ci: OPS-980: Add operator build and push per-commit

[dillon-cullinan]

Overview:

• Fixes TARGETARCH in operator Dockerfile, this variable is set automatically by docker buildx, hard-coding the variable made invocations of --platform linux/arm64 build with linux/amd64 instead, resulting in incorrect images.
• Adds workflow job to build the dynamo operator image, and push to ACR.

Summary by CodeRabbit

• Chores
  • CI workflow expanded to build and publish the operator container image for multiple architectures (amd64, arm64), improving multi-platform coverage.
  • Workflow runs only when relevant code changes are detected, reducing unnecessary executions.
  • Docker build now honors the provided target architecture (no default), ensuring accurate platform-specific builds and clearer build logs.

[coderabbitai]

Walkthrough

Adds an operator build-and-push job to the backend container validation workflow with a two-architecture matrix, and updates the operator Dockerfile to rely on externally provided TARGETARCH (no default). No other logic changes noted.

Changes

Cohort / File(s)	Summary
CI workflow: operator build/publish .github/workflows/container-validation-backends.yml	Introduces an operator job triggered on code changes with a 2-item matrix (linux/amd64 on m5-2xlarge, linux/arm64 on r8g-4xlarge). Steps: checkout, setup Buildx, build operator image, tag and push via docker-tag-push to AWS/Azure with platform-specific tags. Other jobs unchanged.
Operator Dockerfile: arch arg handling deploy/cloud/operator/Dockerfile	Removes default for ARG TARGETARCH; build now prints TARGETOS/TARGETARCH from external input. No other Dockerfile steps changed.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer/PR
  participant GH as GitHub Actions
  participant BX as Docker Buildx
  participant REG as Registries (AWS/Azure)

  Dev->>GH: Push/PR triggers workflow
  GH->>GH: Detect code changes
  alt operator job matrix (amd64, arm64)
    GH->>GH: Checkout repo
    GH->>BX: Setup Buildx (platform = linux/${arch})
    GH->>BX: docker build deploy/cloud/operator (TARGETOS/TARGETARCH set)
    BX-->>GH: Operator image for platform
    GH->>REG: Tag & push (ai-dynamo/dynamo:operator-${arch})
    REG-->>GH: Push result
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hopped through matrices, two arches in the breeze,
Built boxes with Buildx, as simple as you please.
No defaults to burrow—envs guide where I tread,
I tag, I push, I carrot the thread.
Two clouds wave back—“Well shipped,” they said. 🥕🚀

Pre-merge checks

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The PR description only includes the Overview section and is missing the required Details, Where should the reviewer start, and Related Issues sections specified in the repository template, leaving out key information about the change scope, file pointers, and issue linkage.	Please expand the description to include the Details, Where should the reviewer start, and Related Issues sections as outlined in the template, specifying what was changed, which files to review, and the related issue references.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title clearly and concisely summarizes the main CI change by indicating that an operator build and push will run per commit and references the relevant OPS-980 ticket, making it immediately clear to reviewers what the primary update is.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deploy/cloud/operator/Dockerfile (1)

44-48: ARG scope bug: TARGETOS/TARGETARCH not defined in builder stage

RUN ... GOOS=${TARGETOS} GOARCH=${TARGETARCH} ... expands to empty unless these ARGs are re-declared in this stage. Builds may target wrong arch or fail.

Apply one of the fixes:

Option A (re-declare in builder):

 FROM base AS builder

+ARG TARGETOS
+ARG TARGETARCH
+
 # Build the binary
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o manager ./cmd/main.go

Option B (hoist ARGs global so all stages see them):

-# Base stage - Common setup for all stages
-FROM golang:1.24 AS base
-
-# Docker buildx automatically provides these
-ARG TARGETOS=linux
-ARG TARGETARCH
+# Docker buildx automatically provides these
+ARG TARGETOS=linux
+ARG TARGETARCH
+
+# Base stage - Common setup for all stages
+FROM golang:1.24 AS base
+
+# Make them visible in this stage too (optional but explicit)
+ARG TARGETOS
+ARG TARGETARCH

🧹 Nitpick comments (4)

deploy/cloud/operator/Dockerfile (2)

47-47: Improve local dev ergonomics with safe fallbacks

If someone builds without buildx, fall back to go env so GOOS/GOARCH resolve correctly.

-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o manager ./cmd/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-$(go env GOOS)} GOARCH=${TARGETARCH:-$(go env GOARCH)} go build -o manager ./cmd/main.go

---

8-12: Also declare TARGETPLATFORM for clarity (optional)

Expose TARGETPLATFORM and log it; helps diagnostics in multi-arch builds.

-# Docker buildx automatically provides these
-ARG TARGETOS=linux
-ARG TARGETARCH
+# Docker buildx automatically provides these
+ARG TARGETPLATFORM
+ARG TARGETOS=linux
+ARG TARGETARCH
 
-RUN echo "Building for ${TARGETOS}/${TARGETARCH}"
+RUN echo "Building for ${TARGETPLATFORM:-${TARGETOS}/${TARGETARCH}}"

.github/workflows/container-validation-backends.yml (2)

63-74: Action metadata warning: docker-tag-push missing name (actionlint)

Static analysis flagged the composite action metadata missing name. Fixing it avoids CI lint failures.

Please update .github/actions/docker-tag-push/action.yml to include:

name: Docker Tag and Push

If you want, I can scan the repo and open a PR to patch it.

---

40-51: Optional: tighten change filter to operator path

If has_code_changes is broad, the operator job may run unnecessarily. Consider using a path-specific filter (e.g., deploy/cloud/operator/**) to gate this job.

Would you like a patch to extend .github/filters.yaml and wire it here?

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c4130e and 1a5dd6e.

📒 Files selected for processing (2)

• .github/workflows/container-validation-backends.yml (1 hunks)
• deploy/cloud/operator/Dockerfile (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.8)

.github/workflows/container-validation-backends.yml

63-63: name is required in action metadata "/home/jailuser/git/.github/actions/docker-tag-push/action.yml"

(action)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build and Test - dynamo