chore: split-off image name sanitization

Author: rjaegers

.github/workflows/wc-build-push-test.yml

@@ -42,8 +42,7 @@ jobs:
     needs: build-push
     uses: ./.github/workflows/wc-integration-test.yml
     with:
-      fully-qualified-image-name: ${{ needs.build-push.outputs.fully-qualified-image-name }}
-      image-basename: ${{ needs.build-push.outputs.image-basename }}
+      image-name: ${{ github.repository }}-${{ matrix.flavor }}
       test-file: test/${{ matrix.flavor }}/integration.bats
       runner-labels: ${{ matrix.runner }}
 

.github/workflows/wc-build-push.yml

@@ -34,16 +34,6 @@ on:
         required: false
         type: string
         default: ubuntu-latest
-    outputs:
-      image-basename:
-        description: "The sanitized base name of the image (without registry or tag)"
-        value: ${{ jobs.sanitize-inputs.outputs.image-basename }}
-      image-name:
-        description: "The sanitized name of the image (without registry or tag)"
-        value: ${{ jobs.sanitize-inputs.outputs.image-name }}
-      fully-qualified-image-name:
-        description: "The fully qualified name of the image including registry (but without tag)"
-        value: ${{ jobs.sanitize-inputs.outputs.fully-qualified-image-name }}
     secrets:
       DOCKER_USERNAME:
         description: "User name for Docker login, if not provided the GitHub actor will be used"
@@ -55,44 +45,18 @@ on:
 permissions: {}
 
 jobs:
-  sanitize-inputs:
-    runs-on: ${{ inputs.default-runner }}
-    outputs:
-      image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
-      image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
-      fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
-    steps:
-      - name: Sanitize image name
-        id: sanitize-image-name
-        env:
-          IMAGE_NAME: ${{ inputs.image-name }}
-        run: |
-          set -Eeuo pipefail
-
-          # Split all image name components (on '/') and sanitize each component independently.
-          # Rules: lowercase; allowed chars a-z0-9._- ; collapse invalid sequences to single '-'; trim leading/trailing '-'.
-          IFS='/' read -r -a PARTS <<< "$IMAGE_NAME"
-          SANITIZED_PARTS=()
-
-          for PART in "${PARTS[@]}"; do
-            SANITIZED_PART=$(echo "$PART" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g' | sed -E 's/^-+|-+$//g')
-            if [ -z "$SANITIZED_PART" ]; then
-              echo "Invalid or empty component after sanitization in image component: '$PART', please correct your image name: '$IMAGE_NAME'" >&2
-              exit 1
-            fi
-            SANITIZED_PARTS+=("$SANITIZED_PART")
-          done
-
-          SANITIZED_IMAGE_NAME=$(IFS='/'; echo "${SANITIZED_PARTS[*]}")
-          SANITIZED_BASENAME=${SANITIZED_PARTS[-1]}
-          echo "sanitized-image-name=$SANITIZED_IMAGE_NAME" >> "$GITHUB_OUTPUT"
-          echo "sanitized-basename=$SANITIZED_BASENAME" >> "$GITHUB_OUTPUT"
+  sanitize-image-name:
+    uses: ./.github/workflows/wc-sanitize-image-name.yml
+    with:
+      image-name: ${{ inputs.image-name }}
+      registry: ${{ inputs.registry }}
+      runner-labels: ${{ inputs.default-runner }}
 
