openebs · bors-openebs-mayastor · Dec 9, 2025 · Nov 26, 2025
@@ -4,13 +4,25 @@ on:
     branches:
       - develop
       - 'release/**'
-    tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+**'
-
+  workflow_call:
+    inputs:
+      tag:
+        description: 'Tag to be released (e.g. v2.10.0)'
+        required: true
+        type: string
+      registry:
+        description: 'Registry, example: ghcr.io'
+        required: true
+        type: string
+      namespace:
+        description: 'Namespace, example: mayastor/dev'
+        required: true
+        type: string
 env:
   CARGO_TERM_COLOR: always
   CARGO_INCREMENTAL: 0
   CI: 1
+  TAG: ${{ inputs.tag }}
 
 jobs:
   image-build-push:
@@ -32,5 +44,16 @@ jobs:
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push the release images
-        run: ./scripts/release.sh
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            ./scripts/release.sh --tag ${{ inputs.tag }} --registry ${{ inputs.registry }}/${{ github.repository_owner }}/${{ inputs.namespace }}
+          elif [[ "${{ github.event_name }}" == "push" ]]; then
+            ./scripts/release.sh
+          fi        
@@ -0,0 +1,71 @@
+name: Release Tagging Workflow
+
+on:
+  release:
+    types: [ created ]
+
+jobs:
+  preflight-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: cachix/[email protected]
+      - name: Pre-populate nix-shell
+        run: |
+          export NIX_PATH=nixpkgs=$(jq '.nixpkgs.url' nix/sources.json -r)
+          echo "NIX_PATH=$NIX_PATH" >> $GITHUB_ENV
+          nix-shell ./utils/dependencies/scripts/staging/shell.nix --pure --run "echo"
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Validate if the release should be even made
+        run: |
+          nix-shell ./utils/dependencies/scripts/staging/shell.nix --pure --run "./utils/dependencies/scripts/staging/validate.sh \
+            --tag ${{ github.ref_name }} \
+            --type release"
+
+  release-images:
+    runs-on: ubuntu-latest
+    needs: preflight-checks
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: cachix/[email protected]
+      - name: Pre-populate nix-shell
+        run: |
+          export NIX_PATH=nixpkgs=$(jq '.nixpkgs.url' nix/sources.json -r)
+          echo "NIX_PATH=$NIX_PATH" >> $GITHUB_ENV
+          nix-shell ./utils/dependencies/scripts/staging/shell.nix --pure --run "echo"
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Mirror images from dev to Docker Hub
+        run: |
+          nix-shell ./utils/dependencies/scripts/staging/shell.nix --pure --run "./utils/dependencies/scripts/staging/mirror-images.sh \
+            --source ghcr.io/${{ github.repository_owner }}/mayastor/dev \
+            --target docker.io/${{ github.repository_owner }} \
+            --tag ${{ github.ref_name }}"
@@ -0,0 +1,55 @@
+name: Staging Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to be released (e.g. v4.2.0)'
+        required: true
+        type: string
+
+env:
+  TAG: ${{ inputs.tag }}
+  CI: 1
+
+jobs:
+  preflight-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: recursive
+
+      - uses: cachix/[email protected]
+      - name: Pre-populate nix-shell
+        run: |
+          export NIX_PATH=nixpkgs=$(jq '.nixpkgs.url' nix/sources.json -r)
+          echo "NIX_PATH=$NIX_PATH" >> $GITHUB_ENV
+          nix-shell ./utils/dependencies/scripts/staging/shell.nix --pure --run "echo"
+
+      - name: Login to 
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Validate if the staging should be even made
+        run: |
+          nix-shell ./utils/dependencies/scripts/staging/shell.nix \
+          --pure \
+          --keep CI \
+          --keep TAG \
+          --run "./utils/dependencies/scripts/staging/validate.sh \
+            --tag ${{ env.TAG }} \
+            --type staging"
+
+  build-images:
+    uses: ./.github/workflows/image.yml
+    needs: preflight-checks
+    with:
+      tag: ${{ inputs.tag }}
+      registry: ghcr.io
+      namespace: mayastor/dev
+    secrets: inherit
@@ -5,7 +5,10 @@
 # The script assumes that a user is logged on to dockerhub for public images,
 # or has insecure registry access setup for CI.
 
-SOURCE_REL=$(dirname "$0")/../utils/dependencies/scripts/release.sh
+# Allow override from caller
+if [[ -z "${SOURCE_REL:-}" ]]; then
+    SOURCE_REL=$(dirname "$0")/../utils/dependencies/scripts/release.sh
+fi
 
 if [ ! -f "$SOURCE_REL" ] && [ -z "$CI" ]; then
   git submodule update --init --recursive
@@ -14,6 +17,9 @@ fi
 IMAGES="mayastor.io-engine mayastor.casperf fio-spdk"
 CARGO_DEPS=units.cargoDeps
 PROJECT="io-engine"
+
 . "$SOURCE_REL"
 
-common_run $@
+if [ "${NO_RUN:-}" != "true" ]; then
+  common_run "$@"
+fi