chore(ci, build): add support for KONFLUX Dockerfile builds in Makefile and tests

.github/actions/playwright-test/action.yml

@@ -0,0 +1,121 @@
+---
+name: 'Playwright Browser Tests'
+description: |
+  Run Playwright browser tests for workbench images.
+
+  Features:
+  - Runs Playwright tests inside the official Microsoft Playwright container
+  - Uses Podman to run the test container with proper isolation
+  - Supports testcontainers for container orchestration
+  - Uploads test reports as artifacts on pull requests
+
+  Requirements:
+  - Podman must be installed and running
+  - The workbench image must be available in the local Podman storage
+  - tests/browser directory must contain the Playwright test configuration
+
+inputs:
+  test-target:
+    description: 'The workbench image to test (full image reference).'
+    required: true
+  podman-socket:
+    description: 'Path to Podman socket'
+    required: false
+    default: '/var/run/podman/podman.sock'
+  playwright-version:
+    description: 'Version of the Playwright container to use (e.g., v1.58.1-noble). If not provided, extracted from package.json5'
+    required: false
+    default: ''
+  working-directory:
+    description: 'Directory containing the Playwright tests'
+    required: false
+    default: 'tests/browser'
+  upload-report:
+    description: 'Whether to upload the Playwright report as an artifact'
+    required: false
+    default: 'false'
+  artifact-name:
+    description: 'Name for the uploaded artifact (required if upload-report is true)'
+    required: false
+    default: 'playwright-report'
+  artifact-retention-days:
+    description: 'Number of days to retain the artifact'
+    required: false
+    default: '30'
+
+outputs:
+  outcome:
+    description: 'The outcome of the Playwright tests (success or failure)'
+    value: ${{ steps.playwright.outcome }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Determine Playwright version
+      id: playwright-version
+      shell: bash
+      run: |
+        if [[ -n "${INPUT_PLAYWRIGHT_VERSION}" ]]; then
+          echo "version=${INPUT_PLAYWRIGHT_VERSION}" >> "$GITHUB_OUTPUT"
+        else
+          # Extract version from package.json5 (single source of truth)
+          # package.json5 has: "@playwright/test": "=1.58.1"
+          # Container tag format is: v1.58.1-noble
+          PKG_VERSION=$(grep -oP '"@playwright/test":\s*"=?\K[0-9.]+' "${WORKING_DIRECTORY}/package.json5")
+          if [[ -z "$PKG_VERSION" ]]; then
+            echo "::error::Failed to extract Playwright version from package.json5"
+            exit 1
+          fi
+          echo "version=v${PKG_VERSION}-noble" >> "$GITHUB_OUTPUT"
+          echo "Extracted Playwright version: v${PKG_VERSION}-noble"
+        fi
+      env:
+        INPUT_PLAYWRIGHT_VERSION: ${{ inputs.playwright-version }}
+        WORKING_DIRECTORY: ${{ inputs.working-directory }}
+
+    - name: Run Playwright tests
+      id: playwright
+      shell: bash
+      # --ipc=host because Microsoft says so in Playwright docs
+      # --net=host because testcontainers connects to the Reaper container's exposed port
+      # we need to pass through the relevant environment variables
+      #  DEBUG configures Node.js debuggers, sets different verbosity as needed
+      #  CI=true is set on every CI nowadays
+      #  PODMAN_SOCK should be mounted to /var/run/docker.sock, other likely mounting locations may not exist (mkdir -p)
+      #  TEST_TARGET is the workbench image the test will run
+      # --volume(s) let us access docker socket and not clobber host's node_modules
+      run: |
+        podman run \
+          --interactive --rm \
+          --ipc=host \
+          --net=host \
+          --env "CI=true" \
+          --env "NPM_CONFIG_fund=false" \
+          --env "DEBUG=testcontainers:*" \
+          --env "PODMAN_SOCK=/var/run/docker.sock" \
+          --env "TEST_TARGET" \
+          --volume "${PODMAN_SOCKET}":/var/run/docker.sock \
+          --volume "${PWD}":/mnt \
+          --volume /mnt/node_modules \
+          "mcr.microsoft.com/playwright:${PLAYWRIGHT_VERSION}" \
+          /bin/bash <<EOF
+            set -Eeuxo pipefail
+            cd /mnt
+            npm install -g pnpm && pnpm install
+            pnpm exec playwright test
+            exit 0
+        EOF
+      working-directory: ${{ inputs.working-directory }}
+      env:
+        # Only set TEST_TARGET if provided, otherwise playwright.config.ts uses its default
+        TEST_TARGET: ${{ inputs.test-target || '' }}
+        PODMAN_SOCKET: ${{ inputs.podman-socket }}
+        PLAYWRIGHT_VERSION: ${{ steps.playwright-version.outputs.version }}
+
+    - name: Upload Playwright report
+      if: ${{ !cancelled() && inputs.upload-report == 'true' }}
+      uses: actions/upload-artifact@v6
+      with:
+        name: ${{ inputs.artifact-name }}
+        path: ${{ inputs.working-directory }}/playwright-report/
+        retention-days: ${{ inputs.artifact-retention-days }}

