chore: fix issues with image name

Author: rjaegers

…er/cpp/devcontainer-metadata-vscode.json …container/cpp/devcontainer-metadata.json.devcontainer/cpp/devcontainer-metadata-vscode.json renamed to .devcontainer/cpp/devcontainer-metadata.json .devcontainer/cpp/devcontainer-metadata-vscode.json renamed to .devcontainer/cpp/devcontainer-metadata.json

@@ -30,6 +30,7 @@ jobs:
       packages: write
       pull-requests: write
     with:
+      devcontainer-metadata: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
       dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
       image-name: ${{ github.repository }}-${{ matrix.flavor }}
 

…r/rust/devcontainer-metadata-vscode.json …ontainer/rust/devcontainer-metadata.json.devcontainer/rust/devcontainer-metadata-vscode.json renamed to .devcontainer/rust/devcontainer-metadata.json .devcontainer/rust/devcontainer-metadata-vscode.json renamed to .devcontainer/rust/devcontainer-metadata.json

@@ -9,11 +9,15 @@ on:
         required: true
         type: string
       image-name:
-        description: "Name of the Docker image to build"
+        description: "Name of the Docker image to build, without registry or tag. E.g. 'my-image' or 'my-org/my-image'"
         required: true
         type: string
+      devcontainer-metadata:
+        description: "Path to a JSON file containing devcontainer metadata to add as a label to the built image"
+        required: false
+        type: string
       registry:
-        description: "Docker registry to push built containers to"
+        description: "Docker registry to push built containers to, DOCKER_USERNAME and DOCKER_PASSWORD secrets must be set if not using GitHub Container Registry"
         required: false
         type: string
         default: "ghcr.io"
@@ -25,8 +29,8 @@ on:
         required: false
         type: string
         default: '{"runner": ["ubuntu-latest", "ubuntu-24.04-arm"]}'
-      merge-runner:
-        description: "Runner label for the merge-image job"
+      default-runner:
+        description: "Runner label for the non-build jobs"
         required: false
         type: string
         default: ubuntu-latest
@@ -38,19 +42,49 @@ on:
         description: "Password or token for Docker login, if not provided the GITHUB_TOKEN will be used"
         required: false
 
-permissions:
-  contents: read
-
-env:
-  REGISTRY: ${{ inputs.registry }}
-  FULLY_QUALIFIED_IMAGE_NAME: ${{ inputs.registry }}/${{ inputs.image-name }}
+permissions: {}
 
 jobs:
+  sanitize-inputs:
+    runs-on: ${{ inputs.default-runner }}
+    outputs:
+      image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
+      fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
+      image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
+    steps:
+      - name: Sanitize image name
+        id: sanitize-image-name
+        env:
+          IMAGE_NAME: ${{ inputs.image-name }}
+        run: |
+          set -Eeuo pipefail
+
+          # Split all image name components (on '/') and sanitize each component independently.
+          # Rules: lowercase; allowed chars a-z0-9._- ; collapse invalid sequences to single '-'; trim leading/trailing '-'.
+          IFS='/' read -r -a PARTS <<< "$IMAGE_NAME"
+          SANITIZED_PARTS=()
+
+          for PART in "${PARTS[@]}"; do
+            SANITIZED_PART=$(echo "$PART" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g' | sed -E 's/^-+|-+$//g')
+            if [ -z "$SANITIZED_PART" ]; then
+              echo "Invalid or empty component after sanitization in image component: '$PART', please correct your image name: '$IMAGE_NAME'" >&2
+              exit 1
+            fi
+            SANITIZED_PARTS+=("$SANITIZED_PART")
+          done
+
+          SANITIZED_IMAGE_NAME=$(IFS='/'; echo "${SANITIZED_PARTS[*]}")
+          SANITIZED_BASENAME=${SANITIZED_PARTS[-1]}
+          echo "sanitized-image-name=$SANITIZED_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+          echo "sanitized-basename=$SANITIZED_BASENAME" >> "$GITHUB_OUTPUT"
+
   build-push:
     strategy:
       matrix: ${{ fromJson(inputs.build-matrix) }}
     runs-on: ${{ matrix.runner }}
+    needs: sanitize-inputs
     permissions:
+      contents: read
       packages: write
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -66,15 +100,15 @@ jobs:
           USERNAME: ${{ secrets.DOCKER_USERNAME || github.actor }}
           PASSWORD: ${{ secrets.DOCKER_PASSWORD || secrets.GITHUB_TOKEN }}
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ inputs.registry }}
           username: ${{ env.USERNAME }}
           password: ${{ env.PASSWORD }}
       - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
         env:
           DOCKER_METADATA_SET_OUTPUT_ENV: false
         id: metadata
         with:
-          images: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}
+          images: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
       # Generate image LABEL for devcontainer.metadata
       # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
       - run: echo "metadata=$(jq -cj '[.]' ".devcontainer/${CONTAINER_FLAVOR}/devcontainer-metadata-vscode.json" | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"
@@ -90,7 +124,7 @@ jobs:
         with:
           file: ${{ inputs.dockerfile }}
           push: true
-          tags: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}
+          tags: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
           labels: |
             ${{ steps.metadata.outputs.labels }}
             devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
@@ -107,13 +141,13 @@ jobs:
           RUNNER_TEMP: ${{ runner.temp }}
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: digests-${{ inputs.image-name }}-${{ steps.devcontainer-arch.outputs.arch }}
+          name: digests-${{ needs.sanitize-inputs.outputs.image-basename }}-${{ steps.devcontainer-arch.outputs.arch }}
           path: ${{ runner.temp }}/digests/*
           if-no-files-found: error
           retention-days: 1
 
