pulp · gerrod3 · Aug 5, 2025
diff --git a/.github/actions/base_images/action.yml b/.github/actions/base_images/action.yml
@@ -1,116 +1,69 @@
 ---
 name: Build Base Images
 description: Build the base images (pulp/base & pulp/pulp-ci-centos9) if needed
-# Both ARM64 & x86-64 versions of each are built
-# Use hashFiles(base_image_files, pulp-ci_image_files) as the key to the cache
+# Use hashFiles(base_image_files, pulp-ci_image_files) for rebuild check
+inputs:
+  image_variants:
+    description: "Whether build is nightly or stable, nightly never rebuilds"
+    default: "stable"
+    required: true
 outputs:
-  base_cache_key:
-    value: ${{ steps.hash_key.outputs.base_cache_key }}
-    description: "The cache key the built images were uploaded to."
   rebuilt_images:
-    value: ${{ env.BUILD_IMAGES }}
-    description: "The images that were rebuilt or empty"
+    value: ${{ steps.rebuild_needed.outputs.build }}
+    description: "true/false if the base images were rebuilt"
 
 runs:
   using: "composite"
   steps:
     - uses: actions/checkout@v4
 
     - name: Calculate base images hash
-      id: hash_key
       run: |
         hash=${{ hashFiles('images/Containerfile.core.base', 'images/pulp_ci_centos/Containerfile', 'images/assets/**', 'images/s6_assets/**') }}
         echo "base image hash is ${hash}"
-        echo "base_cache_key=${hash}" >> $GITHUB_OUTPUT
+        echo "HASH=${hash}" >> $GITHUB_ENV
       shell: bash
 
-    - name: Restore previously cached images
-      id: cache
-      uses: actions/cache/restore@v3
-      with:
-        key: base-images=${{ steps.hash_key.outputs.base_cache_key }}
-        path: base-images.tar.gz
+    - name: Set up oras
+      uses: oras-project/setup-oras@v1
 
-    - name: Extract images if cached
-      if: steps.cache.outputs.cache-hit == 'true'
+    - name: Check for updates on base images
+      id: rebuild_needed
       run: |
-        echo "Base Images were in cache"
-        podman load -i base-images.tar.gz
-      shell: bash
-
-    - name: Check for updates on cached images
-      if: steps.cache.outputs.cache-hit == 'true'
-      run: |
-        # Enable running/building ARM64 images: https://github.com/multiarch/qemu-user-static
-        sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
-        IMAGES=()
-        for ARCH in arm64 amd64; do
-          echo "Checking if rebuild needed for base:${ARCH} & pulp-ci-centos9:${ARCH}"
-          if ! podman run --pull=never pulp/base:ci-${ARCH} bash -c "dnf check-upgrade"; then
-            echo "Rebuild needed for base:${ARCH} & pulp-ci-centos9:${ARCH}"
-            IMAGES+=("base:${ARCH}" "pulp-ci-centos9:${ARCH}")
-          elif ! podman run --pull=never pulp/pulp-ci-centos9:ci-${ARCH} bash -c "dnf check-upgrade"; then
-            echo "Rebuild needed for just pulp-ci-centos9:${ARCH}"
-            IMAGES+=("pulp-ci-centos9:${ARCH}")
-          fi
-        done
-        if [ ${#IMAGES[@]} -eq 0 ]; then
-          echo "No rebuilds needed :)"
+        if [[ "${{ inputs.image_variants }}" == "nightly" ]]; then
+          build=false
         else
-          echo "BUILD_IMAGES=[$(echo ${IMAGES[@]@Q} | sed 's/ /, /g')]" >> $GITHUB_ENV
+          branch=${{ github.base_ref || github.ref_name }}
+          config=$(oras manifest fetch-config --platform linux/amd64 ghcr.io/pulp/pulp-ci-centos9:${branch} | jq -r '.config.Labels')
+          latest_hash=$(echo "${config}" | jq -r '."org.pulp.basefiles-hash"')
+          build=true
+          if [[ "${latest_hash}" == "${HASH}" ]]; then
+            if podman run ghcr.io/pulp/pulp-ci-centos9:${branch} bash -c "dnf check-upgrade"; then
+              echo "No base images rebuild needed :)"
+              build=false
+            fi
+          fi
         fi
+        echo "build=${build}" >> "$GITHUB_OUTPUT"
+        echo "Going to rebuild: ${build}"
       shell: bash
 
