scality · Apr 24, 2026 · Apr 9, 2026 · Apr 10, 2026 · Apr 4, 2026 · Apr 8, 2026
diff --git a/.github/actions/create-component-deployments/action.yaml b/.github/actions/create-component-deployments/action.yaml
@@ -0,0 +1,134 @@
+name: Manage Component Deployments
+description: >
+  Create or update GitHub Deployments on scality component repos
+  referenced in deps.yaml, providing integration visibility.
+  Generates a minimally-scoped token (deployments:write + packages:read,
+  limited to the exact repos found in deps.yaml).
+  Falls back to OCI manifest annotations when image tags are not valid git refs.
+
+inputs:
+  app-id:
+    description: GitHub App ID for token generation
+    required: true
+  app-private-key:
+    description: GitHub App private key for token generation
+    required: true
+  deps-file:
+    description: Path to deps.yaml
+    required: false
+    default: solution/deps.yaml
+  target-branch:
+    description: >-
+      Target branch to diff deps against (when set, deployments are created only for
+      changed componentsets)
+    required: false
+    default: ''
+  environment:
+    description: Deployment environment name (e.g. zenko/development/2.11)
+    required: true
+  status:
+    description: Deployment status (in_progress, success, failure)
+    required: true
+  transient:
+    description: Whether deployments are transient (auto-inactivated on newer success)
+    required: false
+    default: 'false'
+  production:
+    description: Whether deployments target a production environment
+    required: false
+    default: 'false'
+  log-url:
+    description: URL to link from the deployment status
+    required: true
+  description:
+    description: Human-readable deployment status description
+    required: false
+    default: ''
+  github-token:
+    description: GitHub token for github-script (only needed for act.js tests)
+    required: false
+    default: ${{ github.token }}
+
+runs:
+  using: composite
+  steps:
+    - name: Filter to changed dependencies
+      if: inputs.target-branch != ''
+      id: filter
+      shell: bash
+      run: |
+        # Diff against the merge-base (common ancestor with target branch) rather
+        # than the target branch tip, so deps where the PR branch is merely
+        # behind on target don't show up as "changed". Requires fetch-depth: 0
+        # on the caller checkout.
+        git fetch origin "${{ inputs.target-branch }}"
+        base_ref=$(git merge-base HEAD "origin/${{ inputs.target-branch }}")
+        echo "Diffing against merge-base $base_ref"
+        git show "$base_ref:${{ inputs.deps-file }}" > /tmp/base-deps.yaml 2>/dev/null || echo '{}' > /tmp/base-deps.yaml
+
+        yq eval-all '
+          select(fi == 0) as $curr | select(fi == 1) as $base |
+          $curr | with_entries(select(.value.tag != ($base[.key].tag // "")))
+        ' '${{ inputs.deps-file }}' /tmp/base-deps.yaml > /tmp/changed-deps.yaml
+
+        cat /tmp/changed-deps.yaml
+        echo "deps-file=/tmp/changed-deps.yaml" >> "$GITHUB_OUTPUT"
+
+    - name: Convert deps.yaml to JSON
+      id: json
+      shell: bash
+      run: |
+        yq -o=json '${{ steps.filter.outputs.deps-file || inputs.deps-file }}' > /tmp/changed-deps.json
+        echo "deps-file=/tmp/changed-deps.json" >> "$GITHUB_OUTPUT"
+
+    - name: Parse component repos from deps.yaml
+      id: parse
+      uses: actions/github-script@v7
+      with:
+        github-token: ${{ inputs.github-token }}
+        script: |
+          const { parseDeps } = require('${{ github.action_path }}/parse-deps.js');
+          const selfRepo = process.env.GITHUB_REPOSITORY || 'scality/zenko';
+          const { components, repos } = parseDeps('${{ steps.json.outputs.deps-file }}', selfRepo);
+
+          if (components.length === 0) {
+            core.info('No component repos found in deps.yaml');
+            core.setOutput('components', '');
+            return;
+          }
+
+          core.setOutput('components', JSON.stringify(components));
+          core.setOutput('repos', repos.join('\n'));
+
+    - name: Generate scoped deployments token
+      if: steps.parse.outputs.components != ''
+      id: app-token
+      uses: actions/create-github-app-token@v2
+      with:
+        app-id: ${{ inputs.app-id }}
