test: include label inside promotion step

Author: andrpac

.github/actions/build-push-image/action.yaml

@@ -100,3 +100,5 @@ runs:
         sbom: true
         push: true
         tags: ${{ inputs.tags }}
+        labels: |
+          org.opencontainers.image.revision=${{ github.sha }}

.github/actions/image2commit/action.yml

@@ -0,0 +1,40 @@
+name: image2commit
+description: Resolve full commit SHA from a promoted image tag.
+
+inputs:
+  register:
+    description: "Registry (e.g., docker.io, quay.io)"
+    required: true
+  repo:
+    description: "Repository path (e.g., andrpac/my-repo)"
+    required: true
+  image_sha:
+    description: "Short SHA or 'latest'"
+    required: true
+
+outputs:
+  commit_sha:
+    description: "Resolved full commit SHA"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install skopeo and jq
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y skopeo jq
+
+    - name: Resolve commit SHA
+      id: resolve
+      shell: bash
+      run: |
+        chmod +x ${{ github.action_path }}/entrypoint.sh
+        full_sha=$(${{
+          github.action_path
+        }}/entrypoint.sh \
+          "${{ inputs.register }}" \
+          "${{ inputs.repo }}" \
+          "${{ inputs.image_sha }}"
+        )
+        echo "commit_sha=$full_sha" >> $GITHUB_OUTPUT

.github/actions/image2commit/entrypoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script retrives the git commit sha given an image sha
+
+set -euo pipefail
+
+registry="$1"
+repo="$2"
+image_sha="$3"
+
+if [[ "$image_sha" == "latest" ]]; then
+  tag="promoted-latest"
+else
+  tag="promoted-${image_sha}"
+fi
+
+full_image="${registry}/${repo}:${tag}"
+
+sha=$(skopeo inspect "docker://${full_image}" | jq -r '.Labels["org.opencontainers.image.revision"]')
+
+if [[ -z "$sha" || "$sha" == "null" ]]; then
+  echo "Error: Could not extract commit SHA from $full_image" >&2
+  exit 1
+fi
+
+echo "$sha"

.github/workflows/promote-image.yml

@@ -42,12 +42,6 @@ jobs:
           username: ${{ secrets.QUAY_USERNAME }}
           password: ${{ secrets.QUAY_PASSWORD }}
 
-      # Note, we have to be careful how we retrive the image. The event that pushed 
-      # the image to the ghcr.io repo was mainly a push/schedule that passed all the
-      # tests. This event has access to github.ref_name. However, the workflow_run
-      # event does not have access github.ref_name set up. 
-      # 
-      # Therefore, we need to manually specify the branch as main
       - name: Prepare image tag
         id: set_tag
         uses: ./.github/actions/set-tag
@@ -69,6 +63,8 @@ jobs:
           IMAGE_DEST_REPO: ${{ env.DOCKER_REPO }}
           IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }}
           IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }}
+          ALIAS_ENABLED: true
+          ALIAS_TAG: promoted-latest
 
       - name: Move image to Quay
         run: ./scripts/move-image.sh
@@ -77,3 +73,5 @@ jobs:
           IMAGE_DEST_REPO: ${{ env.QUAY_REPO }}
           IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }}
           IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }}
+          ALIAS_ENABLED: true
+          ALIAS_TAG: promoted-latest

.github/workflows/release-image.yml

@@ -4,26 +4,156 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: "Release version (e.g., 1.2.3)"
+        description: "Release version"
         required: true
         type: string
       authors:
-        description: "Comma-separated list of the release authors' emails (e.g. [email protected],[email protected])"
+        description: "Comma-separated list of author emails"
         required: true
         type: string
-      commit_sha:
-        description: "Commit SHA to use for the image (e.g. 7c2a91 or latest)"
+      image_sha:
+        description: "6-digit commit SHA used for the promoted image (e.g. 3e79a3 or 'latest')"
         required: false
         default: "latest"
         type: string
 