-    - name: Set images to build on cache miss
-      if: steps.cache.outputs.cache-hit != 'true'
+    - name: Download base images if no rebuild needed
+      if: steps.rebuild_needed.outputs.build == 'false'
       run: |
-        echo "BUILD_IMAGES=['base:arm64', 'base:amd64', 'pulp-ci-centos9:arm64', 'pulp-ci-centos9:amd64']" >> $GITHUB_ENV
-        sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
+        echo "Downloading base images"
+        branch=${{ github.base_ref || github.ref_name }}
+        podman pull ghcr.io/pulp/base:${branch}
+        podman pull ghcr.io/pulp/pulp-ci-centos9:${branch}
+        podman tag ghcr.io/pulp/base:${branch} pulp/base:ci
+        podman tag ghcr.io/pulp/pulp-ci-centos9:${branch} pulp/pulp-ci-centos9:ci
       shell: bash
 
     - name: Build images
-      if: env.BUILD_IMAGES
+      if: steps.rebuild_needed.outputs.build == 'true'
       run: |
-        IMAGES=(${{ join(fromJSON(env.BUILD_IMAGES), ' ') }})
-        echo "Going to build images: ${IMAGES[@]}"
         podman version
         buildah version
-        for IMAGE in "${IMAGES[@]}"; do
-          echo "Building image ${IMAGE}"
-          ARCH=${IMAGE##*:}
-          case $IMAGE in
-            base:*)
-              podman build --platform "linux/${ARCH}" --format docker --file images/Containerfile.core.base --tag "pulp/base:ci-${ARCH}" .
-              ;;
-            pulp-ci-centos9:*)
-              podman build --platform "linux/${ARCH}" --format docker --file images/pulp_ci_centos/Containerfile --tag "pulp/pulp-ci-centos9:ci-${ARCH}" --build-arg FROM_TAG="ci-${ARCH}" .
-              ;;
-          esac
-        done
+        podman build --format docker --file images/Containerfile.core.base --tag "pulp/base:ci" --label "org.pulp.basefiles-hash=${HASH}" .
+        podman build --format docker --file images/pulp_ci_centos/Containerfile --tag "pulp/pulp-ci-centos9:ci" --build-arg FROM_TAG="ci" .
       shell: bash
-    # we use the docker format (default), even though it may not be the fastest,
-    # because it supports saving both images at once.
-    # However, it seems to export the common layers twice.
-    # We should look into whether its possible to export just pulp-ci-centos,
-    # and tag the base image manually.
-    - name: Save podman images to tarball
-      if: env.BUILD_IMAGES
-      run: |
-        rm -f base-images.tar.gz
-        podman save -m -o base-images.tar pulp/base:ci-arm64 pulp/base:ci-amd64 pulp/pulp-ci-centos9:ci-arm64 pulp/pulp-ci-centos9:ci-amd64
-        gzip base-images.tar
-      shell: bash
-
-    - name: Clear cache for next upload
-      if: env.BUILD_IMAGES && steps.cache.outputs.cache-hit == 'true' && github.event_name != 'pull_request'
-      run: |
-        echo "Deleting existing cache for ${{ steps.hash_key.outputs.base_cache_key }}"
-        gh cache delete "base-images=${{ steps.hash_key.outputs.base_cache_key }}" -R ${{ github.repository }}
-      shell: bash
-
-    - name: Cache podman images
-      if: env.BUILD_IMAGES
-      uses: actions/cache/save@v3
-      with:
-        key: base-images=${{ steps.hash_key.outputs.base_cache_key }}
-        path: base-images.tar.gz
diff --git a/.github/actions/build_image/action.yml b/.github/actions/build_image/action.yml
@@ -9,15 +9,12 @@ inputs:
   image_name:
     description: 'Name of the image to be built'
     required: true
-  image_cache_key:
-    description: 'The key value used to store the base images in the cache'
-    required: true
   latest_ui:
     description: 'Use the latest pulp-ui when building the image'
     default: 'false'
     required: false
-  built_base_images:
-    description: 'A JSON list of the base-images that were freshly rebuilt prior'
+  rebuilt_base_images:
+    description: 'true/false if the base images were rebuilt prior'
     required: true
 outputs:
   app_version:
@@ -47,17 +44,6 @@ runs:
     - name: Set up oras
       uses: oras-project/setup-oras@v1
 
