Stop using v1 and v1.x tags for Docker images (#5956)

## Which problem is this PR solving?
- We used to publish Docker tags like "1" and "1.60", which were aliases
to the most recent fully-qualified version. This is a bad practice,
nobody should be depending on those aliases since they can introduce
unexpected changes to production

## Description of the changes
- Only apply fully qualified vX.Y.Z tag
- Do not generate any tags for runs not on main branch and not on
numbered release
- Rename poorly named internal action `actions/block-pr-not-on-main` to
`actions/block-pr-from-main-branch`
- Remove `name` from many workflow steps as it's redundant
- Add "::group::" boundaries to log output to make it easier to navigate
on github

## How was this change tested?
- CI

---------

Signed-off-by: Yuri Shkuro <github@ysh.us>

.github/workflows/ci-crossdock.yml

@@ -20,8 +20,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -37,11 +36,9 @@ jobs:
       with:
         go-version: 1.23.x
 
-    - name: Export BRANCH variable
-      uses: ./.github/actions/setup-branch
+    - uses: ./.github/actions/setup-branch
 
-    - name: Install tools
-      run: make install-ci
+    - run: make install-ci
 
     - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 

.github/workflows/ci-docker-all-in-one.yml

@@ -27,8 +27,7 @@ jobs:
           binary: jaeger
 
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -37,21 +36,17 @@ jobs:
         submodules: true
 
     - name: Fetch git tags
-      run: |
-        git fetch --prune --unshallow --tags
+      run: git fetch --prune --unshallow --tags
 
     - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: 1.23.x
 
-    - name: Setup Node.js version
-      uses: ./.github/actions/setup-node.js
+    - uses: ./.github/actions/setup-node.js
 
-    - name: Export BRANCH variable
-      uses: ./.github/actions/setup-branch
+    - uses: ./.github/actions/setup-branch
 
-    - name: Install tools
-      run: make install-ci
+    - run: make install-ci
 
     - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 

.github/workflows/ci-docker-build.yml

@@ -20,8 +20,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -30,21 +29,17 @@ jobs:
         submodules: true
 
     - name: Fetch git tags
-      run: |
-        git fetch --prune --unshallow --tags
+      run: git fetch --prune --unshallow --tags
 
     - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: 1.23.x
 
-    - name: Setup Node.js version
-      uses: ./.github/actions/setup-node.js
+    - uses: ./.github/actions/setup-node.js
 
-    - name: Export BRANCH variable
-      uses: ./.github/actions/setup-branch
+    - uses: ./.github/actions/setup-branch
 
-    - name: Install tools
-      run: make install-ci
+    - run: make install-ci
 
     - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 

.github/workflows/ci-docker-hotrod.yml

@@ -19,8 +19,7 @@ jobs:
   hotrod:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -36,8 +35,7 @@ jobs:
       with:
         go-version: 1.23.x
 
-    - name: Export BRANCH variable
-      uses: ./.github/actions/setup-branch
+    - uses: ./.github/actions/setup-branch
 
     - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
 

.github/workflows/ci-lint-checks.yaml

@@ -19,8 +19,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
@@ -33,33 +32,27 @@ jobs:
     - name: Print Jaeger version for no reason
       run: make echo-v1 echo-v2
 
-    - name: Install tools
-      run: make install-test-tools
+    - run: make install-test-tools
 
-    - name: Lint
-      run: make lint
+    - run: make lint
 
   pull-request-preconditions:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
     - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-    - name: Ensure PR is not on main branch
-      uses: ./.github/actions/block-pr-not-on-main
+    - uses: ./.github/actions/block-pr-from-main-branch
 
-    - name: lint-nocommit
-      run: make lint-nocommit
+    - run: make lint-nocommit
 
   dco-check:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after a couple of runs
 
@@ -78,8 +71,7 @@ jobs:
   generated-files-check:
     runs-on: ubuntu-latest
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -104,21 +96,17 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit
 
-    - name: Check out code
-      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-    - name: Install shellcheck
-      run: sudo apt-get install shellcheck
+    - run: sudo apt-get install shellcheck
 
-    - name: Run shellcheck
-      run: shellcheck scripts/*.sh
+    - run: shellcheck scripts/*.sh
 
-    - name: Install shunit2
+    - name: Install shunit2 for shell unit tests
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         repository: kward/shunit2

.github/workflows/ci-release.yml

@@ -21,7 +21,12 @@ on:
       dry_run:
         required: true
         type: boolean
-        description: Pass `true` for a test run. It will only build one platform (for speed) and will not push artifacts.
+        description: Do a test run. It will only build one platform (for speed) and will not push artifacts.
+
+      overwrite:
+        required: true
+        type: boolean
+        description: Allow overwriting artifacts.
 
 # See https://github.com/jaegertracing/jaeger/issues/4017
 permissions:
@@ -45,8 +50,7 @@ jobs:
         sudo rm -rf /usr/local/lib/android || true
         df -h /
 
-    - name: Harden Runner
-      uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
+    - uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c # v2.9.0
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -62,17 +66,18 @@ jobs:
       with:
         go-version: 1.23.x
 
-    - name: Setup Node.js version
-      uses: ./.github/actions/setup-node.js
+    - uses: ./.github/actions/setup-node.js
 
