ci: replace inline build with shared reusable workflow #16

Merged
kphunter merged 2 commits into main from devin/1777140244-use-reusable-oci-build
Apr 25, 2026

@devin-ai-integration devin-ai-integration Bot commented Apr 25, 2026

Summary

Replaces the monolithic inline build job in ci.yaml (checkout, change detection, version computation, Docker build/push, Cosign signing, Trivy scanning — ~210 lines) with a single call to the org-level reusable workflow bcit-tlu/.github/.github/workflows/oci-build.yaml@main, matching the pattern established in hriv's ci.yaml.

Before → After

| Aspect | Before | After |
| --- | --- | --- |
| Build job | Inline (210 lines) | uses: bcit-tlu/.github/.github/workflows/oci-build.yaml@main |
| Job name | build | build-haproxy-operator |
| Change detection | Custom inline | Handled by reusable workflow |
| Version computation | Custom inline (with bump-minor-pre-major) | Handled by reusable workflow |
| Docker build/push | Inline docker/build-push-action | Handled by reusable workflow |
| Cosign signing | Inline | Handled by reusable workflow |
| Trivy scanning | Inline (PR table + main SARIF) | Handled by reusable workflow |

Unchanged:

  • go-test quality gate (repo-specific)
  • helm-lint (independent parallel job)
  • All other workflows (release-please.yaml, helm-publish.yaml, release-retag.yaml, pr-title-lint.yaml)
  • Image tag contract (sha-<fullsha> + <ver>-rc.<ts>.<short>)

Review & Testing Checklist for Human

  • Update branch protection — Required status check renamed from build to build-haproxy-operator (also check if build / build or similar naming was used)
  • Verify reusable workflow access: bcit-tlu/.github must allow workflow calls from this repo (org-level Actions setting)
  • After merge, verify first main push — confirm build-haproxy-operator runs via the reusable workflow and produces the expected sha-<sha> + rc tags

Notes

  • The reusable workflow's version computation does NOT implement bump-minor-pre-major for the RC tag prefix (it always bumps major for breaking changes). This is acceptable because RC tags are informational/sorting only — actual releases use release-please which respects the bump-minor-pre-major config.
  • REGISTRY env var removed from workflow level (the reusable workflow defines its own).
  • The !cancelled() + quality-gate-check pattern was removed in favor of a simple needs: [go-test] chain, matching hriv's approach.
  • actions: read permission retained for codeql-action/upload-sarif on private repos.

Link to Devin session: https://app.devin.ai/sessions/616a3e66529e458fbcfc0b6cca2703a7
Requested by: @kphunter


Replace the monolithic inline build job (checkout, change detection,
version computation, Docker build/push, Cosign signing, Trivy scanning)
with a single call to the org-level reusable workflow
(bcit-tlu/.github oci-build.yaml), matching hriv's ci.yaml structure.

- go-test and helm-lint quality gates stay inline (repo-specific).
- Build job renamed: build → build-haproxy-operator (required status
  check must be updated in branch protection).
- tag_prefix='v' for single-component repo.
- Removed REGISTRY env var (handled by reusable workflow).
- Removed !cancelled() + quality-gate check pattern — the reusable
  workflow is a simple needs-chain, which is what hriv uses.

Co-Authored-By: kyle_hunter@bcit.ca <kyle_hunter@bcit.ca>

@kphunter kphunter merged commit 89c75d2 into main Apr 25, 2026
6 checks passed
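
The build job in this PR calls the org workflow by branch name (`@main`), so whatever is on that branch at run time performs the build, Cosign signing and Trivy scanning for this repo. As an added example (not code from this PR or from the bcit-tlu repositories), the Python script below lists every `uses:` reference in a workflow file and flags those not pinned to a full commit SHA; the sample workflow is constructed, and only the reusable-workflow `uses:` value, `needs: [go-test]` and `tag_prefix` come from the page.

```python
import re

# Constructed caller workflow for illustration. The go-test steps and the
# 40-character SHA are assumptions, not taken from the repository.
SAMPLE_WORKFLOW = """\
jobs:
  go-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567  # constructed SHA
  build-haproxy-operator:
    needs: [go-test]
    uses: bcit-tlu/.github/.github/workflows/oci-build.yaml@main
    with:
      tag_prefix: v
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def classify(target):
    """Return 'local', 'pinned' or 'mutable' for one uses: value."""
    if target.startswith("./"):
        return "local"  # resolved from the caller's own commit
    if target.startswith("docker://"):
        return "pinned" if "@sha256:" in target else "mutable"
    _, sep, ref = target.rpartition("@")
    return "pinned" if sep and FULL_SHA_RE.fullmatch(ref) else "mutable"

def audit(workflow_text):
    """Yield (line number, kind, target, status) for each uses: line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            target = m.group(1)
            kind = "workflow" if re.search(r"\.ya?ml@", target) else "action"
            findings.append((lineno, kind, target, classify(target)))
    return findings

def mutable_refs(workflow_text):
    """References that follow a branch or tag and can change between runs."""
    return [f for f in audit(workflow_text) if f[3] == "mutable"]

if __name__ == "__main__":
    for lineno, kind, target, status in audit(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind:8} {status:8} {target}")
```

A reference reported as `mutable` is not necessarily wrong for an org-owned workflow, but it means branch protection on the called repository is part of this repo's build trust boundary.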