redhat-developer · gashcrumb · Jun 18, 2026
diff --git a/.github/workflows/export-dynamic.yaml b/.github/workflows/export-dynamic.yaml
diff --git a/.github/workflows/export-workspaces-as-dynamic.yaml b/.github/workflows/export-workspaces-as-dynamic.yaml
@@ -19,13 +19,13 @@ on:
         default: ''
 
       janus-cli-version:
-        description: Version of the janus-idp/cli package.
+        description: Version of @red-hat-developer-hub/cli (legacy input name; defaults to versions.json cli).
         type: string
         required: false
         default: ''
 
       cli-package:
-        description: Alternative CLI package to use for plugin export instead of @janus-idp/cli.
+        description: npm package for plugin export (@red-hat-developer-hub/cli).
         type: string
         required: false
         default: ""
@@ -74,6 +74,44 @@ on:
         type: string
         required: false
 
+      force-export:
+        description: >
+          Export all plugins even when unchanged since last-publish-commit.
+          Recommended for fork smoke tests (with publish-container true).
+        type: boolean
+        required: false
+        default: false
+
+      skip-metadata-validation:
+        description: >
+          Skip catalog metadata validation. When false, validation runs in compile
+          and a gate job fails the workflow after OCI publish.
+        type: boolean
+        required: false
+        default: false
+
+      export-builder-ghcr-image:
+        description: >
+          ghcr.io image base for export-builder (without `:ubi9-node<N>` tag).
+          Default is the upstream Red Hat image; fork smoke tests should override.
+        type: string
+        required: false
+        default: ghcr.io/redhat-developer/rhdh-plugin-export-utils/export-builder
+
+      export-utils-repository:
+        description: >
+          Repository containing export-utils scripts (publish job checkout).
+          Defaults to upstream; fork smoke tests should pass owner/name of the fork repo.
+        type: string
+        required: false
+        default: redhat-developer/rhdh-plugin-export-utils
+
+      export-utils-ref:
+        description: Git ref of export-utils for publish script checkout and same-repo workflow calls
+        type: string
+        required: false
+        default: main
+
     outputs:
       published-exports:
         value: '${{ jobs.export.outputs.published-exports }}'
@@ -92,7 +130,7 @@ on:
       metadata-validation-error-count:
         description: Number of metadata validation errors found
         value: '${{ jobs.export.outputs.metadata-validation-error-count }}'
-        
+
 jobs:
   prepare:
     runs-on: ubuntu-latest
@@ -103,6 +141,8 @@ jobs:
       janus-cli-version: ${{ steps.set-env-vars.outputs.JANUS_CLI_VERSION }}
       cli-package: ${{ steps.set-env-vars.outputs.CLI_PACKAGE }}
       backstage-version: ${{ steps.set-env-vars.outputs.BACKSTAGE_VERSION }}
+      export-builder-image: ${{ steps.set-env-vars.outputs.EXPORT_BUILDER_IMAGE }}
+      cli-caller: ${{ steps.set-env-vars.outputs.CLI_CALLER }}
       workspaces: ${{ steps.gather-workspaces.outputs.workspaces }}
       overlay-repo-ref: ${{ steps.set-overlay-repo-ref.outputs.OVERLAY_REPO_REF }}
       overlay-repo: ${{ steps.set-overlay-repo.outputs.OVERLAY_REPO }}
@@ -123,24 +163,27 @@ jobs:
         id: set-overlay-repo-ref
         env:
           INPUT_OVERLAY_BRANCH: ${{ inputs.overlay-branch }}
+          HEAD_REF: ${{ github.head_ref }}
+          REF_NAME: ${{ github.ref_name }}
         run: |
           if [[ "${INPUT_OVERLAY_BRANCH}" != "" ]]
           then
             echo "OVERLAY_REPO_REF=${INPUT_OVERLAY_BRANCH}" >> $GITHUB_OUTPUT
           else
-            echo "OVERLAY_REPO_REF=${{ github.head_ref || github.ref_name }}" >> $GITHUB_OUTPUT
+            echo "OVERLAY_REPO_REF=${HEAD_REF:-${REF_NAME}}" >> $GITHUB_OUTPUT
           fi
 
