credentials required

README.md

@@ -22,6 +22,26 @@ Builds and optionally pushes OCI container images to `registry.noctrl.eu` using
 
 See [podman-build-publish README](./podman-build-publish/README.md) for full documentation.
 
+### Podman Manifest Publish
+
+Creates and pushes OCI multi-arch manifest tags to `registry.noctrl.eu` using
+Podman with isolated storage context.
+
+**Location:** [`./podman-manifest-publish`](./podman-manifest-publish)
+
+**Use in workflows:**
+```yaml
+- uses: https://gitea.noctrl.eu/noctrl/actions/podman-manifest-publish@v1
+  with:
+    image-name: noctrl/myapp
+    manifest-tag: v1.2.3
+    source-tags: |
+      v1.2.3-tmp-123-amd64
+      v1.2.3-tmp-123-arm64
+```
+
+See [podman-manifest-publish README](./podman-manifest-publish/README.md) for full documentation.
+
 ## Usage
 
 Reference actions by absolute URL in your workflow:

podman-build-publish/README.md

@@ -1,53 +0,0 @@
-# Podman Build And Publish Action
-
-Composite action that builds and pushes OCI images with Podman to `registry.noctrl.eu`.
-
-## Inputs
-
-- `image-name` (required): repository path, for example `noctrl/gitea-runner`
-- `tags` (required): newline, comma, or space separated tags
-- `context` (optional, default `.`): build context
-- `containerfile` (optional, default `Containerfile`): containerfile path
-- `build-args` (optional): newline-separated `KEY=VALUE`
-- `registry-username` (required): registry login username
-- `registry-password` (required): registry login password
-
-## Caller Secrets
-
-Define these secrets in the calling repository and pass them to the action inputs:
-- `REGISTRY_USERNAME`: registry authentication username
-- `REGISTRY_PASSWORD`: registry authentication password
-
-The action uses fixed Podman defaults matching the runner workflows:
-- root: `${RUNNER_TEMP}/podman-root`
-- runroot: `${RUNNER_TEMP}/podman-runroot`
-- storage driver: `vfs`
-- build isolation: `chroot`
-- registry: `registry.noctrl.eu` (hardcoded)
-
-## Example
-
-```yaml
-jobs:
-  build-and-push:
-    runs-on: [linux, build]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Build and push image
-        uses: https://gitea.noctrl.eu/noctrl/actions/podman-build-publish@v1
-        with:
-          image-name: noctrl/gitea-runner
-          tags: |
-            latest
-            sha-${{ github.sha }}
-          context: .
-          containerfile: Containerfile
-          build-args: |
-            ACT_RUNNER_VERSION=0.2.11
-          registry-username: ${{ secrets.REGISTRY_USERNAME }}
-          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
-```
-
-> **Note:** Composite actions should receive credentials through inputs. Keep secrets in the caller repo and pass them via `with:` as shown above.

podman-build-publish/action.yaml

@@ -5,17 +5,18 @@ inputs:
   image-name:
     description: Repository/image name path, for example noctrl/gitea-runner
     required: true
-  tags:
-    description: |
-      Tags to apply and push. Supports newline, comma, or space separated values.
-      Example: "latest\nsha-abc123"
-    required: true
   registry-username:
     description: Registry username for login.
     required: true
   registry-password:
     description: Registry password for login.
     required: true
+  tags:
+    description: |
+      Tags to apply and push. Supports newline, comma, or space separated values.
+      Example: "latest\nsha-abc123"
+    required: false
+    default: latest
   context:
     description: Build context path.
     required: false
@@ -30,6 +31,12 @@ inputs:
       Example: "ACT_RUNNER_VERSION=0.2.11"
     required: false
     default: ""
+  push:
+    description: |
+      Whether to push tags to the registry after build.
+      Set to "false" for build-only verification workflows.
+    required: false
+    default: "true"
 
 runs:
   using: composite
@@ -39,29 +46,16 @@ runs:
       run: |
         set -euo pipefail
 
-        # Fixed Podman storage paths — re-derived in each step to avoid
-        # relying on GITHUB_ENV propagation between composite action steps.
-        podman_root="${RUNNER_TEMP}/podman-root"
-        podman_runroot="${RUNNER_TEMP}/podman-runroot"
+        rm -rf "${RUNNER_TEMP}/podman-root" "${RUNNER_TEMP}/podman-runroot"
+        mkdir -p "${RUNNER_TEMP}/podman-root" "${RUNNER_TEMP}/podman-runroot"
 
-        rm -rf "${podman_root}" "${podman_runroot}"
-        mkdir -p "${podman_root}" "${podman_runroot}"
-
-        # Export only input-derived values that cannot be recomputed later.
-        {
-          echo "IMAGE_BASE=registry.noctrl.eu/${{ inputs.image-name }}"
-        } >> "${GITHUB_ENV}"
-
-        # Parse and validate tags
+        # Validate tags early so failures are caught before build starts
         mapfile -t tags < <(printf '%s\n' "${{ inputs.tags }}" | tr ', ' '\n\n' | sed '/^$/d')
         if [[ ${#tags[@]} -eq 0 ]]; then
           echo "ERROR: no tags resolved from inputs.tags" >&2
           exit 1
         fi
 
