Merge https://github.com/cisagov/skeleton-docker into lineage/skeleton

# Conflicts:
#	.github/dependabot.yml
#	.github/workflows/build.yml

.github/dependabot.yml

@@ -28,6 +28,7 @@ updates:
       - dependency-name: mxschmitt/action-tmate
       - dependency-name: step-security/harden-runner
       # Managed by cisagov/skeleton-docker
+<<<<<<< HEAD
       - dependency-name: actions/download-artifact
       - dependency-name: actions/github-script
       - dependency-name: actions/upload-artifact
@@ -36,6 +37,16 @@ updates:
       - dependency-name: docker/setup-buildx-action
       - dependency-name: docker/setup-qemu-action
       - dependency-name: github/codeql-action
+=======
+      # - dependency-name: actions/download-artifact
+      # - dependency-name: actions/upload-artifact
+      # - dependency-name: docker/build-push-action
+      # - dependency-name: docker/login-action
+      # - dependency-name: docker/metadata-action
+      # - dependency-name: docker/setup-buildx-action
+      # - dependency-name: docker/setup-qemu-action
+      # - dependency-name: github/codeql-action
+>>>>>>> 7a5cddf2432f7e49c0f775066739b9464ad66332
     package-ecosystem: github-actions
     schedule:
       interval: weekly

