refactor(build): standardize image push with shared docker utilities

- Add openshift/scripts/utils/docker.sh with push_to_artifactory()
  and build_and_push() functions (retry 3x with 15s backoff)
- Moodle: restore --cache-to registry (removed in 5a537a8, caused
  manifest invalid errors), use push_to_artifactory for separate push
- PHP: restore --output=type=image,push=true (working pattern), wrap
  with build_and_push for retry on transient Artifactory errors
- Redis Proxy: same restore + build_and_push wrapper, extract build
  from report step into its own step

Author: warrenchristian1telus

.github/workflows/moodle.yml

@@ -121,12 +121,11 @@ jobs:
         run: |
           export BUILDKIT_PROGRESS=plain
 
-          # Build image but don't push yet
-          # Cache reads from both registry and GHA (gracefully skips missing caches)
-          # Cache writes to GHA only — registry cache is warmed in a separate non-blocking step
+          # Build image but don't push yet — scan first, then push separately
           docker buildx build \
             --cache-from type=registry,ref=${{ secrets.ARTIFACTORY_URL }}/${{ env.MOODLE_DEPLOYMENT_NAME }}:buildcache \
             --cache-from type=gha,scope=moodle-${{ github.ref_name }} \
+            --cache-to type=registry,ref=${{ secrets.ARTIFACTORY_URL }}/${{ env.MOODLE_DEPLOYMENT_NAME }}:buildcache,mode=max \
             --cache-to type=gha,scope=moodle-${{ github.ref_name }},mode=min \
             --build-arg MOODLE_URL=${{ inputs.MOODLE_URL }} \
             --build-arg MOODLE_BRANCH_VERSION=${{ inputs.MOODLE_BRANCH_VERSION }} \
@@ -187,20 +186,8 @@ jobs:
             "${{ secrets.ARTIFACTORY_URL }}/${{ env.MOODLE_DEPLOYMENT_NAME }}:${{ github.ref_name }}" \
             "$SEVERITY" \
             "$EXIT_ON_CRITICAL"      # Only push if security scan passed
-      - name: 📤 Push to Artifactory
-        run: |
-          echo "Pushing validated image to Artifactory..."
-          docker push ${{ secrets.ARTIFACTORY_URL }}/${{ env.MOODLE_DEPLOYMENT_NAME }}:${{ github.ref_name }}
 
-      # Warm registry buildcache separately so a cache push failure never blocks the build
-      - name: 🗄️ Warm Registry Build Cache
-        continue-on-error: true
+      - name: 📤 Push to Artifactory
         run: |
-          echo "Pushing build cache to Artifactory registry (non-blocking)..."
-          docker buildx build \
-            --cache-from type=gha,scope=moodle-${{ github.ref_name }} \
-            --cache-to type=registry,ref=${{ secrets.ARTIFACTORY_URL }}/${{ env.MOODLE_DEPLOYMENT_NAME }}:buildcache,mode=max \
-            --build-arg DOCKER_FROM_IMAGE=${{ secrets.ARTIFACTORY_URL }}/${{ env.PHP_DEPLOYMENT_NAME }}:${{ github.ref_name }} \
-            --output=type=cacheonly \
-            -f ${{ env.MOODLE_DOCKER_FILE_PATH }} \
-            . || echo "Warning: Registry build cache push failed — GHA cache is still available for next run"
+          source openshift/scripts/utils/docker.sh
+          push_to_artifactory "${{ secrets.ARTIFACTORY_URL }}/${{ env.MOODLE_DEPLOYMENT_NAME }}:${{ github.ref_name }}"

.github/workflows/php.yml

@@ -93,30 +93,17 @@ jobs:
           fi
           echo "======================================"
 
