Merge pull request #165 from morri-son/enhance-controller-release

Enhance controller release

Author: morri-son

.github/scripts/compute-version.js

@@ -10,19 +10,20 @@
  *
  * Rules:
  * - Tag refs (matching tagPrefix pattern): Extract version from tag name
- * - Branch/other refs: Generate pseudo-version (0.0.0-<sanitized-ref>)
+ * - Branch/other refs: Generate unique pseudo-version
+ *   (0.0.0-<sanitized-ref>.<yyyymmddHHMMSS>.<shortsha>)
  *
  * @param {string} ref - Git ref (branch name, tag name, or other ref)
  * @param {string} tagPrefix - Tag prefix pattern (e.g., "cli/v" or "bindings/go/helm/v")
+ * @param {{ now?: Date, gitSha?: string }} [options] - Optional deterministic inputs for testing or overrides
  * @returns {string} Computed version string
  *
  * @example
  * computeVersion("cli/v1.2.3", "cli/v") // returns "1.2.3"
  * computeVersion("bindings/go/helm/v2.0.0-alpha1", "bindings/go/helm/v") // returns "2.0.0-alpha1"
- * computeVersion("main", "cli/v") // returns "0.0.0-main"
- * computeVersion("releases/v0.1", "cli/v") // returns "0.0.0-releases-v0.1"
+ * computeVersion("main", "cli/v", { now: new Date("2026-03-03T12:34:56Z"), gitSha: "abcdef1234567890" }) // returns "0.0.0-main.20260303123456.abcdef123456"
  */
-export function computeVersion(ref, tagPrefix) {
+export function computeVersion(ref, tagPrefix, options = {}) {
     if (!ref) {
         throw new Error("ref is required");
     }
@@ -43,12 +44,49 @@ export function computeVersion(ref, tagPrefix) {
         return ref.replace(tagPrefix, "");
     } else {
         // Convert ref to semver-safe pseudo version
-        // Replace slashes and other problematic chars with hyphens
-        const sanitized = ref.replace(/[\/+#?_^%$]/g, "-").toLocaleLowerCase();
-        return `0.0.0-${sanitized}`;
+        // using current timestamp and git SHA for uniqueness
+        const timestamp = toUtcCompactTimestamp(options.now ?? new Date());
+        const sanitizedRef = sanitizePrereleaseIdentifier(ref) || "ref";
+        const shortSha = normalizeSha(options.gitSha ?? "unknown") || "unknown";
+
+        return `0.0.0-${sanitizedRef}.${timestamp}.${shortSha}`;
     }
 }
 
+/**
+ * Convert a value into a semver-safe prerelease identifier segment.
+ *
+ * @param {string} value
+ * @returns {string}
+ */
+function sanitizePrereleaseIdentifier(value) {
+    return value
+        .toLocaleLowerCase()
+        .replace(/[^0-9a-z.-]/g, "-")
+        .replace(/-+/g, "-")
+        .replace(/^-|-$/g, "");
+}
+
+/**
+ * Format a Date as UTC timestamp (yyyymmddHHMMSS).
+ *
+ * @param {Date} date
+ * @returns {string}
+ */
+function toUtcCompactTimestamp(date) {
+    return date.toISOString().replace(/[-:TZ.]/g, "").slice(0, 14);
+}
+
+/**
+ * Normalize a git SHA to lower-case hex and trim to 12 chars.
+ *
+ * @param {string} sha
+ * @returns {string}
+ */
+function normalizeSha(sha) {
+    return sha.toLocaleLowerCase().replace(/[^0-9a-f]/g, "").slice(0, 12);
+}
+
 /**
  * Escape special regex characters in a string.
  *
@@ -71,6 +109,7 @@ function escapeRegex(str) {
 export default async function computeVersionAction({ core }) {
     const ref = process.env.REF;
     const tagPrefix = process.env.TAG_PREFIX;
+    const gitSha = process.env.GITHUB_SHA;
 
     if (!ref) {
         core.setFailed("REF environment variable is required");
@@ -83,7 +122,7 @@ export default async function computeVersionAction({ core }) {
     }
 
     try {
-        const version = computeVersion(ref, tagPrefix);
+        const version = computeVersion(ref, tagPrefix, { gitSha });
 
         core.exportVariable("VERSION", version);
         core.setOutput("version", version);

