Improve & rename main build-push script.

This script orchestrates running of the actual `build_push.sh` script,
on behalf of various github containers-org repos.  Rename it to better
reflect that purpose.

Change behavior WRT first argument (git repo. URL) to shallow-clone the
repo into a temporary directory.

Remove the auto-update library in anticipation of executing builds from
Cirrus-cron in this (automation_images) repo.  Given encrypted secrets
are protected by execution context and actor.

Update labeling to also annotate the images, since newer tooling prefers
annotations but older tools only support labels.

Signed-off-by: Chris Evich <cevich@redhat.com>

IMG_SFX

@@ -1 +1 @@
-20230822t185743z-f38f37d13
+20230914t194450z-f38f37d13

build-push/.install.sh

@@ -22,5 +22,4 @@ source "$AUTOMATION_LIB_PATH/common_lib.sh"
 cd $(dirname "$SCRIPT_FILEPATH") || exit 1
 # Must be installed into $AUTOMATION_LIB_PATH/../bin which is on $PATH
 cp ./bin/* $AUTOMATION_LIB_PATH/../bin/
-cp ./lib/* $AUTOMATION_LIB_PATH/
 chmod +x $AUTOMATION_LIB_PATH/../bin/*

build-push/bin/main.sh → build-push/bin/containers_build_push.sh

@@ -1,18 +1,18 @@
 #!/bin/bash
 
-# This script is not intended for humans.  It should be run by automation
-# at the branch-level in automation for the skopeo, buildah, and podman
-# repositories.  It's purpose is to produce a multi-arch container image
-# based on the contents of context subdirectory.  At runtime, $PWD is assumed
-# to be the root of the cloned git repository.
+# This script is not intended for humans.  It should be run by secure
+# (maintainer-only) cron-like automation to service the skopeo, buildah,
+# and podman repositories.  It's purpose is to produce a multi-arch container
+# image based on the contents of a repository context subdirectory from their
+# respective 'main' branches.
 #
-# The first argument to the script, should be the URL of the git repository
-# in question.  Though at this time, this is only used for labeling the
-# resulting image.
+# The first argument to the script, should be the (clone) URL of the git repository
+# in question.  This is used to both retrieve the build context, as well as label
+# the produced images.
 #
 # The second argument to this script is the relative path to the build context
-# subdirectory.  The basename of this subdirectory may indicates the
-# image flavor (i.e. `upstream`, `testing`, or `stable`). Depending
+# subdirectory.  The basename of this subdirectory may (see next paragraph)
+# indicate the image flavor (i.e. `upstream`, `testing`, or `stable`). Depending
 # on this value, the image may be pushed to multiple container registries
 # under slightly different rules (see the next option).
 #
@@ -27,8 +27,6 @@ if [[ -r "/etc/automation_environment" ]]; then
     source /etc/automation_environment  # defines AUTOMATION_LIB_PATH
     #shellcheck disable=SC1090,SC2154
     source "$AUTOMATION_LIB_PATH/common_lib.sh"
-    #shellcheck source=../lib/autoupdate.sh
-    source "$AUTOMATION_LIB_PATH/autoupdate.sh"
 else
     echo "Expecting to find automation common library installed."
     exit 1
@@ -44,10 +42,12 @@ if [[ -z $(type -P build-push.sh) ]]; then
     die "It does not appear that build-push.sh is installed properly"
 fi
 
-if ! [[ -d "$PWD/.git" ]]; then
-    die "The current directory ($PWD) does not appear to be the root of a git repo."
+if [[ -z "$1" ]]; then
+    die "Expecting a git repository URI as the first argument."
 fi
 
+req_env_vars CI CIRRUS_TASK_ID
+
 # Assume transitive debugging state for build-push.sh if set
 if [[ "$(automation_version | cut -d '.' -f 1)" -ge 4 ]]; then
     # Valid for version 4.0.0 and above only
@@ -101,29 +101,47 @@ if ((DRYRUN)); then
     warn "Operating in dry-run mode with $_DRNOPUSH"
 fi
 
