CI: Generate RPM diff and auto-publish GitHub Release

[unixtech-06]

Closes #60

Add RPM diff generation and GitHub Release automation to CI

• Detect previous dated image tags with skopeo and compare RPM lists
• Generate Markdown changelog (Added / Updated / Removed) per platform
• Publish combined RPM diff as GitHub Release with attached artifacts
• Mark release as pre-release when pushing to testing registries

[alexiri]

Great work!

For the atomic-desktop images, this changelog is generated by the rechunker, which is very useful. One of the things it does is attach the full package list (ie. your rpm_lists/.../*.txt) as a label to the container image itself. You can see it here, for example:

skopeo inspect docker://quay.io/almalinuxorg/atomic-desktop-gnome:10 | jq '.Labels["dev.hhd.rechunk.info"]'

How about doing this instead? This is kind of like a poor man's SBOM, and since it's tied to the image it makes it much easier for you to get the information of the previous released image and it also makes the information available for other future uses.

[alexiri]

How about skipping the sections altogether if there are no packages in that category?

[unixtech-06]

Thanks for the suggestion
I’ve updated the changelog generation so that it now skips any Added / Updated / Removed section when the count is zero

[alexiri]

Why not just use the current ${VMJ} tag, which should always be the latest released tag?

[unixtech-06]

Thanks for pointing this out
I had overlooked that the ${VMJ} tag is always kept up to date with the latest release
I’ve updated the workflow to simply use ${VMJ} as the comparison base instead of scanning dated tags

[alexiri]

This makes it impossible for the workflow to run the first time, when there's no previous tag. Not too relevant now that it exists, but still...

[unixtech-06]

updated the step so the workflow won’t fail on the very first run when there’s no previous tag

[unixtech-06]

Great work!

For the atomic-desktop images, this changelog is generated by the rechunker, which is very useful. One of the things it does is attach the full package list (ie. your rpm_lists/.../*.txt) as a label to the container image itself. You can see it here, for example:

skopeo inspect docker://quay.io/almalinuxorg/atomic-desktop-gnome:10 | jq '.Labels["dev.hhd.rechunk.info"]'

How about doing this instead? This is kind of like a poor man's SBOM, and since it's tied to the image it makes it much easier for you to get the information of the previous released image and it also makes the information available for other future uses.

I agree that this approach makes perfect sense.

Here’s what I’m thinking:

• For each platform, generate a rechunker-style JSON that includes the full RPM list, its SHA256, and metadata such as built_at and prev_tag.
• Compress the JSON with gzip + base64 and store it in an environment variable RCHUNK_INFO_LABEL.
• During the final image push step, add the label as follows:
  dev.hhd.rechunk.info=${{ env.RCHUNK_INFO_LABEL }} (specified in docker/build-push-action@v5 under labels:).
• The label can be verified in the same way as the atomic-desktop images:

  skopeo inspect docker://<registry>/<repo>:<tag> \
    | jq -r '.Labels["dev.hhd.rechunk.info"]' \
    | base64 -d | gzip -d | jq .

[alexiri]

dev.hdd.rechunk.info isn't a standardized label or anything, and given the format is different maybe we shouldn't use the same label. How about org.almalinux.sbom? Reference: https://github.com/opencontainers/image-spec/blob/main/annotations.md

[unixtech-06]

That sounds good
I'll use org.almalinux.sbom instead.

[alexiri]

Suggested change

	# Compress and encode JSON into a single-line lable payload
	# Compress and encode JSON into a single-line label payload

[alexiri]

Suggested change

	${{ env.LABLE_KEY }}=${{ env.RCHUNK_INFO_LABEL }}
	${{ env.LABEL_KEY }}=${{ env.RCHUNK_INFO_LABEL }}

[alexiri]

You don't need to run the previous image and extract the list of packages again, now that it's attached as a label you could just get it from there. If you use crane, you can even get the label without having to pull the image!

[unixtech-06]

I'll switch to using crane.
It seems that crane isn’t included in the default ubuntu-latest runner image, so I’ll add installation steps for it as well.
https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2404-Readme.md

[alexiri]

I understand wanting to reduce the size of this data, but making it binary makes it a bit less useful. It adds an extra couple of steps to be able to read and use it. There's no limit to the value size (as far as I can tell), so why not just store the json directly?

[unixtech-06]

I’ll change it to store the JSON directly in the label instead of encoding it.

[alexiri]

This looks great! Are you running it anywhere so we can verify everything works as expected and looks good?

[unixtech-06]

This looks great! Are you running it anywhere so we can verify everything works as expected and looks good?

I'll try it out in my own repository by creating a new branch for testing.

[unixtech-06]

The workflow ran successfully and generated the changelog correctly.
The result is available here:
https://github.com/unixtech-06/container-images/releases/tag/v20251010

[alexiri]

Hi @unixtech-06, please take a look at this conversation: https://chat.almalinux.org/almalinux/pl/yuun4ire5jbibxtid1mfubgzfy

Now would be a great opportunity to standardize on the same SBOM format for all AlmaLinux images!

[unixtech-06]

Hi @unixtech-06, please take a look at this conversation: https://chat.almalinux.org/almalinux/pl/yuun4ire5jbibxtid1mfubgzfy

Now would be a great opportunity to standardize on the same SBOM format for all AlmaLinux images!

Sorry, I was mistaken earlier.

After thinking about it, the current rpm-based implementation doesn’t work for micro anyway since it doesn’t include the rpm command.
So for now, I think it’s fine to generate SBOMs for the other container images (excluding micro) by mounting their rootfs externally and using this script.

[alexiri]

@javihernandez, what do you think, good to go with the SBOM?

[javihernandez]

@javihernandez, what do you think, good to go with the SBOM?

Hey, currently, the sbom tools are not part of the cloud images pipelines, its inclusion in the gcp images pipelines is being finalized as part of AlmaLinux/cloud-images#266.

In any case, yes, I think that we can proceed with the SBOM tools approach. For that, @unixtech-06 needs to:

1. Create a PR with the rpm bindings fallback changes in https://github.com/AlmaLinux/cloud-images-sbom-tools
2. Update this PR accordingly. Please check the GCP images PR above for inspiration on how to include the tools into the container images pipeline(s)