stackrox · janisz · Mar 31, 2026 · Mar 27, 2026 · Mar 30, 2026 · Mar 31, 2026
@@ -675,6 +675,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - define-job-matrix
+      - pre-build-go-binaries
     container:
       image: quay.io/stackrox-io/apollo-ci:stackrox-test-0.5.3
       volumes:
@@ -691,6 +692,8 @@ jobs:
       matrix: ${{ fromJson(needs.define-job-matrix.outputs.matrix).build_and_push_operator }}
     env:
       ROX_PRODUCT_BRANDING: ${{ matrix.name }}
+      # Proto sources freshness is checked in another workflow.
+      ROX_OPERATOR_SKIP_PROTO_GENERATED_SRCS: true
       BUILD_TAG: ${{ needs.define-job-matrix.outputs.build-tag }}
       SHORTCOMMIT: ${{ needs.define-job-matrix.outputs.short-commit }}
       GOTAGS: ${{ needs.define-job-matrix.outputs.gotags }}
@@ -708,15 +711,14 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
-      - name: Cache Go dependencies
-        env:
-          GOARCH: ${{ matrix.arch }}
-        uses: ./.github/actions/cache-go-dependencies
+      - name: Download prebuilt operator binaries
+        uses: ./.github/actions/download-artifact-with-retry
         with:
-          key-suffix: ${{ matrix.name }}
+          name: go-binaries-build-${{ matrix.arch }}-default
+          path: .
 
-      - name: Resolve mods for protos
-        run: go mod tidy
+      - name: Extract prebuilt binaries
+        run: tar xzf go-binaries-build.tgz
 
       - name: PR labels
         uses: joerick/pr-labels-action@v1.0.9
@@ -742,16 +744,7 @@ jobs:
 
       - name: Build Operator image
         run: |
-          # The first invocation builds native architecture dependencies, which helps avoid the following error,
-          # which otherwise happens when cross-building. It also needlessly builds the operator binary for the
-          # native architecture, but this is quick and more robust than trying to repeat the dependencies here
-          # or in a separate intermediate target.
-          #   + protoc-gen-go
-          #   go: cannot install cross-compiled binaries when GOBIN is set
-          CGO_ENABLED=0                           scripts/lib.sh retry 6 true make -C operator/ build
-          # Once the native architecture dependencies are installed by the above command, the following one
-          # simply builds the actual operator binary for the correct target architecture.
-          CGO_ENABLED=0 GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make -C operator/ build docker-build
+          GOARCH=${{ matrix.arch }} scripts/lib.sh retry 6 true make -C operator/ docker-build-prebuilt
 
       - name: Login to docker.io to mitigate rate limiting on downloading images
         uses: docker/login-action@v4

diff --git a/Makefile b/Makefile
@@ -489,10 +489,12 @@ main-build-nodeps:
 		compliance/cmd/compliance \
 		config-controller \
 		migrator \
+		operator/cmd \
 		sensor/admission-control \
 		sensor/kubernetes \
 		sensor/upgrader \
 		compliance/virtualmachines/roxagent
+	mv bin/linux_$(GOARCH)/cmd bin/linux_$(GOARCH)/stackrox-operator
 ifndef CI
 	CGO_ENABLED=0 $(GOBUILD) roxctl
 endif

@@ -377,13 +377,22 @@ build/Dockerfile.gen: Dockerfile
 	sed -e 's,$${ROX_IMAGE_FLAVOR},$(ROX_IMAGE_FLAVOR),g; s,$${BUILD_IMAGE_VERSION},$(shell sed 's/\s*\#.*//' ../BUILD_IMAGE_VERSION),' < $< > $@
 
 .PHONY: docker-build
-docker-build: build/Dockerfile.gen smuggled-status-sh ## Build docker image with the operator.
+docker-build: build/Dockerfile.gen smuggled-status-sh ## Build docker image with the operator (build binary inside Docker).
 	BUILDKIT_PROGRESS=plain ../scripts/docker-build.sh \
 		-t ${IMG} \
 		$(if $(GOARCH),--build-arg TARGET_ARCH=$(GOARCH)) \
 		-f $< \
 		..
 
+.PHONY: docker-build-prebuilt
+docker-build-prebuilt: prebuilt.Dockerfile ## Build docker image with pre-built operator binary.
+	BUILDKIT_PROGRESS=plain ../scripts/docker-build.sh \
+		-t ${IMG} \
+		$(if $(GOARCH),--build-arg TARGET_ARCH=$(GOARCH)) \
+		--build-arg ROX_IMAGE_FLAVOR=$(ROX_IMAGE_FLAVOR) \
+		-f $< \
+		..
+
 ##@ Deployment
 
 ifndef ignore-not-found

@@ -0,0 +1,21 @@
+# syntax=docker/dockerfile:1
+
+# Simplified Dockerfile for operator that uses a pre-built binary.
+# This avoids rebuilding the binary inside Docker and leverages external caching.
+
+ARG TARGET_ARCH=amd64
+
+FROM --platform=linux/${TARGET_ARCH} registry.access.redhat.com/ubi9-micro:latest
+
+ARG ROX_IMAGE_FLAVOR
+ENV ROX_IMAGE_FLAVOR=${ROX_IMAGE_FLAVOR}
+
+ARG TARGET_ARCH
+COPY bin/linux_${TARGET_ARCH}/stackrox-operator /usr/local/bin/
+
+# The following are numeric uid and gid of `nobody` user in UBI.
+# We can't use symbolic names because otherwise k8s will fail to start the pod with an error like this:
+# Error: container has runAsNonRoot and image has non-numeric user (nobody), cannot verify user is non-root (pod: "stackrox-operator-controller-manager-75bc744454-bkbjr_stackrox-operator-system(49874aae-2695-4d3a-afd3-8723914d2af5)", container: manager)
+USER 65534:65534
+
+ENTRYPOINT ["/usr/local/bin/stackrox-operator"]
@@ -0,0 +1 @@
+!/bin/linux_*/stackrox-operator