Move configuration around

- more convenient changes
- root BUILD is tied to individual image config
- add check to see if any diffs in build config occur (tag:rule)

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

.github/workflows/config-diff.yaml

@@ -0,0 +1,116 @@
+name: Config Check
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  pull-requests: write
+  
+jobs:
+  diff:
+    runs-on: distroless-ci-large-ubuntu-22.04
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: "1.25"
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/bazel-repo
+          key: bazel-cache-deps-ci2-${{ github.sha }}
+          restore-keys: |
+            bazel-cache-deps-ci2-${{ github.sha }}
+            bazel-cache-deps-ci2-
+
+      - name: Checkout PR Branch
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          path: pr_branch
+
+      - name: Build :sign_and_push.query for PR
+        run: |
+          cd pr_branch
+          bazel build :sign_and_push.query
+          cp bazel-bin/sign_and_push_query ../pr_query_output.txt
+          cd ..
+
+      - name: Checkout main Branch
+        uses: actions/checkout@v5
+        with:
+          ref: main
+          path: main_branch
+
+      - name: Build :sign_and_push.query for main
+        run: |
+          cd main_branch
+          bazel build :sign_and_push.query
+          cp bazel-bin/sign_and_push_query ../main_query_output.txt
+          cd ..
+
+      - name: Diff the query outputs
+        id: diff
+        run: |
+          # diff may exit with non-zero
+          DIFF_OUTPUT=$(diff -u main_query_output.txt pr_query_output.txt) || true
+          
+          if [ -z "$DIFF_OUTPUT" ]; then
+            echo "HAS_DIFF=false" >> $GITHUB_ENV
+          else
+            echo "HAS_DIFF=true" >> $GITHUB_ENV
+            echo "$DIFF_OUTPUT" > diff_output.txt
+            echo "changed_build<<EOF" >> $GITHUB_OUTPUT
+            echo "$DIFF_OUTPUT" >> $GITHUB_OUTPUT
+            echo "EOF" >> $GITHUB_OUTPUT
+          fi
+
+      - uses: actions/upload-artifact@v5
+        id: report
+        with:
+          name: "Report"
+          path: ./diff_output.txt
+
+      - uses: peter-evans/find-comment@v4
+        id: fc
+        if: ${{ !github.event.pull_request.head.repo.fork }}
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: "github-actions[bot]"
+          body-includes: 🌳 🔧 Config Check
+
+      - name: Report diff
+        if: ${{ !github.event.pull_request.head.repo.fork && env.HAS_DIFF }}
+        uses: peter-evans/create-or-update-comment@v5
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            🌳 🔧 Config Check
+
+            This pull request has modified the root BUILD
+
+            ```diff
+            ${{steps.diff.outputs.changed_build}}
+            ```
+
+            You can check the details in the report [here](${{steps.report.outputs.artifact-url}})
+          edit-mode: replace
+
+      - name: Report no diff
+        if: ${{ !github.event.pull_request.head.repo.fork && !steps.diff.outputs.changed_targets }}
+        uses: peter-evans/create-or-update-comment@v5
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          body: |
+            🌳 🔧 Config Check
+
+            This pull request has not modified the root BUILD
+          edit-mode: replace