Merge jammy#601
Merged
Merged
Conversation
* Add job to ensure expected GCP integration network is created
Why
---
The bats and test-stemcells-ipv4 jobs assume a GCP subnetwork named
stemcell-builder-integration-<subnet_int> exists in the bosh-concourse
VPC, with a /24 at 10.100.<subnet_int>.0/24, private Google access, and
IPV4_ONLY stack type. They also require a matching ingress firewall rule
(all-protocol, source CIDR → tags test-stemcells-bats/bat) so that
compilation VMs and BAT deployment VMs can reach the BOSH director's
NATS server. Until now both resources had to be created and maintained
out of band; their absence caused consistent compilation-VM agent
timeouts (builds 466–475).
What
----
* ci/tasks/gcp/ensure-integration-network.sh
- Authenticates via GCP_JSON_KEY service account.
- Derives SUBNET_NAME and SUBNET_CIDR from SUBNET_INT.
- Captures stderr via mktemp temp file (cleaned up by trap on EXIT)
so that gcloud failures are classified: "was not found" → create the
resource; anything else → print the error and exit non-zero. This
prevents auth/permission/transient API errors from being silently
misinterpreted as "resource missing".
- Subnetwork: single gcloud describe call captures exit code (for
existence) and attributes (for drift detection). Validates network,
ipCidrRange, privateIpGoogleAccess, and stackType; exits non-zero
with a clear diff on any mismatch.
- Firewall rule: same stderr-capture pattern. Validates network,
direction, allowed[0].IPProtocol (must be "all"), sourceRanges[0],
and disabled (must be False) in one describe call. Validates
targetTags in a second describe call, sorting both sides before
comparison to be order-insensitive. Both 'test-stemcells-bats' and
'bat' tags are required, mirroring the existing
stemcell-builder-integration-22 rule.
* ci/tasks/gcp/ensure-integration-network.yml
- Concourse task definition. All params (GCP_JSON_KEY, GCP_PROJECT_ID,
GCP_REGION, GCP_NETWORK_NAME, SUBNET_INT) are required; no defaults,
values are provided explicitly by the pipeline.
* ci/pipelines/builder.yml
- New infrastructure group containing the new job.
- New job ensure-integration-network:
* serial: true, manual trigger only.
* Gets bosh-stemcells-ci and bosh-integration-image, then runs the
task with GCP_REGION=europe-north2 and
GCP_NETWORK_NAME=bosh-concourse passed explicitly.
* No passed: constraint on existing jobs; run on demand when the
subnet/firewall needs to be created or reconciled.
Verification
------------
* ytt -f ci/pipelines/builder.yml -f ci/pipelines/vars.yml renders
successfully.
* fly validate-pipeline -c <rendered> reports "looks good".
Co-authored-by: Cursor <cursoragent@cursor.com>
* Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Harden firewall existence check and validation in ensure-integration-network
---------
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ned Petrov <nedd.petrov@gmail.com>
- make all stemcell `put` actions parallel
Contributor
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
ystros
previously approved these changes
May 29, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR forward-merges Jammy-related pipeline and image metadata updates, adding infrastructure provisioning for GCP integration test networking and migrating stemcell OCI publishing toward registry-image.
Changes:
- Updates the Ubuntu Jammy metalink to version
1064.0.0. - Adds a manual
ensure-integration-networkConcourse job and GCP task for subnet/firewall provisioning. - Refactors publisher steps to parallelize publication work and build/push GHCR stemcell images via
oci-build-taskandregistry-image.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
image-metalinks/ubuntu-jammy/ubuntu-jammy.meta4 |
Updates Jammy OS image and USN log hashes, sizes, version, and published timestamp. |
ci/tasks/gcp/ensure-integration-network.yml |
Defines the new Concourse task contract for integration network provisioning. |
ci/tasks/gcp/ensure-integration-network.sh |
Adds idempotent GCP subnet and firewall validation/creation logic. |
ci/pipelines/builder.yml |
Adds an infrastructure group and manual ensure-integration-network job. |
ci/pipelines/publisher.yml |
Refactors publishing flow and replaces deprecated Docker image publishing with OCI build plus registry-image. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merging forward from Jammy