ci: overhaul CI pipeline — release workflow, traceability labels, and quality gates#65
Closed
oguzkaganozt wants to merge 6 commits into
Conversation
Autoware-synced releases are no longer needed; OpenADKit now follows its own versioning independently.

- setup-docker: restrict trigger to setup.sh path changes only, update checkout to v6
- deploy-docs: pin dependency versions via docs/requirements.txt
- build-all-images: add free-disk-space step to build-common and build-components stages

- lint: shellcheck on PRs for .sh files (non-blocking, error severity only)
- scan: Trivy image scan after builds + weekly schedule, results to GitHub Security tab
- build-all-images: notify-failure job creates a GitHub issue on scheduled build failures

- notify-failure: add prepare to needs, remove non-existent ci-failure label
- scan: use repository_owner instead of actor for stable GHCR login

- build-all-images: embed build-tag and run-id as OCI labels in all bake targets
- build-all-images: add summarize job to surface build_tag in job summary after successful builds
- release: new workflow_dispatch-only workflow with validate → release-images → release-github stages
  - validates semver format, build_tag format, branch, tag uniqueness, registry existence
  - promotes 28 images via imagetools create (no rebuild)
  - resolves git SHA from run_id via GitHub API
  - creates git tag pointing to exact built commit, then GitHub Release with auto changelog
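As an added example (not code from this PR or from the OpenADKit repository), the shell functions below sketch the offline-checkable parts of the validate stage the last commit message describes: semver format, build_tag format, and tag uniqueness. The build_tag layout `YYYYMMDD-<run_id>-<run_attempt>` follows what the scan workflow in this PR constructs; the semver pattern (`MAJOR.MINOR.PATCH` with an optional leading `v`), the function names and the return codes are assumptions. The branch and registry-existence checks need GitHub and GHCR access and are left out.

```shell
#!/usr/bin/env sh
# Added example, not part of the PR. Assumed formats:
#   build_tag : YYYYMMDD-<run_id>-<run_attempt>   (as built in scan.yaml)
#   version   : MAJOR.MINOR.PATCH, optional leading "v" (assumption)

# Return 0 if $1 is a well-formed build_tag, 1 otherwise.
is_valid_build_tag() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{8}-[0-9]+-[0-9]+$'
}

# Return 0 if $1 is a plain semver release version (no prerelease or
# build metadata; leading zeros are rejected as the spec requires).
is_valid_semver() {
  printf '%s\n' "$1" | grep -Eq '^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# Print the run_id embedded in a build_tag (the middle field); the release
# workflow would then resolve this id to a commit SHA via the GitHub API.
run_id_from_build_tag() {
  printf '%s\n' "$1" | cut -d- -f2
}

# Tag uniqueness: return 0 if no local git tag named $1 exists.
# `git tag -l` only reads the local repository, so it works offline.
tag_is_unused() {
  [ -z "$(git tag -l "$1" 2>/dev/null)" ]
}

# Validate stage: on success print the run_id to promote and return 0;
# otherwise print a reason to stderr and return a distinct non-zero code.
validate_release_inputs() {
  version="$1"; build_tag="$2"
  is_valid_semver "$version"      || { echo "invalid semver: $version" >&2; return 1; }
  is_valid_build_tag "$build_tag" || { echo "invalid build_tag: $build_tag" >&2; return 2; }
  # Only consult git when run inside a repository (keeps the check optional).
  if git rev-parse --git-dir >/dev/null 2>&1; then
    tag_is_unused "$version" || { echo "tag already exists: $version" >&2; return 3; }
  fi
  run_id_from_build_tag "$build_tag"
}
```

Each check is a separate function returning a status code, so a workflow step can call them individually and the job log shows exactly which precondition failed before any image is retagged.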
Please review @youtalk @mitsudome-r
Pull request overview
This PR overhauls the repository’s GitHub Actions CI/release automation by introducing a manual semver promotion-based release workflow, adding image traceability labels, and adding new CI quality/scanning workflows while reducing runner disk pressure in heavy image build jobs.
Changes:
- Add a manual `release` workflow that validates and promotes a specific immutable `build_tag` to a semver tag and creates a GitHub Release.
- Add Trivy-based image scanning via a new `scan-images` workflow, plus a new ShellCheck `lint` workflow and docs dependency pinning via `docs/requirements.txt`.
- Update `build-all-images` to free disk space earlier and attach OCI traceability labels to builds; tighten `setup-docker` PR triggering to `setup.sh` changes.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/requirements.txt | New pinned-ish MkDocs dependency set for reproducible docs builds. |
| .github/workflows/deploy-docs.yaml | Switch docs install step to `pip install -r docs/requirements.txt`. |
| .github/workflows/lint.yaml | New ShellCheck workflow for .sh files. |
| .github/workflows/setup-docker.yaml | Restrict PR trigger to setup.sh changes. |
| .github/workflows/build-all-images.yaml | Add disk cleanup step earlier; add OCI traceability labels; add summary and scheduled failure issue creation. |
| .github/workflows/scan.yaml | New Trivy scan workflow triggered by workflow_run, schedule, or manual dispatch. |
| .github/workflows/release.yaml | New manual promotion workflow: validate build_tag, retag images to semver, create git tag + GitHub release. |
| .github/workflows/release-all-images.yaml | Remove previous Autoware-synced scheduled release workflow. |
| workflow_dispatch: | ||
| pull_request: | ||
| paths: | ||
| - 'setup.sh' |
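Review bot: the `paths` filter under `pull_request` lists only `'setup.sh'`, so a PR that edits `.github/workflows/setup-docker.yaml` itself will no longer exercise this workflow before merge; `workflow_dispatch` still allows a manual run, but only on request. Consider adding the workflow file to the filter, e.g. `- '.github/workflows/setup-docker.yaml'`, so changes to the job definition are validated on the PR that makes them.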
| build_tag="${build_date}-${{ github.event.workflow_run.id }}-${{ github.event.workflow_run.run_attempt }}" | ||
| echo "image_ref=${{ env.IMAGE_PREFIX_COMPONENT }}:${{ matrix.target }}-${{ matrix.ros-distro }}-${build_tag}" >> "$GITHUB_OUTPUT" | ||
| else | ||
| echo "image_ref=${{ env.IMAGE_PREFIX_COMPONENT }}:${{ matrix.target }}-${{ matrix.ros-distro }}" >> "$GITHUB_OUTPUT" |
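Review bot: the `else` branch falls back to the mutable `${{ matrix.target }}-${{ matrix.ros-distro }}` tag, so the scheduled and manually dispatched scans examine whatever that tag currently points at rather than a specific build, and the results uploaded to the Security tab for those runs cannot be tied back to a `build_tag`. Consider also recording the resolved image digest, or the `build-tag` OCI label this PR embeds into the images, as a step output so that findings from schedule runs remain traceable to the build that produced the image.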
Comment on lines +36 to +43
| run_started_at="${{ github.event.workflow_run.run_started_at }}" | ||
| if [ -z "$run_started_at" ]; then | ||
| run_started_at="${{ github.event.workflow_run.created_at }}" | ||
| fi | ||
|
|
||
| build_date=$(date -u -d "$run_started_at" +%Y%m%d) | ||
| build_tag="${build_date}-${{ github.event.workflow_run.id }}-${{ github.event.workflow_run.run_attempt }}" | ||
| echo "image_ref=${{ env.IMAGE_PREFIX_COMPONENT }}:${{ matrix.target }}-${{ matrix.ros-distro }}-${build_tag}" >> "$GITHUB_OUTPUT" |
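Review bot: `build_tag` is recomputed here from `run_started_at` (falling back to `created_at`) plus `run_id` and `run_attempt`, so it only resolves to an existing image if `build-all-images` derived its `build_date` from the same timestamp; if the build job used its own wall clock via `date +%Y%m%d`, a run that starts shortly before UTC midnight yields a tag this workflow will not find. The fallback has the same problem in the other direction: `created_at` is the run's creation time while `run_started_at` refers to the current attempt, so for a re-run with `run_attempt` > 1 the two can disagree on the date. Consider having the build workflow publish the exact `build_tag` it used (for example as an artifact, or in the job summary this PR already adds) and reading that value here instead of recomputing it.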
Comment on lines +10 to +12
| runs-on: ubuntu-latest | ||
| continue-on-error: true | ||
| steps: |
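Review bot: `continue-on-error: true` is set at the job level, so the job reports success even when ShellCheck finds errors or when a step fails for an unrelated reason (action download, runner problem); this matches the "non-blocking" intent from the commit message, but a broken lint job then looks identical to a clean one in the checks list. If the goal is only to avoid blocking merges, consider placing `continue-on-error` on the ShellCheck step alone, or letting the job fail and simply not marking it as a required check, so genuine failures stay visible.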
Summary
build-tag, run-id) to built images. setup-docker to setup.sh changes only.
CI Pipeline
Release Pipeline
Validation
build-all-images run behind build_tag. workflow_run scans use immutable build_tag image refs.