Separate OKD build and push phases

Author: Kasturi Narra

.github/actions/build-okd/action.yaml

@@ -51,23 +51,30 @@ runs:
         set -euo pipefail
 
         cd ${GITHUB_WORKSPACE}/
+        # The 'staging' mode builds images locally AND pushes them to staging registry
+        # Staging registry is automatically derived as: $(dirname target-registry)/okd-staging
+        # This allows testing before promoting to production
         TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+          staging \
           "${{ inputs.okd-version-tag }}" \
           "${{ inputs.ushift-gitref }}" \
           "${{ inputs.target-arch }}"
 
-    - name: Build MicroShift RPMs
+    - name: Build MicroShift RPMs using staging OKD images
       shell: bash
       run: |
         # See https://github.com/microshift-io/microshift/blob/main/docs/build.md
         # for more information about the build process.
 
-        # Run the RPM build process.
+        # Run the RPM build process using images from staging registry
+        # Staging registry is derived as: $(dirname target-registry)/okd-staging
         cd ${GITHUB_WORKSPACE}/
+        PRODUCTION_REGISTRY="${{ inputs.target-registry }}"
+        STAGING_REGISTRY="$(dirname "${PRODUCTION_REGISTRY}")/okd-staging"
         make rpm \
           USHIFT_GITREF="${{ inputs.ushift-gitref }}" \
           OKD_VERSION_TAG="${{ inputs.okd-version-tag }}" \
-          OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
+          OKD_RELEASE_IMAGE_AARCH64="${STAGING_REGISTRY}/okd-release-arm64" \
           RPM_OUTDIR=/mnt/rpms
 
     - name: Build MicroShift bootc container image
@@ -97,6 +104,39 @@ runs:
         make run-healthy
         make stop
 
+    - name: Push OKD images to production registry
+      if: success()
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        cd ${GITHUB_WORKSPACE}/
+        # Only push to production if all tests passed
+        # This ensures we don't publish broken OKD images to production
+        TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+          production \
+          "${{ inputs.okd-version-tag }}" \
+          "${{ inputs.ushift-gitref }}" \
+          "${{ inputs.target-arch }}"
+
+    - name: Cleanup staging registry
+      if: always()
+      shell: bash
+      continue-on-error: true
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+      run: |
+        set -euo pipefail
+
+        cd ${GITHUB_WORKSPACE}/
+        # Cleanup staging registry using the script's cleanup mode
+        # This runs on both success and failure to keep the staging registry clean
+        TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+          cleanup \
+          "${{ inputs.okd-version-tag }}" \
+          "${{ inputs.ushift-gitref }}" \
+          "${{ inputs.target-arch }}"
+
     # Uncomment this to enable tmate-debug on failure
     # - name: Pause and open tmate debug session
     #   if: failure()

src/okd/build_images.sh

@@ -4,14 +4,25 @@ set -euo pipefail
 export LC_ALL=C.UTF-8
 export LANG=C.UTF-8
 
-TARGET_REGISTRY=${TARGET_REGISTRY:-ghcr.io/microshift-io/okd}
+# Production registry - must be provided via TARGET_REGISTRY environment variable
+# or defaults to the upstream registry if not specified
+PRODUCTION_REGISTRY="${TARGET_REGISTRY:-ghcr.io/microshift-io/okd}"
+# Automatically derive staging registry by appending '/okd-staging' subpath
+STAGING_REGISTRY="$(dirname "${PRODUCTION_REGISTRY}")/okd-staging"
 PULL_SECRET=${PULL_SECRET:-~/.pull-secret.json}
 
 WORKDIR=$(mktemp -d /tmp/okd-build-images-XXXXXX)
 trap 'cd ; rm -rf "${WORKDIR}"' EXIT
 
 usage() {
-  echo "Usage: $(basename "$0") <okd-version> <ocp-branch> <target-arch>"
+  echo "Usage: $(basename "$0") <mode> <okd-version> <ocp-branch> <target-arch>"
+  echo "  mode:        Operation mode - 'staging', 'production', or 'cleanup'"
+  echo "               'staging'    - Build OKD images locally and push to staging registry"
+  echo "                              (${STAGING_REGISTRY})"
+  echo "               'production' - Push previously built images to production registry"
+  echo "                              (${PRODUCTION_REGISTRY})"
+  echo "               'cleanup'    - Delete images from staging registry"
+  echo "                              (${STAGING_REGISTRY})"
   echo "  okd-version: The version of OKD to build (see https://amd64.origin.releases.ci.openshift.org/)"
   echo "  ocp-branch:  The branch of OCP to build (e.g. release-4.19)"
   echo "  target-arch: The architecture of the target images (amd64 or arm64)"
@@ -320,17 +331,164 @@ create_new_okd_release() {
       # "ovn-kubernetes-microshift=${images_sha[ovn-kubernetes-microshift]}" \
 }
 
+# Build OKD images locally and populate images_sha array
+build_okd_images() {
+  echo "Building OKD images locally..."
+  create_images
+
+  for key in "${!images[@]}" ; do
+    # Skip haproxy-router for non-ARM64 architectures (see TODO at line 99)
+    # haproxy28 package implementation for amd64 is not yet available
+    if [ "${TARGET_ARCH}" != "arm64" ] && [ "${key}" = "haproxy-router" ] ; then
+      continue
+    fi
+    images_sha["${key}"]="${images[$key]}"
+  done
+
+  echo "Build completed successfully"
+}
+
+# Push images and manifests to registry, then create OKD release
+push_okd_images() {
+  echo "Pushing images to registry: ${TARGET_REGISTRY}"
+  push_image_manifests
+  create_new_okd_release
+  echo "Push completed successfully"
+  echo "OKD release image published to: ${OKD_RELEASE_IMAGE}"
+}
+
+# Retag staging images to production names
+retag_staging_to_production() {
+  local staging_image
+  local production_image
+
+  echo "Re-tagging staging images to production names..."
+
+  for key in "${!images[@]}" ; do
+    # Skip haproxy-router for non-ARM64 architectures (see TODO at line 99)
+    # haproxy28 package implementation for amd64 is not yet available
+    if [ "${TARGET_ARCH}" != "arm64" ] && [ "${key}" = "haproxy-router" ] ; then
+      continue
+    fi
+
+    production_image="${images[$key]}"
+    staging_image="${production_image/${PRODUCTION_REGISTRY}/${STAGING_REGISTRY}}"
+
+    if ! podman image exists "${staging_image}" ; then
+      echo "ERROR: Local staging image ${staging_image} not found."
+      echo "Run staging build first: $0 staging ${OKD_VERSION} ${OCP_BRANCH} ${TARGET_ARCH}"
+      exit 1
+    fi
+
+    echo "Re-tagging ${staging_image} to ${production_image}"
+    podman tag "${staging_image}" "${production_image}"
+    images_sha["${key}"]="${production_image}"
+  done
+}
+
+# Staging mode: build images locally and push to staging registry
+push_staging() {
+  check_podman_login
+  check_release_image_exists
+  build_okd_images
+  push_okd_images
+  echo ""
+  echo "Images built and pushed to staging registry: ${STAGING_REGISTRY}"
+  echo "OKD release image available at: ${OKD_RELEASE_IMAGE}"
+  echo "After successful testing, push to production with:"
+  echo "  $0 production ${OKD_VERSION} ${OCP_BRANCH} ${TARGET_ARCH}"
+}
+
+# Production mode: retag staging images and push to production registry
+push_production() {
+  check_podman_login
+  check_release_image_exists
+  retag_staging_to_production
+  push_okd_images
+}
+
+# Delete entire package from GHCR using GitHub CLI
+delete_ghcr_package() {
+  local image="$1"
+  local owner package
+
+  # Parse: ghcr.io/owner/package/subpath:tag -> extract owner and package (without tag)
+  owner=$(echo "${image}" | cut -d'/' -f2)
+  package=$(echo "${image}" | cut -d'/' -f3- | cut -d':' -f1)
+
+  # URL-encode package path (replace / with %2F)
+  package="${package//\//%2F}"
+
+  echo "  Deleting package: ${owner}/${package//%2F//}"
+
+  # Delete the entire package (all versions)
+  local error_msg
+  if error_msg=$(gh api --method DELETE "/users/${owner}/packages/container/${package}" -H "Accept: application/vnd.github+json" 2>&1); then
+    echo "    ✓ Package deleted"
+  else
+    # Handle known errors
+    if echo "${error_msg}" | grep -q "Not Found"; then
+      echo "    ✓ Already deleted"
+    else
+      echo "    WARNING: Failed to delete package"
+      echo "    Error: ${error_msg}"
+    fi
+  fi
+}
+
+# Cleanup mode: delete images from staging registry
+cleanup_staging() {
+  echo "Cleaning up staging registry images for version ${OKD_VERSION}..."
+
+  # Track deleted packages to avoid duplicates
+  declare -A deleted_packages
+
+  for key in "${!images[@]}" ; do
+    # Skip haproxy-router for non-ARM64 architectures (see TODO at line 99)
+    if [ "${TARGET_ARCH}" != "arm64" ] && [ "${key}" = "haproxy-router" ] ; then
+      continue
+    fi
+
+    # Extract package name (without tag)
+    local package_name="${images[$key]%%:*}"
+
+    # Skip if already deleted
+    if [ -n "${deleted_packages[$package_name]:-}" ]; then
+      echo "  Skipping ${package_name} (already deleted)"
+      continue
+    fi
+
+    # Delete the entire package (all versions including manifest and arch-specific)
+    delete_ghcr_package "${images[$key]}"
+    deleted_packages[$package_name]=1
+  done
+
+  # Delete the OKD release image package
+  local release_package="${OKD_RELEASE_IMAGE%%:*}"
+  if [ -z "${deleted_packages[$release_package]:-}" ]; then
+    delete_ghcr_package "${OKD_RELEASE_IMAGE}"
+  fi
+
+  echo "Staging registry cleanup completed"
+}
+
 #
 # Main
 #
-if [[ $# -ne 3 ]]; then
+if [[ $# -ne 4 ]]; then
   usage
 fi
 