.github/scripts/compute-version.test.js

@@ -25,20 +25,29 @@ assert.strictEqual(
 );
 
 assert.strictEqual(
-    computeVersion("main", "cli/v"),
-    "0.0.0-main",
-    "CLI main branch should create pseudo version"
+    computeVersion("main", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-main.20260303123456.abcdef123456",
+    "CLI main branch should create unique pseudo version"
 );
 
 assert.strictEqual(
-    computeVersion("releases/v0.1", "cli/v"),
-    "0.0.0-releases-v0.1",
+    computeVersion("releases/v0.1", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-releases-v0.1.20260303123456.abcdef123456",
     "CLI release branch should create pseudo version"
 );
 
 assert.strictEqual(
-    computeVersion("feature/my-branch", "cli/v"),
-    "0.0.0-feature-my-branch",
+    computeVersion("feature/my-branch", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-feature-my-branch.20260303123456.abcdef123456",
     "CLI feature branch should sanitize slashes"
 );
 
@@ -60,14 +69,20 @@ assert.strictEqual(
 );
 
 assert.strictEqual(
-    computeVersion("main", "bindings/go/helm/v"),
-    "0.0.0-main",
+    computeVersion("main", "bindings/go/helm/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-main.20260303123456.abcdef123456",
     "Helm plugin main branch should create pseudo version"
 );
 
 assert.strictEqual(
-    computeVersion("feat/new-feature", "bindings/go/helm/v"),
-    "0.0.0-feat-new-feature",
+    computeVersion("feat/new-feature", "bindings/go/helm/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-feat-new-feature.20260303123456.abcdef123456",
     "Helm plugin feature branch should sanitize slashes"
 );
 
@@ -95,27 +110,39 @@ assert.strictEqual(
 );
 
 assert.strictEqual(
-    computeVersion("pr/123/merge", "cli/v"),
-    "0.0.0-pr-123-merge",
+    computeVersion("pr/123/merge", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-pr-123-merge.20260303123456.abcdef123456",
     "PR refs should be sanitized"
 );
 
 assert.strictEqual(
-    computeVersion("refs/heads/main", "cli/v"),
-    "0.0.0-refs-heads-main",
+    computeVersion("refs/heads/main", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-refs-heads-main.20260303123456.abcdef123456",
     "Full ref paths should be sanitized"
 );
 
 // Special characters in branch names
 assert.strictEqual(
-    computeVersion("feature/issue#123", "cli/v"),
-    "0.0.0-feature-issue-123",
+    computeVersion("feature/issue#123", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-feature-issue-123.20260303123456.abcdef123456",
     "Branch with # should be preserved"
 );
 
 assert.strictEqual(
-    computeVersion("hotfix/v1.2.3-fix", "cli/v"),
-    "0.0.0-hotfix-v1.2.3-fix",
+    computeVersion("hotfix/v1.2.3-fix", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-hotfix-v1.2.3-fix.20260303123456.abcdef123456",
     "Branch that looks like version should not be treated as tag"
 );
 
@@ -170,14 +197,20 @@ console.log("Testing regex escaping for security...");
 
 // These should NOT match as tags even though they contain regex special chars
 assert.strictEqual(
-    computeVersion("cli.*v1.2.3", "cli/v"),
-    "0.0.0-cli.*v1.2.3",
+    computeVersion("cli.*v1.2.3", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-cli.-v1.2.3.20260303123456.abcdef123456",
     "Ref with regex chars should not match tag pattern"
 );
 
 assert.strictEqual(
-    computeVersion("v1.2.3", "cli/v"),
-    "0.0.0-v1.2.3",
+    computeVersion("v1.2.3", "cli/v", {
+        now: new Date("2026-03-03T12:34:56Z"),
+        gitSha: "abcdef1234567890",
+    }),
+    "0.0.0-v1.2.3.20260303123456.abcdef123456",
     "Ref without correct prefix should not match"
 );
 
@@ -193,6 +226,17 @@ const result1a = computeVersion(ref1, prefix1);
 const result1b = computeVersion(ref1, prefix1);
 assert.strictEqual(result1a, result1b, "Same inputs should produce same output");
 
+// Same non-tag input should produce same output when deterministic options are provided
+const branchResultA = computeVersion("main", "cli/v", {
+    now: new Date("2026-03-03T12:34:56Z"),
+    gitSha: "abcdef1234567890",
+});
+const branchResultB = computeVersion("main", "cli/v", {
+    now: new Date("2026-03-03T12:34:56Z"),
+    gitSha: "abcdef1234567890",
+});
+assert.strictEqual(branchResultA, branchResultB, "Deterministic inputs should produce same output");
+
 // Different prefixes should not interfere
 assert.notStrictEqual(
     computeVersion("cli/v1.2.3", "cli/v"),

