Factorize build jobs and make image names dynamic for parallel runs

Co-authored-by: neilime <314088+neilime@users.noreply.github.com>

Author: Copilot

.github/workflows/__test-workflow-docker-build-images.yml

@@ -17,85 +17,77 @@ jobs:
   arrange:
     name: Arrange
     runs-on: ubuntu-latest
+    outputs:
+      image-name-prefix: ${{ steps.define-image-name-prefix.outputs.prefix }}
     steps:
       - run: |
           if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
             echo "GitHub token secret is not set"
             exit 1
           fi
 
-      - name: Delete existing test packages
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - id: define-image-name-prefix
         run: |
-          # Delete ephemeral test packages before testing
-          for IMAGE_NAME in test-mono-arch-signed test-multi-arch-signed test-mono-arch-unsigned test-multi-arch-unsigned; do
-            gh api \
-              --method DELETE \
-              -H "Accept: application/vnd.github+json" \
-              -H "X-GitHub-Api-Version: 2022-11-28" \
-              /orgs/${{ github.repository_owner }}/packages/container/ci-github-container%2F"${IMAGE_NAME}" || echo "No existing ${IMAGE_NAME} package to delete"
-          done
+          # Create unique image name prefix for parallel runs
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            PREFIX="test-pr-${{ github.event.pull_request.number }}-${{ github.run_number }}"
+          else
+            PREFIX="test-${{ github.ref_name }}-${{ github.run_number }}"
+          fi
+          # Replace / with - for branch names
+          PREFIX=$(echo "$PREFIX" | sed 's/\//-/g')
+          echo "prefix=$PREFIX" >> "$GITHUB_OUTPUT"
+          echo "Using image name prefix: $PREFIX"
 
-  act-build-signed-images:
-    name: Act - Build signed images (${{ matrix.arch-type }})
+  act-build-images:
+    name: Act - Build images (${{ matrix.arch-type }}, ${{ matrix.sign && 'signed' || 'unsigned' }})
     needs: arrange
     strategy:
       fail-fast: false
       matrix:
         include:
           - arch-type: mono-arch
-            image-name: test-mono-arch-signed
+            image-name-suffix: mono-arch-signed
             platforms: '["linux/amd64"]'
             platform-count: 1
+            sign: true
+            expected-tagged-versions: 2
+            expected-untagged-versions: 2
+            expected-total-versions: 4
           - arch-type: multi-arch
-            image-name: test-multi-arch-signed
+            image-name-suffix: multi-arch-signed
             platforms: '["linux/amd64","linux/arm64"]'
             platform-count: 2
-    uses: ./.github/workflows/docker-build-images.yml
-    secrets:
-      oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
-      build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
-    with:
-      sign: true
-      images: |
-        [
-          {
-            "name": "${{ matrix.image-name }}",
-            "context": ".",
-            "dockerfile": "./tests/application/Dockerfile",
-            "build-args": { "BUILD_RUN_ID": "${{ github.run_id }}" },
-            "target": "base",
-            "platforms": ${{ matrix.platforms }},
-            "tag": "0.1.0"
-          }
-        ]
-
-  act-build-unsigned-images:
-    name: Act - Build unsigned images (${{ matrix.arch-type }})
-    needs: arrange
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
+            sign: true
+            expected-tagged-versions: 2
+            expected-untagged-versions: 3
+            expected-total-versions: 5
           - arch-type: mono-arch
-            image-name: test-mono-arch-unsigned
+            image-name-suffix: mono-arch-unsigned
             platforms: '["linux/amd64"]'
             platform-count: 1
+            sign: false
+            expected-tagged-versions: 1
+            expected-untagged-versions: 1
+            expected-total-versions: 2
           - arch-type: multi-arch
-            image-name: test-multi-arch-unsigned
+            image-name-suffix: multi-arch-unsigned
             platforms: '["linux/amd64","linux/arm64"]'
             platform-count: 2
+            sign: false
+            expected-tagged-versions: 1
+            expected-untagged-versions: 2
+            expected-total-versions: 3
     uses: ./.github/workflows/docker-build-images.yml
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
       build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
     with:
-      sign: false
+      sign: ${{ matrix.sign }}
       images: |
         [
           {
-            "name": "${{ matrix.image-name }}",
+            "name": "${{ needs.arrange.outputs.image-name-prefix }}-${{ matrix.image-name-suffix }}",
             "context": ".",
             "dockerfile": "./tests/application/Dockerfile",
             "build-args": { "BUILD_RUN_ID": "${{ github.run_id }}" },
@@ -105,151 +97,43 @@ jobs:
           }
         ]
 