.github/workflows/build.yml

@@ -45,12 +45,15 @@ env:
   IMAGE_NAME: cisagov/example
 >>>>>>> 0d48ebd47a28a887868ea3093e675e95f3843561
   PIP_CACHE_DIR: ~/.cache/pip
+<<<<<<< HEAD
   # Not all these platforms can be built in the six hour time limit
   # imposed by GitHub Actions, so we remove the three most obscure
   # platforms.
   # PLATFORMS: "linux/amd64,linux/arm/v6,linux/arm/v7,\
   # linux/arm64,linux/ppc64le,linux/s390x"
   PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64"
+=======
+>>>>>>> 7a5cddf2432f7e49c0f775066739b9464ad66332
   PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
   RUN_TMATE: ${{ secrets.RUN_TMATE }}
   TERRAFORM_DOCS_REPO_BRANCH_NAME: improvement/support_atx_closed_markdown_headers
@@ -202,54 +205,13 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   prepare:
-    # Calculates and publishes outputs that are used by other jobs.
-    #
-    # Outputs:
-    #   created:
-    #     The current date-time in RFC3339 format.
-    #   repometa:
-    #     The json metadata describing this repository.
-    #   source_version:
-    #     The source version as reported by the `bump-version show` command.
-    #   tags:
-    #     A comma separated list of Docker tags to be applied to the images on
-    #     Docker Hub.  The tags will vary depending on:
-    #     - The event that triggered the build.
-    #     - The branch the build is based upon.
-    #     - The git tag the build is based upon.
-    #
-    #     When a build is based on a git tag of the form `v*.*.*` the image will
-    #     be tagged on Docker Hub with multiple levels of version specificity.
-    #     For example, a git tag of `v1.2.3+a` will generate Docker tags of
-    #     `:1.2.3_a`, `:1.2.3`, `:1.2`, `:1`, and `:latest`.
-    #
-    #     Builds targeting the default branch will be tagged with `:edge`.
-    #
-    #     Builds from other branches will be tagged with the branch name. Solidi
-    #     (`/` characters - commonly known as slashes) in branch names are
-    #     replaced with hyphen-minuses (`-` characters) in the Docker tag.  For
-    #     more information about the solidus see these links:
-    #       * https://www.compart.com/en/unicode/U+002F
-    #       * https://en.wikipedia.org/wiki/Slash_(punctuation)#Encoding
-    #
-    #     Builds triggered by a push event are tagged with a short hash in the
-    #     form: sha-12345678
-    #
-    #     Builds triggered by a pull request are tagged with the pull request
-    #     number in the form pr-123.
-    #
-    #     Builds triggered using the GitHub GUI (workflow_dispatch) are tagged
-    #     with the value specified by the user.
-    #
-    #     Scheduled builds are tagged with `:nightly`.
+    # Generate Docker image metadata using the docker/metadata-action GitHub Action.
     name: Prepare build variables
     needs:
       - diagnostics
     outputs:
-      created: ${{ steps.prep.outputs.created }}
-      repometa: ${{ steps.repo.outputs.result }}
-      source_version: ${{ steps.prep.outputs.source_version }}
-      tags: ${{ steps.prep.outputs.tags }}
+      labels: ${{ steps.generate-metadata.outputs.labels }}
+      tags: ${{ steps.generate-metadata.outputs.tags }}
     permissions:
       # actions/checkout needs this to fetch code
       contents: read
@@ -265,53 +227,24 @@ jobs:
         with:
           egress-policy: audit
       - uses: actions/checkout@v4
-      - name: Gather repository metadata
-        id: repo
-        uses: actions/github-script@v7
+      - id: generate-metadata
+        name: Generate Docker image metadata
+        uses: docker/metadata-action@v5
         with:
-          script: |
-            const repo = await github.rest.repos.get(context.repo)
-            return repo.data
-      - name: Calculate output values
-        id: prep
-        run: |
-          VERSION=noop
-          SEMVER="^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-((0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*)(\.(0|[1-9][0-9]*|[0-9]*[a-zA-Z-][0-9a-zA-Z-]*))*))?(\+([0-9a-zA-Z-]+(\.[0-9a-zA-Z-]+)*))?$"
-          if [ "${{ github.event_name }}" = "schedule" ]; then
-            VERSION=nightly
-          elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION=${{ github.event.inputs.image-tag }}
-          elif [[ $GITHUB_REF == refs/tags/* ]]; then
-            VERSION=${GITHUB_REF#refs/tags/}
-          elif [[ $GITHUB_REF == refs/heads/* ]]; then
-            VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g')
-            if [ "${{ github.event.repository.default_branch }}" = "$VERSION" ];
-              then
-              VERSION=edge
-            fi
-          elif [[ $GITHUB_REF == refs/pull/* ]]; then
-            VERSION=pr-${{ github.event.number }}
-          fi
-          if [[ $VERSION =~ $SEMVER ]]; then
-            VERSION_NO_V=${VERSION#v}
-            MAJOR="${BASH_REMATCH[1]}"
-            MINOR="${BASH_REMATCH[2]}"
-            PATCH="${BASH_REMATCH[3]}"
-            TAGS="${IMAGE_NAME}:${VERSION_NO_V//+/_},${IMAGE_NAME}:${MAJOR}.${MINOR}.${PATCH},${IMAGE_NAME}:${MAJOR}.${MINOR},${IMAGE_NAME}:${MAJOR},${IMAGE_NAME}:latest"
-          else
-            TAGS="${IMAGE_NAME}:${VERSION}"
-          fi
-          if [ "${{ github.event_name }}" = "push" ]; then
-            TAGS="${TAGS},${IMAGE_NAME}:sha-${GITHUB_SHA::8}"
-          fi
-          for i in ${TAGS//,/ }
-          do
-            TAGS="${TAGS},ghcr.io/${i}"
-          done
-          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
-          echo "source_version=$(./bump-version show)" >> $GITHUB_OUTPUT
-          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
