ISSUE-114: Separate OKD build and push phases

.github/actions/build-okd/action.yaml

@@ -25,52 +25,77 @@ inputs:
   token:
     description: Token for the GitHub Container Registry
     required: true
+  cleanup-staging:
+    description: Only run staging registry cleanup (skip build/test/push steps)
+    required: false
+    default: 'false'
 
 runs:
   using: "composite"
   steps:
     - name: Detect the CPU architecture
+      if: ${{ inputs.cleanup-staging != 'true' }}
       id: detect-cpu-arch
       uses: ./.github/actions/arch
 
     - name: Collect debug information before the build
-      if: always()
+      if: ${{ always() && inputs.cleanup-staging != 'true' }}
       uses: ./.github/actions/debug-info
 
     - name: Prepare the build and run environment
+      if: ${{ inputs.cleanup-staging != 'true' }}
       uses: ./.github/actions/prebuild
 
     - name: Login to GitHub Container Registry
+      if: ${{ inputs.cleanup-staging != 'true' }}
       uses: ./.github/actions/podman-login
       with:
         token: ${{ inputs.token }}
 
     - name: Build OKD images
+      if: ${{ inputs.cleanup-staging != 'true' }}
       shell: bash
       run: |
         set -euo pipefail
 
         cd ${GITHUB_WORKSPACE}/
+        # The 'staging' mode builds images locally AND pushes them to staging registry
+        # Staging registry is automatically derived as: $(dirname target-registry)/okd-staging
+        # This allows testing before promoting to production
         TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+          staging \
           "${{ inputs.okd-version-tag }}" \
           "${{ inputs.ushift-gitref }}" \
           "${{ inputs.target-arch }}"
 
-    - name: Build MicroShift RPMs
+    - name: Build MicroShift RPMs using staging OKD images
+      if: ${{ inputs.cleanup-staging != 'true' }}
       shell: bash
       run: |
         # See https://github.com/microshift-io/microshift/blob/main/docs/build.md
         # for more information about the build process.
 
-        # Run the RPM build process.
+        # Run the RPM build process using images from staging registry
+        # Staging registry is derived as: $(dirname target-registry)/okd-staging
         cd ${GITHUB_WORKSPACE}/
+        PRODUCTION_REGISTRY="${{ inputs.target-registry }}"
+        STAGING_REGISTRY="$(dirname "${PRODUCTION_REGISTRY}")/okd-staging"
+
+        # Set the correct architecture-specific variable for staging override
+        if [ "${{ steps.detect-cpu-arch.outputs.go_arch }}" = "arm64" ]; then
+          OKD_OVERRIDE="OKD_RELEASE_IMAGE_AARCH64=${STAGING_REGISTRY}/okd-release-arm64"
+        else
+          OKD_OVERRIDE="OKD_RELEASE_IMAGE_X86_64=${STAGING_REGISTRY}/okd-release-amd64"
+        fi
+
         make rpm \
           USHIFT_GITREF="${{ inputs.ushift-gitref }}" \
           OKD_VERSION_TAG="${{ inputs.okd-version-tag }}" \
-          OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
+          "${OKD_OVERRIDE}" \
           RPM_OUTDIR=/mnt/rpms
 
     - name: Build MicroShift bootc container image
+      if: ${{ inputs.cleanup-staging != 'true' }}
       shell: bash
       run: |
         # See https://github.com/microshift-io/microshift/blob/main/docs/build.md
@@ -84,6 +109,7 @@ runs:
           BOOTC_IMAGE_TAG="${{ inputs.bootc-image-tag }}" \
 
     - name: Run a test to verify that MicroShift is functioning properly
+      if: ${{ inputs.cleanup-staging != 'true' }}
       shell: bash
       run: |
         # See https://github.com/microshift-io/microshift/blob/main/docs/run.md
@@ -97,15 +123,75 @@ runs:
         make run-healthy
         make stop
 
