fix: publish docker images from goreleaser snapshots

Allowing test images to be used in downstream pipelines

goreleaser.md

@@ -35,9 +35,9 @@ archives:
 dockers:
   - image_templates:
-    - "{{ .Env.CI_REGISTRY_IMAGE }}:latest"
-    - "{{ .Env.CI_REGISTRY_IMAGE }}:{{ .Tag }}"
-    - "{{ .Env.CI_REGISTRY_IMAGE }}:v{{ .Major }}"
+    - "{{ .Env.GL_CI_REGISTRY_IMAGE }}:latest"
+    - "{{ .Env.GL_CI_REGISTRY_IMAGE }}:{{ .Tag }}"
+    - "{{ .Env.GL_CI_REGISTRY_IMAGE }}:v{{ .Major }}"
     goos: linux
     goarch: amd64
@@ -246,3 +246,20 @@ set the `GORELEASER_FULL_MOCK_RELEASE` variable to 1:
 variables:
   GORELEASER_FULL_MOCK_RELEASE: 1
 ```
+
+### Avoiding container image name clashes when using full-mock releases
+
+Goreleaser may push an image from a snapshot (branch pipeline).
+
+It's possible that in `.goreleaser.yml`, the configuration is configured to push the `latest` tag,
+in which case, Goreleaser could overwrite the `latest` image with an unapproved merge build.
+
+To avoid this, the `goreleaser` task sets an environment variable, `GL_CI_REGISTRY_IMAGE`,
+which is configured as follows:
+
+1. For tag CI builds, it is the same as [`$CI_REGISTRY_IMAGE`](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html#:~:text=the%20GitLab%20instance.-,CI_REGISTRY_IMAGE,-Pre%2Dpipeline)
+1. For other builds, it is `$CI_REGISTRY_IMAGE/dev`.
+
+Using `{{ .Env.GL_CI_REGISTRY_IMAGE }}` in your Goreleaser configuration,
+instead of `{{ .Env.CI_REGISTRY_IMAGE }}` will ensure that mock builds are not
+published to the main registry of your project.

goreleaser.yml

@@ -81,6 +81,7 @@ goreleaser_validate:
     DOCKER_PASSWORD: $CI_REGISTRY_PASSWORD
     GIT_DEPTH: 0
     DOCKER_AUTH_SHARED_PATH: /builds/shared/$CI_PROJECT_PATH
+    GL_CI_REGISTRY_IMAGE: ${CI_REGISTRY_IMAGE}${GL_CI_REGISTRY_IMAGE_SUFFIX}
   # See https://goreleaser.com/ci/gitlab/ for documentation
   script: |
@@ -125,6 +126,7 @@ goreleaser_validate:
       -e GOTOOLCHAIN=go${GL_ASDF_GOLANG_VERSION} \
       -e COSIGN_YES \
       -e SIGSTORE_ID_TOKEN \
+      -e GL_CI_REGISTRY_IMAGE \
       ${GORELEASER_DOCKER_EXTRA_ARGS:-} \
       ${GL_COMMON_CI_TASKS_GORELEASER_IMAGE} \
       ${GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS} \
@@ -187,6 +189,10 @@ goreleaser_validate:
       done
     fi
+    set -x
+    if [[ "${GL_COMMON_CI_TASKS_PUSH_DOCKER_SNAPSHOTS:-}" == "true" ]]; then
+      docker image ls --format "{{.Repository}}:{{.Tag}}" | grep -e "$CI_REGISTRY_IMAGE"
+    fi
 # For the moment, we perform a single build for FIPS and non-FIPS
 # this build is done for validation purposes only
@@ -195,6 +201,7 @@ goreleaser_build:
     - .goreleaser_base
   stage: $[[ inputs.validate_stage ]]
   variables:
+    GL_CI_REGISTRY_IMAGE_SUFFIX: "/dev"
     GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser snapshot validation
   artifacts:
     expire_in: 1 day
@@ -213,7 +220,8 @@ goreleaser_build:
         - .goreleaser.yml
       variables:
         GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-golang-fips:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
-        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean --skip=publish ${GORELEASER_BUILD_EXTRA_ARGS:-}
+        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean ${GORELEASER_BUILD_EXTRA_ARGS:-}
+        GL_COMMON_CI_TASKS_PUSH_DOCKER_SNAPSHOTS: "true"
     # FIPS, normal build
     - if: '$FIPS_MODE == "1"'
@@ -229,7 +237,8 @@ goreleaser_build:
         - .goreleaser.yml
       variables:
         GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
-        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean --skip=publish ${GORELEASER_BUILD_EXTRA_ARGS:-}
+        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean ${GORELEASER_BUILD_EXTRA_ARGS:-}
+        GL_COMMON_CI_TASKS_PUSH_DOCKER_SNAPSHOTS: "true"
     # Finally, the default
     - exists:
@@ -248,6 +257,7 @@ goreleaser:
     - .goreleaser_auth_config  # Configure vault or variables, from internal/goreleaser/*
   stage: $[[ inputs.release_stage ]]
   variables:
+    GL_CI_REGISTRY_IMAGE_SUFFIX: ""
     GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --clean
   rules:
     # Only run this release job for tags, not every commit