Cloudp 329235/draft releases

.github/actions/build-push-image/action.yaml

@@ -57,7 +57,8 @@ runs:
     - name: "Set up Docker Buildx"
       uses: docker/setup-buildx-action@v3
       with:
-        platforms: ${{ inputs.platforms }}
+        driver: docker-container
+        use: true
 
     # Devbox setup steps
     - name: Install devbox
@@ -99,3 +100,5 @@ runs:
         sbom: true
         push: true
         tags: ${{ inputs.tags }}
+        labels: |
+          org.opencontainers.image.revision=${{ github.sha }}

.github/actions/gen-install-scripts/Dockerfile

@@ -1,30 +1,35 @@
 FROM golang:1.24
 
 ENV KUBECTL_VERSION 1.18.12
+ENV KUSTOMIZE_VERSION 5.7.0
 ENV GO111MODULE on
 
 RUN go install github.com/mikefarah/yq/v4@latest
 
-# Install
+# Install kubectl
 RUN curl -L https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl -o /usr/bin/kubectl && \
     chmod +x /usr/bin/kubectl
 
-RUN cd /usr/local/bin &&\
-    curl -L https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh | bash
+# Install kustomize (safe, pinned, prebuilt binary)
+RUN curl -L https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_amd64.tar.gz \
+    -o /tmp/kustomize.tar.gz && \
+    tar -xzvf /tmp/kustomize.tar.gz -C /usr/local/bin && \
+    chmod +x /usr/local/bin/kustomize
 
+# Install controller-gen
 RUN CONTROLLER_GEN_TMP_DIR=$(mktemp -d) && \
     cd $CONTROLLER_GEN_TMP_DIR && \
     go mod init tmp && \
     go install sigs.k8s.io/controller-tools/cmd/[email protected] && \
     rm -rf $CONTROLLER_GEN_TMP_DIR && \
     CONTROLLER_GEN=${GOBIN}/controller-gen
 
+# Install operator-sdk
 RUN curl -LO https://github.com/operator-framework/operator-sdk/releases/download/v1.34.1/operator-sdk_linux_amd64 && \
     chmod +x operator-sdk_linux_amd64 && \
     mv operator-sdk_linux_amd64 /usr/local/bin/operator-sdk
 
-# Copies your code file from your action repository to the filesystem path `/` of the container
 COPY entrypoint.sh /home/entrypoint.sh
 RUN chmod +x /home/entrypoint.sh
-# Code file to execute when the docker container starts up (`entrypoint.sh`)
+
 ENTRYPOINT ["/home/entrypoint.sh"]

.github/actions/image2commit/action.yml

@@ -0,0 +1,42 @@
+name: image2commit
+description: Resolve full commit SHA from a promoted image tag.
+
+inputs:
+  register:
+    description: "Registry (e.g., docker.io, quay.io)"
+    required: true
+  repo:
+    description: "Repository path (e.g., andrpac/my-repo)"
+    required: true
+  image_sha:
+    description: "Short SHA or 'latest'"
+    required: true
+
+outputs:
+  commit_sha:
+    description: "Resolved full commit SHA"
+    value: ${{ steps.resolve.outputs.commit_sha }}
+runs:
+  using: "composite"
+  steps:
+    - name: Install skopeo and jq
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y skopeo jq
+
+    - name: Resolve commit SHA
+      id: resolve
+      shell: bash
+      run: |
+        chmod +x ${{ github.action_path }}/entrypoint.sh
+        full_sha=$(${{
+          github.action_path
+        }}/entrypoint.sh \
+          "${{ inputs.register }}" \
+          "${{ inputs.repo }}" \
+          "${{ inputs.image_sha }}"
+        )
+
+        echo "Raw full_sha: $full_sha"
+        echo "commit_sha=$full_sha" >> $GITHUB_OUTPUT

.github/actions/image2commit/entrypoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# Copyright 2025 MongoDB Inc
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script retrives the git commit sha given an image sha
+
+set -euo pipefail
+
+registry="$1"
+repo="$2"
+image_sha="$3"
+
+if [[ "$image_sha" == "latest" ]]; then
+  tag="promoted-latest"
+else
+  tag="promoted-${image_sha}"
+fi
+
+full_image="${registry}/${repo}:${tag}"
+
+sha=$(skopeo inspect "docker://${full_image}" | jq -r '.Labels["org.opencontainers.image.revision"]')
+
+if [[ -z "$sha" || "$sha" == "null" ]]; then
+  echo "Error: Could not extract commit SHA from $full_image" >&2
+  exit 1
+fi
+
+echo "$sha"

.github/actions/set-tag/action.yml

@@ -1,8 +1,18 @@
 name: 'Setup tag for docker image'
-description: 'Setup tag for docker image: branch name with commit ID'
+description: 'Generates a Docker image tag using branch name and short commit SHA.'
+inputs:
+  branch_name:
+    description: 'Branch name to use for the tag (e.g., main, feature-xyz). Optional.'
+    required: false
+  commit_sha:
+    description: 'Full commit SHA to extract the short commit ID from. Optional.'
+    required: false
+
 outputs:
   tag:
-    description: 'tag for the image'
+    description: 'Generated image tag in the format {branch-name}-{6-char-sha}'
+
 runs:
   using: 'docker'
   image: 'Dockerfile'
+  args: []

