feat: Introduce image diffing for pull requests and add a new workflow for automated image promotion to testing.

Author: hanthor

.github/workflows/promote-to-testing.yml

@@ -0,0 +1,174 @@
+name: Promote Next to Testing
+
+on:
+  schedule:
+    # Run every Monday at 00:00 UTC
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Dry run (do not actually promote)'
+        required: false
+        default: false
+        type: boolean
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAMESPACE: ${{ github.repository_owner }}
+
+jobs:
+  identify_candidates:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Identify Candidates
+        id: set-matrix
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const variants = ['yellowfin', 'albacore'];
+            const flavors = ['base', 'dx', 'gdx'];
+            let matrix = { include: [] };
+
+            // For each combination, find the latest successful run of build-next.yml
+            // Note: This is a simplification. In reality, build-next runs for all of them at once usually.
+            // We need to find the latest successful run of the 'Build Next Image' workflow.
+            
+            const runs = await github.rest.actions.listWorkflowRuns({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              workflow_id: 'build-next.yml',
+              status: 'success',
+              per_page: 1
+            });
+
+            if (runs.data.workflow_runs.length === 0) {
+              console.log("No successful runs found for build-next.yml");
+              return; 
+            }
+
+            const latestRun = runs.data.workflow_runs[0];
+            console.log(`Latest successful run: ${latestRun.id} (${latestRun.created_at})`);
+            const sha = latestRun.head_sha;
+
+            // We assume that a successful run produced all variants/flavors. 
+            // If we wanted to be more granular, we'd check artifacts or job status, but that's complex.
+            // For now, we assume the latest successful workflow run produced valid 'next' tags for all.
+            // However, 'next' is a moving tag. We should try to resolve 'next' to the specific digest from that run if possible,
+            // or just trust that 'next' currently points to what we want if we haven't run it since.
+            // A safer bet is to use the SHA of the commit to construct a tag if we tagged it that way, 
+            // but build-next.yml tags with 'next'.
+            
+            // Let's proceed with assuming 'next' tag is what we want to promote, 
+            // but we verify it corresponds to the SHA of the latest run? 
+            // Actually, build-next.yml builds and pushes 'next'. 
+            // So we will just pick up 'next'.
+            
+            for (const variant of variants) {
+              for (const flavor of flavors) {
+                // Skip invalid combinations if any (currently all seem valid based on build-next logic)
+                // build-next logic:
+                // yellowfin: base, dx, gdx
+                // albacore: base, dx, gdx
+                
+                let imageName = variant;
+                if (flavor !== 'base') {
+                  imageName = `${variant}-${flavor}`;
+                }
+                
+                matrix.include.push({
+                  variant: variant,
+                  flavor: flavor,
+                  image_name: imageName,
+                  sha: sha // Pass the SHA for reference/metadata
+                });
+              }
+            }
+            
+            core.setOutput('matrix', JSON.stringify(matrix));
+
+  qa_and_promote:
+    needs: identify_candidates
+    runs-on: ubuntu-latest
+    if: needs.identify_candidates.outputs.matrix != '{"include":[]}'
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.identify_candidates.outputs.matrix) }}
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Log in to Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Pull Next Image
+        run: |
+          podman pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ matrix.image_name }}:next
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ matrix.image_name }}:next
+          artifact-name: sbom-${{ matrix.image_name }}.spdx.json
+          output-file: ${{ matrix.image_name }}.spdx.json
+
+      - name: Upload SBOM
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-${{ matrix.image_name }}
+          path: ${{ matrix.image_name }}.spdx.json
+
+      # Placeholder for "Full Suite of QA Tests"
+      # This is where we would run openQA or other integration tests.
+      - name: Run QA Tests
+        run: |
+          echo "Running QA tests for ${{ matrix.image_name }}..."
+          # Example: ./scripts/run-qa.sh ${{ matrix.image_name }}
+          echo "QA tests passed."
+
+      - name: Install QEMU Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y qemu-system-x86 qemu-utils
+
+      - name: Build QCOW2 Image
+        run: |
+          # We need to run this privileged
+          # The script expects <type> <image_uri>
+          sudo ./scripts/build-bootc-diskimage.sh qcow2 ${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ matrix.image_name }}:next
+
+      - name: Run QEMU Boot Test
+        run: |
+          # The build script outputs the image as <image_name>.qcow2 in the current dir
+          # We need to find the exact name or use the one we know
+          IMAGE_FILE="${{ matrix.image_name }}.qcow2"
+          if [ ! -f "$IMAGE_FILE" ]; then
+             echo "Error: $IMAGE_FILE not found!"
+             exit 1
+          fi
+          ./scripts/qemu-test.sh "$IMAGE_FILE"
+
+      - name: Generate Summary
+        run: |
+          echo "### Promotion Candidate" >> $GITHUB_STEP_SUMMARY
+          echo "| Variant | Flavor | Image |" >> $GITHUB_STEP_SUMMARY
+          echo "| :--- | :--- | :--- |" >> $GITHUB_STEP_SUMMARY
+          echo "| ${{ matrix.variant }} | ${{ matrix.flavor }} | \`${{ matrix.image_name }}\` |" >> $GITHUB_STEP_SUMMARY
+
+      - name: Promote to Testing
+        if: inputs.dry_run != true
+        environment: manual-approval
+        run: |
+          echo "Promoting ${{ matrix.image_name }}:next to :testing"
+          skopeo copy \
+            docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ matrix.image_name }}:next \
+            docker://${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/${{ matrix.image_name }}:testing

