@pranavgaikwad pranavgaikwad commented Jan 8, 2026

Summary by CodeRabbit

  • Chores
    • Updated build workflow to enhance pull request validation and conditional image publishing for main and release branches.

coderabbitai bot commented Jan 8, 2026

Walkthrough

GitHub Actions workflow configuration updated to add pull request triggers for main and release branches, introduce a publish parameter with conditional logic based on event type, and restrict the image analyzer job to push events only.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Configuration (.github/workflows/image-build.yaml) | Added pull_request triggers for main and release-* branches; introduced publish parameter (false for pull requests, true otherwise); added conditional to run build_image_analyzer job only on push events

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks: ✅ 3 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title ':bug: fix multi-arch build issues' is directly related to the changeset which modifies the image-build workflow to fix multi-architecture build problems.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3a997c4 and 058dbed.

📒 Files selected for processing (1)
  • .github/workflows/image-build.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: JDT.LS Integration Tests (Phase 2)
  • GitHub Check: image-build / build (arm64)
  • GitHub Check: image-build / build (amd64)
  • GitHub Check: image-build / build (ppc64le)
  • GitHub Check: image-build / build (s390x)
  • GitHub Check: Build tackle2-addon-analyzer
🔇 Additional comments (4)
.github/workflows/image-build.yaml (4)

5-8: LGTM! Enabling PR build testing.

Adding pull_request triggers allows testing multi-arch builds on PRs without publishing, which is appropriate for validating the build fixes before merging.


37-37: LGTM! Correctly restricting downstream rebuild to push events.

The conditional ensures that the analyzer rebuild is only triggered on actual pushes (merges, tags), not on PR builds. This prevents unnecessary downstream builds during testing.


5-8: Clarify the QEMU/tar issue fix and secrets handling for fork PRs.

The workflow disables publishing for PRs (line 28), but this doesn't address the underlying QEMU/tar multi-arch build issue. Additionally, secrets are passed unconditionally to the reusable workflow (lines 29-31), which could cause unexpected behavior or failures when fork PRs attempt to build—even with publish=false.

Questions:

  1. What is the root cause fix for the QEMU/tar interaction issue? Disabling publish avoids the problem, but does that address it permanently?
  2. Should secrets be passed only when publish=true? Fork PRs won't have access to these secrets, and passing them unconditionally may cause workflow failures.
  3. Are there Dockerfile or build configuration changes that actually resolve the multi-arch build problem, or is disabling publish a temporary workaround?

Also applies to: 28-28, 37-37


28-28: Use a boolean expression instead of string literals for the publish parameter.

The expression ${{ github.event_name == 'pull_request' && 'false' || 'true' }} returns string values 'false' and 'true'. In GitHub Actions, any non-empty string—including 'false'—is truthy, which can cause unexpected behavior if the reusable workflow uses this value in a boolean context.

Use a proper boolean expression instead:

publish: ${{ github.event_name != 'pull_request' }}

This returns actual boolean values, which is safer and more idiomatic for GitHub Actions.


@pranavgaikwad pranavgaikwad added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 8, 2026
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/image-build.yaml:
- Line 22: The workflow references an external action
"pranavgaikwad/release-tools/.github/workflows/build-push-images.yaml@feat/makePushOptional"
which may be inaccessible or transient; verify that the fork and branch exist
and are publicly accessible, and if the feature was merged upstream update the
uses entry to "konveyor/release-tools@main" (or the appropriate stable branch)
in the .github/workflows/image-build.yaml replace the current uses string,
otherwise add a comment in the workflow documenting that this is a temporary
fork/branch with a timeline and include a pointer to the audited action code (or
vendor it into the repo) so reviewers can inspect it.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 29a8cfa and c48e64b.

📒 Files selected for processing (1)
  • .github/workflows/image-build.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: JDT.LS Integration Tests (Phase 2)
  • GitHub Check: Build tackle2-addon-analyzer
🔇 Additional comments (3)
.github/workflows/image-build.yaml (3)

5-8: LGTM! Pull request trigger enables build validation.

Adding the pull_request trigger allows multi-arch builds to be tested on PRs before merging, which aligns with the PR objectives. Combined with the conditional publish logic on Line 28, this enables dry-run builds.


37-37: LGTM! Correctly prevents downstream triggers on PRs.

The condition ensures that the analyzer rebuild is only triggered on actual pushes, not on pull requests. This is the correct behavior - PRs should only validate the build without triggering downstream actions.


28-28: Verify the publish parameter uses string comparison in the called workflow.

The conditional expression evaluates to string 'false' or 'true' rather than boolean values. In GitHub Actions, a non-empty string like 'false' is truthy, which means the called workflow must use string comparison (inputs.publish == 'true') or convert the value with fromJson() to properly handle the false case.

If the external workflow (build-push-images.yaml in the fork) checks the parameter as a boolean directly (e.g., if: ${{ inputs.publish }}), images will be published even on pull requests.

To fix, either:

  • Use fromJson(): publish: ${{ fromJson(github.event_name == 'pull_request' && 'false' || 'true') }}
  • Verify the called workflow uses string comparison: if: ${{ inputs.publish == 'true' }}

Signed-off-by: Pranav Gaikwad <pgaikwad@redhat.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/image-build.yaml:
- Line 22: The workflow references a personal fork and feature branch via the
`uses:
pranavgaikwad/release-tools/.github/workflows/build-push-images.yaml@feat/makePushOptional`
line; replace this with the official repository and a stable ref (e.g.,
`konveyor/release-tools@main` or a specific tag/commit) so the workflow executes
reviewed, immutable code, and ensure the `feat/makePushOptional` changes are
merged upstream into `konveyor/release-tools` (and referenced by the upstream
tag/commit) before removing any merge holds or deploying to production branches.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c48e64b and 67e76ec.

📒 Files selected for processing (1)
  • .github/workflows/image-build.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: JDT.LS Integration Tests (Phase 2)
  • GitHub Check: Build tackle2-addon-analyzer
🔇 Additional comments (3)
.github/workflows/image-build.yaml (3)

5-8: LGTM! Good addition for PR validation.

Adding pull_request triggers enables build validation on PRs before merging, which is a good practice. The branch patterns correctly match the existing push triggers.


37-37: LGTM! Correct conditional for downstream triggers.

The if: github.event_name == 'push' condition correctly ensures that the downstream rebuild of analyzer-lsp only occurs for actual pushes (merged PRs or direct commits), not for PR builds. This prevents unnecessary downstream builds during PR review.


28-28: The publish parameter in the called workflow (build-push-images.yaml@feat/makePushOptional) explicitly defines type: string with a default value of "true". The current implementation correctly provides string values 'false' and 'true', which is the expected type. No changes are needed.
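
The review comments above flag the reusable workflow being pulled from a personal fork at a branch ref. The following check is an added example, not part of the PR or of CodeRabbit's output: it lists every `uses:` entry whose owner is outside an allow-list or whose ref is not a full commit SHA. The allow-list, the sample workflow text and the 40-character SHA are constructed for illustration; only the first `uses:` value comes from this thread.

```python
import re

# Owners whose workflows/actions may be referenced; an assumption for this example.
TRUSTED_OWNERS = {"konveyor", "actions"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return (line_no, reference, problems) for each risky `uses:` entry."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local paths and container images are out of scope here
        target, _, version = ref.partition("@")
        owner = target.split("/", 1)[0]
        problems = []
        if owner not in TRUSTED_OWNERS:
            problems.append("untrusted-owner")
        if not FULL_SHA_RE.match(version):
            # Branch and tag names can be moved to different code later.
            problems.append("mutable-ref")
        if problems:
            findings.append((line_no, ref, problems))
    return findings


# Constructed workflow excerpt; only the first `uses:` value appears in the PR thread.
# The SHA on the last line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  image-build:
    uses: pranavgaikwad/release-tools/.github/workflows/build-push-images.yaml@feat/makePushOptional
  upstream-branch:
    uses: konveyor/release-tools/.github/workflows/build-push-images.yaml@main
  upstream-pinned:
    uses: konveyor/release-tools/.github/workflows/build-push-images.yaml@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for line_no, ref, problems in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} -> {', '.join(problems)}")
```

Run against the files under `.github/workflows/` in CI, a non-empty result can fail the job before a mutable or off-org reference reaches a branch that receives secrets.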

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @Dockerfile:
- Around line 2-8: The tar extraction in the Dockerfile RUN block is failing on
multi-arch builds due to non-portable tar flags; update the RUN sequence that
downloads /tmp/jdtls.tar.gz and extracts into /tmp/jdtls to use a simplified,
portable tar invocation (remove -v, --no-same-owner and --no-same-permissions)
while preserving the staging step that copies /tmp/jdtls/* to /jdtls and the
subsequent chmod on /jdtls/bin/jdtls so permissions are set explicitly after
extraction.
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 67e76ec and 291613a.

📒 Files selected for processing (1)
  • Dockerfile
🧰 Additional context used
🪛 GitHub Actions: Multiple Architecture Image Build
Dockerfile

[error] 1-1: Image build failed during RUN curl -s -o /tmp/jdtls.tar.gz https://download.eclipse.org/jdtls/milestones/1.51.0/jdt-language-server-1.51.0-202510022025.tar.gz && mkdir -p /tmp/jdtls && tar -xvf /tmp/jdtls.tar.gz -C /tmp/jdtls --no-same-owner --no-same-permissions && mkdir -p /jdtls && cp -r /tmp/jdtls/* /jdtls/ && chmod 755 /jdtls/bin/jdtls && rm -rf /tmp/jdtls.tar.gz /tmp/jdtls: Exiting with failure status due to previous errors. tar: bin/jdtls: Cannot open: Invalid argument (and many similar tar errors). Buildah exited with code 2.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: JDT.LS Integration Tests (Phase 2)
  • GitHub Check: Build tackle2-addon-analyzer

@pranavgaikwad pranavgaikwad force-pushed the bug/fixBuilds branch 4 times, most recently from f1190be to 3a997c4 Compare January 8, 2026 16:08
@jmontleon
Member

This is likely due to an interaction between a new version of tar in the ubi9 image and qemu-user-static. There's something else involved as well, since no one has had success reproducing it outside of GitHub runners so far.

https://gitlab.com/qemu-project/qemu/-/issues/3262

Signed-off-by: Pranav Gaikwad <pgaikwad@redhat.com>