ISSUE-114: Separate OKD build and push phases

.github/actions/build-okd/action.yaml

@@ -45,29 +45,46 @@ runs:
       with:
         token: ${{ inputs.token }}
 
-    - name: Build OKD images
+    - name: Build and push OKD images to staging registry
       shell: bash
       run: |
         set -euo pipefail
 
         cd ${GITHUB_WORKSPACE}/
+        # The 'staging' mode builds images locally AND pushes them to staging registry
+        # Staging registry is automatically derived as: $(dirname target-registry)/okd-staging
+        # This allows testing before promoting to production
         TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+          staging \
           "${{ inputs.okd-version-tag }}" \
           "${{ inputs.ushift-gitref }}" \
           "${{ inputs.target-arch }}"
 
-    - name: Build MicroShift RPMs
+    - name: Build MicroShift RPMs using staging OKD images
       shell: bash
       run: |
         # See https://github.com/microshift-io/microshift/blob/main/docs/build.md
         # for more information about the build process.
 
-        # Run the RPM build process.
+        # Run the RPM build process using images from staging registry
+        # Staging registry is derived as: $(dirname target-registry)/okd-staging
         cd ${GITHUB_WORKSPACE}/
+        PRODUCTION_REGISTRY="${{ inputs.target-registry }}"
+        STAGING_REGISTRY="$(dirname "${PRODUCTION_REGISTRY}")/okd-staging"
+
+        # Set the correct architecture-specific variable for staging override
+        if [ "${{ inputs.target-arch }}" = "arm64" ]; then
+          OKD_OVERRIDE="OKD_RELEASE_IMAGE_AARCH64=${STAGING_REGISTRY}/okd-release-arm64"
+        elif [ "${{ inputs.target-arch }}" = "amd64" ]; then
+          OKD_OVERRIDE="OKD_RELEASE_IMAGE_X86_64=${STAGING_REGISTRY}/okd-release-amd64"
+        else
+          echo "ERROR: Unsupported target-arch: ${{ inputs.target-arch }}" ; exit 1
+        fi
+
         make rpm \
           USHIFT_GITREF="${{ inputs.ushift-gitref }}" \
           OKD_VERSION_TAG="${{ inputs.okd-version-tag }}" \
-          OKD_RELEASE_IMAGE="${{ inputs.target-registry }}/okd-release-${{ steps.detect-cpu-arch.outputs.go_arch }}" \
+          "${OKD_OVERRIDE}" \
           RPM_OUTDIR=/mnt/rpms
 
     - name: Build MicroShift bootc container image
@@ -97,6 +114,21 @@ runs:
         make run-healthy
         make stop
 
+    - name: Push OKD images to production registry
+      if: success()
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        cd ${GITHUB_WORKSPACE}/
+        # Only push to production if all tests passed
+        # This ensures we don't publish broken OKD images to production
+        TARGET_REGISTRY="${{ inputs.target-registry }}" ./src/okd/build_images.sh \
+          production \
+          "${{ inputs.okd-version-tag }}" \
+          "${{ inputs.ushift-gitref }}" \
+          "${{ inputs.target-arch }}"
+
     # Uncomment this to enable tmate-debug on failure
     # - name: Pause and open tmate debug session
     #   if: failure()

.github/actions/cleanup-okd/action.yaml

@@ -0,0 +1,57 @@
+name: cleanup-okd-staging
+description: Cleanup staging OKD images from the container registry
+
+inputs:
+  okd-version-tag:
+    description: OKD version tag from https://quay.io/repository/okd/scos-release?tab=tags
+    required: true
+  token:
+    description: Token for the GitHub Container Registry
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Cleanup staging registry
+      shell: bash
+      continue-on-error: true
+      env:
+        GH_TOKEN: ${{ inputs.token }}
+      run: |
+        set -euo pipefail
+
+        # GitHub Container Registry cleanup using gh CLI
+        # Deletes known staging packages
+        echo "Cleaning up staging packages..."
+
+        OWNER="${{ github.repository_owner }}"
+
+        # Detect if owner is an organization or user account
+        if gh api "/orgs/${OWNER}" --silent 2>/dev/null; then
+          OWNER_TYPE="orgs"
+          echo "Detected organization: ${OWNER}"
+        else
+          OWNER_TYPE="users"
+          echo "Detected user account: ${OWNER}"
+        fi
+
+        # Get list of staging packages from the build script
+        cd "${GITHUB_WORKSPACE}"
+        mapfile -t packages < <(./src/okd/build_images.sh list-packages "${{ inputs.okd-version-tag }}")
+
+        # Delete each package
+        for package in "${packages[@]}"; do
+          # URL-encode package name (replace / with %2F)
+          encoded_package="${package//\//%2F}"
+
+          echo "Deleting package: ${package}"
+          # Use appropriate endpoint based on owner type
+          if gh api --method DELETE "/${OWNER_TYPE}/${OWNER}/packages/container/${encoded_package}" \
+             -H "Accept: application/vnd.github+json" 2>&1; then
+            echo "  ✓ Deleted successfully"
+          else
+            echo "  ⚠ Failed to delete (may not exist or already deleted)"
+          fi
+        done
+
+        echo "Staging registry cleanup completed"