-  assert-signed-images:
-    name: Assert - Signed images (${{ matrix.arch-type }})
-    needs: act-build-signed-images
+  assert-images:
+    name: Assert - Images (${{ matrix.arch-type }}, ${{ matrix.sign && 'signed' || 'unsigned' }})
+    needs: [arrange, act-build-images]
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         include:
           - arch-type: mono-arch
-            image-name: test-mono-arch-signed
+            image-name-suffix: mono-arch-signed
             platform-count: 1
             platforms: '["linux/amd64"]'
+            sign: true
             expected-tagged-versions: 2
             expected-untagged-versions: 2
             expected-total-versions: 4
           - arch-type: multi-arch
-            image-name: test-multi-arch-signed
+            image-name-suffix: multi-arch-signed
             platform-count: 2
             platforms: '["linux/amd64","linux/arm64"]'
+            sign: true
             expected-tagged-versions: 2
             expected-untagged-versions: 3
             expected-total-versions: 5
-    steps:
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
-
-      - name: Verify image exists
-        env:
-          IMAGE_NAME: ${{ matrix.image-name }}
-          IMAGE_TAG: 0.1.0
-        run: |
-          docker pull ghcr.io/hoverkraft-tech/ci-github-container/"${IMAGE_NAME}":"${IMAGE_TAG}"
-
-      - name: Verify package has correct number of versions
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          IMAGE_NAME: ${{ matrix.image-name }}
-          EXPECTED_TOTAL_VERSIONS: ${{ matrix.expected-total-versions }}
-          EXPECTED_TAGGED_VERSIONS: ${{ matrix.expected-tagged-versions }}
-          EXPECTED_UNTAGGED_VERSIONS: ${{ matrix.expected-untagged-versions }}
-        run: |
-          # Get all versions
-          versions=$(gh api \
-            -H "Accept: application/vnd.github+json" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            /orgs/${{ github.repository_owner }}/packages/container/ci-github-container%2F"${IMAGE_NAME}"/versions)
-
-          total_count=$(echo "$versions" | jq '. | length')
-          tagged_count=$(echo "$versions" | jq '[.[] | select(.metadata.container.tags | length > 0)] | length')
-          untagged_count=$(echo "$versions" | jq '[.[] | select(.metadata.container.tags | length == 0)] | length')
-
-          echo "Found $total_count total versions ($tagged_count tagged, $untagged_count untagged)"
-          echo "Expected $EXPECTED_TOTAL_VERSIONS total versions ($EXPECTED_TAGGED_VERSIONS tagged, $EXPECTED_UNTAGGED_VERSIONS untagged)"
-
-          if [ "$total_count" -ne "$EXPECTED_TOTAL_VERSIONS" ]; then
-            echo "ERROR: Expected $EXPECTED_TOTAL_VERSIONS total versions, but found $total_count"
-            exit 1
-          fi
-
-          if [ "$tagged_count" -ne "$EXPECTED_TAGGED_VERSIONS" ]; then
-            echo "ERROR: Expected $EXPECTED_TAGGED_VERSIONS tagged versions, but found $tagged_count"
-            exit 1
-          fi
-
-          if [ "$untagged_count" -ne "$EXPECTED_UNTAGGED_VERSIONS" ]; then
-            echo "ERROR: Expected $EXPECTED_UNTAGGED_VERSIONS untagged versions, but found $untagged_count"
-            exit 1
-          fi
-
-          echo "✓ Package version counts are correct"
-
-      - name: Verify image manifest and platforms
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        env:
-          IMAGE_NAME: ${{ matrix.image-name }}
-          IMAGE_TAG: "0.1.0"
-          EXPECTED_PLATFORMS: ${{ matrix.platforms }}
-          EXPECTED_PLATFORM_COUNT: ${{ matrix.platform-count }}
-        with:
-          script: |
-            const assert = require("assert");
-            const imageName = process.env.IMAGE_NAME;
-            const imageTag = process.env.IMAGE_TAG;
-            const image = `ghcr.io/hoverkraft-tech/ci-github-container/${imageName}:${imageTag}`;
-
-            const { exitCode, stdout, stderr } = await exec.getExecOutput('docker', ['manifest', 'inspect', '-v', image]);
-
-            if (exitCode !== 0 || stderr) {
-              throw new Error(`Failed to inspect manifest for image: ${image}: ${stderr || stdout}`);
-            }
-
-            const manifest = JSON.parse(stdout);
-            const expectedPlatformCount = parseInt(process.env.EXPECTED_PLATFORM_COUNT);
-
-            assert.equal(manifest.length, expectedPlatformCount, `Expected ${expectedPlatformCount} platforms, got: ${manifest.length}`);
-
-            const expectedPlatforms = JSON.parse(process.env.EXPECTED_PLATFORMS);
-            expectedPlatforms.forEach(platformStr => {
-              const [os, arch] = platformStr.split('/');
-              const platformExists = manifest.some(
-                platform => (
-                  platform?.Descriptor?.platform?.architecture === arch &&
-                  platform?.Descriptor?.platform?.os === os
-                )
-              );
-
-              assert(platformExists, `Expected platform not found: ${platformStr}`);
-            });
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-
-      - name: Verify image signature
-        env:
-          IMAGE_NAME: ${{ matrix.image-name }}
-          IMAGE_TAG: 0.1.0
-        run: |
-          cosign verify \
-            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            --certificate-identity-regexp https://github.com/hoverkraft-tech/ci-github-container \
-            ghcr.io/hoverkraft-tech/ci-github-container/"${IMAGE_NAME}":"${IMAGE_TAG}"
-
-  assert-unsigned-images:
-    name: Assert - Unsigned images (${{ matrix.arch-type }})
-    needs: act-build-unsigned-images
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
           - arch-type: mono-arch
-            image-name: test-mono-arch-unsigned
+            image-name-suffix: mono-arch-unsigned
             platform-count: 1
             platforms: '["linux/amd64"]'
+            sign: false
             expected-tagged-versions: 1
             expected-untagged-versions: 1
             expected-total-versions: 2
           - arch-type: multi-arch
-            image-name: test-multi-arch-unsigned
+            image-name-suffix: multi-arch-unsigned
             platform-count: 2
             platforms: '["linux/amd64","linux/arm64"]'
+            sign: false
             expected-tagged-versions: 1
             expected-untagged-versions: 2
             expected-total-versions: 3
@@ -263,15 +147,15 @@ jobs:
 