-    - name: Restore podman images from cache
-      uses: actions/cache/restore@v4
-      with:
-        key: base-images=${{ inputs.image_cache_key }}
-        path: base-images.tar.gz
-
-    - name: Load podman images from tarball
-      run: |
-        podman load -i base-images.tar.gz
-      shell: bash
-
     - name: Find latest ui version
       if: inputs.latest_ui != 'false'
       run: |
@@ -79,7 +65,7 @@ runs:
         # 2. Base images were rebuilt
         # 3. New pulp versions were released
         build=true
-        if [[ "${{ github.event_name }}" != "pull_request" && "${{ inputs.image_variant }}" != "nightly" && -z "${{ inputs.built_base_images }}" ]]; then
+        if [[ "${{ github.event_name }}" != "pull_request" && "${{ inputs.image_variant }}" != "nightly" && "${{ inputs.rebuilt_base_images }}" == "false" ]]; then
           # Fetch the latest plugin versions from the last published built image
           branch=${{ github.base_ref || github.ref_name }}
           config=$(oras manifest fetch-config --platform linux/amd64 ghcr.io/pulp/${{ inputs.image_name }}:${branch} | jq -r '.config.Labels')
@@ -99,25 +85,21 @@ runs:
       run: |
         podman version
         buildah version
-        sudo podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
-        for ARCH in arm64 amd64
-        do
-          if [[ "${{ inputs.image_name }}" == "pulp-minimal" ]]; then
-            base_image=$(echo ${{ inputs.image_name }} | cut -d '-' -f1)
-            podman build --platform linux/${ARCH} --format docker --pull=false --file images/${{ inputs.image_name }}/${{ inputs.image_variant }}/Containerfile.core --tag pulp/${{ inputs.image_name }}:ci-${ARCH} --build-arg FROM_TAG=ci-${ARCH} .
-            podman build --platform linux/${ARCH} --format docker --pull=false --file images/${{ inputs.image_name }}/${{ inputs.image_variant }}/Containerfile.webserver --tag pulp/${base_image}-web:ci-${ARCH} --build-arg FROM_TAG=ci-${ARCH} .
-          else
-            podman build --platform linux/${ARCH} --format docker --pull=false --file images/${{ inputs.image_name }}/${{ inputs.image_variant }}/Containerfile --tag pulp/${{ inputs.image_name }}:ci-${ARCH} --build-arg FROM_TAG=ci-${ARCH} ${{ env.BUILD_UI_ARG }} .
-          fi
-        done
+        if [[ "${{ inputs.image_name }}" == "pulp-minimal" ]]; then
+          base_image=$(echo ${{ inputs.image_name }} | cut -d '-' -f1)
+          podman build --format docker --pull=false --file images/${{ inputs.image_name }}/${{ inputs.image_variant }}/Containerfile.core --tag pulp/${{ inputs.image_name }}:ci --build-arg FROM_TAG=ci .
+          podman build --format docker --pull=false --file images/${{ inputs.image_name }}/${{ inputs.image_variant }}/Containerfile.webserver --tag pulp/${base_image}-web:ci --build-arg FROM_TAG=ci .
+        else
+          podman build --format docker --pull=false --file images/${{ inputs.image_name }}/${{ inputs.image_variant }}/Containerfile --tag pulp/${{ inputs.image_name }}:ci --build-arg FROM_TAG=ci ${{ env.BUILD_UI_ARG }} .
+        fi
         podman images -a
       shell: bash
 
     - name: Set version and branch image tags
       id: image_version_branch
       run: |
         if [[ "${{ steps.rebuild_needed.outputs.build }}" == "true" ]]; then
-          app_version=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci-amd64 bash -c "pip show pulpcore | sed -n -e 's/Version: //p'")
+          app_version=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci bash -c "pip show pulpcore | sed -n -e 's/Version: //p'")
         else
           app_version=$(grep pulpcore versions.freeze | sed -n -e 's/pulpcore==//p')
         fi
@@ -132,16 +114,13 @@ runs:
     - name: Label image with metadata
       if: steps.rebuild_needed.outputs.build == 'true'
       run: |
-        packages=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci-amd64 bash -c "pip list --format json")
+        packages=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci bash -c "pip list --format json")
         plugin_versions=$(echo $packages | jq -r '.[] | select(.name | contains("pulp")) | .name + "==" + .version')
-        postgres=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci-amd64 bash -c "postgres --version | sed -n -e 's/postgres (PostgreSQL) //p'")
-        python_version=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci-amd64 bash -c "python3 --version | sed -n -e 's/Python //p'")
+        postgres=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci bash -c "postgres --version | sed -n -e 's/postgres (PostgreSQL) //p'")
+        python_version=$(podman run --pull=never pulp/${{ inputs.image_name }}:ci bash -c "python3 --version | sed -n -e 's/Python //p'")
         files_hash="${{ hashFiles(format('images/{0}/{1}/**', inputs.image_name, inputs.image_variant), 'images/Containerfile.core.base', 'images/pulp_ci_centos/Containerfile', 'images/assets/**', 'images/s6_assets/**') }}"
 
-        for ARCH in arm64 amd64
-        do
-          tag="pulp/${{ inputs.image_name }}:ci-${ARCH}"
-          echo "FROM ${tag}" | podman build --pull=false --platform linux/${ARCH} --format docker --label "org.pulp.plugins=${plugin_versions}" --label "org.pulp.postgres-version=${postgres}" --label "org.pulp.python-version=${python_version}" --label "org.pulp.containerfiles-hash=${files_hash}" --tag ${tag} -
-        done
-        podman image inspect pulp/${{ inputs.image_name }}:ci-amd64 --format='{{ .Config.Labels }}'
+        tag="pulp/${{ inputs.image_name }}:ci"
+        echo "FROM ${tag}" | podman build --pull=false --format docker --label "org.pulp.plugins=${plugin_versions}" --label "org.pulp.postgres-version=${postgres}" --label "org.pulp.python-version=${python_version}" --label "org.pulp.containerfiles-hash=${files_hash}" --tag ${tag} -
+        podman image inspect ${tag} --format='{{ .Config.Labels }}'
       shell: bash
diff --git a/.github/actions/test_image/action.yml b/.github/actions/test_image/action.yml
@@ -23,7 +23,7 @@ runs:
       if: inputs.image_name == 'pulp'
       run: |
         # 3.73 has postgres 13 rather than 16
-        images/s6_assets/test.sh "pulp/${{ inputs.image_name }}:ci-amd64" http "quay.io/pulp/pulp:3.73"
+        images/s6_assets/test.sh "pulp/${{ inputs.image_name }}:ci" http "quay.io/pulp/pulp:3.73"
         podman stop pulp
         podman rm pulp
       shell: bash
@@ -32,5 +32,5 @@ runs:
       if: inputs.image_name == 'pulp-minimal'
       run: |
         base_image=$(echo ${{ inputs.image_name }} | cut -d '-' -f1)
-        images/compose/test.sh "${{ inputs.image_name }}:ci-amd64" "${base_image}-web:ci-amd64" "compose.yml"
+        images/compose/test.sh "${{ inputs.image_name }}:ci" "${base_image}-web:ci" "compose.yml"
       shell: bash
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -53,48 +53,51 @@ jobs:
           done
         shell: bash
 
-  base-images:
-    runs-on: ubuntu-latest
-    outputs:
-      base_cache_key: "${{ steps.build_base_images.outputs.base_cache_key }}"
-      rebuilt_images: "${{ steps.build_base_images.outputs.rebuilt_images }}"
+  build-and-test-images:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+
+    runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
 
       - name: Build base images
         id: build_base_images
         uses: "./.github/actions/base_images"
 
-  app-images:
-    needs: base-images
-    runs-on: ubuntu-latest
-    outputs:
-      app_version: ${{ steps.build_image.outputs.app_version }}
-      app_branch: ${{ steps.build_image.outputs.app_branch }}
-    strategy:
-      fail-fast: false
-      matrix:
-        image_name:
-          - pulp-minimal
-          - pulp
-    steps:
-      - uses: actions/checkout@v4
+      - name: Build pulp-minimal image
+        id: build_pulp_minimal_image
+        uses: "./.github/actions/build_image"
+        with:
+          image_name: "pulp-minimal"
+          image_variant: "stable"
+          latest_ui: ${{ github.base_ref == 'latest' }}
+          rebuilt_base_images: ${{ steps.build_base_images.outputs.rebuilt_images }}
 
-      - name: Build App Image
-        id: build_image
+      - name: Build pulp image
+        id: build_pulp_image
         uses: "./.github/actions/build_image"
         with:
-          image_name: ${{ matrix.image_name }}
+          image_name: "pulp"
           image_variant: "stable"
-          image_cache_key: ${{ needs.base-images.outputs.base_cache_key }}
           latest_ui: ${{ github.base_ref == 'latest' }}
-          built_base_images: ${{ needs.base-images.outputs.rebuilt_images }}
+          rebuilt_base_images: ${{ steps.build_base_images.outputs.rebuilt_images }}
+
+      - name: Test pulp-minimal image
+        uses: "./.github/actions/test_image"
+        with:
+          image_name: "pulp-minimal"
+          app_branch: ${{ steps.build_pulp_minimal_image.outputs.app_branch }}
 
-      - name: Test App Image
+      - name: Test pulp image
         uses: "./.github/actions/test_image"
         with:
-          image_name: ${{ matrix.image_name }}
-          app_branch: ${{ steps.build_image.outputs.app_branch }}
+          image_name: "pulp"
+          app_branch: ${{ steps.build_pulp_image.outputs.app_branch }}
 
       - name: Logs
         if: always()