Add automated image workflows with retention

- Scheduled builds: weekly (controller), quarterly (blank, iPXE)
- Timestamp-only versions: build-YYYYMMDD-HHMMSS
- Auto-cleanup: keep last 4 releases

Fix iPXE workflow kernel permissions for libguestfs

Add kernel permission fix step to allow libguestfs supermin
to access kernel files in GitHub Actions runners.

Assisted-By: Claude (claude-4.5-sonnet)
Signed-off-by: Harald Jensås <hjensas@redhat.com>

Author: hjensas

.github/workflows/build-blank-image.yml

@@ -4,10 +4,10 @@ name: Build Blank Image
 "on":
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., v1.0.0)'
-        required: true
+
+  # Run quarterly on the 1st day of Jan/Apr/Jul/Oct at 00:00 UTC
+  schedule:
+    - cron: '0 0 1 1,4,7,10 *'
 
 jobs:
   build-image:
@@ -45,7 +45,8 @@ jobs:
       - name: 4. Rename Image with Release Tag
         id: release_tag
         run: |
-          RELEASE_TAG="${{ inputs.release_tag }}"
+          # Generate timestamp-based tag
+          RELEASE_TAG="build-$(date +%Y%m%d-%H%M%S)"
           echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT
           echo "Release tag: $RELEASE_TAG"
 
@@ -70,6 +71,7 @@ jobs:
 
             - **Format**: qcow2
             - **Size**: 1MB
+            - **Build type**: ${{ github.event_name == 'schedule' && 'Scheduled (quarterly)' || 'Manual' }}
             - **Purpose**: Minimal blank disk image for virtual baremetal nodes with Redfish virtual BMC
 
             ## Usage
@@ -161,3 +163,25 @@ jobs:
           echo "https://github.com/${{ github.repository }}/releases/download/latest-blank/blank-image-latest.qcow2"
         env:
           GH_TOKEN: ${{ github.token }}
+
+      - name: 8. Cleanup Old Releases (Keep Last 4)
+        run: |
+          echo "Cleaning up old builds, keeping last 4..."
+
+          # Get all releases with 'build-' prefix, sort by creation date (newest first)
+          # Skip the first 4 (keep them), delete the rest
+          OLD_RELEASES=$(gh release list --limit 100 --json tagName,createdAt --repo ${{ github.repository }} \
+            | jq -r '.[] | select(.tagName | startswith("build-")) | .tagName' \
+            | sort -r \
+            | tail -n +5)
+
+          if [ -n "$OLD_RELEASES" ]; then
+            echo "Deleting old releases:"
+            echo "$OLD_RELEASES"
+            echo "$OLD_RELEASES" | xargs -I {} gh release delete {} --yes --cleanup-tag --repo ${{ github.repository }}
+            echo "Cleanup complete"
+          else
+            echo "No old releases to delete (fewer than 5 total)"
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/build-controller-image.yml

@@ -4,10 +4,10 @@ name: Build HotStack Controller Image
 "on":
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., v1.0.0)'
-        required: true
+
+  # Run weekly on Mondays at 00:00 UTC
+  schedule:
+    - cron: '0 0 * * 1'
 
 jobs:
   build-image:
@@ -53,7 +53,13 @@ jobs:
       - name: 5. Rename Image with Release Tag
         id: release_tag
         run: |
-          RELEASE_TAG="${{ inputs.release_tag }}"
+          if [ "${{ github.event_name }}" == "schedule" ] || [ -z "${{ inputs.release_tag }}" ]; then
+            # Scheduled run or no tag provided: generate timestamp-based tag
+            RELEASE_TAG="build-$(date +%Y%m%d-%H%M%S)"
+          else
+            # Manual run with tag provided: use provided tag
+            RELEASE_TAG="${{ inputs.release_tag }}"
+          fi
           echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT
           echo "Release tag: $RELEASE_TAG"
 
