From 5bf5436a3679048381f3100aeada982db54a03e5 Mon Sep 17 00:00:00 2001
From: Nathan Klick
Date: Fri, 22 Mar 2024 17:49:43 -0500
Subject: [PATCH] chore(ci): add image validations
Signed-off-by: Nathan Klick
---
 .../node-zxc-build-release-artifact.yaml | 74 ++++++++++++++++++-
 1 file changed, 72 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/node-zxc-build-release-artifact.yaml b/.github/workflows/node-zxc-build-release-artifact.yaml
index a595b323d47e..f7bcdb6281b7 100644
--- a/.github/workflows/node-zxc-build-release-artifact.yaml
+++ b/.github/workflows/node-zxc-build-release-artifact.yaml
@@ -108,6 +108,9 @@ defaults:
 env:
 LC_ALL: C.UTF-8
+ DOCKER_MANIFEST_GENERATOR: .github/workflows/support/scripts/generate-docker-artifact-baseline.sh
+ DOCKER_MANIFEST_PATH: ${{ github.workspace }}/.manifests/docker
+ SKOPEO_VERSION: v1.14.0
 permissions:
 id-token: write
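Review bot: `SKOPEO_VERSION: v1.14.0` is declared at workflow level, but no step added in this patch installs skopeo or reads the variable, so nothing visible here enforces the pin. If `generate-docker-artifact-baseline.sh` calls skopeo (its body is not part of this patch), the image comparison depends on whichever binary the self-hosted runner already carries. Either add an install step that fetches exactly this version and verifies the download's checksum, or drop the variable and state the assumption in a comment such as `# skopeo is expected to be preinstalled on the runner image`.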
@@ -575,6 +578,74 @@ jobs:
 jf-docker-registry: ${{ secrets.jf-docker-registry }}
 jf-access-token: ${{ secrets.jf-access-token }}
+ validate-production-image:
+ name: Validate Production Image
+ runs-on: [ self-hosted, Linux, large, ephemeral ]
+ needs:
+ - gcp-production-image
+ - jfr-production-image
+ if: ${{ inputs.dry-run-enabled != true && !cancelled() && !failure() }}
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Create Manifest Directories
+ run: |
+ mkdir -p "${DOCKER_MANIFEST_PATH}/gcp"
+ mkdir -p "${DOCKER_MANIFEST_PATH}/jfrog"
+
+ - name: Generate GCP Manifest
+ if: gcp
+ env:
+ MANIFEST_PATH: ${{ env.DOCKER_MANIFEST_PATH }}/gcp
+ DOCKER_REGISTRY: ${{ needs.gcp-production-image.outputs.docker-image-prefix }}
+ DOCKER_TAG: ${{ needs.gcp-production-image.outputs.docker-image-tag }}
+ run: ${{ env.DOCKER_MANIFEST_GENERATOR }}
+
+ - name: Generate JFrog Manifest
+ id: jfrog
+ env:
+ MANIFEST_PATH: ${{ env.DOCKER_MANIFEST_PATH }}/jfrog
+ DOCKER_REGISTRY: ${{ needs.jfr-production-image.outputs.docker-image-prefix }}
+ DOCKER_TAG: ${{ needs.jfr-production-image.outputs.docker-image-tag }}
+ run: ${{ env.DOCKER_MANIFEST_GENERATOR }}
+
+ - name: Validate Layers (linux/amd64)
+ run: |
+ if ! diff -u "${{ steps.gcp.outputs.path }}/linux-amd64.layers.json" "${{ steps.jfrog.outputs.path }}/linux-amd64.layers.json" >/dev/null 2>&1; then
+ echo "::group::Layer Differences"
+ diff -u "${DOCKER_MANIFEST_PATH}/linux-amd64.layers.json" "${{ steps.regen-manifest.outputs.path }}/linux-amd64.layers.json"
+ echo "::endgroup::"
+ exit 1
+ fi
+
+ - name: Validate Layers (linux/arm64)
+ run: |
+ if ! diff -u "${{ steps.gcp.outputs.path }}/linux-arm64.layers.json" "${{ steps.jfrog.outputs.path }}/linux-arm64.layers.json" >/dev/null 2>&1; then
+ echo "::group::Layer Differences"
+ diff -u "${DOCKER_MANIFEST_PATH}/linux-arm64.layers.json" "${{ steps.regen-manifest.outputs.path }}/linux-arm64.layers.json"
+ echo "::endgroup::"
+ exit 1
+ fi
+
+ - name: Validate Full Manifest (linux/amd64)
+ run: |
+ if ! diff -u "${{ steps.gcp.outputs.path }}/linux-amd64.comparable.json" "${{ steps.jfrog.outputs.path }}/linux-amd64.comparable.json" >/dev/null 2>&1; then
+ echo "::group::Layer Differences"
+ diff -u "${DOCKER_MANIFEST_PATH}/linux-amd64.comparable.json" "${{ steps.regen-manifest.outputs.path }}/linux-amd64.comparable.json"
+ echo "::endgroup::"
+ exit 1
+ fi
+
+ - name: Validate Full Manifest (linux/arm64)
+ run: |
+ if ! diff -u "${{ steps.gcp.outputs.path }}/linux-arm64.comparable.json" "${{ steps.jfrog.outputs.path }}/linux-arm64.comparable.json" >/dev/null 2>&1; then
+ echo "::group::Layer Differences"
+ diff -u "${DOCKER_MANIFEST_PATH}/linux-arm64.comparable.json" "${{ steps.regen-manifest.outputs.path }}/linux-arm64.comparable.json"
+ echo "::endgroup::"
+ exit 1
+ fi
+
 evm-mc-publish:
 name: Publish EVM to Maven Central
 runs-on: [ self-hosted, Linux, large, ephemeral ]
@@ -836,8 +907,7 @@ jobs:
 needs:
 - validate
 - local-node-images
- - gcp-production-image
- - jfr-production-image
+ - validate-production-image
 - evm-mc-publish
 - sdk-publish
 if: ${{ inputs.dry-run-enabled != true && inputs.version-policy == 'specified' && !cancelled() && !failure() }}
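Review bot: The `Generate GCP Manifest` step carries `if: gcp` where `id: gcp` was evidently intended, so no step owns the id that `steps.gcp.outputs.path` refers to in the four validation steps; Actions is likely to reject the bare `gcp` expression, and otherwise the GCP side of every comparison resolves to an empty path. The diff printed inside each `::group::` reads `${DOCKER_MANIFEST_PATH}/…` and `steps.regen-manifest.outputs.path`, and this job has no step with id `regen-manifest`, so a real mismatch between the two registries would be reported against the wrong files. Setting `id: gcp` and giving the gate and the printed diff the same two files, passed through `env:` rather than interpolated into the script, fixes both; an existence check also keeps an empty `path` output from comparing a file with itself. Whether the generator script writes a `path` output at all is not visible in this patch and is worth confirming.

```yaml
      - name: Generate GCP Manifest
        id: gcp
        # … unchanged: env and run of the generator step …

      - name: Validate Layers (linux/amd64)
        env:
          GCP_FILE: ${{ steps.gcp.outputs.path }}/linux-amd64.layers.json
          JFROG_FILE: ${{ steps.jfrog.outputs.path }}/linux-amd64.layers.json
        run: |
          # Fail closed when a manifest is missing or both names resolve to one file.
          [[ -f "${GCP_FILE}" && -f "${JFROG_FILE}" && "${GCP_FILE}" != "${JFROG_FILE}" ]] || exit 1
          if ! diff -u "${GCP_FILE}" "${JFROG_FILE}" >/dev/null 2>&1; then
            # … unchanged: open the log group …
            # "|| true" lets the script reach ::endgroup:: when the shell runs with errexit.
            diff -u "${GCP_FILE}" "${JFROG_FILE}" || true
            # … unchanged: close the log group, exit 1 …
          fi

      # … same change in Validate Layers (linux/arm64) and both Validate Full Manifest steps …
```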