From 9a4f1e34bc00c7379b1daaac34e8b538ab0c47e3 Mon Sep 17 00:00:00 2001 From: Benjamin Sherman Date: Thu, 14 Mar 2024 09:19:43 -0500 Subject: [PATCH] chore(ci): fix version inspection handling and add retry (#126) Fixed a bug with the skopeo version inspection and ensure that it will now fail jobs if the result is invalid. Added retry logic to version inspection, pulling base image, pushing to ghcr. --- .github/workflows/reusable-build.yml | 113 +++++++++++++++++++++------ 1 file changed, 87 insertions(+), 26 deletions(-) diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml index 07bbe6d..0859880 100644 --- a/.github/workflows/reusable-build.yml +++ b/.github/workflows/reusable-build.yml @@ -7,7 +7,7 @@ on: required: true type: string env: - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} jobs: workflow_info: 
@@ -34,20 +34,37 @@ jobs: name: Get Stream Info runs-on: ubuntu-latest outputs: - linux: ${{ steps.fetch.outputs.linux }} - version: ${{ steps.fetch.outputs.version }} + linux: ${{ fromJSON(steps.fetch.outputs.outputs).linux }} + version: ${{ fromJSON(steps.fetch.outputs.outputs).version }} steps: - name: Fetch CoreOS stream versions id: fetch - run: | - skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json - linux=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) - echo "linux=$linux" >> $GITHUB_OUTPUT - version=$(jq -r '.["Labels"]["version"]' inspect.json) - echo "version=$version" >> $GITHUB_OUTPUT + uses: Wandalen/wretry.action@v1.4.5 + with: + attempt_limit: 3 + attempt_delay: 15000 + command: | + set -eo pipefail + + skopeo inspect docker://quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} > inspect.json + + linux=$(jq -r '.["Labels"]["ostree.linux"]' inspect.json) + if [ -z "$linux" ] || [ "null" = "$linux" ]; then + echo "inspected linux version must not be empty or null" + exit 1 + fi + + version=$(jq -r '.["Labels"]["org.opencontainers.image.version"]' inspect.json) + if [ -z "$version" ] || [ "null" = "$version" ]; then + echo "inspected image version must not be empty or null" + exit 1 + fi + + echo "linux=$linux" >> $GITHUB_OUTPUT + echo "version=$version" >> $GITHUB_OUTPUT - name: Echo outputs run: | - echo "${{ toJSON(steps.fetch.outputs) }}" + echo "${{ steps.fetch.outputs.outputs }}" build_fcos: name: fedora-coreos @@ -79,6 +96,14 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 + - name: Verify version + shell: bash + run: | + if [ -z "${{ matrix.image_version }}" ] || [ "null" = "${{ matrix.image_version }}" ]; then + echo "matrix.image_version must not be empty or null" + exit 1 + fi + - name: Generate tags id: generate-tags shell: bash 
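Review bot: The `Echo outputs` step expands `${{ steps.fetch.outputs.outputs }}` directly into the script text, so the JSON built from the inspected image labels is parsed by the shell instead of being printed as data. Its double quotes close the `echo "..."` string, and a `$(...)` or backtick inside a label value would be evaluated on the runner. Passing the value through the environment avoids this: add `env:` with `FETCH_OUTPUTS: ${{ steps.fetch.outputs.outputs }}` to the step and use `echo "$FETCH_OUTPUTS"` in `run`. The `Verify version` steps added at `@@ -79,6 +96,14 @@` and `@@ -237,6 +276,14 @@` interpolate `${{ matrix.image_version }}` into `[ -z "..." ]` in the same way and would benefit from the same change.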
@@ -129,6 +154,16 @@ jobs: org.opencontainers.image.title=${{ matrix.image_name }} org.opencontainers.image.version=${{ matrix.image_version }} + - name: Pull base image + uses: Wandalen/wretry.action@v1.4.5 + with: + attempt_limit: 3 + attempt_delay: 15000 + command: | + # pull the base image used for FROM in containerfile so + # we can retry on that unfortunately common failure case + podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} + # Build image using Buildah action - name: Build Image id: build_image @@ -158,20 +193,24 @@ jobs: # Push the image to GHCR (Image Registry) - name: Push To GHCR - uses: redhat-actions/push-to-registry@v2 + uses: Wandalen/wretry.action@v1.4.5 id: push if: github.event_name != 'pull_request' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust + action: redhat-actions/push-to-registry@v2 + attempt_limit: 3 + attempt_delay: 15000 + with: | + image: ${{ steps.build_image.outputs.image }} + tags: ${{ steps.build_image.outputs.tags }} + registry: ${{ steps.registry_case.outputs.lowercase }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + extra-args: | + --disable-content-trust - name: Login to GitHub Container Registry uses: docker/login-action@v3 @@ -237,6 +276,14 @@ jobs: - name: Checkout Push to Registry action uses: actions/checkout@v4 + - name: Verify version + shell: bash + run: | + if [ -z "${{ matrix.image_version }}" ] || [ "null" = "${{ matrix.image_version }}" ]; then + echo "matrix.image_version must not be empty or null" + exit 1 + fi + - name: Generate tags id: generate-tags shell: bash 
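Review bot: `podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }}` resolves the tag a second time, independently of the `skopeo inspect` in the stream-info job. If the tag moves between the two, the image that gets built may not be the one whose `ostree.linux` and `org.opencontainers.image.version` labels were recorded. Consider also reading `.Digest` from `inspect.json`, exporting it as a job output, and pulling `quay.io/fedora/fedora-coreos@<digest>` here so the label check and the build refer to the same content. The Containerfile's `FROM` is not part of this diff, so whether it can consume a digest reference needs to be confirmed. The same step is added again in the hunk at `@@ -291,6 +338,16 @@`.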
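Review bot: `REGISTRY_PASSWORD` (the `github.token`) is now handed to `Wandalen/wretry.action@v1.4.5` inside the `with: |` string, and that wrapper is referenced by a tag, which its owner can repoint to different code. Pinning the wrapper to a full commit SHA keeps the code that handles the token fixed, e.g. `uses: Wandalen/wretry.action@<full-commit-sha> # v1.4.5`. The same reference is used by the fetch and `Pull base image` steps and by the second `Push To GHCR` hunk at `@@ -322,20 +379,24 @@`. The job's `permissions` block is not visible in this diff; it is worth confirming that it limits the token to what the push needs.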
@@ -291,6 +338,16 @@ jobs: org.opencontainers.image.title=${{ matrix.image_base }}${{ matrix.image_suffix }} org.opencontainers.image.version=${{ matrix.image_version }} + - name: Pull base image + uses: Wandalen/wretry.action@v1.4.5 + with: + attempt_limit: 3 + attempt_delay: 15000 + command: | + # pull the base image used for FROM in containerfile so + # we can retry on that unfortunately common failure case + podman pull quay.io/fedora/fedora-coreos:${{ inputs.coreos_version }} + # Build image using Buildah action - name: Build Image id: build_image @@ -322,20 +379,24 @@ jobs: # Push the image to GHCR (Image Registry) - name: Push To GHCR - uses: redhat-actions/push-to-registry@v2 + uses: Wandalen/wretry.action@v1.4.5 id: push if: github.event_name != 'pull_request' env: REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} - registry: ${{ steps.registry_case.outputs.lowercase }} - username: ${{ env.REGISTRY_USER }} - password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust + action: redhat-actions/push-to-registry@v2 + attempt_limit: 3 + attempt_delay: 15000 + with: | + image: ${{ steps.build_image.outputs.image }} + tags: ${{ steps.build_image.outputs.tags }} + registry: ${{ steps.registry_case.outputs.lowercase }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + extra-args: | + --disable-content-trust - name: Login to GitHub Container Registry uses: docker/login-action@v3