.github/workflows/release-okd.yaml

@@ -31,6 +31,11 @@ jobs:
     name: Build OKD release images for ARM
     if: github.event_name != 'schedule' || github.repository == 'microshift-io/microshift'
     runs-on: ubuntu-24.04-arm
+    # Export the detected OKD version as a job output so the cleanup job can use
+    # the same version. This prevents version mismatches if the build fails before
+    # version detection completes.
+    outputs:
+      okd-version-tag: ${{ steps.set-version.outputs.okd-version-tag }}
     steps:
       - name: Check out MicroShift upstream repository
         uses: actions/checkout@v4
@@ -43,11 +48,37 @@ jobs:
         with:
           check-amd64: "true"
 
+      # Determine which OKD version to use (user-specified OR auto-detected) and
+      # capture it as a step output so it can be exported as a job output.
+      # This ensures the cleanup job uses the exact same version as the build job,
+      # preventing cleanup from targeting wrong staging images.
+      - name: Set OKD version for reuse
+        id: set-version
+        run: |
+          VERSION="${{ env.OKD_VERSION_TAG != 'latest' && env.OKD_VERSION_TAG || steps.detect-okd-version.outputs.okd-version-tag }}"
+          echo "okd-version-tag=${VERSION}" >> $GITHUB_OUTPUT
+          echo "Using OKD version: ${VERSION}"
+
       - name: Run the OKD release images build action
         uses: ./.github/actions/build-okd
         with:
           ushift-gitref: ${{ env.USHIFT_GITREF }}
-          okd-version-tag: ${{ env.OKD_VERSION_TAG != 'latest' && env.OKD_VERSION_TAG || steps.detect-okd-version.outputs.okd-version-tag }}
+          okd-version-tag: ${{ steps.set-version.outputs.okd-version-tag }}
           target-arch: arm64
           target-registry: ${{ env.OKD_TARGET_REGISTRY }}
           token: ${{ secrets.GITHUB_TOKEN }}
+
+  cleanup-staging:
+    name: Cleanup staging registry
+    needs: build-okd-release
+    if: (success() || failure()) && needs.build-okd-release.outputs.okd-version-tag != ''
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out MicroShift upstream repository
+        uses: actions/checkout@v4
+
+      - name: Run cleanup of staging OKD images
+        uses: ./.github/actions/cleanup-okd
+        with:
+          okd-version-tag: ${{ needs.build-okd-release.outputs.okd-version-tag }}
+          token: ${{ secrets.GITHUB_TOKEN }}

Makefile

@@ -29,14 +29,9 @@ EXPOSE_KUBEAPI_PORT ?= 1
 
 # Internal variables
 SHELL := /bin/bash
-# Override the default OKD_RELEASE_IMAGE variable based on the architecture
+# OKD release image URLs for different architectures
 OKD_RELEASE_IMAGE_X86_64 ?= quay.io/okd/scos-release
 OKD_RELEASE_IMAGE_AARCH64 ?= ghcr.io/microshift-io/okd/okd-release-arm64
-ifeq ($(ARCH),aarch64)
-OKD_RELEASE_IMAGE ?= $(OKD_RELEASE_IMAGE_AARCH64)
-else
-OKD_RELEASE_IMAGE ?= $(OKD_RELEASE_IMAGE_X86_64)
-endif
 
 RPM_IMAGE := microshift-okd-rpm
 USHIFT_IMAGE := microshift-okd