@@ -79,6 +85,7 @@ jobs:
             - **Base**: CentOS Stream 9
             - **Build Tool**: diskimage-builder (DIB)
             - **Format**: qcow2
+            - **Build type**: ${{ github.event_name == 'schedule' && 'Scheduled (weekly)' || (inputs.release_tag == '' && 'Manual (auto-versioned)' || 'Manual (versioned)') }}
             - **Packages**: bash-completion, bind-utils, butane, dnsmasq, git,
               haproxy, httpd, httpd-tools, make, nfs-utils, nmstate, podman,
               tcpdump, tmux, vim-enhanced
@@ -162,3 +169,25 @@ jobs:
           echo "https://github.com/${{ github.repository }}/releases/download/latest-controller/controller-latest.qcow2"
         env:
           GH_TOKEN: ${{ github.token }}
+
+      - name: 9. Cleanup Old Releases (Keep Last 4)
+        run: |
+          echo "Cleaning up old builds, keeping last 4..."
+
+          # Get all releases with 'build-' prefix, sort by creation date (newest first)
+          # Skip the first 4 (keep them), delete the rest
+          OLD_RELEASES=$(gh release list --limit 100 --json tagName,createdAt --repo ${{ github.repository }} \
+            | jq -r '.[] | select(.tagName | startswith("build-")) | .tagName' \
+            | sort -r \
+            | tail -n +5)
+
+          if [ -n "$OLD_RELEASES" ]; then
+            echo "Deleting old releases:"
+            echo "$OLD_RELEASES"
+            echo "$OLD_RELEASES" | xargs -I {} gh release delete {} --yes --cleanup-tag --repo ${{ github.repository }}
+            echo "Cleanup complete"
+          else
+            echo "No old releases to delete (fewer than 5 total)"
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/build-ipxe-images.yml

@@ -4,10 +4,10 @@ name: Build iPXE Images
 "on":
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
-    inputs:
-      release_tag:
-        description: 'Release tag (e.g., v1.0.0)'
-        required: true
+
+  # Run quarterly on the 1st day of Jan/Apr/Jul/Oct at 00:00 UTC
+  schedule:
+    - cron: '0 0 1 1,4,7,10 *'
 
 jobs:
   build-image:
@@ -33,6 +33,12 @@ jobs:
             libguestfs-tools
           echo "System dependencies installed"
 
+      - name: Fix Kernel Permissions for libguestfs
+        run: |
+          echo "Setting kernel file permissions for libguestfs..."
+          sudo chmod -R a+rX /boot
+          echo "Kernel permissions updated"
+
       - name: Build iPXE Images
         run: |
           echo "Building iPXE images using ipxe/Makefile..."
@@ -45,7 +51,8 @@ jobs:
       - name: Create Release Tag and Rename Images
         id: release_tag
         run: |
-          RELEASE_TAG="${{ inputs.release_tag }}"
+          # Generate timestamp-based tag
+          RELEASE_TAG="build-$(date +%Y%m%d-%H%M%S)"
           echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT
           echo "Release tag: $RELEASE_TAG"
 
@@ -75,6 +82,7 @@ jobs:
 
             - **ipxe-efi-${{ steps.release_tag.outputs.release_tag }}.img** - UEFI boot image
             - **ipxe-bios-${{ steps.release_tag.outputs.release_tag }}.img** - BIOS boot image (USB)
+            - **Build type**: ${{ github.event_name == 'schedule' && 'Scheduled (quarterly)' || 'Manual' }}
 
             ## Usage
 
@@ -172,3 +180,25 @@ jobs:
           echo "https://github.com/${{ github.repository }}/releases/download/latest-ipxe/ipxe-bios-latest.img"
         env:
           GH_TOKEN: ${{ github.token }}
+
+      - name: Cleanup Old Releases (Keep Last 4)
+        run: |
+          echo "Cleaning up old builds, keeping last 4..."
+
+          # Get all releases with 'build-' prefix, sort by creation date (newest first)
+          # Skip the first 4 (keep them), delete the rest
+          OLD_RELEASES=$(gh release list --limit 100 --json tagName,createdAt --repo ${{ github.repository }} \
+            | jq -r '.[] | select(.tagName | startswith("build-")) | .tagName' \
+            | sort -r \
+            | tail -n +5)
+
+          if [ -n "$OLD_RELEASES" ]; then
+            echo "Deleting old releases:"
+            echo "$OLD_RELEASES"
+            echo "$OLD_RELEASES" | xargs -I {} gh release delete {} --yes --cleanup-tag --repo ${{ github.repository }}
+            echo "Cleanup complete"
+          else
+            echo "No old releases to delete (fewer than 5 total)"
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}