+        private-key: ${{ inputs.app-private-key }}
+        owner: ${{ github.repository_owner }}
+        repositories: ${{ steps.parse.outputs.repos }}
+        permission-deployments: write
+        permission-packages: read
+
+    - name: Create or update deployments
+      if: steps.parse.outputs.components != ''
+      uses: actions/github-script@v7
+      env:
+        COMPONENTS: ${{ steps.parse.outputs.components }}
+      with:
+        github-token: ${{ steps.app-token.outputs.token }}
+        script: |
+          const { createDeployments } = require('${{ github.action_path }}/create-deployments.js');
+          await createDeployments({
+            github, core,
+            components: JSON.parse(process.env.COMPONENTS),
+            environment: `${{ inputs.environment }}`,
+            status: `${{ inputs.status }}`,
+            transient: ${{ inputs.transient }},
+            production: ${{ inputs.production }},
+            logUrl: `${{ inputs.log-url }}`,
+            description: `${{ inputs.description }}`,
+            token: `${{ steps.app-token.outputs.token }}`,
+          });
diff --git a/.github/actions/create-component-deployments/create-deployments.js b/.github/actions/create-component-deployments/create-deployments.js
@@ -0,0 +1,220 @@
+// @ts-check
+
+/**
+ * @typedef {import('@octokit/rest').Octokit} Octokit
+ * @typedef {{ info: (msg: string) => void, warning: (msg: string) => void, startGroup: (name: string) => void, endGroup: () => void }} Core
+ * @typedef {{ repo: string, ref: string, image: string }} Component
+ * @typedef {{ token: string, environment: string, description: string, transient: boolean, production: boolean, createOnly: boolean }} DeploymentParams
+ */
+
+const GHCR_REGISTRY = 'https://ghcr.io';
+
+/**
+ * Fetch OCI image annotations from ghcr.io to resolve repo and git ref.
+ *
+ * Looks for standard OCI annotations:
+ *   - org.opencontainers.image.revision → git SHA
+ *   - org.opencontainers.image.source   → repo URL
+ *
+ * @param {string} image - e.g. "scality/playground/my-image"
+ * @param {string} tag
+ * @param {string} token - Bearer token with packages:read
+ * @returns {Promise<{repo: string, ref: string} | null>}
+ */
+async function resolveFromManifest(image, tag, token) {
+    // Get a scoped token from ghcr.io (Basic auth required for private images)
+    const authResp = await fetch(`${GHCR_REGISTRY}/token?scope=repository:${image}:pull`, {
+        headers: { Authorization: `Basic ${Buffer.from(`x-access-token:${token}`).toString('base64')}` },
+    });
+    if (!authResp.ok) {
+        return null;
+    }
+    const { token: registryToken } = await authResp.json();
+
+    const headers = {
+        Authorization: `Bearer ${registryToken}`,
+        Accept: [
+            'application/vnd.oci.image.manifest.v1+json',
+            'application/vnd.docker.distribution.manifest.v2+json',
+        ].join(', '),
+    };
+
+    // Fetch manifest
+    const manifestResp = await fetch(`${GHCR_REGISTRY}/v2/${image}/manifests/${tag}`, { headers });
+    if (!manifestResp.ok) {
+        return null;
+    }
+    const manifest = await manifestResp.json();
+
+    // Check manifest annotations first (OCI image manifest)
+    let annotations = manifest.annotations || {};
+
+    // If no revision in manifest annotations, check the config blob
+    if (!annotations['org.opencontainers.image.revision'] && manifest.config) {
+        const configResp = await fetch(`${GHCR_REGISTRY}/v2/${image}/blobs/${manifest.config.digest}`, { headers });
+        if (configResp.ok) {
+            const config = await configResp.json();
+            annotations = config.config?.Labels || {};
+        }
+    }
+
+    const ref = annotations['org.opencontainers.image.revision'];
+    if (!ref) {
+        return null;
+    }
+
+    // Derive repo from source annotation or image path
+    const source = annotations['org.opencontainers.image.source'] || '';
+    let repo = '';
+    const ghMatch = source.match(/github\.com\/([^/]+\/[^/]+)/);
+    if (ghMatch) {
+        repo = ghMatch[1].replace(/\.git$/, '');
+    }
+
+    return { repo, ref };
+}
+
+/**
+ * Find an existing deployment or create a new one.
+ *
+ * For status updates (success/failure), looks up an existing deployment first.
+ * For in_progress, always creates a fresh one.
