From 5f2beca32fa71e3c4a0128195aa4b4ad2f4a6d32 Mon Sep 17 00:00:00 2001 From: Techassi Date: Wed, 20 May 2026 13:19:54 +0200 Subject: [PATCH 1/2] ci: Add quay.io to reusable workflow --- .github/workflows/reusable_build_image.yaml | 33 +++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/.github/workflows/reusable_build_image.yaml b/.github/workflows/reusable_build_image.yaml index c07ebf81d..f425ffe3b 100644 --- a/.github/workflows/reusable_build_image.yaml +++ b/.github/workflows/reusable_build_image.yaml @@ -30,6 +30,9 @@ on: harbor-robot-secret: description: The secret for the Harbor robot user used to push images and manifest required: true + quay-robot-secret: + description: The secret for the Quay.io robot user used to push images and manifest + required: true slack-token: description: The Slack token used to post failure notifications required: true 
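Review bot: Declaring `quay-robot-secret` with `required: true` means a workflow calling this reusable workflow fails until it passes the secret. In this series the callers are only updated in patch 2/2, so the tree at patch 1/2 has no working image build; squashing the two patches would keep every commit buildable. The description could also state what the robot needs, e.g. `description: Token of the Quay.io robot account (write access to the pushed repositories only) used to push images and manifests`.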
@@ -128,6 +131,22 @@ jobs: image-repository: ${{ inputs.registry-namespace }}/${{ inputs.image-name || inputs.product-name }} image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }} source-image-uri: localhost/${{ inputs.registry-namespace }}/${{ inputs.product-name }}:${{ steps.build.outputs.image-manifest-tag }} + + - name: Publish Container Image on quay.io + uses: stackabletech/actions/publish-image@8a8085be0a8cec3d24ad3970e602d65be487da6a # v0.14.1 + with: + image-registry-uri: quay.io + image-registry-username: stackable+robot_${{ inputs.registry-namespace }}_github_action_build + image-registry-password: ${{ secrets.quay-robot-secret }} + # NOTE (@NickLarsenNZ): This fallback is just for now so we can support both repo level + # image folders that go under the sdp namespace AND nested image folders that contain the + # namespace (for example precommit/hadoop). + # In future, we probably want to encode this information in the boil config metadata per + # registry so we don't have to do such gymnastics in the workflow. + image-repository: stackable/${{ inputs.registry-namespace }}/${{ inputs.image-name || inputs.product-name }} + image-manifest-tag: ${{ steps.build.outputs.image-manifest-tag }} + source-image-uri: localhost/${{ inputs.registry-namespace }}/${{ inputs.product-name }}:${{ steps.build.outputs.image-manifest-tag }} + publish_manifests: name: Build/Publish ${{ matrix.versions }} Manifests needs: [generate_version_dimension, build] 
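Review bot: The quay.io login in the new step pairs a username derived from `inputs.registry-namespace` with a single `quay-robot-secret`, and the callers updated in patch 2/2 all pass the SDP-scoped `QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET`. If a caller ever supplies a different namespace, the username changes while the token does not. The push then either fails at login or only works because one robot token is valid across namespaces, which is broader than a per-namespace robot name implies. I would state the expectation next to the credentials, for example `# quay-robot-secret must belong to the robot named above and have write access only to stackable/<registry-namespace>`. The same pairing appears in the index-manifest step of the next hunk; the existing Harbor step lies outside this hunk, so whether it has the same shape cannot be checked from here.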
@@ -159,6 +178,20 @@ jobs: image-repository: ${{ inputs.registry-namespace }}/${{ inputs.image-name || inputs.product-name }} image-index-manifest-tag: ${{ matrix.versions }}-stackable${{ inputs.sdp-version }} + - name: Publish and Sign Image Index Manifest to quay.io + uses: stackabletech/actions/publish-image-index-manifest@8a8085be0a8cec3d24ad3970e602d65be487da6a # v0.14.1 + with: + image-registry-uri: quay.io + image-registry-username: stackable+robot_${{ inputs.registry-namespace }}_github_action_build + image-registry-password: ${{ secrets.quay-robot-secret }} + # NOTE (@NickLarsenNZ): This fallback is just for now so we can support both repo level + # image folders that go under the sdp namespace AND nested image folders that contain the + # namespace (for example precommit/hadoop). + # In future, we probably want to encode this information in the boil config metadata per + # registry so we don't have to do such gymnastics in the workflow. + image-repository: stackable/${{ inputs.registry-namespace }}/${{ inputs.image-name || inputs.product-name }} + image-index-manifest-tag: ${{ matrix.versions }}-stackable${{ inputs.sdp-version }} + notify: name: Failure Notification needs: [generate_version_dimension, build, publish_manifests] From 624b5cc944cbd6101acc04e375f7c8a014e4a282 Mon Sep 17 00:00:00 2001 
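Review bot: The quay.io publish-and-sign step is appended to the same job as the preceding registry's step (presumably Harbor; only its last two `with:` lines are visible), so a quay.io outage or a bad token fails the job after the first registry has already been updated, and the two registries then serve different tags until a re-run. The image step added in the previous hunk has the same property, and because `publish_manifests` needs `build`, a quay.io failure there also keeps the index manifest from reaching the first registry. I would record the intended behaviour above the step, e.g. `# Published after Harbor: a failure here leaves quay.io behind Harbor until the job is re-run`. Silently tolerating the failure is not a good alternative, since consumers pulling from quay.io would get stale or unsigned tags without any signal.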
From: Techassi Date: Wed, 20 May 2026 13:23:10 +0200 Subject: [PATCH 2/2] ci: Add input for quay.io robot secret --- .github/workflows/build_airflow.yaml | 1 + .github/workflows/build_druid.yaml | 1 + .github/workflows/build_hadoop.yaml | 1 + .github/workflows/build_hbase.yaml | 1 + .github/workflows/build_hive.yaml | 1 + .github/workflows/build_java-base.yaml | 1 + .github/workflows/build_java-devel.yaml | 1 + .github/workflows/build_kafka-testing-tools.yaml | 1 + .github/workflows/build_kafka.yaml | 1 + .github/workflows/build_krb5.yaml | 1 + .github/workflows/build_nifi.yaml | 1 + .github/workflows/build_omid.yaml | 1 + .github/workflows/build_opa.yaml | 1 + .github/workflows/build_opensearch.yaml | 1 + .github/workflows/build_opensearch_dashboards.yaml | 1 + .github/workflows/build_spark-k8s.yaml | 1 + .github/workflows/build_stackable-base.yaml | 1 + .github/workflows/build_superset.yaml | 1 + .github/workflows/build_testing-tools.yaml | 1 + .github/workflows/build_tools.yaml | 1 + .github/workflows/build_trino-cli.yaml | 1 + .github/workflows/build_trino.yaml | 1 + .github/workflows/build_vector.yaml | 1 + .github/workflows/build_zookeeper.yaml | 1 + 24 files changed, 24 insertions(+) diff --git a/.github/workflows/build_airflow.yaml b/.github/workflows/build_airflow.yaml index 3c052be00..30340053d 100644 --- a/.github/workflows/build_airflow.yaml +++ b/.github/workflows/build_airflow.yaml @@ -30,6 +30,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_druid.yaml b/.github/workflows/build_druid.yaml index 713422310..e06452bb7 100644 --- a/.github/workflows/build_druid.yaml +++ b/.github/workflows/build_druid.yaml 
@@ -32,6 +32,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_hadoop.yaml b/.github/workflows/build_hadoop.yaml index b2c47f02c..9725ef4bf 100644 --- a/.github/workflows/build_hadoop.yaml +++ b/.github/workflows/build_hadoop.yaml @@ -32,6 +32,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_hbase.yaml b/.github/workflows/build_hbase.yaml index 9d5022e78..75105c4f3 100644 --- a/.github/workflows/build_hbase.yaml +++ b/.github/workflows/build_hbase.yaml @@ -33,6 +33,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_hive.yaml b/.github/workflows/build_hive.yaml index 8a5b4e02a..01c6b96d0 100644 --- a/.github/workflows/build_hive.yaml +++ b/.github/workflows/build_hive.yaml @@ -33,6 +33,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write 
diff --git a/.github/workflows/build_java-base.yaml b/.github/workflows/build_java-base.yaml index 5ec426eab..dbb56540e 100644 --- a/.github/workflows/build_java-base.yaml +++ b/.github/workflows/build_java-base.yaml @@ -28,6 +28,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_java-devel.yaml b/.github/workflows/build_java-devel.yaml index 852ea27f8..bafdb05ba 100644 --- a/.github/workflows/build_java-devel.yaml +++ b/.github/workflows/build_java-devel.yaml @@ -28,6 +28,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_kafka-testing-tools.yaml b/.github/workflows/build_kafka-testing-tools.yaml index 2f86355b5..b559048c4 100644 --- a/.github/workflows/build_kafka-testing-tools.yaml +++ b/.github/workflows/build_kafka-testing-tools.yaml @@ -32,6 +32,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_kafka.yaml b/.github/workflows/build_kafka.yaml index 1877c28d9..a8b2bdf3d 100644 --- a/.github/workflows/build_kafka.yaml +++ b/.github/workflows/build_kafka.yaml 
@@ -33,6 +33,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_krb5.yaml b/.github/workflows/build_krb5.yaml index 7ce72f738..d19e8439f 100644 --- a/.github/workflows/build_krb5.yaml +++ b/.github/workflows/build_krb5.yaml @@ -28,6 +28,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_nifi.yaml b/.github/workflows/build_nifi.yaml index a817492ac..6e3090ecc 100644 --- a/.github/workflows/build_nifi.yaml +++ b/.github/workflows/build_nifi.yaml @@ -32,6 +32,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_omid.yaml b/.github/workflows/build_omid.yaml index aec935d9b..3bb06244b 100644 --- a/.github/workflows/build_omid.yaml +++ b/.github/workflows/build_omid.yaml @@ -32,6 +32,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write 
diff --git a/.github/workflows/build_opa.yaml b/.github/workflows/build_opa.yaml index 74543102c..cd7d2f356 100644 --- a/.github/workflows/build_opa.yaml +++ b/.github/workflows/build_opa.yaml @@ -30,6 +30,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_opensearch.yaml b/.github/workflows/build_opensearch.yaml index 4269d1f1f..6d1e927e9 100644 --- a/.github/workflows/build_opensearch.yaml +++ b/.github/workflows/build_opensearch.yaml @@ -33,6 +33,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_opensearch_dashboards.yaml b/.github/workflows/build_opensearch_dashboards.yaml index d385f96ff..be0396b8e 100644 --- a/.github/workflows/build_opensearch_dashboards.yaml +++ b/.github/workflows/build_opensearch_dashboards.yaml @@ -31,6 +31,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_spark-k8s.yaml b/.github/workflows/build_spark-k8s.yaml index 07f095414..6e0c69278 100644 --- a/.github/workflows/build_spark-k8s.yaml +++ b/.github/workflows/build_spark-k8s.yaml 
@@ -33,6 +33,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_stackable-base.yaml b/.github/workflows/build_stackable-base.yaml index f16a8cf3b..422f468ff 100644 --- a/.github/workflows/build_stackable-base.yaml +++ b/.github/workflows/build_stackable-base.yaml @@ -29,6 +29,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_superset.yaml b/.github/workflows/build_superset.yaml index e9ef07ba7..94d1b750c 100644 --- a/.github/workflows/build_superset.yaml +++ b/.github/workflows/build_superset.yaml @@ -30,6 +30,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_testing-tools.yaml b/.github/workflows/build_testing-tools.yaml index 80071a2ca..be9395cbc 100644 --- a/.github/workflows/build_testing-tools.yaml +++ b/.github/workflows/build_testing-tools.yaml @@ -36,6 +36,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write 
diff --git a/.github/workflows/build_tools.yaml b/.github/workflows/build_tools.yaml index c3ebe89e9..d7a47f34c 100644 --- a/.github/workflows/build_tools.yaml +++ b/.github/workflows/build_tools.yaml @@ -29,6 +29,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_trino-cli.yaml b/.github/workflows/build_trino-cli.yaml index c0bc70c84..7558ef57d 100644 --- a/.github/workflows/build_trino-cli.yaml +++ b/.github/workflows/build_trino-cli.yaml @@ -31,6 +31,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_trino.yaml b/.github/workflows/build_trino.yaml index c00bc619f..559f0ffe7 100644 --- a/.github/workflows/build_trino.yaml +++ b/.github/workflows/build_trino.yaml @@ -32,6 +32,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_vector.yaml b/.github/workflows/build_vector.yaml index b59e187db..c963b7093 100644 --- a/.github/workflows/build_vector.yaml +++ b/.github/workflows/build_vector.yaml 
@@ -28,6 +28,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write diff --git a/.github/workflows/build_zookeeper.yaml b/.github/workflows/build_zookeeper.yaml index 356744cec..8f93b5f83 100644 --- a/.github/workflows/build_zookeeper.yaml +++ b/.github/workflows/build_zookeeper.yaml @@ -32,6 +32,7 @@ jobs: uses: ./.github/workflows/reusable_build_image.yaml secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} + quay-robot-secret: ${{ secrets.QUAY_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} permissions: id-token: write