.github/workflows/build-notebooks-TEMPLATE.yaml

@@ -28,6 +28,11 @@ name: Build & Publish Notebook Servers (TEMPLATE)
         default: false
         description: "add RHEL subscription from github secret"
         type: boolean
+      konflux:
+        required: false
+        default: false
+        description: "build from Dockerfile.konflux.* instead of Dockerfile.*"
+        type: boolean
       PLATFORM_RUNNERS:
         required: false
         # language=json
@@ -127,14 +132,19 @@ jobs:
           printf "${PWD}/entitlement:/etc/pki/entitlement\n${PWD}/consumer:/etc/pki/consumer\n" | sudo tee /usr/share/containers/mounts.conf
 
           mkdir -p $HOME/.config/containers/
-          sudo cp ${PWD}/ci/secrets/pull-secret.json $HOME/.config/containers/auth.json
+
+          # Don't use sudo here.
+          # With CONTAINER_HOST set, podman is a remote client that forwards auth to the
+          # rootful server during builds. Credentials must be readable by the runner user.
+          cp ${PWD}/ci/secrets/pull-secret.json $HOME/.config/containers/auth.json
         env:
           SUBSCRIPTION_ORG: ${{ secrets.SUBSCRIPTION_ORG }}
           SUBSCRIPTION_ACTIVATION_KEY: ${{ secrets.SUBSCRIPTION_ACTIVATION_KEY }}
 
       # for bin/buildinputs in scripts/sandbox.py
       - uses: actions/setup-go@v6
         with:
+          go-version: "stable"
           cache-dependency-path: "scripts/buildinputs/go.sum"
 
       - run: sudo apt-get update
@@ -259,6 +269,7 @@ jobs:
           CONTAINER_BUILD_CACHE_ARGS: "${{ steps.extra-container-build-args.outputs.CONTAINER_BUILD_CACHE_ARGS }}"
           # We don't have access to image registry for PRs, so disable pushing
           PUSH_IMAGES: "${{ (fromJson(inputs.github).event_name == 'pull_request' || fromJson(inputs.github).event_name == 'pull_request_target') && 'no' || 'yes' }}"
+          KONFLUX: "${{ inputs.konflux && 'yes' || 'no' }}"
 
       - name: "Show podman images information"
         run: podman images --digests
@@ -426,6 +437,7 @@ jobs:
       - uses: actions/setup-go@v6
         if: ${{ !cancelled() && steps.make-target.outcome == 'success' }}
         with:
+          go-version-file: "scripts/check-payload/go.mod"
           cache-dependency-path: "scripts/check-payload/go.sum"
         env:
           GOPATH: ${{ steps.check-payload-vars.outputs.GOPATH }}
@@ -477,44 +489,12 @@ jobs:
       # not enough to install playwright; running playwright in podman uses the space we have
       - name: Run Playwright tests
         if: ${{ !cancelled() && contains(inputs.target, 'codeserver') && steps.make-target.outcome == 'success' }}
-        # --ipc=host because Microsoft says so in Playwright docs
-        # --net=host because testcontainers connects to the Reaper container's exposed port
-        # we need to pass through the relevant environment variables
-        #  DEBUG configures Node.js debuggers, sets different verbosity as needed
-        #  CI=true is set on every CI nowadays
-        #  PODMAN_SOCK should be mounted to /var/run/docker.sock, other likely mounting locations may not exist (mkdir -p)
-        #  TEST_TARGET is the workbench image the test will run
-        # --volume(s) let us access docker socket and not clobber host's node_modules
-        run: |
-          podman run \
-            --interactive --rm \
-            --ipc=host \
-            --net=host \
-            --env "CI=true" \
-            --env "NPM_CONFIG_fund=false" \
-            --env "DEBUG=testcontainers:*" \
-            --env "PODMAN_SOCK=/var/run/docker.sock" \
-            --env "TEST_TARGET" \
-            --volume ${PODMAN_SOCK}:/var/run/docker.sock \
-            --volume ${PWD}:/mnt \
-            --volume /mnt/node_modules \
-            mcr.microsoft.com/playwright:v1.53.1-noble \
-            /bin/bash <<EOF
-              set -Eeuxo pipefail
-              cd /mnt
-              npm install -g pnpm && pnpm install
-              pnpm exec playwright test
-              exit 0
-          EOF
-        working-directory: tests/browser
-        env:
-          TEST_TARGET: "${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}"
-      - uses: actions/upload-artifact@v6
-        if: ${{ !cancelled() && fromJson(inputs.github).event_name == 'pull_request' && contains(inputs.target, 'codeserver') }}
+        uses: ./.github/actions/playwright-test
         with:
-          name: "${{ inputs.target }}_${{ steps.calculated_vars.outputs.SANITIZED_PLATFORM }}_playwright-report"
-          path: tests/browser/playwright-report/
-          retention-days: 30
+          test-target: ${{ steps.calculated_vars.outputs.OUTPUT_IMAGE }}
+          podman-socket: /var/run/podman/podman.sock
+          upload-report: ${{ fromJson(inputs.github).event_name == 'pull_request' }}
+          artifact-name: "${{ inputs.target }}_${{ steps.calculated_vars.outputs.SANITIZED_PLATFORM }}_playwright-report"
 
