registry credentials optional

README.md

@@ -22,6 +22,26 @@ Builds and optionally pushes OCI container images to `registry.noctrl.eu` using
 
 See [podman-build-publish README](./podman-build-publish/README.md) for full documentation.
 
+### Podman Manifest Publish
+
+Creates and pushes OCI multi-arch manifest tags to `registry.noctrl.eu` using
+Podman with isolated storage context.
+
+**Location:** [`./podman-manifest-publish`](./podman-manifest-publish)
+
+**Use in workflows:**
+```yaml
+- uses: https://gitea.noctrl.eu/noctrl/actions/podman-manifest-publish@v1
+  with:
+    image-name: noctrl/myapp
+    manifest-tag: v1.2.3
+    source-tags: |
+      v1.2.3-tmp-123-amd64
+      v1.2.3-tmp-123-arm64
+```
+
+See [podman-manifest-publish README](./podman-manifest-publish/README.md) for full documentation.
+
 ## Usage
 
 Reference actions by absolute URL in your workflow:

podman-build-publish/README.md

@@ -1,53 +0,0 @@
-# Podman Build And Publish Action
-
-Composite action that builds and pushes OCI images with Podman to `registry.noctrl.eu`.
-
-## Inputs
-
-- `image-name` (required): repository path, for example `noctrl/gitea-runner`
-- `tags` (required): newline, comma, or space separated tags
-- `context` (optional, default `.`): build context
-- `containerfile` (optional, default `Containerfile`): containerfile path
-- `build-args` (optional): newline-separated `KEY=VALUE`
-- `registry-username` (required): registry login username
-- `registry-password` (required): registry login password
-
-## Caller Secrets
-
-Define these secrets in the calling repository and pass them to the action inputs:
-- `REGISTRY_USERNAME`: registry authentication username
-- `REGISTRY_PASSWORD`: registry authentication password
-
-The action uses fixed Podman defaults matching the runner workflows:
-- root: `${RUNNER_TEMP}/podman-root`
-- runroot: `${RUNNER_TEMP}/podman-runroot`
-- storage driver: `vfs`
-- build isolation: `chroot`
-- registry: `registry.noctrl.eu` (hardcoded)
-
-## Example
-
-```yaml
-jobs:
-  build-and-push:
-    runs-on: [linux, build]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Build and push image
-        uses: https://gitea.noctrl.eu/noctrl/actions/podman-build-publish@v1
-        with:
-          image-name: noctrl/gitea-runner
-          tags: |
-            latest
-            sha-${{ github.sha }}
-          context: .
-          containerfile: Containerfile
-          build-args: |
-            ACT_RUNNER_VERSION=0.2.11
-          registry-username: ${{ secrets.REGISTRY_USERNAME }}
-          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
-```
-
-> **Note:** Composite actions should receive credentials through inputs. Keep secrets in the caller repo and pass them via `with:` as shown above.

podman-build-publish/action.yaml

@@ -12,10 +12,10 @@ inputs:
     required: true
   registry-username:
     description: Registry username for login.
-    required: true
+    required: false
   registry-password:
     description: Registry password for login.
-    required: true
+    required: false
   context:
     description: Build context path.
     required: false
@@ -30,6 +30,12 @@ inputs:
       Example: "ACT_RUNNER_VERSION=0.2.11"
     required: false
     default: ""
+  push:
+    description: |
+      Whether to push tags to the registry after build.
+      Set to "false" for build-only verification workflows.
+    required: false
+    default: "true"
 
 runs:
   using: composite
@@ -50,10 +56,16 @@ runs:
         fi
 
     - id: login
+      if: ${{ inputs.push != 'false' }}
       shell: bash
       run: |
         set -euo pipefail
 
+        if [[ -z "${{ inputs.registry-username }}" || -z "${{ inputs.registry-password }}" ]]; then
+          echo "ERROR: registry-username and registry-password are required when push is enabled" >&2
+          exit 1
+        fi
+
         podman_args=(
           --root "${RUNNER_TEMP}/podman-root"
           --runroot "${RUNNER_TEMP}/podman-runroot"
@@ -94,7 +106,8 @@ runs:
         build_cmd+=("${{ inputs.context }}")
         "${build_cmd[@]}"
 
-    - id: push
+    - if: ${{ inputs.push != 'false' }}
+      id: push
       shell: bash
       run: |
         set -euo pipefail

podman-manifest-publish/action.yaml

@@ -0,0 +1,87 @@
+name: Podman Manifest Publish
+description: Create and push OCI multi-arch manifests with Podman to registry.noctrl.eu.
+
+inputs:
+  image-name:
+    description: Repository/image name path, for example noctrl/gitea-runner
+    required: true
+  manifest-tag:
+    description: Final manifest tag to publish, for example v1.2.3
+    required: true
+  source-tags:
+    description: |
+      Source image tags to include in the manifest.
+      Supports newline, comma, or space separated values.
+      Example: "v1.2.3-tmp-123-amd64\nv1.2.3-tmp-123-arm64"
+    required: true
+  registry-username:
+    description: Registry username for login.
+    required: true
+  registry-password:
+    description: Registry password for login.
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - id: initialize
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        rm -rf "${RUNNER_TEMP}/podman-root" "${RUNNER_TEMP}/podman-runroot"
+        mkdir -p "${RUNNER_TEMP}/podman-root" "${RUNNER_TEMP}/podman-runroot"
+
+        mapfile -t source_tags < <(printf '%s\n' "${{ inputs.source-tags }}" | tr ', ' '\n\n' | sed '/^$/d')
+        if [[ ${#source_tags[@]} -eq 0 ]]; then
+          echo "ERROR: no tags resolved from inputs.source-tags" >&2
+          exit 1
+        fi
+
+    - id: login
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        podman_args=(
+          --root "${RUNNER_TEMP}/podman-root"
+          --runroot "${RUNNER_TEMP}/podman-runroot"
+          --storage-driver vfs
+        )
+
+        echo "Logging in to registry: registry.noctrl.eu"
+        echo "${{ inputs.registry-password }}" | podman "${podman_args[@]}" login registry.noctrl.eu -u "${{ inputs.registry-username }}" --password-stdin
+
+    - id: publish-manifest
+      shell: bash
+      run: |
+        set -euo pipefail
+
+        podman_args=(
+          --root "${RUNNER_TEMP}/podman-root"
+          --runroot "${RUNNER_TEMP}/podman-runroot"
+          --storage-driver vfs
+        )
+
+        image_base="registry.noctrl.eu/${{ inputs.image-name }}"
+        target_ref="docker://${image_base}:${{ inputs.manifest-tag }}"
+        manifest_name="manifest-${{ github.run_id }}-${{ github.job }}"
+
+        cleanup() {
+          podman "${podman_args[@]}" manifest rm "${manifest_name}" >/dev/null 2>&1 || true
+        }
+        trap cleanup EXIT
+
+        echo "Creating manifest ${target_ref} from tags:"
+        podman "${podman_args[@]}" manifest create "${manifest_name}"
+
+        while IFS= read -r tag; do
+          [[ -z "${tag}" ]] && continue
+          source_ref="docker://${image_base}:${tag}"
+          echo "  ${source_ref}"
+          podman "${podman_args[@]}" manifest add "${manifest_name}" "${source_ref}"
+        done < <(printf '%s\n' "${{ inputs.source-tags }}" | tr ', ' '\n\n' | sed '/^$/d')
+
+        podman "${podman_args[@]}" manifest push --all "${manifest_name}" "${target_ref}"
+        podman "${podman_args[@]}" manifest rm "${manifest_name}"
+        trap - EXIT