       - name: Set overlay_repo
         id: set-overlay-repo
         env:
           INPUT_OVERLAY_REPO: ${{ inputs.overlay-repo }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           if [[ "${INPUT_OVERLAY_REPO}" != "" ]]
           then
             echo "OVERLAY_REPO=${INPUT_OVERLAY_REPO}" >> $GITHUB_OUTPUT
           else
-            echo "OVERLAY_REPO=${{ github.repository }}" >> $GITHUB_OUTPUT
+            echo "OVERLAY_REPO=${GITHUB_REPOSITORY}" >> $GITHUB_OUTPUT
           fi
 
       - name: Checkout overlay repository
@@ -156,21 +199,52 @@ jobs:
           INPUT_NODE_VERSION: ${{ inputs.node-version }}
           INPUT_JANUS_CLI_VERSION: ${{ inputs.janus-cli-version }}
           INPUT_CLI_PACKAGE: ${{ inputs.cli-package }}
+          EXPORT_BUILDER_GHCR_IMAGE: ${{ inputs.export-builder-ghcr-image }}
         run: |
           versions=$(cat versions.json)
 
           NODE_VERSION=$(echo ${versions} | jq -r "if (\"${INPUT_NODE_VERSION}\" == \"\") then (.node // \"20.x\") else \"${INPUT_NODE_VERSION}\" end")
           echo "NODE_VERSION=${NODE_VERSION}" >> $GITHUB_OUTPUT
 
-          JANUS_CLI_VERSION=$(echo ${versions} | jq -r "if (\"${INPUT_JANUS_CLI_VERSION}\" == \"\") then (.cli // \"^3.0.0\") else \"${INPUT_JANUS_CLI_VERSION}\" end")
+          JANUS_CLI_VERSION=$(echo ${versions} | jq -r "if (\"${INPUT_JANUS_CLI_VERSION}\" == \"\") then (.cli // \"^1.8.5\") else \"${INPUT_JANUS_CLI_VERSION}\" end")
           echo "JANUS_CLI_VERSION=$JANUS_CLI_VERSION" >> $GITHUB_OUTPUT
 
-          CLI_PACKAGE=$(echo ${versions} | jq -r "if (\"${INPUT_CLI_PACKAGE}\" == \"\") then (.\"cliPackage\" // \"@janus-idp/cli\") else \"${INPUT_CLI_PACKAGE}\" end")
+          CLI_PACKAGE=$(echo ${versions} | jq -r "if (\"${INPUT_CLI_PACKAGE}\" == \"\") then (.\"cliPackage\" // \"@red-hat-developer-hub/cli\") else \"${INPUT_CLI_PACKAGE}\" end")
           echo "CLI_PACKAGE=$CLI_PACKAGE" >> $GITHUB_OUTPUT
 
           BACKSTAGE_VERSION=$(echo ${versions} | jq -r ".backstage")
           echo "BACKSTAGE_VERSION=$BACKSTAGE_VERSION" >> $GITHUB_OUTPUT
 
+          node_major=$(echo "${NODE_VERSION}" | cut -d. -f1)
+          EXPORT_BUILDER_IMAGE="${EXPORT_BUILDER_GHCR_IMAGE}:ubi9-node${node_major}"
+          echo "EXPORT_BUILDER_IMAGE=${EXPORT_BUILDER_IMAGE}" >> $GITHUB_OUTPUT
+
+          CLI_CALLER="/opt/rhdh-cli/${JANUS_CLI_VERSION}/bin/rhdh-cli"
+          echo "CLI_CALLER=${CLI_CALLER}" >> $GITHUB_OUTPUT
+
+      - name: Log export toolchain
+        env:
+          NODE_VERSION: ${{ steps.set-env-vars.outputs.NODE_VERSION }}
+          CLI_PACKAGE: ${{ steps.set-env-vars.outputs.CLI_PACKAGE }}
+          JANUS_CLI_VERSION: ${{ steps.set-env-vars.outputs.JANUS_CLI_VERSION }}
+          EXPORT_BUILDER_IMAGE: ${{ steps.set-env-vars.outputs.EXPORT_BUILDER_IMAGE }}
+          CLI_CALLER: ${{ steps.set-env-vars.outputs.CLI_CALLER }}
+          BUILDER_GHCR_BASE: ${{ inputs.export-builder-ghcr-image }}
+        run: |
+          cat >> "$GITHUB_STEP_SUMMARY" <<EOF
+          ### Export toolchain
+
+          | Setting | Value |
+          |---------|-------|
+          | Node (versions.json) | \`${NODE_VERSION}\` |
+          | CLI | \`${CLI_PACKAGE}@${JANUS_CLI_VERSION}\` |
+          | Builder image | \`${EXPORT_BUILDER_IMAGE}\` |
+          | CLI in image | \`${CLI_CALLER}\` |
+
+          Builder base: \`${BUILDER_GHCR_BASE}\` (tag \`ubi9-node<major>\`).
+          Rebuild via [\`publish-export-builder.yaml\`](https://github.com/redhat-developer/rhdh-plugin-export-utils/blob/main/.github/workflows/publish-export-builder.yaml) when \`versions.json\` \`node\` or \`cli\` changes.
+          EOF
+
       - name: Install semver
         run: npm install semver -g
 
