[CI:DOCS] Add github-action workflow to build/push multi-arch

[cevich]

Fixes #4773

This borrows very heavily from the work done for buildah by @barthy1 -
Yulia Gaponenko [email protected]. Some changes to code and
comments made for clarity and specificity.

Ref:

• https://quay.io/repository/podman/stable?tab=tags
• https://quay.io/repository/podman/testing?tab=tags
• https://quay.io/repository/podman/upstream?tab=tags
• https://quay.io/repository/containers/podman?tab=tags

[cevich]

@barthy1 @rhatdan @TomSweeneyRedHat PTAL this is ready. I've tested the image-building part up to the point of pushing. However due to github action security, the username/password secrets are not accessible from a PR. So I'll keep an eye on this after it merges, to make sure the image push happens as intended.

[cevich]

Q: Should I migrate c/skopeo to use github actions (similar to this and c/buildah) instead of travis?

Assuming so, rather than duplicate substantially the same operations x3 repos., I'd like to make a single "composite-action". This can then be reused instead of being duplicated. It's a bit more work up-front, but will ease the maintenance burden long-term.

[rhatdan]

/approve
LGTM

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cevich, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

@edsantiago @TomSweeneyRedHat PTAL

[cevich]

@TomSweeneyRedHat I can take care of disabling the auto-builds on quay. Do you have anything related running under cron that needs to be turned off so we don't get clashes?

[edsantiago]

I'm not qualified to review this, I know nothing about github actions, but I've done the best I can and have a few suggestions.

[edsantiago]

cat-without-args tends to raise eyebrows. Is the intention here to display those values to stdout, perhaps for an output log?

Also, I had to look up $GITHUB_ENV, so I'm not entirely sure what it is or how it works, but shouldn't this be tee -a to prevent an existing file from getting clobbered?

[cevich]

It should raise eyebrows...(unfortunately) like many other aspects, this construct is idiomatic to github-actions ☹️ That's why I dropped the docs URL comment, and I'm glad that found some use already 😃

The file never exists, the step is suppose to create it to that triggers parsing of the contents. The echo '::set-output name=foo::bar' idiom only works for a simple single-line value (because reasons). There's no other way to pass a multi-line value to subsequent actions (i.e. docker/build-push-action@v2). This is the best M$ GitHub could come up with 😖

In buildah, the matching step uses a simple here-document redirect to a file. As you guessed, that means no record of the value shows in the logs. This is/was hiding an actual bug. I only discovered it by manually doing a skopeo inspect on one of the images 😠 So I changed it here to use tee and make it show up in the logs to prevent future headaches.

TBH I'm not sure how to make this section any clearer, it's kind of broken by the workflow "language" design 😢

[cevich]

Here's an example of the log output from this section as-is.

[edsantiago]

I've tried twice to understand that, and failed. But it's not important, I don't really need to understand it. My point is: all the github examples use >> (append). In the line above, you use tee (clobber), not tee -a (append). This is inconsistent with the examples documented in github.com itself, and could potentially overwrite something important, so I wanted to make sure that your use is deliberate.

[cevich]

Thanks for taking a look @edsantiago, I implemented all your suggestions save for the stupid here-document hack 🤕

[cevich]

force-push, updated URL to be even more specific re: here-document hack.

[cevich]

force-pushed - found & fixed a comment typo.

[edsantiago]

/lgtm
/hold

Please review my concern re: clobbering the $GITHUB_ENV file. If clobbering is ok, feel free to release the hold.

[cevich]

Please review my concern re: clobbering the $GITHUB_ENV file. If clobbering is ok, feel free to release the hold.

Yes, clobbering is intentional (and required). I was about to go and beef up the commenting on this just now...but this usage really is idiomatic to github actions workflow. Everybody would need to add comments when using this method to set multi-line env. vars. Have I mentioned how stupid I think this design is?

[cevich]

Dug up more history and info. First off, this workflow "feature" is a response to a security vulnerability. Second, I confirmed $GITHUB_ENV always points at a per-step temporary file. The file is intended for this specific purpose. Though they don't seem to mention or deal with the case of a value itself containing the \n<FOO>=<BAR>\n string (pattern) 😖 So really, to be safe this file must only/always ever be used to set one value. Otherwise it would be impossible to spot this nested-token design defect. Have I mentioned how stupid I think this is?

[cevich]

/hold cancel

[cevich]

Executed first run manually against master.