hack: allow supplying custom OCI_TAG during persist

Author: anokfireball

.github/actions/test/integration/build/action.yml

@@ -103,6 +103,7 @@ runs:
         PASSWORD=$(openssl passwd "password")
         echo "PASSWORD=$PASSWORD" >> $GITHUB_ENV
         sed -i "s|PASSWORD_GOES_HERE|$PASSWORD|g" ./.github/actions/test/integration/build/dev-user-butane.yaml
+        sed -i "s|TAG_GOES_HERE|${{ inputs.image_tag }}|g" ./.github/actions/test/integration/build/dev-user-butane.yaml
         butane --pretty --strict ./.github/actions/test/integration/build/dev-user-butane.yaml > "/opt/${TAG}.ign"
 
     - name: Download ubuntu cloud image

.github/actions/test/integration/build/dev-user-butane.yaml

@@ -50,12 +50,14 @@ storage:
     contents:
       inline: |
         NON_HUGEPAGES_PM=1000
-  # pull the image from GHCR instead of keppel
   - path: /opt/persist/gl-oci.conf
     mode: 0644
     contents:
       inline: |
+        # pull the image from GHCR instead of keppel
         OCI_REPO=ghcr.io/gardenlinux/gardenlinux-ccloud
+        # point to a custom tag to download for the persist step
+        OCI_TAG=TAG_GOES_HERE
   # Enable unlimited core dumps for all systemd services
   - path: /etc/systemd/system.conf.d/10-core.conf
     mode: 0644

.github/workflows/dev.yml

@@ -21,9 +21,18 @@ jobs:
         with:
           submodules: recursive
 
-      - name: use VERSION file to support dev build on rel-branch
+      - name: Derive version
         id: version
-        run: echo "VERSION=$(cat VERSION)" >> $GITHUB_OUTPUT
+        run: |
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # could also use another valid output instead of MAJOR.MINOR.PATCH
+            # https://github.com/gardenlinux/gardenlinux/blob/d6f26762652a6c3f5b9e79dedeadcc4a61b0a7db/bin/garden-version#L146-L152
+            # would also make deletion "easy" since the format for PR images is fixed and unique
+            # we pull by the additional tag, bootstrap happens via the version inside the image
+            echo "VERSION=today" >> $GITHUB_OUTPUT
+          else
+            echo "VERSION=$(cat VERSION)" >> $GITHUB_OUTPUT
+          fi
 
   build:
     needs: [set_version]
@@ -67,7 +76,6 @@ jobs:
       version: ${{ needs.set_version.outputs.VERSION }}
       upload_version: ${{ needs.meta.outputs.UPLOAD_VERSION }}
       flavor_filter: '--include-only "metal-sci_usi-amd64"'
-      additional_semver_tag: false
     secrets: inherit
 
   test:
@@ -76,4 +84,8 @@ jobs:
     if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.event.action != 'closed' }}
     uses: ./.github/workflows/test.yml
     with:
-      image_tag: "pr-${{ github.event.pull_request.number }}-metal-sci_usi-amd64-${{ needs.set_version.outputs.VERSION }}-${{ needs.meta.outputs.COMMIT_SHA }}-amd64"
+      image_tag: "${{ needs.meta.outputs.UPLOAD_VERSION }}-metal-sci-usi-amd64-${{ needs.meta.outputs.COMMIT_SHA }}-amd64"
+
+# TODO on PR close, clean up everything in form of
+# oras repo tags ghcr.io/gardenlinux/gardenlinux-ccloud | grep -v -E '^[0-9]{4}\.[0-9]+.*$'
+# oras repo tags ghcr.io/gardenlinux/gardenlinux-ccloud | grep -E '^PREFIX$'