+# SCRIPT_PATH defined by automation library
+# shellcheck disable=SC2154
+CLONE_TMP=$(mktemp -p -d "tmp_${SCRIPT_PATH}_XXXX")
+trap "rm -rf '$CLONE_TMP'" EXIT
+
 ### MAIN
 
 declare -a build_args
 if [[ -n "$FLAVOR_NAME" ]]; then
     build_args=(--build-arg "FLAVOR=$FLAVOR_NAME")
 fi
 
+dbg "Cloning '$REPO_URL' into $CLONE_TMP"
+# FIXME: Use a temp. dir instead of CIRRUS_WORKING_DIR
+git clone --depth 1 "$REPO_URL" "$CLONE_TMP"
+cd "$CLONE_TMP"
+
 head_sha=$(git rev-parse HEAD)
 dbg "HEAD is $head_sha"
-# Labels to add to all images
-# N/B: These won't show up in the manifest-list itself, only it's constituents.
-lblargs="\
-    --label=org.opencontainers.image.source=$REPO_URL \
-    --label=org.opencontainers.image.revision=$head_sha \
-    --label=org.opencontainers.image.created=$(date -u --iso-8601=seconds)"
+# Labels to add to all images as per
+# https://specs.opencontainers.org/image-spec/annotations/?v=v1.0.1
+# Use both labels and annotations since some older tools only support labels
+# CIRRUS_TASK_ID provided by CI and verified non-empty earlier
+# shellcheck disable=SC2154
+for arg in "--label" "--annotation"; do
+  lblargs+="$arg=org.opencontainers.image.source='$REPO_URL' \
+            $arg=org.opencontainers.image.revision='$head_sha' \
+            $arg=org.opencontainers.image.created='$(date -u --iso-8601=seconds)' \
+            $arg=org.opencontainers.image.url='https://cirrus-ci.com/task/$CIRRUS_TASK_ID' \
+            $arg=org.opencontainers.image.documentation='${REPO_URL%.git}/tree/$CTX_SUB/README.md' \
+            $arg=org.opencontainers.image.title='$REPO_NAME $FLAVOR_NAME manifest-list for $ARCHES' \
+            $arg=org.opencontainers.image.authors='podman@lists.podman.io'"
+done
 dbg "lblargs=$lblargs"
 
 modcmdarg="tag_version.sh $FLAVOR_NAME"
 
-# For stable images, the version number of the command is needed for tagging.
+# For stable images, the version number of the command is needed for tagging and labeling.
 if [[ "$FLAVOR_NAME" == "stable" ]]; then
     # only native arch is needed to extract the version
-    dbg "Building local-arch image to extract stable version number"
+    dbg "Building temporary local-arch image to extract stable version number"
     podman build -t $REPO_FQIN "${build_args[@]}" ./$CTX_SUB
 
     case "$REPO_NAME" in
@@ -143,7 +161,8 @@ if [[ "$FLAVOR_NAME" == "stable" ]]; then
     img_cmd_version=$(awk -r -e '/^.+ version /{print $3}' <<<"$version_output")
     dbg "parsed version: $img_cmd_version"
     test -n "$img_cmd_version"
-    lblargs="$lblargs --label=org.opencontainers.image.version=$img_cmd_version"
+    lblargs+=" --label=org.opencontainers.image.version=$img_cmd_version"
+    lblargs+=" --annotation=org.opencontainers.image.version=$img_cmd_version"
     # Prevent temporary build colliding with multi-arch manifest list (built next)
     # but preserve image (by ID) for use as cache.
     dbg "Un-tagging $REPO_FQIN"

build-push/test.sh

@@ -36,7 +36,7 @@ export BUILDPUSHAUTOUPDATED=1
 
 trap "rm -rf $SRC_TMP" EXIT
 
-# main.sh expects $PWD to be a git repository.
+# main.sh expects a git repository argument
 msg "
 ##### Constructing local test repository #####"
 cd $SRC_TMP
@@ -148,7 +148,7 @@ export DRYRUN=1  # Force main.sh not to push anything
 req_env_vars ARCHES DRYRUN
 # main.sh is sensitive to 'testing' value.
 # Also confirms main.sh is on $PATH
-env A_DEBUG=1 main.sh git://testing contrib/testimage/stable
+env A_DEBUG=1 containers_build_push.sh.sh git://testing contrib/testimage/stable
 verify_built_images stable
 
 msg "