Add podman-entitlement GitHub Action.

README.md

@@ -12,6 +12,7 @@ This repository contains the common Actions and config files for developing the
 - [action-io-generator](./action-io-generator) is an NPM package and (soon to be) Docker Action that makes sure your JavaScript action uses the same Inputs and Outputs defined in your `action.yml`.
 - [bundle-verifier](./bundle-verifier) is a JavaScript Action that makes sure your JavaScript action's committed distribution bundle is up-to-date.
 - [commit-data](./commit-data) is a Docker Action that outputs some commonly needed data about the current workflow's HEAD commit.
+- [podman-entitlement](./podman-entitlement) is a composite Action which enables subsequent `podman build`s to consume Red Hat entitlements.
 - [config-files](./config-files) contains our shared TypeScript, ESLint, and Webpack configs.
 
 It is also used for tracking issues that don't fit into another, more specific repository.

podman-entitlement/README.md

@@ -0,0 +1,43 @@
+## Podman Entitlement GitHub Action
+
+When building container images that install Red Hat content
+which is not part of Universal Base Image repositories,
+Red Hat entitlements are needed to access the full Red Hat Enterprise Linux
+repositories.
+
+To avoid modifying the Dockerfiles with extra steps that would
+handle the registration, this Action registers a temporary system
+using organization's activation key, and uses `/etc/containers/mounts.conf`
+to configure subsequent `podman build` invocations to have access
+to the entitlements.
+
+## Inputs
+
+| Input | Description |
+| ---   | --- |
+| `org` | Red Hat account organization |
+| `activationkey` | Red Hat account activation key |
+| `image` | Container image to use to run `subscription-manager register` with the above parameters <br> Optional, defaults to `registry.access.redhat.com/ubi9` |
+
+## Usage
+
+On https://access.redhat.com/management/activation_keys, create
+new Subscription Manager activation key.
+
+Set up secrets in your repository, for example `redhat_org` for your
+Red Hat account organization and `redhat_activationkey` for your Red Hat
+account activation key. Your Organization ID is shown on the above-mentioned
+Activation Keys page on Red Hat portal.
+
+In your workflow YAML which calls `podman build`, add invocation
+of `redhat-actions/common/podman-entitlement` before that `podman build`
+step:
+
+```yaml
+      - uses: redhat-actions/common/podman-entitlement
+        with:
+          org: ${{ secrets.redhat_org }}
+          activationkey: ${{ secrets.redhat_activationkey }}
+      - run: podman build -t localhost/the-image:the-tag src
+```
+

podman-entitlement/action.yml

@@ -0,0 +1,32 @@
+name: 'Enable Red Hat entitled podman builds'
+inputs:
+  org:
+    description: 'Red Hat account organization'
+  activationkey:
+    description: 'Red Hat account activation key'
+  image:
+    description: 'Container image to use to run subscription-manager register'
+    default: 'registry.access.redhat.com/ubi9'
+runs:
+  using: 'composite'
+  steps:
+    - run: mkdir -p /tmp/{etc-pki-entitlement,rhsm}-${{ github.run_id }}
+      shell: bash
+    - run: |
+        NAME=$( echo "$run_url" | sed 's#^https://##;s#/#-#g' )
+        podman run --rm --name="$NAME" \
+          -v "/tmp/etc-pki-entitlement-${{ github.run_id }}":/etc/pki/entitlement-out:z \
+          -v "/tmp/rhsm-${{ github.run_id }}":/etc/rhsm-out:z \
+          "${{ inputs.image }}" \
+          bash -c '/usr/sbin/subscription-manager register \
+                     --org="${{ inputs.org }}" \
+                     --activationkey="${{ inputs.activationkey }}" \
+                     --name="'$NAME'" \
+                   && cp /etc/pki/entitlement/* /etc/pki/entitlement-out/ \
+                   && cp -r /etc/rhsm/ca /etc/rhsm/rhsm.conf /etc/rhsm-out \
+                   && /usr/sbin/subscription-manager unregister'
+      env:
+        run_url: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+      shell: bash
+    - run: for i in etc-pki-entitlement rhsm ; do echo "/tmp/$i-${{ github.run_id }}:/run/secrets/$i" ; done | sudo tee -a /etc/containers/mounts.conf
+      shell: bash