@@ -182,8 +256,10 @@ jobs:
           OVERLAY_REPO: ${{ steps.set-overlay-repo.outputs.OVERLAY_REPO }}
           OVERLAY_REPO_REF: ${{ steps.set-overlay-repo-ref.outputs.OVERLAY_REPO_REF }}
           TARGET_BACKSTAGE_VERSION: ${{ steps.set-env-vars.outputs.BACKSTAGE_VERSION }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          HEAD_REF: ${{ github.head_ref }}
         run: |
-          if [[ "${OVERLAY_REPO}" != "${{ github.repository }}" ]]; then
+          if [[ "${OVERLAY_REPO}" != "${GITHUB_REPOSITORY}" ]]; then
             echo "Exporting overlay workspaces from branch \`${OVERLAY_REPO_REF}\` of repository \`${OVERLAY_REPO}\`"
           else
             echo "Exporting overlay workspaces from branch \`${OVERLAY_REPO_REF}\`"
@@ -194,9 +270,9 @@ jobs:
           if [[ "${INPUT_WORKSPACE_PATH}" != "" ]]
           then
             workspacePath="${INPUT_WORKSPACE_PATH}"
-          elif [[ "${{ github.head_ref }}" == "workspaces/"* ]]
+          elif [[ -n "${HEAD_REF}" && "${HEAD_REF}" == workspaces/* ]]
           then
-            workspacePath="$(echo '${{ github.head_ref }}' | sed -e 's:workspaces/[^_]*__\(.*\)$:workspaces/\1:')"
+            workspacePath="$(echo "${HEAD_REF}" | sed -e 's:workspaces/[^_]*__\(.*\)$:workspaces/\1:')"
           fi
 
           json=$(
@@ -250,7 +326,7 @@ jobs:
   export:
     name: Export ${{ matrix.workspace.overlay-root }}
     needs: prepare
-    uses: redhat-developer/rhdh-plugin-export-utils/.github/workflows/export-dynamic.yaml@main
+    uses: ./.github/workflows/export-dynamic.yaml
     strategy:
       fail-fast: false
       matrix:
@@ -274,7 +350,13 @@ jobs:
       computed-image-tag-prefix: ${{ matrix.workspace.computed-image-tag-prefix }}
       target-backstage-version: ${{ needs.prepare.outputs.backstage-version }}
       last-publish-commit: ${{ inputs.last-publish-commit }}
-      image-registry-user: ${{ inputs.image-registry-user }}
+      force-export: ${{ inputs.force-export }}
+      skip-metadata-validation: ${{ inputs.skip-metadata-validation }}
+      image-registry-user: ${{ inputs.image-registry-user != '' && inputs.image-registry-user || github.actor }}
+      export-builder-image: ${{ needs.prepare.outputs.export-builder-image }}
+      cli-caller: ${{ needs.prepare.outputs.cli-caller }}
+      export-utils-repository: ${{ inputs.export-utils-repository }}
+      export-utils-ref: ${{ inputs.export-utils-ref }}
 
     secrets:
       image-registry-password: ${{ secrets.image-registry-password }}

diff --git a/.github/workflows/publish-export-builder.yaml b/.github/workflows/publish-export-builder.yaml
@@ -0,0 +1,146 @@
+name: Publish export builder image
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - build/**
+      - scripts/generate-export-builder-config.sh
+      - .github/workflows/publish-export-builder.yaml
+  schedule:
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+    inputs:
+      overlay-branches:
+        description: Comma-separated overlay branches to read versions.json from
+        required: false
+        default: main,release-1.10,release-1.9
+
+# ghcr.io/${{ github.repository }}/export-builder — same image family as EXPORT_BUILDER_GHCR_IMAGE
+# in export-workspaces-as-dynamic.yaml (hardcoded there because reusable workflows use caller context).
+env:
+  EXPORT_BUILDER_IMAGE_NAME: export-builder
+
+jobs:
+  generate-config:
+    name: Generate builder config
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    outputs:
+      node-majors: ${{ steps.generate.outputs.node-majors }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Generate export-builder manifests
+        id: generate
+        env:
+          GH_TOKEN: ${{ github.token }}
+          OVERLAY_BRANCHES: ${{ inputs.overlay-branches || 'main,release-1.10,release-1.9' }}
+        run: |
+          bash scripts/generate-export-builder-config.sh
+          node_majors=$(jq -c '.nodeMajors' build/generated/builder-matrix.json)
+          echo "node-majors=${node_majors}" >> "$GITHUB_OUTPUT"
+
+  publish:
+    name: Build export-builder ubi9-node${{ matrix.node-major }}
+    needs: generate-config
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        node-major: ${{ fromJSON(needs.generate-config.outputs.node-majors) }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Restore generated builder config
+        env:
+          GH_TOKEN: ${{ github.token }}
+          OVERLAY_BRANCHES: ${{ inputs.overlay-branches || 'main,release-1.10,release-1.9' }}
+        run: |
+          bash scripts/generate-export-builder-config.sh
+
+      - name: Set Node.js base image
+        id: node-base
+        env:
+          NODE_MAJOR: ${{ matrix.node-major }}
+        run: |
+          case "${NODE_MAJOR}" in
+            22)
+              echo "image=registry.access.redhat.com/ubi9/nodejs-22:latest" >> "$GITHUB_OUTPUT"
+              ;;
+            24)
+              echo "image=registry.access.redhat.com/ubi9/nodejs-24:1781010361@sha256:1938804c6eb623798504f7940bac7f09ca18766f62ce8b80353514a839e58426" >> "$GITHUB_OUTPUT"
+              ;;
+            *)
+              echo "Unsupported node major: ${NODE_MAJOR}" >&2
+              exit 1
+              ;;
+          esac
+
+      - name: Log in to ghcr.io
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build export builder image
+        id: build
+        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
+        with:
+          image: ${{ env.EXPORT_BUILDER_IMAGE_NAME }}
+          tags: |
+            ghcr.io/${{ github.repository }}/${{ env.EXPORT_BUILDER_IMAGE_NAME }}:ubi9-node${{ matrix.node-major }}
+            ghcr.io/${{ github.repository }}/${{ env.EXPORT_BUILDER_IMAGE_NAME }}:${{ github.sha }}-node${{ matrix.node-major }}
+          containerfiles: build/containerfiles/export-builder.Containerfile
+          build-args: |
+            NODE_MAJOR=${{ matrix.node-major }}
+            NODEJS_BASE_IMAGE=${{ steps.node-base.outputs.image }}
+
+      - name: Push export builder image
+        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2.8
+        with:
+          image: ${{ steps.build.outputs.image }}
+          tags: ${{ steps.build.outputs.tags }}
+          registry: ghcr.io/${{ github.repository }}
+
+  publish-ubi9-alias:
+    name: Tag ubi9 alias to ubi9-node24
+    needs:
+      - generate-config
+      - publish
+    if: contains(fromJSON(needs.generate-config.outputs.node-majors), 24)
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Install buildah
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq buildah
+
+      - name: Log in to ghcr.io
+        uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1.7
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Retag ubi9-node24 as ubi9
+        env:
+          GHCR_REPO: ghcr.io/${{ github.repository }}/${{ env.EXPORT_BUILDER_IMAGE_NAME }}
+        run: |
+          src="${GHCR_REPO}:ubi9-node24"
+          dst="${GHCR_REPO}:ubi9"
+          buildah pull "${src}"
+          buildah tag "${src}" "${dst}"
+          buildah push "${dst}"