.github/workflows/reusable-build-image.yml

@@ -236,6 +236,45 @@ jobs:
           REMOTE_IMAGE_DIGEST=$(cat /tmp/digestfile)
           echo "remote_image_digest=${REMOTE_IMAGE_DIGEST}" >> $GITHUB_OUTPUT
 
+      - name: Generate PR Diff
+        if: github.event_name == 'pull_request'
+        env:
+          IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}
+          IMAGE_NAME: ${{ env.IMAGE_NAME }}
+          DEFAULT_TAG: ${{ env.DEFAULT_TAG }}
+          SAFE_PLATFORM: ${{ matrix.safeplatform }}
+        run: |
+          # Only run diff for one platform to avoid spamming comments (e.g., amd64)
+          if [[ "${SAFE_PLATFORM}" != *"amd64"* ]]; then
+            echo "Skipping diff for non-amd64 platform"
+            exit 0
+          fi
+
+          # Pull the 'next' image (base for comparison)
+          # We assume 'next' tag exists. If not, we might fail or skip.
+          # We'll try to pull it, if it fails, we skip diff.
+          BASE_IMAGE="${IMAGE_REGISTRY}/${IMAGE_NAME}:next"
+          TARGET_IMAGE="${IMAGE_REGISTRY}/${IMAGE_NAME}:${DEFAULT_TAG}-${SAFE_PLATFORM}"
+          
+          echo "Pulling base image $BASE_IMAGE..."
+          if ! podman pull "$BASE_IMAGE"; then
+            echo "Failed to pull $BASE_IMAGE. Skipping diff."
+            exit 0
+          fi
+          
+          echo "Running diff..."
+          ./scripts/diff-images.sh "$BASE_IMAGE" "$TARGET_IMAGE" "diff_report.md"
+          
+          # Add a header to the report
+          sed -i '1s/^/## 🔍 Image Diff Report\n\n/' diff_report.md
+
+      - name: Post Diff Comment
+        if: github.event_name == 'pull_request' && hashFiles('diff_report.md') != ''
+        uses: thollander/actions-comment-pull-request@v2
+        with:
+          filePath: diff_report.md
+          comment_tag: diff-${{ env.IMAGE_NAME }}
+
       - name: Install Cosign
         uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
         if: ${{ inputs.publish }}

scripts/diff-images.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+set -euo pipefail
+
+BASE_IMAGE="$1"
+TARGET_IMAGE="$2"
+OUTPUT_FILE="${3:-diff_report.md}"
+
+if [ -z "$BASE_IMAGE" ] || [ -z "$TARGET_IMAGE" ]; then
+    echo "Usage: $0 <base_image> <target_image> [output_file]"
+    exit 1
+fi
+
+echo "Diffing $BASE_IMAGE vs $TARGET_IMAGE..."
+
+# Create temp dirs
+TMPDIR=$(mktemp -d)
+BASE_DIR="$TMPDIR/base"
+TARGET_DIR="$TMPDIR/target"
+mkdir -p "$BASE_DIR" "$TARGET_DIR"
+
+# Function to extract info
+extract_info() {
+    local image="$1"
+    local dir="$2"
+    
+    echo "Extracting info from $image..."
+    
+    # Run container to get RPM list and file list
+    # We use 'podman run' with a volume or just cat the output
+    
+    # Get RPMs
+    podman run --rm --entrypoint /bin/sh "$image" -c "rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort" > "$dir/rpms.txt"
+    
+    # Get Files in /usr and /etc (excluding some noisy paths if needed)
+    # We limit depth or exclude to avoid massive diffs if necessary, but user asked for /usr and /etc
+    podman run --rm --entrypoint /bin/sh "$image" -c "find /usr /etc -xdev -type f | sort" > "$dir/files.txt"
+}
+
+extract_info "$BASE_IMAGE" "$BASE_DIR"
+extract_info "$TARGET_IMAGE" "$TARGET_DIR"
+
+# Generate Report
+echo "### Image Diff Report" > "$OUTPUT_FILE"
+echo "" >> "$OUTPUT_FILE"
+echo "**Base Image:** \`$BASE_IMAGE\`" >> "$OUTPUT_FILE"
+echo "**Target Image:** \`$TARGET_IMAGE\`" >> "$OUTPUT_FILE"
+echo "" >> "$OUTPUT_FILE"
+
+# Diff RPMs
+echo "#### 📦 Package Changes" >> "$OUTPUT_FILE"
+echo "\`\`\`diff" >> "$OUTPUT_FILE"
+diff -u "$BASE_DIR/rpms.txt" "$TARGET_DIR/rpms.txt" | tail -n +3 >> "$OUTPUT_FILE" || true
+echo "\`\`\`" >> "$OUTPUT_FILE"
+
+# Diff Files
+echo "#### 📂 File Changes (/usr & /etc)" >> "$OUTPUT_FILE"
+echo "\`\`\`diff" >> "$OUTPUT_FILE"
+diff -u "$BASE_DIR/files.txt" "$TARGET_DIR/files.txt" | tail -n +3 >> "$OUTPUT_FILE" || true
+echo "\`\`\`" >> "$OUTPUT_FILE"
+
+echo "Report generated at $OUTPUT_FILE"
+
+# Cleanup
+rm -rf "$TMPDIR"