       - name: Verify image exists
         env:
-          IMAGE_NAME: ${{ matrix.image-name }}
+          IMAGE_NAME: ${{ needs.arrange.outputs.image-name-prefix }}-${{ matrix.image-name-suffix }}
           IMAGE_TAG: 0.1.0
         run: |
           docker pull ghcr.io/hoverkraft-tech/ci-github-container/"${IMAGE_NAME}":"${IMAGE_TAG}"
 
       - name: Verify package has correct number of versions
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          IMAGE_NAME: ${{ matrix.image-name }}
+          IMAGE_NAME: ${{ needs.arrange.outputs.image-name-prefix }}-${{ matrix.image-name-suffix }}
           EXPECTED_TOTAL_VERSIONS: ${{ matrix.expected-total-versions }}
           EXPECTED_TAGGED_VERSIONS: ${{ matrix.expected-tagged-versions }}
           EXPECTED_UNTAGGED_VERSIONS: ${{ matrix.expected-untagged-versions }}
@@ -309,7 +193,7 @@ jobs:
       - name: Verify image manifest and platforms
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
-          IMAGE_NAME: ${{ matrix.image-name }}
+          IMAGE_NAME: ${{ needs.arrange.outputs.image-name-prefix }}-${{ matrix.image-name-suffix }}
           IMAGE_TAG: "0.1.0"
           EXPECTED_PLATFORMS: ${{ matrix.platforms }}
           EXPECTED_PLATFORM_COUNT: ${{ matrix.platform-count }}
@@ -345,11 +229,28 @@ jobs:
             });
 
       - name: Install cosign
+        if: matrix.sign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Verify image signature
+        if: matrix.sign
+        env:
+          IMAGE_NAME: ${{ needs.arrange.outputs.image-name-prefix }}-${{ matrix.image-name-suffix }}
+          IMAGE_TAG: 0.1.0
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp https://github.com/hoverkraft-tech/ci-github-container \
+            ghcr.io/hoverkraft-tech/ci-github-container/"${IMAGE_NAME}":"${IMAGE_TAG}"
+
+      - name: Install cosign for unsigned verification
+        if: ${{ !matrix.sign }}
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
       - name: Verify image is NOT signed (should fail)
+        if: ${{ !matrix.sign }}
         env:
-          IMAGE_NAME: ${{ matrix.image-name }}
+          IMAGE_NAME: ${{ needs.arrange.outputs.image-name-prefix }}-${{ matrix.image-name-suffix }}
           IMAGE_TAG: 0.1.0
         continue-on-error: true
         id: verify-unsigned
@@ -360,7 +261,7 @@ jobs:
             ghcr.io/hoverkraft-tech/ci-github-container/"${IMAGE_NAME}":"${IMAGE_TAG}"
 
       - name: Assert verification failed (image should not be signed)
-        if: steps.verify-unsigned.outcome == 'success'
+        if: ${{ !matrix.sign && steps.verify-unsigned.outcome == 'success' }}
         run: |
           echo "ERROR: Image should not be signed but signature verification succeeded"
           exit 1
@@ -491,17 +392,19 @@ jobs:
     name: Cleanup ephemeral test packages
     if: always()
     needs:
-      - assert-signed-images
-      - assert-unsigned-images
+      - arrange
+      - assert-images
       - assert-build-args-secrets-and-registry-caching
     runs-on: ubuntu-latest
     steps:
       - name: Delete ephemeral test packages
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          IMAGE_PREFIX: ${{ needs.arrange.outputs.image-name-prefix }}
         run: |
           # Delete ephemeral test packages created during testing
-          for IMAGE_NAME in test-mono-arch-signed test-multi-arch-signed test-mono-arch-unsigned test-multi-arch-unsigned; do
+          for SUFFIX in mono-arch-signed multi-arch-signed mono-arch-unsigned multi-arch-unsigned; do
+            IMAGE_NAME="${IMAGE_PREFIX}-${SUFFIX}"
             gh api \
               --method DELETE \
               -H "Accept: application/vnd.github+json" \