Add normalization to docker-bake action (#744)

athackst · web-flow · commit 6811ff608e6b · 2026-03-27T07:28:53.000Z
diff --git a/.github/actions/docker-bake/README.md b/.github/actions/docker-bake/README.md
@@ -7,6 +7,8 @@ Builds per-platform images from `templates.yml` using `docker buildx bake`, uplo
 - Authenticates to Docker Hub and/or GHCR when credentials are supplied.
 - Runs `docker/bake-action@v6` to build or push the image targets.
 - Reuses BuildKit cache from GHCR when credentials are provided (while still priming the GitHub Actions cache as a fallback).
+  - Registry cache export is enabled only when `push=true`.
+  - GHCR cache/image namespace parts are normalized for valid registry references.
 - Persists the bake metadata as an artifact so the merge job can create multi-arch manifests.
 
 ## Inputs
diff --git a/.github/actions/docker-bake/action.yml b/.github/actions/docker-bake/action.yml
@@ -13,22 +13,22 @@ inputs:
     required: false
     default: ""
   docker-username: 
-    description: "dockerhub username"
+    description: "Docker Hub username"
     default: ""
     required: false
   docker-password:
-    description: "dockerhub password"
+    description: "Docker Hub password"
     required: false
   ghcr-username:
-    description: "ghcr username"
+    description: "GHCR username"
     default: ""
     required: false
   ghcr-password:
-    description: "ghcr password"
+    description: "GHCR password"
     default: ""
     required: false
   push:
-    description: "Push digests to repo"
+    description: "Push digests to registry"
     default: "true"
     required: false
 
@@ -55,19 +55,47 @@ runs:
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
+    - name: Normalize registry ref parts
+      id: refs
+      shell: bash
+      run: |
+        set -euo pipefail
+        ghcr_login_user="${{ inputs.ghcr-username }}"
+        if [[ -z "$ghcr_login_user" ]]; then
+          ghcr_login_user="${{ github.actor }}"
+        fi
+
+        ghcr_owner="${{ inputs.ghcr-username }}"
+        # Dependabot usernames include brackets (e.g. dependabot[bot]) which are
+        # invalid in image/cache references; fall back to repo owner namespace.
+        if [[ -z "$ghcr_owner" || "$ghcr_owner" == *"["* || "$ghcr_owner" == *"]"* ]]; then
+          ghcr_owner="${{ github.repository_owner }}"
+        fi
+        ghcr_owner="$(printf '%s' "$ghcr_owner" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/^-+//; s/-+$//')"
+        if [[ -z "$ghcr_owner" ]]; then
+          ghcr_owner="$(printf '%s' "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/^-+//; s/-+$//')"
+        fi
+
+        family="${{ inputs.family }}"
+        distro="${{ inputs.distro }}"
+        echo "ghcr_login_user=$ghcr_login_user" >> "$GITHUB_OUTPUT"
+        echo "ghcr_owner=$ghcr_owner" >> "$GITHUB_OUTPUT"
+        echo "family=${family,,}" >> "$GITHUB_OUTPUT"
+        echo "distro=${distro,,}" >> "$GITHUB_OUTPUT"
+
     - name: Login to Docker Hub
-      if: ${{ inputs.docker-password }}
+      if: ${{ inputs.docker-username && inputs.docker-password }}
       uses: docker/login-action@v3
       with:
         username: ${{ inputs.docker-username }}
         password: ${{ inputs.docker-password }}
 
     - name: Log in to GHCR
-      if: ${{ inputs.ghcr-password }}
+      if: ${{ inputs.ghcr-password && steps.refs.outputs.ghcr_login_user }}
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
-        username: ${{ inputs.ghcr-username }}
+        username: ${{ steps.refs.outputs.ghcr_login_user }}
         password: ${{ inputs.ghcr-password }}
 
     - name: Set up Python
@@ -94,18 +122,6 @@ runs:
         key="${plat//\//-}"
         echo "platform_key=$key" >> "$GITHUB_OUTPUT"
 
