
LCORE-2083: Move the buildah temp space to /mnt if available for GH Actions image builds#180

Open
syedriko wants to merge 1 commit into lightspeed-core:main from syedriko:syedriko-gh-image-build-free-space

Conversation

@syedriko syedriko commented Apr 30, 2026

Description

Move the buildah temp space to /mnt if available for GH Actions image builds

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: Cursor
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • New Features
    • Builds multi-architecture container images (amd64, arm64) and publishes dev/latest tags for non-PR runs.
  • Chores
    • Consolidated build/push logic into a reusable CI workflow used by standard and GPU dev pipelines for consistency.
    • Pull requests now run build-only (no image push).

coderabbitai Bot commented Apr 30, 2026

Walkthrough

A new reusable GitHub Actions workflow (build_and_push_container.yaml) centralizes container build and push logic; two existing workflows (build_and_push_dev.yaml, build_and_push_dev_gpu.yaml) are refactored to call the reusable workflow and no longer perform inline Buildah/multi-arch build or push steps.

Changes

Cohort / File(s) Summary
Reusable workflow
.github/workflows/build_and_push_container.yaml
Adds a new workflow_call reusable workflow with required inputs image_name and container_file and optional Quay secrets. Implements runner prep (free disk space, install Buildah), optional remapping of Buildah storage to /mnt, generates a dev image tag (date + git short SHA), builds multi-arch OCI images (amd64, arm64) via Buildah, verifies images/manifests, and conditionally pushes latest and dev tags to quay.io/<IMAGE_NAMESPACE> when not in pull_request events.
Refactored workflows
.github/workflows/build_and_push_dev.yaml, .github/workflows/build_and_push_dev_gpu.yaml
Removed inline Buildah install, tag generation, multi-arch build, manifest checks, and push steps; replaced with invocation of the reusable workflow via workflow_call. Workflow-level permissions standardized and Quay credentials forwarded to the reusable workflow via secrets mapping.

Sequence Diagram(s)

sequenceDiagram
  participant Caller as "Calling Workflow"
  participant Runner as "GitHub Actions Runner\n(reusable workflow)"
  participant Git as "Git (checkout)"
  participant Buildah as "Buildah\n(multi-arch build)"
  participant Quay as "Quay Registry"

  Caller->>Runner: workflow_call(image_name, container_file, secrets)
  Runner->>Git: checkout repository
  Runner->>Runner: free disk & optionally remap /var/lib/containers -> /mnt
  Runner->>Buildah: install & configure
  Buildah->>Buildah: build multi-arch images (amd64, arm64)\ncreate dev tag (date+gitSHA)
  Buildah->>Buildah: verify image list and `latest` manifest
  alt event != pull_request
    Runner->>Quay: authenticate using provided secrets
    Buildah->>Quay: push `latest` and dev tags
  else pull_request
    Note right of Runner: skip credential validation and push\n(build-only)
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: moving buildah temporary storage to /mnt during GitHub Actions image builds, which is the primary objective reflected in the workflow refactoring.


@syedriko syedriko force-pushed the syedriko-gh-image-build-free-space branch from 068ed57 to 7b15b77 Compare April 30, 2026 01:50

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/build_and_push_container.yaml (1)

43-43: ⚡ Quick win

Pin third-party actions to commit SHAs.

On Line 43, Line 57, Line 77, and Line 98, tag-based refs are mutable. Pinning to full SHAs improves CI supply-chain integrity.

Also applies to: 57-57, 77-77, 98-98

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build_and_push_container.yaml:
- Around line 13-17: The workflow_call currently marks QUAY_REGISTRY_USERNAME
and QUAY_REGISTRY_PASSWORD as required:true which blocks forked PRs; change both
secrets to required:false and add a validation step (e.g., a job or initial step
named something like "validate-quay-creds") that runs only for non-pull_request
events to assert the secrets exist before attempting to push to Quay; use the
workflow context (github.event_name) to skip credential validation on
pull_request and fail early with a clear message when the event is not a PR and
the secrets are missing.

---

Nitpick comments:
In @.github/workflows/build_and_push_container.yaml:
- Line 43: The workflow is using tag-based refs like
jlumbroso/free-disk-space@v1.3.1 (and other actions at the same locations) which
are mutable; update each uses: line to pin the action to its full commit SHA
instead of the semver tag (e.g., replace jlumbroso/free-disk-space@v1.3.1 with
jlumbroso/free-disk-space@<full-commit-sha>) so the actions at the uses: entries
are locked to an immutable commit SHA for supply-chain integrity.
📥 Commits

Reviewing files that changed from the base of the PR and between 16ea52f and 068ed57.

📒 Files selected for processing (3)
  • .github/workflows/build_and_push_container.yaml
  • .github/workflows/build_and_push_dev.yaml
  • .github/workflows/build_and_push_dev_gpu.yaml
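The SHA-pinning point in the review above, as an added example that is not part of this PR or the project's own CI: a small Python checker that scans workflow text for `uses:` references and flags every remote action not pinned to a full 40-hex commit SHA. The sample workflow, the `example-org` action names and the 40-hex SHA in it are constructed; `jlumbroso/free-disk-space@v1.3.1` is the ref the review quotes.

```python
import re

# A full 40-hex commit SHA is the only immutable action ref; tags such as
# v1.3.1 and branches such as main can be moved after the fact.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: ref` with or without a leading list dash or quotes.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def classify_ref(ref):
    """Return 'local', 'docker', 'sha', 'mutable' or 'unversioned' for a `uses:` value."""
    if ref.startswith("./"):          # action inside this repo, versioned by the checkout
        return "local"
    if ref.startswith("docker://"):   # container image, pin via digest instead
        return "docker"
    if "@" not in ref:                # no ref at all: resolves to the default branch
        return "unversioned"
    version = ref.rsplit("@", 1)[1]
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for every remote action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) in ("mutable", "unversioned"):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample, not the PR's workflow: the example-org actions and the
# 40-hex SHA are placeholders; jlumbroso/free-disk-space@v1.3.1 is the ref the review quotes.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Free disk space
        uses: jlumbroso/free-disk-space@v1.3.1
      - uses: ./.github/actions/local-step
      - uses: example-org/pinned-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: docker://alpine:3.19
      - uses: example-org/branch-action@main
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run it against `.github/workflows/*.yaml` in CI (e.g. fail the job when `find_unpinned` returns anything) to keep tag-based refs from creeping back in after the pinning fix.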

@syedriko syedriko force-pushed the syedriko-gh-image-build-free-space branch 2 times, most recently from edf94ae to 8549679 Compare April 30, 2026 02:15
@syedriko syedriko force-pushed the syedriko-gh-image-build-free-space branch from 8549679 to 571609a Compare April 30, 2026 03:12
@syedriko syedriko changed the title Move the temp space to /mnt for GH Actions image builds Move the buildah temp space to /mnt if available for GH Actions image builds Apr 30, 2026
@syedriko syedriko changed the title Move the buildah temp space to /mnt if available for GH Actions image builds LCORE-2083: Move the buildah temp space to /mnt if available for GH Actions image builds Apr 30, 2026
@syedriko

@are-ces Could you bless this?