 permissions:
   contents: write
   pull-requests: write
-      
+     
 jobs:
+
+  # Note, the first step is necessary for getting the exact commit from the passed in image_sha
+  # This is because, the release-image step should exactly check out that exact commit
+  image2commit:
+    name: Resolve Commit SHA from Image
+    runs-on: ubuntu-latest
+    outputs:
+      commit_sha: ${{ steps.resolve.outputs.commit_sha }}
+
+    steps:
+      - name: Log in to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Run image2commit
+        id: resolve
+        uses: ./.github/actions/image2commit
+        with:
+          register: docker.io
+          repo: andrpac/mongodb-atlas-kubernetes-operator-prerelease
+          image_sha: ${{ github.event.inputs.image_sha }}
+
+  check-commit:
+    name: Check resolved commit
+    runs-on: ubuntu-latest
+    needs: image2commit
+    steps:
+      - name: Echo resolved commit
+        run: |
+          echo "Resolved commit: ${{ needs.image2commit.outputs.commit_sha }}"
+
+  prepare-environment:
+    name: Set up Environment Variables
+    runs-on: ubuntu-latest
+    if: false
+    environment: release
+
+    outputs:
+      # Inputs
+      version:                        ${{ steps.setup.outputs.version }}
+      authors:                        ${{ steps.setup.outputs.authors }}
+      commit_sha:                     ${{ steps.setup.outputs.commit_sha }}
+
+      # Release related
+      release_commit:                 ${{ steps.setup.outputs.release_commit }}
+      release_branch:                 ${{ steps.setup.outputs.release_branch }}
+
+      # Tags
+      promoted_tag:                   ${{ steps.setup.outputs.promoted_tag }}
+      release_tag:                    ${{ steps.setup.outputs.release_tag }}
+      certified_tag:                  ${{ steps.setup.outputs.certified_tag }}
+
+      # Repos
+      docker_prerelease_repo:         ${{ steps.setup.outputs.docker_prerelease_repo }}
+      docker_release_repo:            ${{ steps.setup.outputs.docker_release_repo }}
+      docker_signature_repo:          ${{ steps.setup.outputs.docker_signature_repo }}
+      quay_prerelease_repo:           ${{ steps.setup.outputs.quay_prerelease_repo }}
+      quay_release_repo:              ${{ steps.setup.outputs.quay_release_repo }}
+
+      # Image URLs
+      docker_image_url:               ${{ steps.setup.outputs.docker_image_url }}
+      quay_image_url:                 ${{ steps.setup.outputs.quay_image_url }}
+      quay_certified_image_url:       ${{ steps.setup.outputs.quay_certified_image_url }}
+
+    steps:
+      - name: Log in to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Resolve inputs
+        id: inputs
+        run: |
+          echo "version=${{ github.event.inputs.version }}" >> $GITHUB_OUTPUT
+          echo "authors=${{ github.event.inputs.authors }}" >> $GITHUB_OUTPUT
+          echo "image_sha=${{ github.event.inputs.image_sha }}" >> $GITHUB_OUTPUT
+
+      - name: Resolve commit SHA from image
+        id: image2commit
+        uses: ./.github/actions/image2commit
+        with:
+          image_sha: ${{ steps.inputs.outputs.image_sha }}
+          repo: docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+
+      - name: Set derived environment variables
+        id: setup
+        run: |
+          version="${{ steps.inputs.outputs.version }}"
+          authors="${{ steps.inputs.outputs.authors }}"
+          sha="${{ steps.image2commit.outputs.commit_sha }}"
+
+          docker_prerelease_repo="docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease"
+          docker_release_repo="docker.io/andrpac/mongodb-atlas-kubernetes-operator"
+          docker_signature_repo="docker.io/andrpac/signatures"
+          quay_prerelease_repo="quay.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease"
+          quay_release_repo="quay.io/andrpac/mongodb-atlas-kubernetes-operator"
+
+          short_sha="${sha:0:6}"
+          promoted_tag="promoted-${short_sha}"
+
+          release_tag="$version"
+          certified_tag="certified-${version}"
+          release_branch="new-release/${version}"
+          docker_image_url="${docker_release_repo}:${release_tag}"
+          quay_image_url="${quay_release_repo}:${release_tag}"
+          quay_certified_image_url="${quay_release_repo}:${certified_tag}"
+
+          echo "version=$version"                                   >> $GITHUB_OUTPUT
+          echo "authors=$authors"                                   >> $GITHUB_OUTPUT
+          echo "commit_sha=${{ steps.inputs.outputs.image_sha }}"   >> $GITHUB_OUTPUT
+          echo "release_commit=$sha"                                >> $GITHUB_OUTPUT
+          echo "release_branch=$release_branch"                     >> $GITHUB_OUTPUT
+          echo "promoted_tag=$promoted_tag"                         >> $GITHUB_OUTPUT
+          echo "release_tag=$release_tag"                           >> $GITHUB_OUTPUT
+          echo "certified_tag=$certified_tag"                       >> $GITHUB_OUTPUT
+          echo "docker_prerelease_repo=$docker_prerelease_repo"     >> $GITHUB_OUTPUT
+          echo "docker_release_repo=$docker_release_repo"           >> $GITHUB_OUTPUT
+          echo "docker_signature_repo=$docker_signature_repo"       >> $GITHUB_OUTPUT
+          echo "quay_prerelease_repo=$quay_prerelease_repo"         >> $GITHUB_OUTPUT
+          echo "quay_release_repo=$quay_release_repo"               >> $GITHUB_OUTPUT
+          echo "docker_image_url=$docker_image_url"                 >> $GITHUB_OUTPUT
+          echo "quay_image_url=$quay_image_url"                     >> $GITHUB_OUTPUT
+          echo "quay_certified_image_url=$quay_certified_image_url" >> $GITHUB_OUTPUT
+
   release-image:
     runs-on: ubuntu-latest
+    if: false
     environment: release
     env:
       VERSION: ${{ github.event.inputs.version }}

