Ensure Github workflow runs on docker image used by Production Distribution Build

[reta]

Description

Ensure Github workflow runs on docker image used by Production Distribution Build

Issues Resolved

Closes #3494

Is this a backport? If so, please add backport PR # and/or commits #

Testing

Tested as Github Action worflows

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[peternied]

Thanks for getting a PR out here to review, can you do a runtime comparison between main and this change? I'm curious what the impact is to our PR checks time with this change.

[peternied]

Lets use a published task not a direct repo reference

[reta]

Hm... may you share the example? (PS: this step is replicated to all repos)

[peternied]

I don't like tightly coupling these repositories together; security depends on opensearch-build, opensearch build depends on security - this is a formula to get into a broken state and have to start bypassing CI.

[peternied]

For example, here is a GitHub action that allows for multi-platform file download [1] it shouldn't be part of the security project even though it was originally written to support this project.

I have trouble adopting this level of coupling when we still have problems doing normal builds after version bumps [2]

• [1] https://github.com/peternied/download-file
• [2] [AUTO] Increment version to 1.3.15-SNAPSHOT #3829

[reta]

I am still unsure what you are suggesting, my apologies. If this is not the way we should share the workflows, no objections to change it, but to what model?

[peternied]

We should publish the workflows as github actions e.g. opensearch-project/opensearch-ci-image-by-tag@v1?

[reta]

Oh I see, thanks @peternied , @peterzhuamazon fyi ^^

[reta]

Thanks for getting a PR out here to review, can you do a runtime comparison between main and this change? I'm curious what the impact is to our PR checks time with this change.

The only change should be an usage of our (OpenSearch) image for Linux runner (instead of ubuntu-latest), the only price to be paid is for pulling the image .

[reta]

@peternied opening it up for review, if you prefer to have Githib Action (instead of referencing the workflow directly), I have no objection - please feel to close this one (and preferably open an issue for opensearch-build repo to work on that), thank you!

[peternied]

Thanks @reta I'm created an issue for OpenSearch-build to publish a GitHub action [1] that should be how we adopt that job. After this has been created, we'll be in a position to adopt this change in this repo.

• [1] Get CI Image Tag should be published as a GitHub action opensearch-build#4296