Refactor the CI workflows and scripts to make it clearer #1219
Xynnn007 wants to merge 4 commits into confidential-containers:main from
db0a478 to 700d245
Pull request overview
Refactors the repository CI configuration to reduce duplicated runs and make it clearer which suites execute when, while also unifying build/test entrypoints via a root Makefile and consolidating staged image build/publish workflows.
Changes:
- Adds a root Makefile with aggregate targets for unit and e2e suites across KBS / AS / trustee-cli.
- Consolidates Rust CI into a single workflow and reorganizes e2e workflows into clearer suites/templates.
- Replaces multiple staged-image build/push workflows with reusable workflows + a composite action and a manifest-publish workflow.
Reviewed changes
Copilot reviewed 31 out of 32 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| Makefile | Introduces top-level test/build targets used by CI and local dev. |
| .github/workflows/workflow-call-publish-staged-manifests.yml | New reusable workflow to publish multi-arch manifests from per-arch tags. |
| .github/workflows/workflow-call-kbs-e2e.yml | Refactors KBS e2e reusable workflow to separate binary build from execution via artifacts. |
| .github/workflows/workflow-call-build-staged-images.yml | New reusable workflow to build staged images per component/arch. |
| .github/workflows/test-rust-ci.yml | New consolidated Rust CI workflow (KBS/AS/trustee-cli). |
| .github/workflows/test-link-check.yml | Adjusts triggers to skip markdown-only PRs. |
| .github/workflows/test-e2e-kbs.yml | New KBS e2e suite workflow (sample/vault/docker/azure). |
| .github/workflows/test-e2e-as.yml | New AS e2e workflow calling the unified Makefile target. |
| .github/workflows/test-actionlint.yml | Adjusts triggers to skip markdown-only PRs. |
| .github/workflows/security-codeql.yml | Adds CodeQL scanning workflow. |
| .github/workflows/release-clis-to-ghcr.yml | New workflow to publish CLI artifacts via ORAS. |
| .github/workflows/build-and-push-staged-images.yml | New workflow orchestrating staged image builds + manifest publishing. |
| .github/actions/build-single-image/action.yml | New composite action to build (optionally push) a single-arch staged image. |
| .github/workflows/trustee-cli-rust.yml | Removed in favor of consolidated Rust CI. |
| .github/workflows/kbs-rust.yml | Removed in favor of consolidated Rust CI. |
| .github/workflows/as-rust.yml | Removed in favor of consolidated Rust CI. |
| .github/workflows/as-e2e.yml | Removed/replaced by test-e2e-as.yml. |
| .github/workflows/kbs-e2e-vault.yml | Removed/replaced by test-e2e-kbs.yml suite job. |
| .github/workflows/kbs-e2e-sample.yml | Removed/replaced by test-e2e-kbs.yml suite jobs. |
| .github/workflows/kbs-e2e-azure-vtpm.yml | Removed/replaced by test-e2e-kbs.yml (manual dispatch jobs). |
| .github/workflows/kbs-docker-e2e.yml | Removed/replaced by test-e2e-kbs.yml docker job. |
| .github/workflows/kbs-docker-build.yml | Removed/replaced by staged image build workflow. |
| .github/workflows/as-docker-build.yml | Removed/replaced by staged image build workflow. |
| .github/workflows/push-trustee-cli-to-ghcr.yml | Removed/replaced by release-clis-to-ghcr.yml. |
| .github/workflows/push-kbs-image-to-ghcr.yml | Removed/replaced by staged image workflow + manifest publish. |
| .github/workflows/push-kbs-client-to-ghcr.yml | Removed/replaced by release-clis-to-ghcr.yml. |
| .github/workflows/push-kbs-client-image-to-ghcr.yml | Removed/replaced by staged image workflow + manifest publish. |
| .github/workflows/push-as-image-to-ghcr.yml | Removed/replaced by staged image workflow + manifest publish. |
| .github/workflows/build-trustee-cli.yml | Removed/replaced by staged image workflow patterns. |
| .github/workflows/build-kbs-image.yml | Removed/replaced by workflow-call-build-staged-images.yml. |
| .github/workflows/build-kbs-client-image.yml | Removed/replaced by workflow-call-build-staged-images.yml. |
| .github/workflows/build-as-image.yml | Removed/replaced by workflow-call-build-staged-images.yml. |
Comments suppressed due to low confidence (2)
.github/workflows/workflow-call-kbs-e2e.yml:112
`make test-kbs-e2e` invokes the root Makefile target, which currently depends on `kbs-e2e-build` (i.e., rebuilds binaries). At this point the job has only extracted `Makefile` + `kbs/test` from `test.tar.gz`, so the rebuild is likely to fail because `kbs/test`'s `bins` target expects the full repo sources (Cargo workspace, `kbs/Makefile`, etc.). Use a run-only target (e.g., `make -C kbs/test install-dependencies && make -C kbs/test e2e-test`) or introduce a separate root target that runs e2e without rebuilding and call that here.
.github/workflows/test-link-check.yml:8
This link-check workflow now skips PRs that only touch `*.md`. Since lychee is primarily validating links in documentation and repo text, this change can let broken links in markdown land without CI signal. Consider keeping link-check enabled for markdown-only changes even if heavier suites are skipped.
| workflow_call: | ||
| inputs: | ||
| image_group: | ||
| description: "Which image set to build: kbs | as | kbs-client | all" |
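Review bot: the description of `image_group` enumerates `kbs | as | kbs-client | all`, but `workflow_call` inputs only support the `string`, `number` and `boolean` types (there is no `choice` type as there is for `workflow_dispatch`), so nothing in this hunk rejects a misspelled value; a caller passing, say, `kbs_client` is accepted and whatever consumes the input downstream decides silently what that means, most likely an empty build that still reports success. Add a first step that fails the workflow unless the value is one of the four listed, for example `case "${{ inputs.image_group }}" in kbs|as|kbs-client|all) ;; *) echo "unknown image_group" >&2; exit 1;; esac`, so a bad argument is caught before any image is built or pushed.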
Our CI surface had grown organically and it was hard to tell which tests ran when, with some e2e paths even executing twice and docs-only changes still triggering heavy jobs. This change separates KBS e2e build from execution, unifies Azure and sample flows under a single suite, and makes test workflows consistently skip documentation-only pull requests so that failures are easier to reason about and CI capacity is spent only where it provides signal. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Previously each component maintained its own bespoke build-and-push workflow, which duplicated logic, obscured the overall release story, and made it harder to evolve the container layout in a coordinated way. By introducing reusable staged-image templates and a single matrix-driven pipeline for both core services and CLIs, we make GHCR publishing more predictable, easier to audit, and better aligned with how downstream consumers think about Trustee artifacts. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
The repository carried a large set of narrowly scoped workflows that each targeted a single binary or service, which made the CI surface area noisy and hid the fact that we now have unified staged-image and CLI pipelines. Removing these legacy jobs reduces cognitive overhead for contributors and reviewers, and encourages future changes to be made through the shared, better-documented workflows instead of ad-hoc copies. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Actionlint complained because the single-image builder was authored as a composite action but stored under workflows and referenced by its YAML file path, which violates how GitHub expects local actions to be structured. Moving it into .github/actions with a conventional action.yml entrypoint and updating callers to use the directory path aligns with the official model so that linters and runners agree on how the staged-image pipeline is wired. Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Pull request overview
This PR restructures CI by consolidating Rust/unit suites under a single workflow, refactoring KBS/AS e2e workflows into clearer build/run paths, and unifying staged image build/publish logic to reduce duplication and avoid running heavy jobs on docs-only PRs.
Changes:
- Introduces a root Makefile as the common entrypoint for unit and e2e test suites across components.
- Replaces multiple component-specific workflows with consolidated Rust CI + e2e suite workflows (KBS + AS), and adds CodeQL scanning.
- Refactors staged image build/push into reusable workflows and a composite action, with a separate manifest-publish workflow.
Reviewed changes
Copilot reviewed 31 out of 32 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Makefile | Adds aggregated unit/e2e make targets used by workflows. |
| .github/workflows/workflow-call-publish-staged-manifests.yml | New reusable workflow to publish multi-arch manifests from per-arch tags. |
| .github/workflows/workflow-call-kbs-e2e.yml | Refactors KBS e2e into build-binaries + run stages with archived test artifacts. |
| .github/workflows/workflow-call-build-staged-images.yml | New reusable workflow to build staged images by group across arches. |
| .github/workflows/trustee-cli-rust.yml | Removes legacy Trustee CLI Rust CI workflow (superseded by consolidated Rust CI). |
| .github/workflows/test-rust-ci.yml | New consolidated Rust CI workflow for KBS/AS/Trustee CLI unit checks. |
| .github/workflows/test-link-check.yml | Updates link-check triggers to skip docs-only PRs. |
| .github/workflows/test-e2e-kbs.yml | New KBS e2e “suite” orchestrating sample, vault, docker-compose, and manual Azure runs. |
| .github/workflows/test-e2e-as.yml | New AS e2e workflow invoking root Makefile target. |
| .github/workflows/test-actionlint.yml | Adjusts Actionlint trigger to skip docs-only PRs. |
| .github/workflows/security-codeql.yml | Adds CodeQL scanning workflow for Rust. |
| .github/workflows/release-clis-to-ghcr.yml | New workflow to build/push CLI artifacts to GHCR via ORAS. |
| .github/workflows/push-trustee-cli-to-ghcr.yml | Removes legacy trustee-cli push workflow (replaced by new CLI release workflow). |
| .github/workflows/push-kbs-image-to-ghcr.yml | Removes legacy KBS image push workflow (replaced by staged images workflow + manifest publisher). |
| .github/workflows/push-kbs-client-to-ghcr.yml | Removes legacy kbs-client push workflow (replaced by new CLI release workflow). |
| .github/workflows/push-kbs-client-image-to-ghcr.yml | Removes legacy kbs-client-image push workflow (replaced by staged images workflow). |
| .github/workflows/push-as-image-to-ghcr.yml | Removes legacy AS/RVPS push workflow (replaced by staged images workflow + manifest publisher). |
| .github/workflows/kbs-rust.yml | Removes legacy KBS Rust CI workflow (superseded by consolidated Rust CI). |
| .github/workflows/kbs-e2e-vault.yml | Removes legacy KBS vault e2e workflow (covered by new KBS e2e suite). |
| .github/workflows/kbs-e2e-sample.yml | Removes legacy KBS sample e2e workflow (covered by new KBS e2e suite). |
| .github/workflows/kbs-e2e-azure-vtpm.yml | Removes legacy Azure vTPM KBS e2e workflow (covered by new KBS e2e suite). |
| .github/workflows/kbs-docker-e2e.yml | Removes legacy KBS docker-compose e2e workflow (covered by new KBS e2e suite). |
| .github/workflows/kbs-docker-build.yml | Removes legacy KBS docker build workflow (covered by staged images workflow). |
| .github/workflows/build-trustee-cli.yml | Removes legacy reusable build workflow (superseded by staged images composite action and/or CLI release workflow). |
| .github/workflows/build-kbs-image.yml | Removes legacy reusable KBS image build workflow (superseded by staged images workflow + composite action). |
| .github/workflows/build-kbs-client-image.yml | Removes legacy reusable KBS client image build workflow (superseded by staged images workflow + composite action). |
| .github/workflows/build-as-image.yml | Removes legacy reusable AS/RVPS image build workflow (superseded by staged images workflow + composite action). |
| .github/workflows/build-and-push-staged-images.yml | New top-level staged images workflow for PR build checks and push publishing. |
| .github/workflows/as-rust.yml | Removes legacy AS Rust CI workflow (superseded by consolidated Rust CI). |
| .github/workflows/as-e2e.yml | Removes legacy AS e2e workflow (replaced by new AS e2e workflow invoking root Makefile). |
| .github/workflows/as-docker-build.yml | Removes legacy AS docker build workflow (covered by staged images workflow). |
| .github/actions/build-single-image/action.yml | New composite action to build (and optionally push) a single-arch staged image. |
Comments suppressed due to low confidence (2)
.github/workflows/workflow-call-kbs-e2e.yml:112
`make test-kbs-e2e` will invoke the top-level `test-kbs-e2e` target, which currently pulls in the build step (`kbs-e2e-build`) and re-runs `install-dev-dependencies` during the test job. This reintroduces the duplicated/expensive setup the refactor is trying to avoid and can break when only the archived `kbs/test` artifacts are present. Prefer calling a run-only target here (or invoking `make -C kbs/test e2e-test`) and keep build/setup exclusively in `build-binaries`.
.github/workflows/test-link-check.yml:8
This workflow skips on PRs that only change `*.md`, but the job runs `lychee` against the repo (including Markdown). With `paths-ignore: '**/*.md'`, Markdown-only doc changes won't get link validation, which is typically when link checking is most valuable. Consider removing this ignore (or narrowing it to truly non-doc changes) so doc link regressions are still caught.
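One way to lay out the root Makefile so that the run job can never trigger a rebuild, as an added illustration of the build/run split the two review comments above ask for. This is not the project's Makefile: the targets `kbs-e2e-build`, `test-kbs-e2e`, `install-dev-dependencies`, `install-dependencies`, `bins` and `e2e-test` are the ones quoted in the review, while `kbs-e2e-run`, the `KBS_E2E_BINS` variable and the binary paths under `target/release` are assumptions made for the example.

```makefile
# Added example, not the project's Makefile. Names other than those quoted in
# the review (kbs-e2e-build, test-kbs-e2e, install-dev-dependencies,
# install-dependencies, bins, e2e-test) are assumed, as are the binary paths.
TEST_FEATURES ?=
KBS_E2E_BINS  ?= target/release/kbs target/release/kbs-client   # assumed paths

.PHONY: kbs-e2e-build kbs-e2e-run test-kbs-e2e

# Build stage: needs the full Cargo workspace. Only the build job runs this.
kbs-e2e-build:
	$(MAKE) -C kbs/test install-dev-dependencies
	$(MAKE) -C kbs/test bins TEST_FEATURES="$(TEST_FEATURES)"

# Run stage: needs only Makefile, kbs/test and the prebuilt binaries, so it
# works in a job that restored them from an artifact. It deliberately has no
# dependency on kbs-e2e-build; if the binaries are missing it fails fast with
# a clear message instead of attempting a rebuild that cannot succeed without
# the workspace sources.
kbs-e2e-run:
	@for b in $(KBS_E2E_BINS); do \
	  test -x "$$b" || { \
	    echo "missing $$b: run 'make kbs-e2e-build' first or restore the artifact" >&2; \
	    exit 1; \
	  }; \
	done
	$(MAKE) -C kbs/test install-dependencies
	$(MAKE) -C kbs/test e2e-test

# Convenience target for local development only: build, then run.
test-kbs-e2e: kbs-e2e-build kbs-e2e-run
```

With this layout the workflow's build job calls `make kbs-e2e-build` and archives the binaries together with `Makefile` and `kbs/test`; the run job calls `make kbs-e2e-run` and nothing else, and `test-kbs-e2e` remains the single entrypoint for a developer working in a full checkout.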
| ~/.cargo/registry/cache/ | ||
| target/ | ||
| key: rust-${{ runner.arch }}-${{ env.OS_VERSION }}-${{ hashFiles('./Cargo.lock') }} | ||
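Review bot: the key `rust-${{ runner.arch }}-${{ env.OS_VERSION }}-${{ hashFiles('./Cargo.lock') }}` identifies the dependency graph but not the compiler, so after a Rust toolchain bump the job restores a `target/` directory produced by the previous toolchain under the very same key; with actions/cache an exact hit is never re-saved, which means `target/` is frozen at whatever the first run for that key produced and every later run starts from stale artifacts until Cargo.lock happens to change. Fold the toolchain into the key (hash `rust-toolchain.toml` if the repo has one, or the output of `rustc --version` captured in an earlier step) and add a `restore-keys:` prefix such as `rust-${{ runner.arch }}-${{ env.OS_VERSION }}-` so a lock-file change still warm-starts from the most recent cache instead of from nothing.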
| secrets: | ||
| GHCR_TOKEN: | ||
| description: 'GitHub token for GHCR' | ||
| required: false | ||
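Review bot: `GHCR_TOKEN` is declared `required: false` with no visible fallback, so a caller that asks for a push but forgets to pass the secret only fails at login/push time with an authentication error rather than at input validation; either add a first step that fails fast when a push is requested and the secret is empty, or make the secret unnecessary by granting the job `permissions: packages: write` and logging in with `${{ github.token }}`, which is scoped to the run and expires with it. A long-lived PAT stored in repository secrets is the weaker choice here: the built-in token can already push to the repository's own GHCR namespace, and anyone who can get a step to print or exfiltrate `GHCR_TOKEN` gets a credential that outlives the job.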
| kbs-e2e-build: | ||
| $(MAKE) -C kbs/test install-dev-dependencies | ||
| $(MAKE) -C kbs/test bins TEST_FEATURES="$(TEST_FEATURES)" | ||
| test-kbs-e2e: kbs-e2e-build |
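Review bot: `test-kbs-e2e: kbs-e2e-build` makes the run target a strict superset of the build target, so the e2e job that has only unpacked `Makefile` and `kbs/test` will re-run `install-dev-dependencies` and `bins` and fail without the Cargo workspace, which is exactly the duplication the PR sets out to remove. Keep `kbs-e2e-build` as is, add a run-only target (for instance `kbs-e2e-run:` with `$(MAKE) -C kbs/test e2e-test` as its body), let `test-kbs-e2e` depend on both so the local entrypoint is unchanged, and have the workflow's run job call only the run-only target.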
| openssl genpkey -algorithm ed25519 > kbs/config/private.key | ||
| openssl pkey -in kbs/config/private.key -pubout -out kbs/config/public.pub | ||
| docker compose build --build-arg BUILDPLATFORM="$${BUILD_PLATFORM:-linux/amd64}" --build-arg ARCH="$${TARGET_ARCH:-x86_64}" --build-arg VERIFIER="$${VERIFIER:-all-verifier}" | ||
| docker compose up -d | ||
| cd target/release && \ |
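Review bot: `docker compose up -d` returns as soon as the containers are created, not when the KBS is accepting connections, so the `cd target/release && \` step that follows races the service startup and will fail intermittently on a slow runner; add a readiness gate (a `depends_on` with `condition: service_healthy` in the compose file, or a short loop polling the KBS port) before running the client. Separately, `openssl genpkey -algorithm ed25519 > kbs/config/private.key` writes the signing key into the source tree through shell redirection, so it lands with the runner's default umask (typically 0644); write it with `openssl genpkey ... -out kbs/config/private.key` under `umask 077`, and confirm `kbs/config/private.key` and `kbs/config/public.pub` are covered by `.gitignore` so a test key cannot be committed by a later "add all" in a developer's checkout.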
Our CI surface had grown organically and it was hard to tell which tests ran when, with some e2e paths even executing twice and docs-only changes still triggering heavy jobs. This change separates KBS e2e build from execution, unifies different flows under a single suite, and makes test workflows consistently skip documentation-only pull requests so that failures are easier to reason about and CI capacity is spent only where it provides signal.
The same logic also applies to the image building process; see the concrete commit messages.