ci(release): Various workflow fixes (#790)

* ci(release): Get the digest from structured output

* ci(action/publish-image): Get the digest from structured output

* chore: add --quiet to noisy cargo commands

* chore: resolve hadolint SC2086

* chore: resolve ruff lint issue

* ci(pre-commit): compare against the main branch (stackabletech/issues#616)

* ci(pre-commit): see which branches we have available to compare to

* ci(pre-commit): see which refs we have available to compare to

* ci(pre-commit): properly compare against the main branch (stackabletech/issues#616)

* ci(pre-commit): adjust fetch-depth

* ci(pre-commit): remove debug step

Author: NickLarsenNZ

.github/actions/publish-image/action.yml

@@ -63,14 +63,9 @@ runs:
       shell: bash
       run: |
         set -euo pipefail
-        # Store the output of `docker image push` into a variable, so we can
-        # parse it for the digest
-        PUSH_OUTPUT=$(docker image push "$(< bake-target-tags)" 2>&1)
-        echo "$PUSH_OUTPUT"
-        # Obtain the digest of the pushed image from the output of `docker image
-        # push`, because signing by tag is deprecated and will be removed from
-        # cosign in the future
-        DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
+        docker image push "$(< bake-target-tags)"
+        # Obtain the digest of the image, because signing by tag is deprecated and will be removed from cosign in the future
+        DIGEST=$(docker images --digests "$(< bake-target-tags)" --format '{{.Digest}}')
         echo "DIGEST=$DIGEST" >> $GITHUB_ENV
         # Refer to image via its digest (docker.stackable.tech/stackable/airflow@sha256:0a1b2c...)
         # This generates a signature and publishes it to the registry, next to the image
@@ -99,11 +94,9 @@ runs:
         IMAGE_NAME=oci.stackable.tech/sdp/${{ inputs.product }}
         echo "image: $IMAGE_NAME"
         docker tag "$(< bake-target-tags)" "$IMAGE_NAME:$TAG_NAME"
-        # Store the output of `docker image push` into a variable, so we can parse it for the digest
-        PUSH_OUTPUT=$(docker image push "$IMAGE_NAME:$TAG_NAME" 2>&1)
-        echo "$PUSH_OUTPUT"
-        # Obtain the digest of the pushed image from the output of `docker image push`, because signing by tag is deprecated and will be removed from cosign in the future
-        DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
+        docker image push "$(< bake-target-tags)"
+        # Obtain the digest of the image, because signing by tag is deprecated and will be removed from cosign in the future
+        DIGEST=$(docker images --digests "$(< bake-target-tags)" --format '{{.Digest}}')
         echo "DIGEST=$DIGEST" >> $GITHUB_ENV
         # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
         # This generates a signature and publishes it to the registry, next to the image

.github/workflows/pr_pre-commit.yaml

@@ -9,9 +9,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: '3.12'
       - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
         with:
-          extra_args: "" # Disable --all-files until we have time to fix druid/stackable/bin/run-druid
+          extra_args: "--from-ref ${{ github.event.pull_request.base.sha }} --to-ref ${{ github.event.pull_request.head.sha }}"

.github/workflows/release.yml

@@ -113,11 +113,9 @@ jobs:
             TAG_NAME=$(cut -d ":" -f 2 < bake-target-tags)
             echo "image: $IMAGE_NAME"
             echo "tag: $TAG_NAME"
-            # Store the output of `docker image push` into a variable, so we can parse it for the digest
-            PUSH_OUTPUT=$(docker image push "$(< bake-target-tags)" 2>&1)
-            echo "$PUSH_OUTPUT"
-            # Obtain the digest of the pushed image from the output of `docker image push`, because signing by tag is deprecated and will be removed from cosign in the future
-            DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
+            docker image push "$(< bake-target-tags)"
+            # Obtain the digest of the image, because signing by tag is deprecated and will be removed from cosign in the future
+            DIGEST=$(docker images --digests "$(< bake-target-tags)" --format '{{.Digest}}')
             # Refer to image via its digest (docker.stackable.tech/stackable/airflow@sha256:0a1b2c...)
             # This generates a signature and publishes it to the registry, next to the image
             # Uses the keyless signing flow with Github Actions as identity provider
@@ -139,11 +137,9 @@ jobs:
             IMAGE_NAME=oci.stackable.tech/sdp/${{ matrix.product }}
             echo "image: $IMAGE_NAME"
             docker tag "$(< bake-target-tags)" "$IMAGE_NAME:$TAG_NAME"
-            # Store the output of `docker image push` into a variable, so we can parse it for the digest
-            PUSH_OUTPUT=$(docker image push "$IMAGE_NAME:$TAG_NAME" 2>&1)
-            echo "$PUSH_OUTPUT"
-            # Obtain the digest of the pushed image from the output of `docker image push`, because signing by tag is deprecated and will be removed from cosign in the future
-            DIGEST=$(echo "$PUSH_OUTPUT" | awk "/: digest: sha256:[a-f0-9]{64} size: [0-9]+$/ { print \$3 }")
+            docker image push "$IMAGE_NAME:$TAG_NAME"
+            # Obtain the digest of the image, because signing by tag is deprecated and will be removed from cosign in the future
+            DIGEST=$(docker images --digests "$(< bake-target-tags)" --format '{{.Digest}}')
             # Refer to image via its digest (oci.stackable.tech/sdp/airflow@sha256:0a1b2c...)
             # This generates a signature and publishes it to the registry, next to the image
             # Uses the keyless signing flow with Github Actions as identity provider

