fix: set the same tag expiry for ALL floating tags, not just the first one published RHIDP-8270, RHIDP-8691 (#3307)

* updating build to mkae it easier to tag

* local testing

* refactor: improve tag handling in build workflow

Updated the next-build-image workflow to read tags from the metadata JSON instead of directly from the output variables. This change ensures that the manifest list is created using unique tags, enhancing the tagging process for image builds.

* refactor: enhance tag generation logic in build workflow

* feat(ci): add Quay login and permission checks to build workflow
Quay login step and a preflight check to verify push permissions.

* fix(ci): update environment variable usage in tag generation for build workflow

* testing tagging

* feat(ci): enhance Docker build workflow with annotations and improved metadata handling

* refactor: improve tag handling in build workflow

* updating tagging

* feat(ci): add Quay API expiry enforcement to build workflow

* test tagging

* ci: rollback next-build-image workflow to previous version

* test of bonus step to make sure it will get tagged

* ci: restore next-build-image workflow to state of d1b0b9f

* deleting local testing inputs, preparing for PR

* ci: add per-arch cleanup and expiry enforcement

- Add step to delete temporary per-arch images after multi-arch manifest creation
- Ensure expiry is set on all multi-arch tags via Quay API
- Clean up intermediate tags: *-amd64, *-arm64, *-{sha}-amd64, *-{sha}-arm64
- Keep only final multi-arch manifests with proper expiration

* ci: configure workflow for testing with polasudo/testing repository

- Set default REGISTRY_IMAGE to polasudo/testing for testing
- Add workflow_dispatch inputs for manual testing:
  - registry_image: specify target repository (default: polasudo/testing)
  - test_cleanup: enable/disable cleanup testing (default: true)
- Restore registry override logic for manual dispatch
- Cleanup step runs when test_cleanup=true or on automatic triggers

* fix: add CSRF token handling for secure Quay API operations

- Fetch CSRF token from /api/v1/user/ endpoint before PUT/DELETE operations
- Include X-CSRFToken header in expiry setting and tag deletion requests
- Add fallback method to get CSRF token from response headers
- Resolves HTTP 403 'CSRF token was invalid or missing' errors
- Maintains security compliance with Quay's authentication requirements

* fix: implement proper Basic Auth for Quay robot accounts

- Replace Bearer token with Basic Auth using username:token base64 encoding
- Robot accounts (polasudo+skuska) require Basic Auth, not Bearer tokens
- Add QUAY_USERNAME environment variable to cleanup step
- Improve authentication logging for robot accounts
- Should resolve HTTP 403 CSRF errors for robot account API calls

* debug: add comprehensive CSRF token debugging for robot accounts

- Add DEBUG output for API responses from /api/v1/user/
- Try multiple CSRF token field names (csrf_token, csrfToken)
- Try extracting CSRF token from response headers
- Try alternative repository API endpoint for CSRF token
- Should help identify where/how CSRF tokens are provided for robot accounts

* fix: use Docker BuildX annotations to bypass CSRF token issues

- Replace Quay API calls with docker buildx imagetools create for expiry
- Use re-annotation approach to set expiry on multi-arch tags
- Robot accounts can authenticate via Docker but not Quay CSRF APIs
- Per-arch images will expire naturally since they already have expiry set
- Avoids CSRF token authentication issues with robot accounts

* test: workaround for CSRF token issue

* feat: integrate OAuth-based Quay lifecycle management

- Add OAuth token support for API operations
- Implement Python-based expiry management for multi-arch tags
- Add per-arch tag deletion after multi-arch merge
- Maintain backward compatibility with robot accounts
- Solves 403 authentication errors for API operations

* fix: correct environment variable order for tag cleanup

- Move export statements before Python script execution
- Add debug output to show which tags are being processed
- Improve error handling for expiry API responses
- Should resolve empty tag arrays issue

* feat: add timing fixes for Quay manifest propagation

- Add 30-second wait step before cleanup to allow manifest propagation
- Add retry logic to handle race conditions in tag operations
- Should resolve empty tag arrays caused by timing issues

* cleanup wf for push to main

* remove test inputs from workflow_dispatch

* feat: add workflow_dispatch testing inputs and simplify build logic

* refactor: clean up workflow and finalize improvements

* refactor: remove redundant Quay credentials check in merge job

Author: polasudo

.github/actions/docker-build/action.yaml

@@ -90,7 +90,7 @@ runs:
         username: ${{ inputs.username }}
         password: ${{ inputs.password }}
 
-    - name: Extract metadata (tags, labels) for Docker
+    - name: Extract metadata (tags, labels, annotations) for Docker
       id: meta
       uses: docker/metadata-action@v5
       with:
@@ -200,6 +200,7 @@ runs:
         provenance: false
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
+        annotations: ${{ steps.meta.outputs.annotations }}
         platforms: ${{ inputs.platform }}
 
     - name: "Build Docker Image (Hermetic)"