   build-push:
     strategy:
       matrix: ${{ fromJson(inputs.build-matrix) }}
     runs-on: ${{ matrix.runner }}
-    needs: sanitize-inputs
+    needs: sanitize-image-name
     permissions:
       contents: read
       packages: write
@@ -118,7 +82,7 @@ jobs:
           DOCKER_METADATA_SET_OUTPUT_ENV: false
         id: metadata
         with:
-          images: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
+          images: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
       # Generate image LABEL for devcontainer.metadata
       # the sed expression is a workaround for quotes being eaten in arrays (e.g. ["x", "y", "z"] -> ["x",y,"z"])
       - run: echo "metadata=$(jq -cj '[.]' ".devcontainer/${CONTAINER_FLAVOR}/devcontainer-metadata-vscode.json" | sed 's/,"/, "/g')" >> "$GITHUB_OUTPUT"
@@ -134,7 +98,7 @@ jobs:
         with:
           file: ${{ inputs.dockerfile }}
           push: true
-          tags: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
+          tags: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
           labels: |
             ${{ steps.metadata.outputs.labels }}
             devcontainer.metadata=${{ steps.devcontainer-metadata.outputs.metadata }}
@@ -151,7 +115,7 @@ jobs:
           RUNNER_TEMP: ${{ runner.temp }}
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: digests-${{ needs.sanitize-inputs.outputs.image-basename }}-${{ steps.devcontainer-arch.outputs.arch }}
+          name: digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.devcontainer-arch.outputs.arch }}
           path: ${{ runner.temp }}/digests/*
           if-no-files-found: error
           retention-days: 1
@@ -160,7 +124,7 @@ jobs:
     runs-on: ${{ inputs.default-runner }}
     needs:
       - build-push
-      - sanitize-inputs
+      - sanitize-image-name
     permissions:
       actions: read
       attestations: write
@@ -181,7 +145,7 @@ jobs:
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           path: ${{ runner.temp }}/digests
-          pattern: digests-${{ needs.sanitize-inputs.outputs.image-basename }}-*
+          pattern: digests-${{ needs.sanitize-image-name.outputs.image-basename }}-*
           merge-multiple: true
       - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
@@ -198,7 +162,7 @@ jobs:
           DOCKER_METADATA_ANNOTATIONS_LEVELS: index
           DOCKER_METADATA_SET_OUTPUT_ENV: false
         with:
-          images: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
+          images: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
           # Generate Docker tags based on the following events/attributes.
           # To prevent unnecessary image builds we simulate the `type=edge` tag
           # with `type=raw,value=edge,enable=...` which only enables the tag
@@ -230,7 +194,7 @@ jobs:
           print(' '.join(command))
           subprocess.run(command, check=True)
         env:
-          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
+          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
           METADATA_JSON: ${{ steps.metadata.outputs.json }}
         shell: python
         working-directory: ${{ runner.temp }}/digests
@@ -241,44 +205,44 @@ jobs:
           output=$(docker buildx imagetools inspect "${CONTAINER}" --format '{{json .}}')
           echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
         env:
-          CONTAINER: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
+          CONTAINER: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
       - run: |
           set -Eeuo pipefail
           wget -O diffoci https://github.com/reproducible-containers/diffoci/releases/download/v0.1.7/diffoci-v0.1.7.linux-amd64
           chmod +x diffoci
           ./diffoci diff --semantic --report-file=container-diff.json "${FROM_CONTAINER}" "${TO_CONTAINER}" || true
         env:
-          FROM_CONTAINER: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:edge
-          TO_CONTAINER: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
+          FROM_CONTAINER: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:edge
+          TO_CONTAINER: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: container-diff-${{ needs.sanitize-inputs.outputs.image-basename }}
+          name: container-diff-${{ needs.sanitize-image-name.outputs.image-basename }}
           path: container-diff.json
           retention-days: 10
       - uses: ./.github/actions/container-size-diff
         id: container-size-diff
         with:
-          from-container: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:edge
-          to-container: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
+          from-container: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:edge
+          to-container: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}:${{ steps.metadata.outputs.version }}
       - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
         with:
-          header: container-size-diff-${{ needs.sanitize-inputs.outputs.image-basename }}
+          header: container-size-diff-${{ needs.sanitize-image-name.outputs.image-basename }}
           message: |
             ${{ steps.container-size-diff.outputs.size-diff-markdown }}
       - uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6
         with:
-          image: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}@${{ steps.inspect-manifest.outputs.digest }}
+          image: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}@${{ steps.inspect-manifest.outputs.digest }}
           dependency-snapshot: true
       - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         with:
-          subject-name: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
+          subject-name: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
           subject-digest: ${{ steps.inspect-manifest.outputs.digest }}
           show-summary: false
           push-to-registry: true
       - name: Verify attestation
         run: gh attestation verify --repo "${GH_REPO}" "oci://${FULLY_QUALIFIED_IMAGE_NAME}@${DIGEST}"
         env:
           DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
-          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-inputs.outputs.fully-qualified-image-name }}
+          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
           GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ github.token }}

.github/workflows/wc-integration-test.yml

@@ -4,10 +4,7 @@ name: Integration Test
 on:
   workflow_call:
     inputs:
-      fully-qualified-image-name:
-        required: false
-        type: string
-      image-basename:
+      image-name:
         required: true
         type: string
       test-file:
@@ -17,12 +14,25 @@ on:
         description: "Runner to use for the job, will be passed to `runs-on`"
         required: true
         type: string
+      registry:
+        description: "Docker registry to push built containers to, DOCKER_USERNAME and DOCKER_PASSWORD secrets must be set if not using GitHub Container Registry"
+        required: false
+        type: string
+        default: "ghcr.io"
 