-    - name: Normalize registry ref parts
-      id: refs
-      shell: bash
-      run: |
-        set -euo pipefail
-        ghcr_owner="${{ inputs.ghcr-username }}"
-        family="${{ inputs.family }}"
-        distro="${{ inputs.distro }}"
-        echo "ghcr_owner=${ghcr_owner,,}" >> "$GITHUB_OUTPUT"
-        echo "family=${family,,}" >> "$GITHUB_OUTPUT"
-        echo "distro=${distro,,}" >> "$GITHUB_OUTPUT"
-
     - name: Compute bake variables
       id: gen
       shell: bash
@@ -115,9 +131,9 @@ runs:
              --family "${{ inputs.family }}"
              --distro "${{ inputs.distro }}"
              --platform "${{ steps.detect.outputs.platform }}"
-             ${{ inputs.ghcr-password && format('--ghcr-username "{0}"', inputs.ghcr-username) || '' }}
+             ${{ inputs.ghcr-password && format('--ghcr-username "{0}"', steps.refs.outputs.ghcr_owner) || '' }}
              ${{ inputs.docker-password && format('--docker-username "{0}"', inputs.docker-username) || '' }}
-             --digest
+             ${{ inputs.push == 'true' && '--digest' || '' }}
         )
         output=$("${cmd[@]}")
         echo "$output"
@@ -133,7 +149,7 @@ runs:
           ${{ steps.gen.outputs.release }}-*.platform=${{ steps.detect.outputs.platform }}
           *.cache-to=type=gha,mode=max,scope=${{ steps.gen.outputs.group }}
           *.cache-from=type=gha,scope=${{ steps.gen.outputs.group }}
-          ${{ (inputs.push && inputs.ghcr-password && steps.refs.outputs.ghcr_owner) && format('*.cache-to=type=registry,ref=ghcr.io/{0}/{1}:{2}-{3}-buildcache,mode=max', steps.refs.outputs.ghcr_owner, steps.refs.outputs.family, steps.refs.outputs.distro, steps.detect.outputs.platform_key) || '' }}
+          ${{ (inputs.push == 'true' && inputs.ghcr-password && steps.refs.outputs.ghcr_owner) && format('*.cache-to=type=registry,ref=ghcr.io/{0}/{1}:{2}-{3}-buildcache,mode=max', steps.refs.outputs.ghcr_owner, steps.refs.outputs.family, steps.refs.outputs.distro, steps.detect.outputs.platform_key) || '' }}
           ${{ (inputs.ghcr-password && steps.refs.outputs.ghcr_owner) && format('*.cache-from=type=registry,ref=ghcr.io/{0}/{1}:{2}-{3}-buildcache', steps.refs.outputs.ghcr_owner, steps.refs.outputs.family, steps.refs.outputs.distro, steps.detect.outputs.platform_key) || '' }}
           ${{ steps.gen.outputs.set_lines }}
 
diff --git a/.github/actions/docker-merge/merge_manifests.py b/.github/actions/docker-merge/merge_manifests.py
@@ -220,9 +220,19 @@ def main() -> int:
     args = parse_args()
     metadata_paths = resolve_metadata_paths(args.metadata_list)
     target_map = collect_targets(metadata_paths)
-    release_targets = ensure_release_targets(
-        args.family, args.distro, target_map
-    )
+    try:
+        release_targets = ensure_release_targets(
+            args.family, args.distro, target_map
+        )
+    except ValueError:
+        if args.dry_run:
+            print(
+                "[merge] No release targets found in metadata during dry-run; "
+                "skipping manifest merge."
+            )
+            write_output("created_tags", "{}")
+            return 0
+        raise
 
     created_tags: Dict[str, List[str]] = {}
     prefix = f"{args.family}-{args.distro}-"
@@ -255,6 +265,13 @@ def main() -> int:
         created_tags[stage_name] = tags
 
     if not created_tags:
+        if args.dry_run:
+            print(
+                "[merge] No mergeable digest refs found during dry-run; "
+                "skipping manifest creation."
+            )
+            write_output("created_tags", "{}")
+            return 0
         raise ValueError("No manifests were created.")
 
     write_output("created_tags", json.dumps(created_tags))
diff --git a/.github/actions/docker-merge/tests/test_merge_manifests.py b/.github/actions/docker-merge/tests/test_merge_manifests.py
@@ -5,9 +5,11 @@
 
 import importlib.util
 import json
+import os
 import tempfile
 import unittest
 from pathlib import Path
+from unittest.mock import patch
 
 
 def load_module():
@@ -139,6 +141,40 @@ def test_collect_targets_with_real_metadata_fixtures(self):
             },
         )
 
+    def test_main_dry_run_succeeds_when_release_targets_missing(self):
+        payload = {
+            "other-release-base": {
+                "image.name": "ghcr.io/acme/other:base",
+                "containerimage.digest": "sha256:abc",
+            }
+        }
+        metadata_path = self._write_metadata(payload)
+
+        with tempfile.NamedTemporaryFile("w", delete=False) as out:
+            output_path = out.name
+        self.addCleanup(lambda: os.path.exists(output_path) and os.unlink(output_path))
+
+        argv = [
+            "merge_manifests.py",
+            "--family",
+            "gz",
+            "--distro",
+            "harmonic-cuda",
+            "--metadata-list",
+            str(metadata_path),
+            "--gh-owner",
+            "athackst",
+            "--dry-run",
+        ]
+        with patch("sys.argv", argv), patch.dict(
+            os.environ, {"GITHUB_OUTPUT": output_path}, clear=False
+        ):
+            exit_code = MERGE_MODULE.main()
+
+        self.assertEqual(exit_code, 0)
+        output_text = Path(output_path).read_text(encoding="utf-8")
+        self.assertIn("created_tags={}", output_text)
+
 
 if __name__ == "__main__":
     unittest.main()
