
ci: pin rockcraft to latest/candidate channel for all versions #59

Merged: ktsakalozos-canonical merged 12 commits into main from switch-rockcraft-latest-edge on Jul 3, 2026

ktsakalozos-canonical (Contributor) commented Jun 24, 2026

Summary

  • Replace the repo-wide rockcraft revision pin (3494/3547) with a per-version, per-rock X.Y.Z/<rock>/.rockcraft-version.yaml selecting the latest/candidate channel for all 9 versions.
  • Remove the now-dead root .rockcraft-version.yaml and the rockcraft-revisions input in pull_request.yaml.

Why

The shared build workflow's rockcraft resolution only walks the rock directory and its immediate parent, so the repo-root .rockcraft-version.yaml was never consulted for nested rocks — they silently fell through to the rockcraft-revisions workflow input. Placing the file in each rock directory makes the channel selection effective.

The pinned rockcraft revision was producing a deterministic FIPS build failure in the 1.16.3 build:

E: Packages were downgraded and -y was used without --allow-downgrades.

(FIPS overlay wanting the FIPS-certified, lower-versioned libgcrypt20 vs the newer noble-archive version). Moving to latest/candidate is expected to pick up newer rockcraft handling of the FIPS apt-overlay and resolve this.

Notes

  • The 1.17.12 static variants keep their existing latest/stable + pro-features: disabled overrides (unchanged).
  • No pro-features key is set in the new files, so they inherit fips-updates from the workflow.

Replace the repo-wide rockcraft revision pin (3494/3547) with a
per-version .rockcraft-version.yaml selecting the latest/edge channel.

The build workflow's rockcraft resolution only walks the rock dir and
its immediate parent, so the repo-root .rockcraft-version.yaml was never
consulted for nested rocks; those fell through to the rockcraft-revisions
workflow input. Placing the file at each X.Y.Z/ dir makes the channel
selection effective. The latest/edge rockcraft is expected to resolve the
FIPS libgcrypt20 apt-downgrade failure in the 1.16.3 build.

The 1.17.12 static variants keep their latest/stable + pro-features:
disabled overrides.

ktsakalozos-canonical requested a review from a team as a code owner June 24, 2026 13:25

The build workflow's PR change-detection keys off hashFiles(rockPath/**)
and the **/rockcraft.yaml path filter. The parent-level X.Y.Z/
.rockcraft-version.yaml files were outside each rock dir, so they changed
neither signal and every rock was treated as unchanged -- build-rocks,
run-tests and the multiarch manifest were all skipped.

Move the latest/edge selection into each rock directory (next to
rockcraft.yaml -- the workflow's documented priority-1 location). This
changes each rock's content hash so the rocks are rebuilt and validated,
and keeps channel resolution correct.

The 1.17.12 static variants keep their own latest/stable +
pro-features: disabled overrides.

Switch the non-static .rockcraft-version.yaml files from latest/edge to
latest/candidate. The static 1.17.12 variants keep latest/stable +
pro-features: disabled.

ktsakalozos-canonical changed the title from "ci: pin rockcraft to latest/edge channel for all versions" to "ci: pin rockcraft to latest/candidate channel for all versions" Jun 27, 2026

ktsakalozos-canonical (Contributor, Author) commented:

Depends on canonical/k8s-workflows#60

ktsakalozos-canonical marked this pull request as draft June 29, 2026 12:33

ktsakalozos-canonical and others added 6 commits June 29, 2026 15:36

latest/stable is the build_rocks workflow default, so per-rock files
that only set that channel are unnecessary. Static variants keep their
pro-features: disabled overrides.

The debug-wrapper part installed `dlv@latest`, which now resolves to
delve v1.27.0 requiring Go >= 1.25. Rocks built with go/1.24-fips fail
with GOTOOLCHAIN=local. Pin to v1.26.3, the latest delve release that
still supports Go 1.24 (and is forward-compatible with Go 1.25).

The debug-wrapper part installed `dlv@latest`, which now resolves to
delve v1.27.0 requiring Go >= 1.25. Rocks built with go/1.24-fips fail
with GOTOOLCHAIN=local. Pin to v1.26.3, the latest delve release that
still supports Go 1.24 (and is forward-compatible with Go 1.25).

ktsakalozos-canonical marked this pull request as ready for review July 3, 2026 07:00

ktsakalozos-canonical merged commit 9c2a63f into main Jul 3, 2026
72 checks passed
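
The lookup and change-detection behaviour described in this PR's description and commit messages, as an added example that is not part of the PR or of canonical/k8s-workflows: for each rock it reports which .rockcraft-version.yaml a "rock dir, then immediate parent" lookup would reach, and flags pin files that nothing reaches and pins that sit outside the rock's hashed directory. The tree layout, the rock name `rock-a`, the version `9.9.9` and the function names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

VERSION_FILE = ".rockcraft-version.yaml"  # file name from the PR description

def resolve_pins(repo_root):
    """Map each rock dir to (version file used, where it was found)."""
    root = Path(repo_root).resolve()
    result = {}
    for rock_yaml in sorted(root.rglob("rockcraft.yaml")):
        rock_dir = rock_yaml.parent
        # Lookup rule as described in the PR: the rock dir, then its immediate
        # parent only. Anything higher (the repo root) is never consulted.
        places = [("rock-dir", rock_dir)]
        if rock_dir != root:
            places.append(("parent", rock_dir.parent))
        found = (None, "workflow-input")  # silent fall-through case
        for where, d in places:
            if (d / VERSION_FILE).is_file():
                found = ((d / VERSION_FILE).relative_to(root).as_posix(), where)
                break
        result[rock_dir.relative_to(root).as_posix()] = found
    return result

def audit(repo_root):
    """Return (dead pin files, rocks whose pin sits outside their content hash)."""
    root = Path(repo_root).resolve()
    pins = resolve_pins(root)
    used = {path for path, _ in pins.values() if path}
    present = {p.relative_to(root).as_posix() for p in root.rglob(VERSION_FILE)}
    unhashed = sorted(r for r, (_, where) in pins.items() if where == "parent")
    return sorted(present - used), unhashed

def build_sample_tree(base):
    """Constructed layout; the rock name and 9.9.9 are hypothetical."""
    for rel in [
        VERSION_FILE,                      # repo root: never reached
        "1.16.3/rock-a/rockcraft.yaml",
        "1.16.3/rock-a/" + VERSION_FILE,   # next to rockcraft.yaml
        "1.17.12/" + VERSION_FILE,         # parent level
        "1.17.12/rock-a/rockcraft.yaml",
        "9.9.9/rock-a/rockcraft.yaml",     # no pin within reach
    ]:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# contents do not affect the lookup\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rock, (path, where) in resolve_pins(tmp).items():
            print(f"{rock}: {where} -> {path}")
        print("dead pin files, unhashed rocks:", audit(tmp))
```

A rock reported as `workflow-input` builds with whatever the workflow falls back to, and a rock reported as `parent` resolves correctly but a change to its pin does not alter `hashFiles(rockPath/**)`, so it would not be rebuilt.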