-        # Export tags as newline-separated string for subsequent steps
-        (IFS=$'\n'; echo "IMAGE_TAGS=${tags[*]}") >> "${GITHUB_ENV}"
-
     - id: login
       shell: bash
       run: |
@@ -87,6 +81,7 @@ runs:
           --storage-driver vfs
         )
 
+        image_base="registry.noctrl.eu/${{ inputs.image-name }}"
         build_cmd=(podman "${podman_args[@]}" build --isolation chroot -f "${{ inputs.containerfile }}")
 
         # Add build args
@@ -99,14 +94,15 @@ runs:
         echo "Building image with tags:"
         while IFS= read -r tag; do
           [[ -z "${tag}" ]] && continue
-          echo "  ${IMAGE_BASE}:${tag}"
-          build_cmd+=(-t "${IMAGE_BASE}:${tag}")
-        done <<< "${IMAGE_TAGS}"
+          echo "  ${image_base}:${tag}"
+          build_cmd+=(-t "${image_base}:${tag}")
+        done < <(printf '%s\n' "${{ inputs.tags }}" | tr ', ' '\n\n' | sed '/^$/d')
 
         build_cmd+=("${{ inputs.context }}")
         "${build_cmd[@]}"
 
-    - id: push
+    - if: ${{ inputs.push != 'false' }}
+      id: push
       shell: bash
       run: |
         set -euo pipefail
@@ -117,9 +113,11 @@ runs:
           --storage-driver vfs
         )
 
+        image_base="registry.noctrl.eu/${{ inputs.image-name }}"
+
         echo "Pushing image tags:"
         while IFS= read -r tag; do
           [[ -z "${tag}" ]] && continue
-          echo "  ${IMAGE_BASE}:${tag}"
-          podman "${podman_args[@]}" push "${IMAGE_BASE}:${tag}"
-        done <<< "${IMAGE_TAGS}"
+          echo "  ${image_base}:${tag}"
+          podman "${podman_args[@]}" push "${image_base}:${tag}"
+        done < <(printf '%s\n' "${{ inputs.tags }}" | tr ', ' '\n\n' | sed '/^$/d')

podman-manifest-publish/action.yaml

@@ -0,0 +1,87 @@
+name: Podman Manifest Publish
+description: Create and push OCI multi-arch manifests with Podman to registry.noctrl.eu.
+
+inputs:
+  image-name:
+    description: Repository/image name path, for example noctrl/gitea-runner
+    required: true
+  manifest-tag:
+    description: Final manifest tag to publish, for example v1.2.3
+    required: true
+  source-tags:
+    description: |
+      Source image tags to include in the manifest.
+      Supports newline, comma, or space separated values.
+      Example: "v1.2.3-tmp-123-amd64\nv1.2.3-tmp-123-arm64"
+    required: true
+  registry-username:
+    description: Registry username for login.
+    required: true
+  registry-password:
+    description: Registry password for login.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - id: initialize
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        rm -rf "${RUNNER_TEMP}/podman-root" "${RUNNER_TEMP}/podman-runroot"
+        mkdir -p "${RUNNER_TEMP}/podman-root" "${RUNNER_TEMP}/podman-runroot"
+
+        mapfile -t source_tags < <(printf '%s\n' "${{ inputs.source-tags }}" | tr ', ' '\n\n' | sed '/^$/d')
+        if [[ ${#source_tags[@]} -eq 0 ]]; then
+          echo "ERROR: no tags resolved from inputs.source-tags" >&2
+          exit 1
+        fi
+
+    - id: login
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        podman_args=(
+          --root "${RUNNER_TEMP}/podman-root"
+          --runroot "${RUNNER_TEMP}/podman-runroot"
+          --storage-driver vfs
+        )
+
+        echo "Logging in to registry: registry.noctrl.eu"
+        echo "${{ inputs.registry-password }}" | podman "${podman_args[@]}" login registry.noctrl.eu -u "${{ inputs.registry-username }}" --password-stdin
+
+    - id: publish-manifest
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        podman_args=(
+          --root "${RUNNER_TEMP}/podman-root"
+          --runroot "${RUNNER_TEMP}/podman-runroot"
+          --storage-driver vfs
+        )
+
+        image_base="registry.noctrl.eu/${{ inputs.image-name }}"
+        target_ref="docker://${image_base}:${{ inputs.manifest-tag }}"
+        manifest_name="manifest-${{ github.run_id }}-${{ github.job }}"
+
+        cleanup() {
+          podman "${podman_args[@]}" manifest rm "${manifest_name}" >/dev/null 2>&1 || true
+        }
+        trap cleanup EXIT
+
+        echo "Creating manifest ${target_ref} from tags:"
+        podman "${podman_args[@]}" manifest create "${manifest_name}"
+
+        while IFS= read -r tag; do
+          [[ -z "${tag}" ]] && continue
+          source_ref="docker://${image_base}:${tag}"
+          echo "  ${source_ref}"
+          podman "${podman_args[@]}" manifest add "${manifest_name}" "${source_ref}"
+        done < <(printf '%s\n' "${{ inputs.source-tags }}" | tr ', ' '\n\n' | sed '/^$/d')
+
+        podman "${podman_args[@]}" manifest push --all "${manifest_name}" "${target_ref}"
+        podman "${podman_args[@]}" manifest rm "${manifest_name}"
+        trap - EXIT