.github/workflows/test-e2e.yml

@@ -18,8 +18,8 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - id: compute
-        name: Compute K8s Matrix
+      - name: Compute K8s matrix/versions for testing
+        id: compute
         run: |
           matrix='["v1.30.10-kind"]'
           if [ "${{ github.ref }}" == "refs/heads/main" ]; then
@@ -37,21 +37,25 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha || github.sha }}
-
-      - id: set_tag
+      
+      - name: Prepare image tag
+        id: set_tag
         uses: ./.github/actions/set-tag
-
-      - id: set_image_url
+      
+      - name: Prepare image url for GitHub Container Registry
+        id: set_image_url
         run: |
           echo "image_url=${REPO}:${{ steps.set_tag.outputs.tag }}" >> "$GITHUB_OUTPUT"
 
-      - run: |
-          echo "${{ secrets.GITHUB_TOKEN }}" \
-          | docker login ghcr.io \
-              -u ${{ github.actor }} \
-              --password-stdin
-
-      - uses: ./.github/actions/build-push-image
+      - name: Log in to the GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Build and push image to GitHub Container Registry
+        uses: ./.github/actions/build-push-image
         with:
           file: fast.Dockerfile
           repository: ${{ env.REPO }}
@@ -75,13 +79,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - uses: jetify-com/[email protected]
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+      
+      - name: Install devbox
+        uses: jetify-com/[email protected]
         with:
           enable-cache: 'true'
 
-      - uses: ./.github/actions/gen-install-scripts
+      - name: Generate kustomized all-in-one install configs
+        uses: ./.github/actions/gen-install-scripts
         with:
           ENV: dev
           VERSION: dev
@@ -92,7 +98,7 @@ jobs:
           echo "k8s_version=$(echo '${{ matrix.k8s }}' | awk -F '-' '{print $1}')" >> $GITHUB_OUTPUT
           echo "k8s_platform=$(echo '${{ matrix.k8s }}' | awk -F '-' '{print $2}')" >> $GITHUB_OUTPUT
 
-      - name: Setup kind cluster if needed
+      - name: Setup kind cluster
         if: ${{ steps.extract.outputs.k8s_platform == 'kind' }}
         uses: helm/[email protected]
         with:
@@ -102,9 +108,14 @@ jobs:
           cluster_name: ${{ matrix.test }}-${{ matrix.k8s }}
           wait: 180s
 
-      - run: devbox run -- kubectl version
-      - run: devbox run -- kubectl apply -f deploy/crds
-      - run: devbox run -- ./scripts/launch-ci-e2e.sh
+      - name: Print Kubernetes version
+        run: devbox run -- kubectl version
+
+      - name: Apply CRDs
+        run: devbox run -- kubectl apply -f deploy/crds
+
+      - name: Run CI E2E tests
+        run: devbox run -- ./scripts/launch-ci-e2e.sh
         env:
           TEST_NAME: ${{ matrix.test }}
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -118,7 +129,8 @@ jobs:
           DATADOG_KEY: ${{ secrets.DATADOG_KEY }}
           PAGER_DUTY_SERVICE_KEY: ${{ secrets.PAGER_DUTY_SERVICE_KEY }}
 
-      - if: ${{ failure() }}
+      - name: Upload logs on failure
+        if: ${{ failure() }}
         uses: actions/upload-artifact@v4
         with:
           name: logs