feat: create release pipeline

Author: andrpac

.github/actions/build-push-image/action.yaml

@@ -99,3 +99,5 @@ runs:
         sbom: true
         push: true
         tags: ${{ inputs.tags }}
+        labels: |
+          org.opencontainers.image.revision=${{ github.sha }}

.github/actions/image2commit/action.yml

@@ -0,0 +1,42 @@
+name: image2commit
+description: Resolve full commit SHA from a promoted image tag.
+
+inputs:
+  register:
+    description: "Registry (e.g., docker.io, quay.io)"
+    required: true
+  repo:
+    description: "Repository path (e.g., andrpac/my-repo)"
+    required: true
+  image_sha:
+    description: "Short SHA or 'latest'"
+    required: true
+
+outputs:
+  commit_sha:
+    description: "Resolved full commit SHA"
+    value: ${{ steps.resolve.outputs.commit_sha }}
+runs:
+  using: "composite"
+  steps:
+    - name: Install skopeo and jq
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y skopeo jq
+
+    - name: Resolve commit SHA
+      id: resolve
+      shell: bash
+      run: |
+        chmod +x ${{ github.action_path }}/entrypoint.sh
+        full_sha=$(${{
+          github.action_path
+        }}/entrypoint.sh \
+          "${{ inputs.register }}" \
+          "${{ inputs.repo }}" \
+          "${{ inputs.image_sha }}"
+        )
+
+        echo "Raw full_sha: $full_sha"
+        echo "commit_sha=$full_sha" >> $GITHUB_OUTPUT

.github/actions/image2commit/entrypoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script retrives the git commit sha given an image sha
+
+set -euo pipefail
+
+registry="$1"
+repo="$2"
+image_sha="$3"
+
+if [[ "$image_sha" == "latest" ]]; then
+  tag="promoted-latest"
+else
+  tag="promoted-${image_sha}"
+fi
+
+full_image="${registry}/${repo}:${tag}"
+
+sha=$(skopeo inspect "docker://${full_image}" | jq -r '.Labels["org.opencontainers.image.revision"]')
+
+if [[ -z "$sha" || "$sha" == "null" ]]; then
+  echo "Error: Could not extract commit SHA from $full_image" >&2
+  exit 1
+fi
+
+echo "$sha"

.github/workflows/promote-image.yml

@@ -4,15 +4,14 @@ on:
   workflow_run:
     workflows: ["Test"]
     types: [completed]
+  push:
+    branches:
+      - '**'
 
 jobs:
   promote-image:
     runs-on: ubuntu-latest
     environment: release
-    if: |
-      github.event.workflow_run.head_branch == 'main' &&
-      github.event.workflow_run.conclusion == 'success' &&
-      github.event.workflow_run.event == 'schedule'
     env:
       GHCR_REPO: ghcr.io/mongodb/mongodb-atlas-kubernetes-operator-prerelease
       DOCKER_REPO: docker.io/mongodb/mongodb-atlas-kubernetes-operator-prerelease
@@ -21,43 +20,33 @@ jobs:
       - name: Checkout PR commit
         uses: actions/checkout@v4
 
-      # Note, we have to be careful how we retrive the image. The event that pushed 
-      # the image to the ghcr.io repo was mainly a push/schedule that passed all the
-      # tests. This event has access to github.ref_name. However, the workflow_run
-      # event does not have access github.ref_name set up. 
-      # 
-      # Therefore, we need to manually specify the branch as main
-      - name: Prepare image tag
-        id: set_tag
-        uses: ./.github/actions/set-tag
-        with:
-          branch_name: ${{ github.event.workflow_run.head_branch }}
-          commit_sha: ${{ github.event.workflow_run.head_sha }}
-
       - name: Log in to the GitHub Container Registry
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Pull unofficial image from GitHub Container Registry
-        run: |
-          docker pull ${{ env.GHCR_REPO }}:${{ steps.set_tag.outputs.tag }}
-
       - name: Login to Docker registry
         uses: docker/login-action@v3
         with:
           registry: docker.io
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-            
+      
       - name: Log in to Quay registry
         uses: docker/login-action@v3
         with:
           registry: quay.io
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
+
+      - name: Prepare image tag
+        id: set_tag
+        uses: ./.github/actions/set-tag
+        with:
+          branch_name: ${{ github.event.workflow_run.head_branch }}
+          commit_sha: ${{ github.event.workflow_run.head_sha }}
 
       - name: Prepare tag for promoted image
         id: promoted_tag
@@ -73,6 +62,8 @@ jobs:
           IMAGE_DEST_REPO: ${{ env.DOCKER_REPO }}
           IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }}
           IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }}
+          ALIAS_ENABLED: true
+          ALIAS_TAG: promoted-latest
 
       - name: Move image to Quay
         run: ./scripts/move-image.sh
@@ -81,3 +72,5 @@ jobs:
           IMAGE_DEST_REPO: ${{ env.QUAY_REPO }}
           IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }}
           IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }}
+          ALIAS_ENABLED: true
+          ALIAS_TAG: promoted-latest

.github/workflows/release-branch.yml

@@ -1,7 +1,7 @@
-# Create Release Branch
+# DEPRECATED: Create Release Branch
 # TODO after GitHub add permission for action-bot to commit to the protected branches - please merge release-* workflow into one
 
-name: Create Release Branch
+name: "[Deprecated] Create Release Branch"
 
 on:
   workflow_dispatch: