Improve and modernise the CI workflow#3153
Merged
guusdk merged 10 commits intoigniterealtime:mainfrom Mar 4, 2026
Merged
Conversation
…build-and-push-docker' The publish-maven and build-and-push-docker jobs list many required jobs (aioxmpp, connectivity, etc.) but omit the integration job entirely. This means you could publish a build that failed its integration test suite.
This job depends only on build, not on any test jobs. A broken or failing build could still produce and upload a .deb artifact, which is potentially misleading. It should depend on the same gate as the publish jobs.
By applying concurrency configuration, multiple pushes in quick successino will prevent queuing up redundant full CI runs.
This job only reads source files checked out from the repo and runs a shell script. It never uses the compiled distribution or Maven artifacts. The needs: [build, ...] dependency forces it to wait unnecessarily. Removing the build dependency (keeping should-do-database-tests and check_branch) would let it run earlier in parallel.
The aioxmpp test uses a clone of an unpinned external repository (aioxmpp's). There's no need to pull the full history.
Previously, the Docker image was built independently in both the `integration` job (locally via `load: true`) and the `build-and-push-docker` job, meaning the image was built twice per CI run with no guarantee both builds produced identical output. Introduce a new `build-docker` job that builds the image once after `build` completes, pushes it to GHCR tagged as `ci-<sha>`, and exposes the image tag and digest as job outputs. The `integration` job now depends on `build-docker` and pulls the pre-built image rather than building locally. The `build-and-push-docker` job likewise pulls the same ephemeral image, retags it with final production tags via `docker/metadata-action`, and pushes those. The attestation step now references the digest from `build-docker` rather than a fresh build, ensuring provenance is accurate. A cleanup step removes the ephemeral `ci-*` tag from GHCR after the final tags are pushed.
The earlier fix for reusing Docker images used GHCR as the intermediary, which fails for pull requests from forks due to insufficient registry permissions. Instead, build the image once in a dedicated `build-docker` job, save it to a gzip-compressed tar archive via `docker save`, and share it as a workflow artifact with a 1-day retention. Downstream jobs (`integration` and `publish-docker`) download and restore the image via `docker load`, requiring no registry access at build or test time.
Member
Author
|
The original solution for sharing Docker images between steps relied on GHCR, which would not be available on forks. I've now switched to an approach that shares the docker image as an artifact (using docker save / docker load). |
This is mainly done to perform cache-busting for the Docker-image build inside CI.
A recent code change in aioxmpp seems to have broken this test. Exclude it for the time being. See https://codeberg.org/jssfr/aioxmpp/pulls/417 for details.
Separate the cache-from and cache-to keys in the build-docker job so that each commit writes a fresh cache entry (keyed by SHA) while still reading from the stable hash-based cache to reuse Maven dependency layers. Also expand the cache key hash to include the Dockerfile and entrypoint.sh, ensuring that changes to any of these files correctly bust the cache.
Fishbowler
approved these changes
Mar 4, 2026
Member
Fishbowler
left a comment
Fishbowler
left a comment
There was a problem hiding this comment.
LGTM. I've reviewed this commit-by-commit, and nothing looks wild or scary. I'd bet there's more we could do, but this looks like a great step forwards.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR addresses a number of issues identified in the existing CI workflow, ranging from correctness problems to inefficiencies and maintenance concerns. Each change has been made in a separate, focused commit. Please refer to the individual commit messages for a detailed explanation of each.
Changes include: