Separate OKD build and push phases

Kasturi Narra · Kasturi Narra · commit 846b22d9dc49 · 2025-11-27T16:40:42.000+05:30
diff --git a/.github/actions/build-okd/action.yaml b/.github/actions/build-okd/action.yaml
@@ -45,29 +45,31 @@ runs:
       with:
         token: ${{ inputs.token }}
 
-    - name: Build OKD images
+    - name: Build OKD images and push to staging
       shell: bash
       run: |
         set -euo pipefail
 
         cd ${GITHUB_WORKSPACE}/
-        TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+        # Build images locally and push to staging registry for testing
+        ./src/okd/build_images.sh \
+          build \
           "${{ inputs.okd-version-tag }}" \
           "${{ inputs.ushift-branch }}" \
           "${{ inputs.target-arch }}"
 
-    - name: Build MicroShift RPMs
+    - name: Build MicroShift RPMs using staging OKD images
       shell: bash
       run: |
         # See https://github.com/microshift-io/microshift/blob/main/docs/build.md
         # for more information about the build process.
 
-        # Run the RPM build process.
+        # Run the RPM build process using images from staging registry
         cd ${GITHUB_WORKSPACE}/
         make rpm \
           USHIFT_BRANCH="${{ inputs.ushift-branch }}" \
           OKD_VERSION_TAG="${{ inputs.okd-version-tag }}" \
-          OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
+          OKD_RELEASE_IMAGE="ghcr.io/microshift-io/okd-staging/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
           RPM_OUTDIR=/mnt/rpms
 
     - name: Build MicroShift bootc container image
@@ -97,6 +99,30 @@ runs:
         make run-healthy
         make stop
 
+    - name: Push OKD images to production registry
+      if: success()
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        cd ${GITHUB_WORKSPACE}/
+        # Only push to production if all tests passed
+        # This ensures we don't publish broken OKD images to production
+        ./src/okd/build_images.sh \
+          push \
+          "${{ inputs.okd-version-tag }}" \
+          "${{ inputs.ushift-branch }}" \
+          "${{ inputs.target-arch }}"
+
+    - name: Cleanup staging registry on failure
+      if: failure()
+      shell: bash
+      continue-on-error: true
+      run: |
+        echo "Build or tests failed - staging images were not promoted to production"
+        echo "Staging registry may contain untested images for version ${{ inputs.okd-version-tag }}"
+        echo "These will be overwritten on the next build attempt"
+
     # Uncomment this to enable tmate-debug on failure
     # - name: Pause and open tmate debug session
     #   if: failure()
diff --git a/src/okd/build_images.sh b/src/okd/build_images.sh
@@ -11,7 +11,12 @@ WORKDIR=$(mktemp -d /tmp/okd-build-images-XXXXXX)
 trap 'cd ; rm -rf "${WORKDIR}"' EXIT
 
 usage() {
-  echo "Usage: $(basename "$0") <okd-version> <ocp-branch> <target-arch>"
+  echo "Usage: $(basename "$0") <mode> <okd-version> <ocp-branch> <target-arch>"
+  echo "  mode:        Operation mode - 'build' or 'push'"
+  echo "               'build' - Build OKD images locally and push to staging registry"
+  echo "                         (${STAGING_REGISTRY})"
+  echo "               'push'  - Push previously built images to production registry"
+  echo "                         (${PRODUCTION_REGISTRY})"
   echo "  okd-version: The version of OKD to build (see https://amd64.origin.releases.ci.openshift.org/)"
   echo "  ocp-branch:  The branch of OCP to build (e.g. release-4.19)"
   echo "  target-arch: The architecture of the target images (amd64 or arm64)"
@@ -317,14 +322,20 @@ create_new_okd_release() {
 #
 # Main
 #
-if [[ $# -ne 3 ]]; then
+if [[ $# -ne 4 ]]; then
   usage
 fi
 
-OKD_VERSION="$1"
-OCP_BRANCH="$2"
-TARGET_ARCH="$3"
-OKD_RELEASE_IMAGE="${TARGET_REGISTRY}/okd-release-${TARGET_ARCH}:${OKD_VERSION}"
+MODE="$1"
+OKD_VERSION="$2"
+OCP_BRANCH="$3"
+TARGET_ARCH="$4"
+
+# Validate mode
+if [[ "${MODE}" != "build" ]] && [[ "${MODE}" != "push" ]]; then
+  echo "ERROR: Invalid mode '${MODE}'. Must be 'build' or 'push'"
+  usage
+fi
 
 # Determine the alternate architecture
 case "${TARGET_ARCH}" in
@@ -340,6 +351,17 @@ case "${TARGET_ARCH}" in
     ;;
 esac
 
+# Set registry based on mode
+if [[ "${MODE}" == "build" ]]; then
+  # For build mode, we build locally and then push to staging
+  TARGET_REGISTRY="${STAGING_REGISTRY}"
+elif [[ "${MODE}" == "push" ]]; then
+  # For push mode, we push to production
+  TARGET_REGISTRY="${PRODUCTION_REGISTRY}"
+fi
+
+OKD_RELEASE_IMAGE="${TARGET_REGISTRY}/okd-release-${TARGET_ARCH}:${OKD_VERSION}"
+
 # Populate associative arrays with image names and tags
 declare -A images
 declare -A images_sha
@@ -362,10 +384,61 @@ images=(
 
 # Check the prerequisites
 check_prereqs
-check_podman_login
-check_release_image_exists
-# Create and push images
-create_images
-push_image_manifests
-# Create a new OKD release
-create_new_okd_release
+
+# Execute based on mode
+if [[ "${MODE}" == "build" ]]; then
+  # Build mode: Build images locally and push to staging registry
+  create_images
+
+  # Populate images_sha array from local images
+  for key in "${!images[@]}" ; do
+    # Skip haproxy-router for non-ARM64 architectures (see TODO at line 93)
+    # haproxy28 package implementation for amd64 is not yet available
+    if [ "${TARGET_ARCH}" != "arm64" ] && [ "${key}" = "haproxy-router" ] ; then
+      continue
+    fi
+    images_sha["${key}"]="${images[$key]}"
+  done
+
+  # Push images to staging registry
+  push_image_manifests
+
+  # Create the OKD release image in staging registry
+  create_new_okd_release
+
+  echo ""
+  echo "Build completed successfully"
+  echo "Images built and pushed to staging registry: ${STAGING_REGISTRY}"
+  echo "OKD release image available at: ${OKD_RELEASE_IMAGE}"
+  echo "After successful testing, push to production with:"
+  echo "  $0 push ${OKD_VERSION} ${OCP_BRANCH} ${TARGET_ARCH}"
+
+elif [[ "${MODE}" == "push" ]]; then
+  # Push mode: Push previously built images to production registry
+  # This should only be done after successful testing with staging images
+  # Note: Assumes podman login was already done externally (e.g., by CI/CD workflow)
+
+  # Verify all local images exist and populate images_sha array
+  for key in "${!images[@]}" ; do
+    # Skip haproxy-router for non-ARM64 architectures (see TODO at line 93)
+    # haproxy28 package implementation for amd64 is not yet available
+    if [ "${TARGET_ARCH}" != "arm64" ] && [ "${key}" = "haproxy-router" ] ; then
+      continue
+    fi
+
+    # Check if local image exists
+    if ! podman image exists "${images[$key]}" ; then
+      echo "ERROR: Local image ${images[$key]} not found."
+      echo "Run build first: $0 build ${OKD_VERSION} ${OCP_BRANCH} ${TARGET_ARCH}"
+      exit 1
+    fi
+
+    # Populate images_sha array with local image reference
+    images_sha["${key}"]="${images[$key]}"
+  done
+
+  push_image_manifests
+  create_new_okd_release
+  echo "Push to production completed successfully"
+  echo "OKD release image published to: ${OKD_RELEASE_IMAGE}"
+fi