.github/actions/set-tag/entrypoint.sh

@@ -13,17 +13,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-#set -eou pipefail
+set -eou pipefail
 
 git config --global --add safe.directory /github/workspace
 
-# Setup tag name
-commit_id=$(git rev-parse --short HEAD)
-branch_name=${GITHUB_HEAD_REF-}
-if [ -z "${branch_name}" ]; then
-    branch_name=$(echo "$GITHUB_REF" | awk -F'/' '{print $3}')
+# Get the full commit hash and shorten to 6 characters
+full_commit_sha="${INPUT_COMMIT_SHA:-}"
+if [ -z "$full_commit_sha" ]; then
+  full_commit_sha=$(git rev-parse HEAD)
+fi
+commit_id=$(echo "$full_commit_sha" | cut -c1-6)
+
+# Get the full branch name
+branch_name="${INPUT_BRANCH_NAME:-}"
+if [ -z "$branch_name" ]; then
+  if [ -n "$GITHUB_HEAD_REF" ]; then
+    branch_name="$GITHUB_HEAD_REF"
+  else
+    branch_name="${GITHUB_REF#refs/heads/}"
+  fi
 fi
-branch_name=$(echo "${branch_name}" | awk '{print substr($0, 1, 15)}' | sed 's/\//-/g; s/\./-/g')
+
+# Replace / and . with -
+# Then truncate to 15 characters
+branch_name=$(echo "$branch_name" | sed 's/[\/\.]/-/g' | awk '{print substr($0, 1, 15)}')
+
+# Create tag as {branch_name}-{6-digit-commit} 
 tag="${branch_name}-${commit_id}"
-echo "tag=$tag" >> "$GITHUB_OUTPUT"
+echo "tag=${tag}" >> "$GITHUB_OUTPUT"

.github/workflows/cloud-tests-filter.yml

@@ -55,7 +55,7 @@ jobs:
             ACTOR: ${{ github.actor }}
           run: |
             # Evaluate whether or not cloud tests should run
-            RUN_CLOUD_TESTS='false'
+            RUN_CLOUD_TESTS='true'
             # Scheduled runs on default branch always run all tests
             if [ "${EVENT}" == "schedule" ];then
               RUN_CLOUD_TESTS='true'

.github/workflows/cloud-tests.yml

@@ -13,31 +13,15 @@ jobs:
     runs-on: ubuntu-latest
     if: |
       github.event_name == 'workflow_dispatch' ||
-      github.event_name == 'merge_group' ||
+      github.event_name == 'schedule' ||
       github.ref == 'refs/heads/main' ||
       (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]') ||
       contains(github.event.pull_request.labels.*.name, 'safe-to-test')
     steps:
-      - name: allowed message
+      - name: allowed messager
         run: echo "Allowed to run"
 
-  int-tests:
-    needs: allowed
-    uses: ./.github/workflows/test-int.yml
-    secrets: inherit
-
   e2e-tests:
     needs: allowed
     uses: ./.github/workflows/test-e2e.yml
     secrets: inherit
-
-  test-e2e-gov:
-    needs:
-      - allowed
-    uses: ./.github/workflows/test-e2e-gov.yml
-    secrets: inherit
-
-  openshift-upgrade-test:
-    needs: allowed
-    uses: ./.github/workflows/openshift-upgrade-test.yaml
-    secrets: inherit

.github/workflows/promote-image.yml

@@ -0,0 +1,77 @@
+name: Promote Image
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    types: [completed]
+
+jobs:
+  promote-image:
+    runs-on: ubuntu-latest
+    environment: release
+    if: |
+      github.event.workflow_run.head_branch == 'main' &&
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'schedule'
+    env:
+      GHCR_REPO: ghcr.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+      DOCKER_REPO: docker.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+      QUAY_REPO: quay.io/andrpac/mongodb-atlas-kubernetes-operator-prerelease
+    steps:
+      - name: Checkout PR commit
+        uses: actions/checkout@v4
+
+      - name: Log in to the GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Login to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Log in to Quay registry
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_PASSWORD }}
+
+      - name: Prepare image tag
+        id: set_tag
+        uses: ./.github/actions/set-tag
+        with:
+          branch_name: ${{ github.event.workflow_run.head_branch }}
+          commit_sha: ${{ github.event.workflow_run.head_sha }}
+
+      - name: Prepare tag for promoted image
+        id: promoted_tag
+        run: |
+          RAW_TAG="${{ steps.set_tag.outputs.tag }}"
+          COMMIT_SHA="${RAW_TAG##*-}"
+          echo "tag=promoted-${COMMIT_SHA}" >> $GITHUB_OUTPUT
+
+      - name: Move image to Docker Hub
+        run: ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.GHCR_REPO }}
+          IMAGE_DEST_REPO: ${{ env.DOCKER_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }}
+          IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }}
+          ALIAS_ENABLED: true
+          ALIAS_TAG: promoted-latest
+
+      - name: Move image to Quay
+        run: ./scripts/move-image.sh
+        env:
+          IMAGE_SRC_REPO: ${{ env.GHCR_REPO }}
+          IMAGE_DEST_REPO: ${{ env.QUAY_REPO }}
+          IMAGE_SRC_TAG: ${{ steps.set_tag.outputs.tag }}
+          IMAGE_DEST_TAG: ${{ steps.promoted_tag.outputs.tag }}
+          ALIAS_ENABLED: true
+          ALIAS_TAG: promoted-latest