+ *
+ * @param {Octokit} github
+ * @param {object} params
+ * @param {string} params.owner
+ * @param {string} params.repo
+ * @param {string} params.ref
+ * @param {string} params.environment
+ * @param {string} params.description
+ * @param {boolean} params.transient
+ * @param {boolean} params.production
+ * @param {boolean} params.createOnly - Skip lookup, always create
+ * @returns {Promise<number>} deployment id
+ */
+async function findOrCreateDeployment(github, { owner, repo, ref, environment, description, transient, production, createOnly }) {
+    if (!createOnly) {
+        const { data: existing } = await github.rest.repos.listDeployments({
+            owner, repo, environment, ref, per_page: 1,
+        });
+        if (existing.length > 0) {
+            return existing[0].id;
+        }
+    }
+
+    const { data } = await github.rest.repos.createDeployment({
+        owner, repo, ref,
+        environment,
+        description,
+        auto_merge: false,
+        required_contexts: [],
+        transient_environment: transient,
+        production_environment: production,
+    });
+
+    return data.id;
+}
+
+/**
+ * Resolve repo/ref from manifest if needed, then find or create a deployment.
+ * If findOrCreateDeployment fails with 409/422 and repo was not yet resolved,
+ * resolves from the manifest and retries once.
+ *
+ * @param {Octokit} github
+ * @param {Core} core
+ * @param {Function} resolve
+ * @param {Component} component
+ * @param {DeploymentParams} deployParams
+ * @returns {Promise<{component: Component, deploymentId: number}>}
+ */
+async function resolveDeployment(github, core, resolve, { repo, ref, image }, deployParams) {
+    const { token, environment, description, transient, production, createOnly } = deployParams;
+    const canRetry = !!repo;
+
+    // Resolve repo/ref from manifest if not provided
+    if (!repo) {
+        const resolved = await resolve(image, ref, token);
+        if (!resolved?.repo) {
+            throw new Error(`Could not resolve repo for ${image}:${ref}`);
+        }
+
+        repo = resolved.repo;
+        ref = resolved.ref || ref;
+    }
+
+    const [owner, repoName] = repo.split('/');
+    try {
+        const deploymentId = await findOrCreateDeployment(github, {
+            owner, repo: repoName, ref, environment, description, transient, production, createOnly,
+        });
+
+        return { component: { repo, ref, image }, deploymentId };
+    } catch (/** @type {any} */ err) {
+        if (canRetry && (err.status === 409 || err.status === 422)) {
+            core.info(`Ref "${ref}" not found on ${repo}, checking image manifest...`);
+            return resolveDeployment(github, core, resolve, { repo: '', ref, image }, deployParams);
+        }
+
+        throw err;
+    }
+}
+
+/**
+ * Create or update GitHub Deployments on component repos.
+ *
+ * @param {object} params
+ * @param {Octokit} params.github - Octokit instance
+ * @param {Core} params.core - GitHub Actions core
+ * @param {Array<Component>} params.components - Parsed component list
+ * @param {string} params.environment - Deployment environment name
+ * @param {string} params.status - Deployment status (in_progress, success, failure)
+ * @param {boolean} params.transient - Whether deployments are transient
+ * @param {boolean} params.production - Whether deployments target a production environment
+ * @param {string} params.logUrl - URL to link from the deployment status
+ * @param {string} params.description - Human-readable description
+ * @param {string} params.token - GitHub token with packages:read for manifest lookups
+ */
+async function createDeployments({ github, core, components, environment, status, transient, production, logUrl, description, token }) {
+    const deployParams = { token, environment, description, transient, production, createOnly: status === 'in_progress' };
+    let errors = 0;
+
+    for (const component of components) {
+        core.startGroup(`${component.repo || component.image}:${component.ref}`);
+
+        try {
+            const { component: resolved, deploymentId } = await resolveDeployment(
+                github, core, resolveFromManifest, component, deployParams,
+            );
+            const [owner, repoName] = resolved.repo.split('/');
+            core.info(`Resolved to ${resolved.repo} @ ${resolved.ref}`);
+
+            await github.rest.repos.createDeploymentStatus({
+                owner, repo: repoName,
+                deployment_id: deploymentId,
+                state: status,
+                log_url: logUrl,
+                description,
+            });
+
+            core.info(`Deployment ${deploymentId}, status: ${status}`);
+        } catch (/** @type {any} */ err) {
+            core.warning(`Failed on ${component.repo || component.image}: ${err.message}`);
+            errors++;
+        }
+
+        core.endGroup();
+    }
+
+    if (errors > 0) {
+        core.warning(`${errors} deployment(s) failed (non-fatal)`);
+    }
+
+    return errors;
+}
+
+module.exports = {
+    findOrCreateDeployment,
+    resolveDeployment,
+    resolveFromManifest,
+    createDeployments,
+};