ci(rh-shield-operator): enhance operator release pipeline

The old pipeline would simply build and push the operator and bundle
images. This was a start, but left numerous manual steps to get the
Operator itself certified. The changes in this PR add the following
enhancements to the pipeline.

1. Generate the Bundle content in the pipeline
  a. Run the 'make bundle' command in the pipeline as opposed to
     requiring it be run beforehand.
  b. Since the pipeline guarantees the operator image itself will be
     built and pushed before the bundle is generated, we can set
     USE_IMAGE_DIGESTS=true when running 'make bundle' to include
     the image checksums in the bundle. This is a requirement for
     certification.
  c. The newly generated bundle content will be modified to
     include the annotations required for certification that are not
     created by the operator-sdk.
2. Trigger preflight certification

The act of certifying the operator will still require manual intervention.

Author: aroberts87

.github/workflows/release-rh-shield-operator.yaml

@@ -1,18 +1,37 @@
-name: Release the Shield Operator
+name: Build and Push the Shield Operator
 
 on:
-  workflow_dispatch:
-    inputs:
-      release_version:
-        description: 'The version of the operator to release'
-        required: true
-        type: string
+  push:
+    branches:
+      - main
+    paths:
+      - 'rh-shield-operator/Makefile'  # Updated by the release pipelines
+
 jobs:
-  build-and-push:
-    name: Build and Push the Operator Images
+  determine-operator-version:
+    name: Determine the Operator Version
+    runs-on: ubuntu-latest
+    outputs:
+      release_version: ${{ steps.get-operator-version.outputs.release_version }}
+    steps:
+      - name: Checkout charts repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: '1'
+
+      - name: Get Operator Version
+        id: get-operator-version
+        run: |
+          VERSION=$(awk '/^VERSION/{print $3}' Makefile)
+          echo "Discovered release version is $VERSION"
+          echo "release_version=$VERSION" >> $GITHUB_OUTPUT
+        working-directory: rh-shield-operator
+
+  build-operator:
+    name: Build the Operator Image
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
+      - name: Checkout charts repo
         uses: actions/checkout@v4
         with:
           fetch-depth: '1'
@@ -24,10 +43,111 @@ jobs:
           username: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_USERNAME }}
           password: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_PASSWORD }}
 
-      - name: Build and Push Operator and Bundle Images
-        env:
-          IMAGE_TAG_BASE: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_IMAGE_TAG_BASE }}
-          VERSION: ${{ github.event.inputs.release_version }}
+      - name: Build and Push Operator Image
+        id: build-operator
         run: |
-          make docker-build docker-push bundle-build bundle-push
+          make docker-build docker-push
+        working-directory: rh-shield-operator
+
+  build-operator-bundle:
+    name: Build the Operator Bundle
+    runs-on: ubuntu-latest
+    needs:
+      - build-operator
+      - determine-operator-version
+    steps:
+      - name: Checkout charts repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: '1'
+
+      - name: Login to Docker registry
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_USERNAME }}
+          password: ${{ secrets.QUAY_RH_SHIELD_OPERATOR_PASSWORD }}
+
+      - name: Generate Bundle Content
+        # When using 'USE_IMAGE_DIGEST', the 'make bundle' command inspects the live operator image from the registry
+        # to generate the image digest. As a result, this step must be after the operator image has been
+        # generated and pushed to the registry.
+        run: |
+          USE_IMAGE_DIGESTS=true make bundle
+        working-directory: rh-shield-operator
+
+      - name: Set Labels and Annotations required for Certification on the Bundle
+        uses: mikefarah/yq@v4
+        with:
+          cmd: |
+            yq e -i '.metadata.name |= sub("rh-shield-operator", "sysdig-shield-operator")' rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml
+            yq e -i '.annotations."operators.operatorframework.io.bundle.package.v1" |= sub("rh-shield-operator", "sysdig-shield-operator")' rh-shield-operator/bundle/metadata/annotations.yaml
+            yq e -i '.metadata.annotations.containerImage = (.spec.relatedImages[] | select(.name == "manager").image)' rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml
+            yq e -i '.metadata.annotations += {
+              "features.operators.openshift.io/cnf": "false",
+              "features.operators.openshift.io/cni": "false",
+              "features.operators.openshift.io/csi": "false",
+              "features.operators.openshift.io/disconnected": "false",
+              "features.operators.openshift.io/fips-compliant": "false",
+              "features.operators.openshift.io/proxy-aware": "false",
+              "features.operators.openshift.io/tls-profiles": "false",
+              "features.operators.openshift.io/token-auth-aws": "false",
+              "features.operators.openshift.io/token-auth-azure": "false",
+              "features.operators.openshift.io/token-auth-gcp": "false"
+            }' rh-shield-operator/bundle/manifests/rh-shield-operator.clusterserviceversion.yaml
+            yq e -i '.annotations."com.redhat.openshift.versions" = "v4.8-v4.17"' rh-shield-operator/bundle/metadata/annotations.yaml
+
+      - name: Open Pull Request for Bundle update
+        uses: peter-evans/create-pull-request@v7
+        id: open-pr
+        with:
+          token: ${{ secrets.TOOLS_JENKINS_ADMIN_ACCESS_GITHUB_TOKEN }}
+          commit-message: |
+            "chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}"
+          title: |
+            "chore(rh-shield-operator): update bundle for rh-shield-operator:v${{ steps.determine-operator-version.outputs.release_version }}"
+          body: |
+            This is an automated pull request that is generated as a part of the rh-shield-operator release pipeline.
+            The changes here update the bundle metadata using the newly published Operator image to generate the
+            image checksum, as well as adjusting some metadata that is required for certification.
+
+      - name: Wait for Pull Request to be merged
+        uses: Wandalen/[email protected]
+        with:
+          command: gh pr view ${{ steps.open-pr.outputs.pull-request-number }} --json state -q .state | grep MERGED
+          attempt_limit: 240  # Results in 2 hours of waiting
+          attempt_delay: 30000  # 30 seconds
+
+      - name: Build and Push Bundle Image
+        run: |
+          make bundle-build bundle-push
+        working-directory: rh-shield-operator
+
+  certify-operator-image:
+    name: Certify the Operator Image with Preflight
+    runs-on: ubuntu-latest
+    needs:
+      - build-operator
+      - determine-operator-version
+    steps:
+      - name: Checkout charts repo
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: '1'
+
+      - name: Install Preflight
+        uses: redhat-actions/openshift-tools-installer@v1
+        with:
+          source: "github"
+          preflight: "latest"
+          github_pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run Preflight checks
+        run: |
+          IMAGE_TAG_BASE=$(awk '/^IMAGE_TAG_BASE/{print $3}' Makefile)
+
+          preflight check container \
+            $IMAGE_TAG_BASE:v${{ needs.determine-operator-version.outputs.release_version }} \
+            --pyxis-api-token ${{ secrets.RH_SHIELD_OPERATOR_PYXIS_API_TOKEN }} \
+            --certification-project-id ${{ secrets.RH_SHIELD_OPERATOR_CERTIFICATION_PROJECT_ID }}
         working-directory: rh-shield-operator