.github/workflows/upload_oci.yml

@@ -8,9 +8,6 @@ on:
       upload_version:
         type: string
         default: ""
-      additional_semver_tag:
-        type: boolean
-        default: true
       flavor_filter:
         type: string
         default: '--exclude "bare-*"'
@@ -71,19 +68,17 @@ jobs:
             --dir "${CNAME}" \
             --container "ghcr.io/${{ github.repository }}" \
             --arch ${{ matrix.arch }} \
-            --version ${{ inputs.upload_version || inputs.version }} \
+            --version ${{ inputs.version }} \
             --cname "${CNAME}" \
             --cosign_file digest.txt \
             --manifest_file "oci_manifest_entry_${CNAME}.json"
       - name: Add additional semver tag
-        if: ${{ inputs.additional_semver_tag }}
         run: |
           echo ${{ secrets.GITHUB_TOKEN }} | oras login -u ${{ github.repository_owner }} --password-stdin ghcr.io
-          UPLOAD_VER="${{ inputs.upload_version || inputs.version }}"
           CNAME2=${CNAME//_/-}
           CNAME2=${CNAME2//-${{ inputs.version }}/}
-          echo "Adding additional tag: ${UPLOAD_VER}-${CNAME2}-${{ matrix.arch }}"
-          oras tag ghcr.io/${{ github.repository }}:${UPLOAD_VER}-${CNAME}-${{ matrix.arch }} ${UPLOAD_VER}-${CNAME2}-${{ matrix.arch }}
+          echo "Adding additional tag: ${{ inputs.upload_version || inputs.version }}-${CNAME2}-${{ matrix.arch }}"
+          oras tag ghcr.io/${{ github.repository }}:${{ inputs.version }}-${CNAME}-${{ matrix.arch }} ${{ inputs.upload_version || inputs.version }}-${CNAME2}-${{ matrix.arch }}
       - uses: actions/cache/save@5a3ec84eff668545956fd18022155c47e93e2684 # [email protected]
         with:
           path: oci_manifest_entry_${{ env.CNAME }}.json

features/_usi/initrd.include/usr/bin/persist

@@ -62,20 +62,19 @@ if [ ! -f "$OS_RELEASE_FILE" ]; then
   echo "File not found '$OS_RELEASE_FILE', exiting"
   exit 1
 fi
-
-# source optional config file
-[ -f /sysroot/opt/persist/gl-oci.conf ] && . /sysroot/opt/persist/gl-oci.conf
-OCI_REPO="${OCI_REPO:-keppel.global.cloud.sap/ccloud-ghcr-io-mirror/gardenlinux/gardenlinux-ccloud}"
-OCI_ARCH="${OCI_ARCH:-amd64}"
-
 # source os-release file
 . "$OS_RELEASE_FILE"
 
 # oras needs a proper HOME variable
 export HOME=/root
 
+# source optional config file
+[ -f /sysroot/opt/persist/gl-oci.conf ] && . /sysroot/opt/persist/gl-oci.conf
+OCI_REPO="${OCI_REPO:-keppel.global.cloud.sap/ccloud-ghcr-io-mirror/gardenlinux/gardenlinux-ccloud}"
+OCI_ARCH="${OCI_ARCH:-amd64}"
+
 # setup OCI_TAG, UKI_SHA and fetch UKI
-OCI_TAG="$GARDENLINUX_VERSION-$VARIANT_ID-$GARDENLINUX_COMMIT_ID-$OCI_ARCH"
+OCI_TAG=${OCI_TAG:-"$GARDENLINUX_VERSION-$VARIANT_ID-$GARDENLINUX_COMMIT_ID-$OCI_ARCH"}
 OCI_TAG=${OCI_TAG//_/-} # replace underscores with dashes
 UKI_SHA=$(oras manifest fetch "$OCI_REPO:${OCI_TAG}" | jq -r '.layers[] | select(.mediaType=="application/io.gardenlinux.uki") | .digest')
 oras blob fetch "$OCI_REPO@$UKI_SHA" -o "$esp_dir/EFI/Linux/uki.efi"