-OKD_VERSION="$1"
-OCP_BRANCH="$2"
-TARGET_ARCH="$3"
-OKD_RELEASE_IMAGE="${TARGET_REGISTRY}/okd-release-${TARGET_ARCH}:${OKD_VERSION}"
+MODE="$1"
+OKD_VERSION="$2"
+OCP_BRANCH="$3"
+TARGET_ARCH="$4"
+
+# Validate mode
+if [[ "${MODE}" != "staging" ]] && [[ "${MODE}" != "production" ]] && [[ "${MODE}" != "cleanup" ]]; then
+  echo "ERROR: Invalid mode '${MODE}'. Must be 'staging', 'production', or 'cleanup'"
+  usage
+fi
 
 # Determine the alternate architecture
 case "${TARGET_ARCH}" in
@@ -346,6 +504,15 @@ case "${TARGET_ARCH}" in
     ;;
 esac
 
+# Set target registry based on mode
+if [[ "${MODE}" == "staging" ]] || [[ "${MODE}" == "cleanup" ]]; then
+  TARGET_REGISTRY="${STAGING_REGISTRY}"
+elif [[ "${MODE}" == "production" ]]; then
+  TARGET_REGISTRY="${PRODUCTION_REGISTRY}"
+fi
+
+OKD_RELEASE_IMAGE="${TARGET_REGISTRY}/okd-release-${TARGET_ARCH}:${OKD_VERSION}"
+
 # Populate associative arrays with image names and tags
 declare -A images
 declare -A images_sha
@@ -368,10 +535,11 @@ images=(
 
 # Check the prerequisites
 check_prereqs
-check_podman_login
-check_release_image_exists
-# Create and push images
-create_images
-push_image_manifests
-# Create a new OKD release
-create_new_okd_release
+# Execute based on mode
+if [[ "${MODE}" == "staging" ]]; then
+  push_staging
+elif [[ "${MODE}" == "production" ]]; then
+  push_production
+elif [[ "${MODE}" == "cleanup" ]]; then
+  cleanup_staging
+fi