Pro
Run ID: f4959d42-82df-4260-9400-3c716669ddeb
📒 Files selected for processing (2)
.github/workflows/build.yamloperator/Makefile
✅ Files skipped from review due to trivial changes (1)
- operator/Makefile
4 participants
Description
Build operator binary once in pre-build-go-binaries job alongside other Go binaries, then reuse it when building Docker images. This eliminates duplicate compilation and leverages GitHub Actions' Go module cache and Go builder for multiple binaries.
User-facing documentation
Testing and quality
Automated testing
How I validated my change
CI