Bump every GitHub Action in the repository to its latest major
version, addressing the upcoming Node.js 20 deprecation. Several
of the old versions (checkout v4, cache v4, setup-node v4,
labeler v5) use the Node 20 runtime which GitHub is deprecating.
The new versions use Node 22.
- actions/checkout v4/v5 to v6
- actions/upload-artifact v4 to v7
- actions/download-artifact v4 to v8
- actions/cache, cache/restore, cache/save v4 to v5
- actions/setup-node v4 to v6
- actions/setup-python v5 to v6
- actions/github-script v7/v8 to v9
- actions/labeler v5 to v6
- peter-evans/find-comment v3 to v4
- dorny/paths-filter v3 to v4
- codecov/codecov-action v4 to v6
- docker/setup-buildx-action v3 to v4
- docker/build-push-action v6 to v7
- tj-actions/changed-files v46 to v47
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The current workflow_dispatch path builds whatever HEAD of the dispatch ref
is, labels the resulting image with px4_version, and publishes. That's
fine for rebuilding current state but it cannot rebuild the exact commit
a release tag points to, because the dispatch loads the workflow file
from one ref and implicitly checks out the same ref for the build.
This matters for release recovery. When the v1.17.0-rc2 tag push failed
to publish containers back on 2026-03-13 (the v1 GHA cache protocol
removal in RunsOn v2.12.0), the tag was not re-pushed, so the only way
to publish rc2 containers now is via workflow_dispatch. Without this
change, a dispatch against release/1.17 builds release/1.17 HEAD and
labels it v1.17.0-rc2, which produces a container whose contents do not
match the rc2 tag's actual code. That is not a faithful recovery.
Add a build_ref input that controls only the checkout ref, defaulting
to empty which falls back to github.ref (preserving current behavior
for both push events and dispatches that omit the input). With this,
a release recovery looks like:
gh workflow run dev_container.yml --repo PX4/PX4-Autopilot \
--ref release/1.17 \
-f px4_version=v1.17.0-rc2 \
-f build_ref=v1.17.0-rc2 \
-f deploy_to_registry=true
The workflow loads from release/1.17 HEAD (which has the cache fix
from 39b0568 and the hardening from d74db56a), but the build uses
Tools/setup/Dockerfile from the rc2 tag. The published image has
rc2 contents under the rc2 label, as if the original tag push had
worked.
All three actions/checkout steps (setup, build, deploy) take the same
ref expression so every job sees a consistent workspace. Non-dispatch
events (push, PR) evaluate github.event.inputs.build_ref to empty and
fall back to github.ref exactly as before.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Three related fixes to prevent a repeat of the v1.17.0-rc2 incident, where a
post-push GHA cache-export 404 failed the arm64 build after both registry
pushes had already succeeded, fail-fast cancelled amd64, and the deploy job
was skipped, leaving the registries with only a partial arm64 publish and no
multi-arch manifest.
- Mark cache export as non-fatal via ignore-error=true on cache-to. A
successful registry push should never be undone by a cache-layer flake.
This alone would have let rc2 publish correctly.
- Decouple the deploy job from the build job's exit code. Change its if:
gate to !cancelled() + setup success only, and promote the existing
"Verify Images Exist Before Creating Manifest" step from a warning into
a hard precondition. Deploy now runs whenever both per-arch tags actually
exist in the registries, which is its real precondition, and fails loudly
if a tag is missing.
- Bump every action to the current major (runs-on/action v2,
actions/checkout v5, docker/login-action v4, docker/setup-buildx-action v4,
docker/build-push-action v7, docker/metadata-action v6). This gets the
workflow off Node 20 before GitHub's June 2 2026 forced runtime switch
and keeps runs-on/action on the same major as the runs-on platform.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
RunsOn v2.12.0 (March 6, 2026) removed v1 cache toolkit support,
causing the buildx GHA cache proxy to return 404 for v1 endpoints.
This has broken container builds on main since March 12.
Removing the explicit version=1 parameter lets buildkit auto-detect
the v2 protocol, which is the only version now supported by both
GitHub (since April 2025) and RunsOn.
First build after this change will have a cold cache.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* Tone down the performance of some runners from 8cpu+ down to 4cpu+
* Improve and document caching on PX4 builds with an improved ccache key strategy
* Review and document artifact upload logic for binaries uploaded to S3 and github
releases
* Future Improvement, introduce runners configuration file so we can
control more precesily which instances are allocated.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* Add vitepress tree
* Update existing workflows so they dont trigger on changes in the docs path
* Add nojekyll, package.json, LICENCE etc
* Add crowdin docs upload/download scripts
* Add docs flaw checker workflows
* Used docs prefix for docs workflows
* Crowdin obvious fixes
* ci: docs move to self hosted runner
runs on a beefy server for faster builds
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* ci: don't run build action for docs or ci changes
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* ci: update runners
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* Add docs/en
* Add docs assets and scripts
* Fix up editlinks to point to PX4 sources
* Download just the translations that are supported
* Add translation sources for zh, uk, ko
* Update latest tranlsation and uorb graphs
* update vitepress to latest
---------
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Co-authored-by: Ramon Roche <mrpollo@gmail.com>
Docker hub is rate limiting our API access, as a result tests are
failing for no apparent reason. This change will decrease the API calls
by at least 80%
We have applied for an Open Source account with greater API limits, I
will come back to this and update as necessary when and if they grant us
access to their program.
Make sure we always have a { branch name } container tag in addition to
a { branch name + date } tag. This way we have a rolling { branch name }
of the main and release branches
when this is workflow triggered by a tag push event, then it tags the
image in multiple ways eg:
"image.name": "ghcr.io/px4/px4-dev:v1.16.0-alpha1,ghcr.io/px4/px4-dev:latest"
Having multiple names messes up the exectuion of the next step in the
chain since we depend on its name to complete the testing
Ramon Roche
Hamish Willee