-          echo tags=${TAGS}
+          images: |
+            ${{ env.IMAGE_NAME }}
+            ghcr.io/${{ env.IMAGE_NAME }}
+          tags: |
+            type=edge
+            type=raw,event=workflow_dispatch,value=${{ github.event.inputs.image-tag }}
+            type=ref,event=branch
+            type=ref,event=pr
+            type=ref,event=tag
+            type=schedule
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{version}}
+            type=sha
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: github.event.inputs.remote-shell == 'true' || env.RUN_TMATE
@@ -361,29 +294,7 @@ jobs:
           cache-to: type=local,dest=${{ env.BUILDX_CACHE_DIR }}
           context: .
           file: ./Dockerfile
-          labels: "\
-            org.opencontainers.image.created=${{
-              needs.prepare.outputs.created }}
-
-            org.opencontainers.image.description=${{
-              fromJson(needs.prepare.outputs.repometa).description }}
-
-            org.opencontainers.image.licenses=${{
-              fromJson(needs.prepare.outputs.repometa).license.spdx_id }}
-
-            org.opencontainers.image.revision=${{ github.sha }}
-
-            org.opencontainers.image.source=${{
-              fromJson(needs.prepare.outputs.repometa).clone_url }}
-
-            org.opencontainers.image.title=${{
-              fromJson(needs.prepare.outputs.repometa).name }}
-
-            org.opencontainers.image.url=${{
-              fromJson(needs.prepare.outputs.repometa).html_url }}
-
-            org.opencontainers.image.version=${{
-              needs.prepare.outputs.source_version }}"
+          labels: ${{ needs.prepare.outputs.labels }}
           outputs: type=docker,dest=dist/image.tar
           # Uncomment the following option if you are building an image for use
           # on Google Cloud Run or AWS Lambda. The current default image output
@@ -461,12 +372,12 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
   build-push-all:
-    # Builds the final set of images for each of the platforms listed in
-    # PLATFORMS environment variable.  These images are tagged with the Docker
-    # tags calculated in the "prepare" job and pushed to Docker Hub and the
-    # GitHub Container Registry.  The contents of README.md are pushed as the
-    # image's description to Docker Hub.  This job is skipped when the
-    # triggering event is a pull request.
+    # Builds the final set of images for each of the platforms specified in the
+    # "platforms" input for the docker/build-push-action Action.  These images
+    # are tagged with the Docker tags calculated in the "prepare" job and
+    # pushed to Docker Hub and the GitHub Container Registry.  The contents of
+    # README.md are pushed as the image's description to Docker Hub.  This job
+    # is skipped when the triggering event is a pull request.
     if: github.event_name != 'pull_request'
     name: Build and push all platforms
     needs:
@@ -527,30 +438,14 @@ jobs:
           cache-to: type=local,dest=${{ env.BUILDX_CACHE_DIR }}
           context: .
           file: ./Dockerfile-x
-          labels: "\
-            org.opencontainers.image.created=${{
-              needs.prepare.outputs.created }}
-
-            org.opencontainers.image.description=${{
-              fromJson(needs.prepare.outputs.repometa).description }}
-
-            org.opencontainers.image.licenses=${{
-              fromJson(needs.prepare.outputs.repometa).license.spdx_id }}
-
-            org.opencontainers.image.revision=${{ github.sha }}
-
-            org.opencontainers.image.source=${{
-              fromJson(needs.prepare.outputs.repometa).clone_url }}
-
-            org.opencontainers.image.title=${{
-              fromJson(needs.prepare.outputs.repometa).name }}
-
-            org.opencontainers.image.url=${{
-              fromJson(needs.prepare.outputs.repometa).html_url }}
-
-            org.opencontainers.image.version=${{
-              needs.prepare.outputs.source_version }}"
-          platforms: ${{ env.PLATFORMS }}
+          labels: ${{ needs.prepare.outputs.labels }}
+          platforms: |
+            linux/amd64
+            linux/arm/v6
+            linux/arm/v7
+            linux/arm64
+            linux/ppc64le
+            linux/s390x
           # Uncomment the following option if you are building an image for use
           # on Google Cloud Run or AWS Lambda. The current default image output
           # is unable to run on either. Please see the following issue for more

bump-version

@@ -125,7 +125,7 @@ if [ -n "$label" ] && [ "$with_prerelease" = false ] && [[ ! " ${commands_with_l
   invalid_option "Setting the label is only allowed for the following commands: ${commands_with_label[*]}"
 fi
 
-if [ "$with_prerelease" = true ] && [[ ! " ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then
+if [ "$with_prerelease" = true ] && [ -n "$bump_part" ] && [[ ! " ${commands_with_prerelease[*]} " =~ [[:space:]]${bump_part}[[:space:]] ]]; then
   invalid_option "Changing the prerelease is only allowed in conjunction with the following commands: ${commands_with_prerelease[*]}"
 fi
 

tests/container_test.py

@@ -141,6 +141,9 @@ def test_log_version(dockerc, project_version, version_container):
     ), f"Container version output to log does not match project version file {VERSION_FILE}"
 
 
+@pytest.mark.skipif(
+    RELEASE_TAG in [None, ""], reason="this is not a release (RELEASE_TAG not set)"
+)
 def test_container_version_label_matches(project_version, version_container):
     """Verify the container version label is the correct version."""
     assert (