 permissions: {}
 
 jobs:
+  sanitize-image-name:
+    uses: ./.github/workflows/wc-sanitize-image-name.yml
+    with:
+      image-name: ${{ inputs.image-name }}
+      registry: ${{ inputs.registry }}
+      runner-labels: ${{ inputs.runner-labels }}
+
   determine-container:
     runs-on: ${{ inputs.runner-labels }}
+    needs: sanitize-image-name
     outputs:
       container: ${{ steps.set-container.outputs.container }}
       runner-arch: ${{ steps.runner-arch.outputs.arch }}
@@ -35,17 +45,19 @@ jobs:
         id: runner-arch
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
-          path: ${{ runner.temp }}/digests-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
-          pattern: digests-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
+          path: ${{ runner.temp }}/digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
+          pattern: digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
       - run: echo "container=$(printf "${FULLY_QUALIFIED_IMAGE_NAME}@sha256:%s " *)" >> "$GITHUB_OUTPUT"
-        working-directory: ${{ runner.temp }}/digests-${{ inputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
+        working-directory: ${{ runner.temp }}/digests-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ steps.runner-arch.outputs.arch }}
         env:
-          FULLY_QUALIFIED_IMAGE_NAME: ${{ inputs.fully-qualified-image-name }}
+          FULLY_QUALIFIED_IMAGE_NAME: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}
           GH_REPO: ${{ github.repository }}
         id: set-container
 
   run-test:
-    needs: determine-container
+    needs:
+      - determine-container
+      - sanitize-image-name
     runs-on: ${{ inputs.runner-labels }}
     container: ${{ needs.determine-container.outputs.container }}
     permissions:
@@ -66,11 +78,11 @@ jobs:
             xwin-cache-${{ needs.determine-container.outputs.runner-arch }}
       - run: bats --formatter junit "${TEST_FILE}" | tee "test-report-${IMAGE_BASENAME}-${RUNNER_ARCH}.xml"
         env:
-          IMAGE_BASENAME: ${{ inputs.image-basename }}
+          IMAGE_BASENAME: ${{ needs.sanitize-image-name.outputs.image-basename }}
           TEST_FILE: ${{ inputs.test-file }}
           RUNNER_ARCH: ${{ needs.determine-container.outputs.runner-arch }}
       - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
-          name: test-results-integration-${{ inputs.image-basename }}-${{ needs.determine-container.outputs.runner-arch }}
+          name: test-results-integration-${{ needs.sanitize-image-name.outputs.image-basename }}-${{ needs.determine-container.outputs.runner-arch }}
           path: test-report-*.xml

.github/workflows/wc-sanitize-image-name.yml

@@ -0,0 +1,70 @@
+---
+name: Sanitize Image Name
+
+on:
+  workflow_call:
+    inputs:
+      image-name:
+        description: "Name of the Docker image to build, without registry or tag. E.g. 'my-image' or 'my-org/my-image'"
+        required: true
+        type: string
+      registry:
+        description: "Container registry to push the image to, e.g. ghcr.io"
+        required: false
+        type: string
+        default: "ghcr.io"
+      runner-labels:
+        description: "Runner to use for the job, will be passed to `runs-on`"
+        required: false
+        type: string
+        default: "ubuntu-latest"
+    outputs:
+      image-basename:
+        description: "The sanitized base name of the image (without registry or tag)"
+        value: ${{ jobs.sanitize-inputs.outputs.image-basename }}
+      image-name:
+        description: "The sanitized name of the image (without registry or tag)"
+        value: ${{ jobs.sanitize-inputs.outputs.image-name }}
+      fully-qualified-image-name:
+        description: "The fully qualified name of the image including registry (but without tag)"
+        value: ${{ jobs.sanitize-inputs.outputs.fully-qualified-image-name }}
+
+permissions: {}
+
+jobs:
+  sanitize-inputs:
+    runs-on: ${{ inputs.runner-labels }}
+    outputs:
+      image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
+      image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
+      fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }}
+    steps:
+      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          disable-sudo: true
+          egress-policy: audit
+      - name: Sanitize image name
+        id: sanitize-image-name
+        env:
+          IMAGE_NAME: ${{ inputs.image-name }}
+        run: |
+          set -Eeuo pipefail
+
+          # Split all image name components (on '/') and sanitize each component independently.
+          # Rules: lowercase; allowed chars a-z0-9._- ; collapse invalid sequences to single '-'; trim leading/trailing '-'.
+          IFS='/' read -r -a PARTS <<< "$IMAGE_NAME"
+          SANITIZED_PARTS=()
+
+          for PART in "${PARTS[@]}"; do
+            SANITIZED_PART=$(echo "$PART" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g' | sed -E 's/^-+|-+$//g')
+            if [ -z "$SANITIZED_PART" ]; then
+              echo "Invalid or empty component after sanitization in image component: '$PART', please correct your image name: '$IMAGE_NAME'" >&2
+              exit 1
+            fi
+            SANITIZED_PARTS+=("$SANITIZED_PART")
+          done
+
+          SANITIZED_IMAGE_NAME=$(IFS='/'; echo "${SANITIZED_PARTS[*]}")
+          SANITIZED_BASENAME=${SANITIZED_PARTS[-1]}
+          echo "sanitized-image-name=$SANITIZED_IMAGE_NAME" >> "$GITHUB_OUTPUT"
+          echo "sanitized-basename=$SANITIZED_BASENAME" >> "$GITHUB_OUTPUT"