-      # Build PHP Image
-      - name: 🛠️ Build PHP Image
+      # Build and push PHP Image to Artifactory (with retry)
+      - name: 🛠️ Build and Push PHP Image
         run: |
+          source openshift/scripts/utils/docker.sh
           export BUILDKIT_PROGRESS=plain
-          docker buildx build \
-            --cache-from type=gha,scope=php \
-            --cache-to type=gha,scope=php,mode=max \
-            --build-arg DOCKER_FROM_IMAGE=${{ secrets.ARTIFACTORY_URL }}/${{ env.PHP_IMAGE }} \
-            --tag ${{ secrets.ARTIFACTORY_URL }}/${{ env.PHP_DEPLOYMENT_NAME }}:${{ github.ref_name }} \
-            --load \
-            -f ${{ env.PHP_DOCKER_FILE_PATH }} .
-
-      # Push PHP Image to Artifactory (with retry for transient registry errors)
-      - name: 📤 Push PHP Image to Artifactory
-        run: |
-          IMAGE="${{ secrets.ARTIFACTORY_URL }}/${{ env.PHP_DEPLOYMENT_NAME }}:${{ github.ref_name }}"
-          for attempt in 1 2 3; do
-            echo "🔄 Push attempt $attempt/3"
-            if docker push "$IMAGE"; then
-              echo "✅ Push succeeded on attempt $attempt"
-              exit 0
-            fi
-            echo "⚠️ Push failed on attempt $attempt"
-            [ "$attempt" -lt 3 ] && echo "⏳ Waiting 15s before retry..." && sleep 15
-          done
-          echo "❌ Push failed after 3 attempts"
-          exit 1
+          build_and_push "php:${{ github.ref_name }}" \
+            docker buildx build \
+              --cache-from type=gha,scope=php \
+              --cache-to type=gha,scope=php,mode=max \
+              --build-arg DOCKER_FROM_IMAGE=${{ secrets.ARTIFACTORY_URL }}/${{ env.PHP_IMAGE }} \
+              --tag ${{ secrets.ARTIFACTORY_URL }}/${{ env.PHP_DEPLOYMENT_NAME }}:${{ github.ref_name }} \
+              --output=type=image,push=true \
+              --push \
+              -f ${{ env.PHP_DOCKER_FILE_PATH }} .

.github/workflows/redis-proxy.yml

@@ -132,29 +132,16 @@ jobs:
           fi
           echo "=============================================="
 
-      # Build Redis Proxy Image
-      - name: 🛠️ Build Redis Proxy Image
+      # Build and push Redis Proxy Image to Artifactory (with retry)
+      - name: 🛠️ Build and Push Redis Proxy Image
         run: |
+          source openshift/scripts/utils/docker.sh
           export BUILDKIT_PROGRESS=plain
-          docker buildx build \
-            --build-arg GOLANG_FROM_IMAGE=${{ secrets.ARTIFACTORY_URL }}/${{ env.GOLANG_IMAGE }} \
-            --build-arg UBUNTU_FROM_IMAGE=${{ secrets.ARTIFACTORY_URL }}/${{ env.UBUNTU_IMAGE }} \
-            --tag ${{ secrets.ARTIFACTORY_URL }}/${{ env.REDIS_PROXY_NAME }}:${{ github.ref_name }} \
-            --load \
-            -f ./Redis.Proxy.Dockerfile .
-
-      # Push Redis Proxy Image to Artifactory (with retry for transient registry errors)
-      - name: 📤 Push Redis Proxy Image to Artifactory
-        run: |
-          IMAGE="${{ secrets.ARTIFACTORY_URL }}/${{ env.REDIS_PROXY_NAME }}:${{ github.ref_name }}"
-          for attempt in 1 2 3; do
-            echo "🔄 Push attempt $attempt/3"
-            if docker push "$IMAGE"; then
-              echo "✅ Push succeeded on attempt $attempt"
-              exit 0
-            fi
-            echo "⚠️ Push failed on attempt $attempt"
-            [ "$attempt" -lt 3 ] && echo "⏳ Waiting 15s before retry..." && sleep 15
-          done
-          echo "❌ Push failed after 3 attempts"
-          exit 1
+          build_and_push "redis-proxy:${{ github.ref_name }}" \
+            docker buildx build \
+              --build-arg GOLANG_FROM_IMAGE=${{ secrets.ARTIFACTORY_URL }}/${{ env.GOLANG_IMAGE }} \
+              --build-arg UBUNTU_FROM_IMAGE=${{ secrets.ARTIFACTORY_URL }}/${{ env.UBUNTU_IMAGE }} \
+              --tag ${{ secrets.ARTIFACTORY_URL }}/${{ env.REDIS_PROXY_NAME }}:${{ github.ref_name }} \
+              --output=type=image,push=true \
+              --push \
+              -f ./Redis.Proxy.Dockerfile .

