[#1591] Build and host OCI images on our own infra

Similar to TrueCloudLab/frostfs-s3-gw#587
this PR introduces a CI pipeline that builds Docker images and pushes them
to our selfhosted registry.

Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>

.forgejo/workflows/oci-image.yml

@@ -0,0 +1,28 @@
+name: OCI image
+
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  image:
+    name: Build container images
+    runs-on: docker
+    container: git.frostfs.info/truecloudlab/env:oci-image-builder-bookworm
+    steps:
+      - name: Clone git repo
+        uses: actions/checkout@v3
+
+      - name: Build OCI image
+        run: make images
+
+      - name: Push image to OCI registry
+        run: |
+          echo "$REGISTRY_PASSWORD" \
+            | docker login --username truecloudlab --password-stdin git.frostfs.info
+          make push-images
+        if: >-
+          startsWith(github.ref, 'refs/tags/v') &&
+          (github.event_name == 'workflow_dispatch' || github.event_name == 'push')
+        env:
+          REGISTRY_PASSWORD: ${{secrets.FORGEJO_OCI_REGISTRY_PUSH_TOKEN}}

Makefile

@@ -139,6 +139,15 @@ images: image-storage image-ir image-cli image-adm
 # Build dirty local Docker images
 dirty-images: image-dirty-storage image-dirty-ir image-dirty-cli image-dirty-adm
 
+# Push FrostFS components' docker image to the registry
+push-image-%:
+	@echo "⇒ Publish FrostFS $* docker image "
+	@docker push $(HUB_IMAGE)-$*:$(HUB_TAG)
+
+# Push all Docker images to the registry
+.PHONY: push-images
+push-images: push-image-storage push-image-ir push-image-cli push-image-adm
+
 # Run `make %` in Golang container
 docker/%:
 	docker run --rm -t \

docs/release-instruction.md

@@ -95,19 +95,15 @@ $ git push origin ${FROSTFS_TAG_PREFIX}${FROSTFS_REVISION}
 
 ## Post-release
 
-### Prepare and push images to a Docker Hub (if not automated)
+### Prepare and push images to a Docker registry (automated)
 
-Create Docker images for all applications and push them into Docker Hub
-(requires [organization](https://hub.docker.com/u/truecloudlab) privileges)
+Create Docker images for all applications and push them into container registry
+(executed automatically in Forgejo Actions upon pushing a release tag):
 
 ```shell
 $ git checkout ${FROSTFS_TAG_PREFIX}${FROSTFS_REVISION}
 $ make images
-$ docker push truecloudlab/frostfs-storage:${FROSTFS_REVISION}
-$ docker push truecloudlab/frostfs-storage-testnet:${FROSTFS_REVISION}
-$ docker push truecloudlab/frostfs-ir:${FROSTFS_REVISION}
-$ docker push truecloudlab/frostfs-cli:${FROSTFS_REVISION}
-$ docker push truecloudlab/frostfs-adm:${FROSTFS_REVISION}
+$ make push-images
 ```
 
 ### Make a proper release (if not automated)

pkg/util/ape/parser.go

@@ -261,7 +261,7 @@ func parseResource(lexeme string, isObj bool) (string, error) {
 		} else {
 			if lexeme == "*" {
 				return nativeschema.ResourceFormatAllContainers, nil
-			} else if lexeme == "/*" {
+			} else if lexeme == "/*" || lexeme == "root/*" {
 				return nativeschema.ResourceFormatRootContainers, nil
 			} else if strings.HasPrefix(lexeme, "/") && len(lexeme) > 1 {
 				lexeme = lexeme[1:]

pkg/util/ape/parser_test.go

@@ -43,6 +43,15 @@ func TestParseAPERule(t *testing.T) {
 				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootObjects}},
 			},
 		},
+		{
+			name: "Valid rule for all containers in explicit root namespace",
+			rule: "allow Container.Put root/*",
+			expectRule: policyengine.Rule{
+				Status:    policyengine.Allow,
+				Actions:   policyengine.Actions{Names: []string{nativeschema.MethodPutContainer}},
+				Resources: policyengine.Resources{Names: []string{nativeschema.ResourceFormatRootContainers}},
+			},
+		},
 		{
 			name: "Valid rule for all objects in root namespace and container",
 			rule: "allow Object.Put /cid/*",