Enable CI builds for che-incubator/configbump, including updated secrets

[tolusha]

Is your task related to a problem? Please describe

Currently there is no way to release a new version of che-incubator/configbump since release action fails [1] with the error message:

Run echo "${DOCKERHUB_PASSWORD}" | docker login *** --username "***" --password-stdin
  echo "${DOCKERHUB_PASSWORD}" | docker login *** --username "***" --password-stdin
  shell: /usr/bin/bash -e {0}
  env:
    DOCKERHUB_PASSWORD: ***
Error response from daemon: Get "https://***/v[2](https://github.com/che-incubator/configbump/actions/runs/4103246296/jobs/7077201012#step:6:2)/": unauthorized: Invalid Username or Password

Credentials are outdated.

[1] https://github.com/che-incubator/configbump/actions/runs/4103246296

Describe the solution you'd like

• Update quay.io and github token credentials
• Create make-release.sh and release.yml scripts, like we have in other repos (eg., https://github.com/eclipse-che/che-machine-exec/blob/main/.github/workflows/release.yml and https://github.com/eclipse-che/che-machine-exec/blob/main/make-release.sh )
• switch che-release process from creating a branch every sprint to triggering a release - https://github.com/eclipse-che/che-release/blob/main/make-release.sh#L104 vs. https://github.com/eclipse-che/che-release/blob/main/make-release.sh#L84-L86

Stretch goals:

• replace alpine-based Dockerfile with ubi8-micro based Dockerfile
• downstream, update scripts to use new rhel8-based Dockerfile instead of rhel.Dockerfile, if it's no longer needed

Additional context

#21883

[ibuziuk]

@nickboldt could you please take a look? it is very weird to see DOCKERHUB_PASSWORD in the logs since I do believe we only publish images to quay.io

[nickboldt]

Note thas as part of this update, we could also switch from alpine to ubi8 as the base from which images are built.

Figure if no one has cared about configbump for >2yrs https://quay.io/repository/che-incubator/configbump?tab=tags it's time to update it so it can benefit from our weekly base image update checks/PR generation.

[tolusha]

I think ubi8 is a heavier image than alphine, so I am against it.

[nickboldt]

we'd use ubi8 micro (under 30M), not the full 214M ubi8 image.

• docker.io/library/alpine 3.12 5.87 MB
• registry.access.redhat.com/ubi8-micro latest 28.5 MB
• registry.access.redhat.com/ubi8-minimal latest 94.5 MB
• registry.access.redhat.com/ubi8 latest 214 MB

[tolusha]

Then micro is fine for me. ^)

[nickboldt]

@dmytro-ndp has asked for something to do for Day of Learning / H&H so I've given him this issue to work on when he has time.

[dmytro-ndp]

@nickboldt: did I understand it correctly, that you had suggested to change versioning of configbump from 0.1.0 to Eclipse Che version, like che-machine-exec?

[nickboldt]

Yeah, might as well align to the other che-incubator projects and make per-sprint releases simpler.

https://quay.io/repository/che-incubator/configbump?tab=tags
vs.
https://quay.io/repository/che-incubator/che-code?tab=tags&tag=7.62.0

To see how secrets are used, check out:

• https://github.com/che-incubator/che-code/blob/main/.github/workflows/release.yml#L62-L63
• https://github.com/che-incubator/che-code/blob/main/.github/workflows/image-publish.yml#L68-L81

See also this tool to list names of secrets in a repo, or push updates to secrets https://github.com/nickboldt/github-secrets-generator

[nickboldt]

Note as part of having CI builds we should verify that che-incubator/configbump#68 (review) is merged and triggers a new CI build

[nickboldt]

Is this still needed?

[tolusha]

Yes, we need a way to build a fresh image. The latest one is 2 y.o
https://quay.io/repository/che-incubator/configbump?tab=tags

[nickboldt]

Added to sprint plan for DTW. https://github.com/orgs/eclipse/projects/53/views/2?filterQuery=%5BDevToolsWeek%5D+&pane=issue&itemId=38362130

[nickboldt]

Ready to merge (needs codeowner approval):

• chore: add release scripts so configbump can follow che releases (and stay current w/ CVE fixes) che-incubator/configbump#98

Once merged, can update this PR and merge it too:

• chore: switch from configbump as a branch creation step to a release step; fix inconsistent ordering in make-release.sh; update readme for new phase order; simplify redundant text che-release#80

[nickboldt]

Vastly better:

However need to fix that CVE -- see https://github.com/che-incubator/configbump/pull/100/files

[nickboldt]

CVE fixed.

Working on a fix for tagging next, as job is failing in https://github.com/che-incubator/configbump/actions/runs/6225852133/job/16897423038

--> https://github.com/che-incubator/configbump/pull/103/files

[nickboldt]

When run from the 7.74.x branch (where I already pushed my changes) the job passed:

https://github.com/che-incubator/configbump/actions/runs/6226555508/job/16899641726

So the PR should be safe to merge now

[nickboldt]

Hmm. tag-release failed in https://github.com/che-incubator/configbump/actions/runs/6227605614 but passed in https://github.com/che-incubator/configbump/actions/runs/6226555508

will assume for now this is fixed and verify further next week for the 7.75 release, when we don't have an existing branch and tag to contend with.

[nickboldt]

Resolving.