   merge-image:
-    runs-on: ${{ inputs.merge-runner }}
+    runs-on: ${{ inputs.default-runner }}
     needs: build-push
     permissions:
       actions: read
@@ -135,15 +169,15 @@ jobs:
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           path: ${{ runner.temp }}/digests
-          pattern: digests-${{ inputs.image-name }}-*
+          pattern: digests-${{ needs.sanitize-inputs.outputs.image-basename }}-*
           merge-multiple: true
       - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         env:
           USERNAME: ${{ secrets.DOCKER_USERNAME || github.actor }}
           PASSWORD: ${{ secrets.DOCKER_PASSWORD || secrets.GITHUB_TOKEN }}
         with:
-          registry: ${{ env.REGISTRY }}
+          registry: ${{ inputs.registry }}
           username: ${{ env.USERNAME }}
           password: ${{ env.PASSWORD }}
       - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -152,7 +186,7 @@ jobs:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: index
           DOCKER_METADATA_SET_OUTPUT_ENV: false
         with:
-          images: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}
+          images: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
           # Generate Docker tags based on the following events/attributes.
           # To prevent unnecessary image builds we simulate the `type=edge` tag
           # with `type=raw,value=edge,enable=...` which only enables the tag
@@ -165,6 +199,8 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
       - name: Create manifest list and push
+        env:
+          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
         run: |
           import os
           import json
@@ -189,6 +225,8 @@ jobs:
         working-directory: ${{ runner.temp }}/digests
       - name: Inspect manifest and extract digest
         id: inspect-manifest
+        env:
+          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
         run: |
           set -Eeuo pipefail
           output=$(docker buildx imagetools inspect "${FULLY_QUALIFIED_IMAGE_NAME}:${CONTAINER_VERSION}" --format '{{json .}}')
@@ -201,35 +239,35 @@ jobs:
           chmod +x diffoci
           ./diffoci diff --semantic --report-file=container-diff.json "${FROM_CONTAINER}" "${TO_CONTAINER}" || true
         env:
-          FROM_CONTAINER: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}:edge
-          TO_CONTAINER: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}:${{ steps.metadata.outputs.version }}
+          FROM_CONTAINER: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:edge
+          TO_CONTAINER: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: container-diff-${{ inputs.image-name }}
+          name: container-diff-${{ needs.sanitize-inputs.outputs.image-basedname }}
           path: container-diff.json
           retention-days: 10
       - uses: ./.github/actions/container-size-diff
         id: container-size-diff
         with:
-          from-container: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}:edge
-          to-container: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}:${{ steps.metadata.outputs.version }}
+          from-container: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:edge
+          to-container: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
       - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
         with:
-          header: container-size-diff-${{ inputs.flavor }}
+          header: container-size-diff-${{ needs.sanitize-inputs.outputs.image-basename }}
           message: |
             ${{ steps.container-size-diff.outputs.size-diff-markdown }}
       - uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
         with:
-          image: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}@${{ steps.inspect-manifest.outputs.digest }}
+          image: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}@${{ steps.inspect-manifest.outputs.digest }}
           dependency-snapshot: true
       - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
-          subject-name: ${{ env.FULLY_QUALIFIED_IMAGE_NAME }}
+          subject-name: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
           subject-digest: ${{ steps.inspect-manifest.outputs.digest }}
           show-summary: false
           push-to-registry: true
       - name: Verify attestation
-        run: gh attestation verify --repo "${GH_REPO}" "oci://${FULLY_QUALIFIED_IMAGE_NAME}@${DIGEST}"
+        run: gh attestation verify --repo "${GH_REPO}" "oci://${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}@${DIGEST}"
         env:
           DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
           GH_REPO: ${{ github.repository }}