opa/Dockerfile

@@ -23,7 +23,7 @@ WORKDIR /
 
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
 RUN git clone --depth 1 --branch ${BUNDLE_BUILDER_VERSION} https://github.com/stackabletech/opa-bundle-builder
-RUN cd ./opa-bundle-builder && . $HOME/.cargo/env && cargo build --release
+RUN cd ./opa-bundle-builder && . "$HOME/.cargo/env" && cargo --quiet build --release
 
 FROM stackable/image/stackable-base AS multilog-builder
 

stackable-base/Dockerfile

@@ -21,12 +21,12 @@ microdnf clean all
 rm -rf /var/cache/yum
 
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain "$RUST_DEFAULT_TOOLCHAIN_VERSION"
-. "$HOME/.cargo/env" && cargo install cargo-cyclonedx@"$CARGO_CYCLONEDX_CRATE_VERSION" cargo-auditable@"$CARGO_AUDITABLE_CRATE_VERSION"
+. "$HOME/.cargo/env" && cargo --quiet install cargo-cyclonedx@"$CARGO_CYCLONEDX_CRATE_VERSION" cargo-auditable@"$CARGO_AUDITABLE_CRATE_VERSION"
 
 git clone --depth 1 --branch "${CONFIG_UTILS_VERSION}" https://github.com/stackabletech/config-utils
 cd ./config-utils
 . "$HOME/.cargo/env"
-cargo auditable build --release && cargo cyclonedx --output-pattern package --all --output-cdx
+cargo auditable --quiet build --release && cargo cyclonedx --output-pattern package --all --output-cdx
 EOF
 
 # Manifest list digest because of multi architecture builds ( https://www.redhat.com/architect/pull-container-image#:~:text=A%20manifest%20list%20exists%20to,system%20on%20a%20specific%20architecture )

ubi8-rust-builder/Dockerfile

@@ -67,7 +67,7 @@ WORKDIR /
 # If you change the toolchain version here, make sure to also change the "rust_version"
 # property in operator-templating/config/rust.yaml
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_DEFAULT_TOOLCHAIN_VERSION \
- && . "$HOME/.cargo/env" && cargo install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
+ && . "$HOME/.cargo/env" && cargo --quiet install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
 
 # Build artifacts will be available in /app.
 RUN mkdir /app
@@ -77,7 +77,7 @@ COPY shared/copy_artifacts.sh /
 ONBUILD WORKDIR /src
 ONBUILD COPY . /src
 
-ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
+ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable --quiet build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
 
 # Copy the "interesting" files into /app.
 ONBUILD RUN find /src/target/release \

ubi9-rust-builder/Dockerfile

@@ -66,7 +66,7 @@ WORKDIR /
 # If you change the toolchain version here, make sure to also change the "rust_version"
 # property in operator-templating/config/rust.yaml
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_DEFAULT_TOOLCHAIN_VERSION \
-&& . "$HOME/.cargo/env" && cargo install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
+&& . "$HOME/.cargo/env" && cargo --quiet install cargo-cyclonedx@$CARGO_CYCLONEDX_CRATE_VERSION cargo-auditable@$CARGO_AUDITABLE_CRATE_VERSION
 
 # Build artifacts will be available in /app.
 RUN mkdir /app
@@ -76,7 +76,7 @@ COPY shared/copy_artifacts.sh /
 ONBUILD WORKDIR /src
 ONBUILD COPY . /src
 
-ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
+ONBUILD RUN . "$HOME/.cargo/env" && cargo auditable --quiet build --release --workspace && cargo cyclonedx --output-pattern package --all --output-cdx
 
 # Copy the "interesting" files into /app.
 ONBUILD RUN find /src/target/release \