.github/workflows/cli.yml

@@ -17,6 +17,8 @@ on:
     paths:
       - 'cli/**'
       - '.github/workflows/cli.yml'
+      - '.github/workflows/cli-release.yml'
+      - '.github/workflows/publish-ocm-component-version.yml'
   workflow_call:
     inputs:
       artifact_name:
@@ -144,7 +146,8 @@ jobs:
           # OCI layout files
           path: |
             ${{ env.LOCATION }}/tmp/bin/ocm-*    
-            ${{ env.LOCATION }}/tmp/oci/*      
+            ${{ env.LOCATION }}/tmp/oci/*
+            ${{ env.LOCATION }}/tmp/component-constructor.yaml
 
   publish:
     name: Publish and Attest
@@ -207,3 +210,71 @@ jobs:
           subject-digest: ${{ steps.digest.outputs.digest }}
           subject-name: ${{ env.TARGET_REPO }}
           push-to-registry: true
+
+      # Reuse generated constructor from build artifacts, normalize file paths, and patch only image access
+      - name: Generate OCM component constructor
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          TARGET_CONSTRUCTOR="ocm-publish/cli-component-constructor.yaml"
+
+          echo "Verifying downloaded CLI binaries..."
+          shopt -s nullglob
+          files=(bin/ocm-*)
+          (( ${#files[@]} > 0 )) || { echo "❌ No CLI binaries found under ./bin"; ls -la; exit 1; }
+          
+          CONSTRUCTOR_SOURCE="$(find . -type f -name component-constructor.yaml | head -n 1)"
+          test -n "${CONSTRUCTOR_SOURCE}" || { echo "❌ component-constructor.yaml not found in downloaded artifacts"; ls -la; exit 1; }
+          echo "✅ Required artifacts are present"
+          
+          mkdir -p ocm-publish
+          cp "${CONSTRUCTOR_SOURCE}" "${TARGET_CONSTRUCTOR}"
+
+          IMAGE_REF="${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/cli:${TAG}"
+          export IMAGE_REF
+
+          yq -e '.resources[] | select(.name == "image")' "${TARGET_CONSTRUCTOR}" >/dev/null
+
+          yq -i '
+            (.resources[] | select(.name == "cli" and .input.type == "file") | .input.path) |= ("bin/" + (split("/") | .[-1])) |
+            (.resources[] | select(.name == "image") | .type) = "ociImage" |
+            (.resources[] | select(.name == "image") | .version) = env(TAG) |
+            (.resources[] | select(.name == "image") | .access.type) = "ociArtifact" |
+            (.resources[] | select(.name == "image") | .access.imageReference) = env(IMAGE_REF) |
+            del(.resources[] | select(.name == "image") | .relation) |
+            del(.resources[] | select(.name == "image") | .input)
+          ' "${TARGET_CONSTRUCTOR}"
+
+          yq -e '.resources[] | select(.name == "image") | .access.imageReference == env(IMAGE_REF)' "${TARGET_CONSTRUCTOR}" >/dev/null
+
+      - name: Upload component constructor as artifact
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
+        with:
+          name: cli-constructor-artifact
+          if-no-files-found: error
+          path: ocm-publish/cli-component-constructor.yaml
+
+  publish-component:
+    name: Publish Component Version
+    needs: [build, publish]
+    if: ${{ needs.build.outputs.should_push_oci_image == 'true' }}
+    uses: ./.github/workflows/publish-ocm-component-version.yml
+    secrets: inherit
+    with:
+      constructor_artifact_name: cli-constructor-artifact
+      constructor_filename: cli-component-constructor.yaml
+      build_artifact_name: ${{ needs.build.outputs.artifact_name }}
+      ocm_repository: ghcr.io/${{ github.repository_owner }}
+
+  status-check:
+    name: Status Check
+    runs-on: ubuntu-latest
+    needs: [publish, publish-component]
+    if: always()
+    steps:
+      - name: Fail if OCM publish did not succeed
+        if: ${{ needs.publish.result == 'success' && needs.publish-component.result != 'success' }}
+        run: |
+          echo "::error::OCM component publish did not pass (result: ${{ needs.publish-component.result }})"
+          exit 1