feat: generate a ClusterImageCatalog on image update

Signed-off-by: Niccolò Fei <[email protected]>

Author: NiccoloFei

.github/workflows/build.yml

@@ -47,13 +47,19 @@ jobs:
       env:
         TAGS: ${{ toJson(matrix.tags) }}
       run: |
+        # Set a default image
+        echo "BASE_IMAGE=${IMAGE_STAGING}" >> $GITHUB_ENV
+
         RESULT=""
         for tag in $(jq -r '.[]' <<< "${TAGS}")
         do
           RESULT="${RESULT},ghcr.io/${IMAGE_STAGING}:${tag}"
           # If we are running the pipeline in the main branch images are pushed in both -testing and PROD repo
           if [ "${GITHUB_REF#refs/heads/}" == main ]
           then
+            # Set prod as default image
+            echo "BASE_IMAGE=${IMAGE_RELEASE}" >> $GITHUB_ENV
+
             RESULT="${RESULT},ghcr.io/${IMAGE_RELEASE}:${tag}"
           fi
         done
@@ -103,10 +109,83 @@ jobs:
         sarif_file: snyk.sarif
 
     - name: Build and push
+      id: build
       uses: docker/build-push-action@v5
       with:
         context: ${{ matrix.dir }}
         file: ${{ matrix.file }}
         platforms: ${{ matrix.platforms }}
         push: true
         tags: ${{ env.TAGS }}
+
+    - name: Create artifact
+      run: |
+        DIGEST=ghcr.io/${{ env.BASE_IMAGE }}@${{ steps.build.outputs.digest }} \
+        MAJOR=${{ matrix.version }} \
+        yq --null-input '{
+          "apiVersion": "postgresql.cnpg.io/v1",
+          "kind": "ClusterImageCatalog",
+          "metadata": {"name":"postgresql"},
+          "spec": {
+            "images": [
+              {
+                "major": env(MAJOR),
+                "image": env(DIGEST)
+              }
+            ]
+          }
+        }' > ${{ matrix.version }}.yaml
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ matrix.version }}-clusterimagecatalog.yaml
+        path: ${{ matrix.version }}.yaml
+
+  image-catalog:
+    name: Generate ClusterImageCatalog
+    runs-on: ubuntu-22.04
+    needs: build
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.REPO_GHA_PAT }}
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          pattern: '*-clusterimagecatalog.yaml'
+          path: clusterimagecatalog
+          merge-multiple: true
+
+      - name: Update ClusterImageCatalog
+        run: |
+          yq eval-all '. as $item ireduce ({}; . *+ $item )' clusterimagecatalog/*.yaml > Debian/ClusterImageCatalog.yaml
+          cat Debian/ClusterImageCatalog.yaml
+
+      - name: Temporarily disable "include administrators" branch protection
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        id: disable_include_admins
+        uses: benjefferies/[email protected]
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: false
+
+      - name: Push ClusterImageCatalog updates
+        uses: EndBug/add-and-commit@v9
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          author_name: CloudNativePG Automated Updates
+          author_email: [email protected]
+          message: 'Automatic ClusterImageCatalog update'
+          add: 'Debian/ClusterImageCatalog.yaml'
+
+      - name: Enable "include administrators" branch protection
+        uses: benjefferies/[email protected]
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}