       # endregion
 

.github/workflows/build-notebooks-pr-aipcc.yaml

@@ -62,6 +62,7 @@ jobs:
 
       - uses: actions/setup-go@v6
         with:
+          go-version: "stable"
           cache-dependency-path: "**/*.sum"
 
       - name: Determine targets to build based on changed files
@@ -94,4 +95,5 @@ jobs:
       platform: "${{ matrix.platform }}"
       # rhds/notebooks builds from AIPCC base images that are RHEL-based
       subscription: ${{ true }}
+      konflux: ${{ true }}
     secrets: inherit

.github/workflows/build-notebooks-pr-rhel.yaml

@@ -60,6 +60,7 @@ jobs:
 
       - uses: actions/setup-go@v6
         with:
+          go-version: "stable"
           cache-dependency-path: "**/*.sum"
 
       - name: Determine targets to build based on changed files

.github/workflows/build-notebooks-pr.yaml

@@ -34,6 +34,7 @@ jobs:
 
       - uses: actions/setup-go@v6
         with:
+          go-version: "stable"
           cache-dependency-path: "**/*.sum"
 
       - name: Determine targets to build based on changed files

.github/workflows/build-notebooks-push.yaml

@@ -9,6 +9,15 @@
       # In fact, skip the build if there are only changes in manifests and nowhere else
       - manifests/**
   "workflow_dispatch":
+    inputs:
+      "odh":
+        description: "Build Dockerfile.*"
+        type: boolean
+        default: false
+      "rhds":
+        description: "Build Dockerfile.konflux.* (requires subscription)"
+        type: boolean
+        default: false
   "schedule":
     - "cron": "0 2 * * *"
 
@@ -33,6 +42,7 @@ jobs:
 
       - uses: actions/setup-go@v6
         with:
+          go-version: "stable"
           cache-dependency-path: "**/*.sum"
 
       - name: Determine targets to build (we want to build everything on push)
@@ -51,12 +61,28 @@ jobs:
       fail-fast: false
       matrix: "${{ fromJson(needs.gen.outputs.matrix) }}"
     uses: ./.github/workflows/build-notebooks-TEMPLATE.yaml
-    if: ${{ fromJson(needs.gen.outputs.has_jobs) }}
+    if: ${{ (inputs.odh || (github.event_name != 'workflow_dispatch' && github.repository != 'red-hat-data-services/notebooks')) && fromJson(needs.gen.outputs.has_jobs) }}
+    with:
+      target: "${{ matrix.target }}"
+      python: "${{ matrix.python }}"
+      github: "${{ toJSON(github) }}"
+      platform: "${{ matrix.platform }}"
+      subscription: "${{ matrix.subscription }}"
+    secrets: inherit
+
+  build-aipcc:
+    needs: ["gen"]
+    strategy:
+      fail-fast: false
+      matrix: "${{ fromJson(needs.gen.outputs.matrix) }}"
+    uses: ./.github/workflows/build-notebooks-TEMPLATE.yaml
+    if: ${{ (inputs.rhds || (github.event_name != 'workflow_dispatch' && github.repository == 'red-hat-data-services/notebooks')) && fromJson(needs.gen.outputs.has_jobs) }}
     with:
       target: "${{ matrix.target }}"
       python: "${{ matrix.python }}"
       github: "${{ toJSON(github) }}"
       platform: "${{ matrix.platform }}"
       # rhds/notebooks builds from AIPCC base images that are RHEL-based
-      subscription: "${{ matrix.subscription || (github.repository == 'red-hat-data-services/notebooks') }}"
+      subscription: ${{ true }}
+      konflux: ${{ true }}
     secrets: inherit