     - name: Determine parameters
       id: params
       run: |
         if [[ "${{ inputs.dry_run }}" == "true" ]]; then
+          echo "local_build=-l" >> $GITHUB_OUTPUT
           echo "platforms=linux/amd64" >> $GITHUB_OUTPUT
           echo "linux_platforms=linux/amd64" >> $GITHUB_OUTPUT
           echo "gpg_key_override=-k skip" >> $GITHUB_OUTPUT
         else
+          echo "local_build=" >> $GITHUB_OUTPUT
           echo "platforms=$(make echo-platforms)" >> $GITHUB_OUTPUT
           echo "linux_platforms=$(make echo-linux-platforms)" >> $GITHUB_OUTPUT
         fi
@@ -89,8 +94,7 @@ jobs:
         echo Validate that the latest tag ${BRANCH} is in semver format
         echo ${BRANCH} | grep -E '^v[0-9]+.[0-9]+.[0-9]+$'
 
-    - name: Install tools
-      run: make install-ci
+    - run: make install-ci
 
     - name: Configure GPG Key
       if: ${{ inputs.dry_run != true }}
@@ -112,7 +116,7 @@ jobs:
       with:
         file: '{deploy/*.tar.gz,deploy/*.zip,deploy/*.sha256sum.txt,deploy/*.asc}'
         file_glob: true
-        overwrite: true
+        overwrite: ${{ inputs.overwrite }}
         tag: ${{ env.BRANCH }}
         repo_token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -125,19 +129,28 @@ jobs:
 
     - name: Build and upload all container images
       # -B skips building the binaries since we already did that above
-      run: bash scripts/build-upload-docker-images.sh -B -p ${{ steps.params.outputs.linux_platforms }}
+      run: |
+        bash scripts/build-upload-docker-images.sh -B \
+          -p ${{ steps.params.outputs.linux_platforms }} \
+          ${{ steps.params.outputs.local_build }}
       env:
         DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
         QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
 
     - name: Build, test, and publish all-in-one image
-      run: bash scripts/build-all-in-one-image.sh -p ${{ steps.params.outputs.linux_platforms }}
+      run: |
+        bash scripts/build-all-in-one-image.sh \
+          -p ${{ steps.params.outputs.linux_platforms }} \
+          ${{ steps.params.outputs.local_build }}
       env:
         DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
         QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
 
     - name: Build, test, and publish hotrod image
-      run: bash scripts/build-hotrod-image.sh -p ${{ steps.params.outputs.linux_platforms }}
+      run: |
+        bash scripts/build-hotrod-image.sh \
+          -p ${{ steps.params.outputs.linux_platforms }} \
+          ${{ steps.params.outputs.local_build }}
       env:
         DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
         QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
@@ -157,6 +170,6 @@ jobs:
       if: ${{ inputs.dry_run != true }}
       with:
         file: jaeger-SBOM.spdx.json
-        overwrite: true
+        overwrite: ${{ inputs.overwrite }}
         tag: ${{ env.BRANCH }}
         repo_token: ${{ secrets.GITHUB_TOKEN }}

Makefile.Docker.mk

@@ -10,24 +10,32 @@ DEBUG_IMAGE      ?= $(DOCKER_REGISTRY)/debugimg_alpine:latest
 create-baseimg-debugimg: create-baseimg create-debugimg
 
 create-baseimg: prepare-docker-buildx
+	@echo "::group:: create-baseimg"
 	docker buildx build -t $(BASE_IMAGE) --push \
 		--platform=$(LINUX_PLATFORMS) \
 		docker/base
+	@echo "::endgroup::"
 
 create-debugimg: prepare-docker-buildx
+	@echo "::group:: create-debugimg"
 	docker buildx build -t $(DEBUG_IMAGE) --push \
 		--platform=$(LINUX_PLATFORMS) \
 		docker/debug
+	@echo "::endgroup::"
 
 create-fake-debugimg: prepare-docker-buildx
+	@echo "::group:: create-fake-debugimg"
 	docker buildx build -t $(DEBUG_IMAGE) --push \
 		--platform=$(LINUX_PLATFORMS) \
 		docker/base
+	@echo "::endgroup::"
 
 .PHONY: prepare-docker-buildx
 prepare-docker-buildx:
+	@echo "::group:: prepare-docker-buildx"
 	docker buildx inspect jaeger-build > /dev/null || docker buildx create --use --name=jaeger-build --buildkitd-flags="--allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host" --driver-opt="network=host"
 	docker inspect registry > /dev/null || docker run --rm -d -p 5000:5000 --name registry registry:2
+	@echo "::endgroup::"
 
 .PHONY: clean-docker-buildx
 clean-docker-buildx:

scripts/build-all-in-one-image.sh

@@ -6,7 +6,7 @@
 set -euf -o pipefail
 
 print_help() {
-  echo "Usage: $0 [-b binary] [-D] [-l] [-p platforms]"
+  echo "Usage: $0 [-b binary] [-D] [-h] [-l] [-p platforms]"
   echo "-b: Which binary to build: 'all-in-one' (default) or 'jaeger' (v2)"
   echo "-D: Disable building of images with debugger"
   echo "-h: Print help"

scripts/build-hotrod-image.sh

@@ -6,7 +6,7 @@
 set -euxf -o pipefail
 
 print_help() {
-  echo "Usage: $0 [-l] [-D] [-p platforms] [-h]"
+  echo "Usage: $0 [-h] [-l] [-p platforms]"
   echo "-h: Print help"
   echo "-l: Enable local-only mode that only pushes images to local registry"
   echo "-p: Comma-separated list of platforms to build for (default: all supported)"
@@ -19,7 +19,7 @@ current_platform="$(go env GOOS)/$(go env GOARCH)"
 LOCAL_FLAG=''
 success="false"
 
-while getopts "lp:h" opt; do
+while getopts "hlp:" opt; do
 	case "${opt}" in
 	l)
 		# in the local-only mode the images will only be pushed to local registry