+    - name: Push OKD images to production registry
+      if: ${{ success() && inputs.cleanup-staging != 'true' }}
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        cd ${GITHUB_WORKSPACE}/
+        # Only push to production if all tests passed
+        # This ensures we don't publish broken OKD images to production
+        TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+          production \
+          "${{ inputs.okd-version-tag }}" \
+          "${{ inputs.ushift-gitref }}" \
+          "${{ inputs.target-arch }}"
+
+    - name: Cleanup staging registry
+      if: ${{ inputs.cleanup-staging == 'true' }}
+      shell: bash
+      continue-on-error: true
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+      run: |
+        set -euo pipefail
+
+        # GitHub Container Registry cleanup using gh CLI
+        # Deletes known staging packages
+        echo "Cleaning up staging packages..."
+
+        OWNER="${{ github.repository_owner }}"
+
+        # Detect if owner is an organization or user account
+        if gh api "/orgs/${OWNER}" --silent 2>/dev/null; then
+          OWNER_TYPE="orgs"
+          echo "Detected organization: ${OWNER}"
+        else
+          OWNER_TYPE="users"
+          echo "Detected user account: ${OWNER}"
+        fi
+
+        # Get list of staging packages from the build script
+        cd ${GITHUB_WORKSPACE}/
+        mapfile -t packages < <(./src/okd/build_images.sh list-packages "${{ inputs.okd-version-tag }}")
+
+        # Delete each package
+        for package in "${packages[@]}"; do
+          # URL-encode package name (replace / with %2F)
+          encoded_package="${package//\//%2F}"
+
+          echo "Deleting package: ${package}"
+          # Use appropriate endpoint based on owner type
+          if gh api --method DELETE "/${OWNER_TYPE}/${OWNER}/packages/container/${encoded_package}" \
+             -H "Accept: application/vnd.github+json" 2>&1; then
+            echo "  ✓ Deleted successfully"
+          else
+            echo "  ⚠ Failed to delete (may not exist or already deleted)"
+          fi
+        done
+
+        echo "Staging registry cleanup completed"
+
     # Uncomment this to enable tmate-debug on failure
     # - name: Pause and open tmate debug session
     #   if: failure()
     #   uses: ./.github/actions/tmate-debug
 
     - name: Collect debug information after the build
-      if: always()
+      if: ${{ always() && inputs.cleanup-staging != 'true' }}
       uses: ./.github/actions/debug-info
 
     - name: Collect MicroShift container sos-report on failure
-      if: failure()
+      if: ${{ failure() && inputs.cleanup-staging != 'true' }}
       uses: ./.github/actions/sos-report

.github/workflows/release-okd.yaml

@@ -30,6 +30,11 @@ jobs:
   build-okd-release:
     name: Build OKD release images for ARM
     runs-on: ubuntu-24.04-arm
+    # Export the detected OKD version as a job output so the cleanup job can use
+    # the same version. This prevents version mismatches if the build fails before
+    # version detection completes.
+    outputs:
+      okd-version-tag: ${{ steps.set-version.outputs.okd-version-tag }}
     steps:
       - name: Check out MicroShift upstream repository
         uses: actions/checkout@v4
@@ -42,11 +47,41 @@ jobs:
         with:
           check-amd64: "true"
 
+      # Determine which OKD version to use (user-specified OR auto-detected) and
+      # capture it as a step output so it can be exported as a job output.
+      # This ensures the cleanup job uses the exact same version as the build job,
+      # preventing cleanup from targeting wrong staging images.
+      - name: Set OKD version for reuse
+        id: set-version
+        run: |
+          VERSION="${{ env.OKD_VERSION_TAG != 'latest' && env.OKD_VERSION_TAG || steps.detect-okd-version.outputs.okd-version-tag }}"
+          echo "okd-version-tag=${VERSION}" >> $GITHUB_OUTPUT
+          echo "Using OKD version: ${VERSION}"
+
       - name: Run the OKD release images build action
         uses: ./.github/actions/build-okd
         with:
           ushift-gitref: ${{ env.USHIFT_GITREF }}
-          okd-version-tag: ${{ env.OKD_VERSION_TAG != 'latest' && env.OKD_VERSION_TAG || steps.detect-okd-version.outputs.okd-version-tag }}
+          okd-version-tag: ${{ steps.set-version.outputs.okd-version-tag }}
+          target-arch: arm64
+          target-registry: ${{ env.OKD_TARGET_REGISTRY }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  cleanup-staging:
+    name: Cleanup staging registry
+    needs: build-okd-release
+    if: success() || failure()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out MicroShift upstream repository
+        uses: actions/checkout@v4
+
+      - name: Run cleanup of staging OKD images
+        uses: ./.github/actions/build-okd
+        with:
+          ushift-gitref: ${{ env.USHIFT_GITREF }}
+          okd-version-tag: ${{ needs.build-okd-release.outputs.okd-version-tag }}
           target-arch: arm64
           target-registry: ${{ env.OKD_TARGET_REGISTRY }}
           token: ${{ secrets.GITHUB_TOKEN }}
+          cleanup-staging: 'true'

Makefile

@@ -29,14 +29,9 @@ EXPOSE_KUBEAPI_PORT ?= 1
 
 # Internal variables
 SHELL := /bin/bash
-# Override the default OKD_RELEASE_IMAGE variable based on the architecture
+# OKD release image URLs for different architectures
 OKD_RELEASE_IMAGE_X86_64 ?= quay.io/okd/scos-release
 OKD_RELEASE_IMAGE_AARCH64 ?= ghcr.io/microshift-io/okd/okd-release-arm64
-ifeq ($(ARCH),aarch64)
-OKD_RELEASE_IMAGE ?= $(OKD_RELEASE_IMAGE_AARCH64)
-else
-OKD_RELEASE_IMAGE ?= $(OKD_RELEASE_IMAGE_X86_64)
-endif
 
 RPM_IMAGE := microshift-okd-rpm
 USHIFT_IMAGE := microshift-okd