openshift/scripts/utils/docker.sh

@@ -0,0 +1,106 @@
+#!/bin/bash
+# =============================================================================
+# Docker Build & Push Utilities
+# Standardized functions for building and pushing Docker images to Artifactory
+#
+# Usage:
+#   source openshift/scripts/utils/docker.sh
+#   push_to_artifactory "registry.example.com/my-image:tag"
+#   build_and_push "docker buildx build ... --push" "registry.example.com/my-image:tag"
+#
+# See also:
+#   - optimize-image-push.sh — base image mirroring (Docker Hub → Artifactory)
+#   - docker-security.sh     — vulnerability scanning before push
+# =============================================================================
+
+_DOCKER_UTILS_SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+if [[ -f "$_DOCKER_UTILS_SCRIPT_DIR/openshift.sh" ]]; then
+  source "$_DOCKER_UTILS_SCRIPT_DIR/openshift.sh"
+else
+  log_info()    { echo "ℹ️  $*" >&2; }
+  log_warn()    { echo "⚠️  $*" >&2; }
+  log_error()   { echo "❌ $*" >&2; }
+  log_success() { echo "✅ $*" >&2; }
+fi
+
+# =============================================================================
+# push_to_artifactory — Push a local Docker image to Artifactory with retry
+#
+# For images built with --output=type=docker (loaded into Docker daemon).
+# Retries handle transient Artifactory errors like "upload must be restarted".
+#
+# Arguments:
+#   $1  — Full image reference (e.g., registry.example.com/project/image:tag)
+#   $2  — Max retry attempts (default: 3)
+#   $3  — Backoff delay in seconds (default: 15)
+#
+# Returns:
+#   0 on success, 1 after all retries exhausted
+# =============================================================================
+push_to_artifactory() {
+  local image="${1:?push_to_artifactory: image reference required}"
+  local max_attempts="${2:-3}"
+  local backoff="${3:-15}"
+
+  log_info "Pushing image to Artifactory: ${image}"
+
+  for attempt in $(seq 1 "$max_attempts"); do
+    log_info "Push attempt ${attempt}/${max_attempts}"
+
+    if docker push "$image" 2>&1; then
+      log_success "Push succeeded on attempt ${attempt}"
+      return 0
+    fi
+
+    log_warn "Push failed on attempt ${attempt}"
+    if [[ "$attempt" -lt "$max_attempts" ]]; then
+      log_info "Waiting ${backoff}s before retry..."
+      sleep "$backoff"
+    fi
+  done
+
+  log_error "Push failed after ${max_attempts} attempts: ${image}"
+  return 1
+}
+
+# =============================================================================
+# build_and_push — Run a docker buildx build command with inline --push, with retry
+#
+# For builds that use --output=type=image,push=true (BuildKit pushes directly).
+# On transient push failure, retries the full build+push command.
+# BuildKit layer caching ensures rebuilds are near-instant.
+#
+# Arguments:
+#   $1  — Image name (for logging only)
+#   $2+ — The full docker buildx build command and arguments
+#
+# Returns:
+#   0 on success, 1 after all retries exhausted
+# =============================================================================
+build_and_push() {
+  local image_name="${1:?build_and_push: image name required}"
+  shift
+  local max_attempts=3
+  local backoff=15
+
+  log_info "Building and pushing: ${image_name}"
+
+  for attempt in $(seq 1 "$max_attempts"); do
+    log_info "Build+push attempt ${attempt}/${max_attempts}"
+
+    if "$@" 2>&1; then
+      log_success "Build+push succeeded on attempt ${attempt}"
+      return 0
+    fi
+
+    log_warn "Build+push failed on attempt ${attempt}"
+    if [[ "$attempt" -lt "$max_attempts" ]]; then
+      log_info "Waiting ${backoff}s before retry (cached layers make rebuild fast)..."
+      sleep "$backoff"
+    fi
+  done
+
+  log_error "Build+push failed after ${max_attempts} attempts: ${image_name}"
+  return 1
+}