ci: propagate updates to legacy system catalogs (#308)

Closes #307

Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>

.github/workflows/catalogs.yml

@@ -19,6 +19,7 @@ jobs:
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           path: postgres-containers
+          token: ${{ secrets.REPO_GHA_PAT }}
 
       - name: Checkout artifacts
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
@@ -41,6 +42,14 @@ jobs:
         run: |
           python postgres-containers/.github/catalogs_generator.py --output-dir artifacts/image-catalogs/
 
+      # TODO: remove this step once system images are EOL
+      - name: Update legacy catalogs
+        run: |
+          cp artifacts/image-catalogs/catalog-system-bullseye.yaml postgres-containers/Debian/ClusterImageCatalog-bullseye.yaml
+          cp artifacts/image-catalogs/catalog-system-bookworm.yaml postgres-containers/Debian/ClusterImageCatalog-bookworm.yaml
+          yq -i '.metadata.name = "postgresql"' postgres-containers/Debian/ClusterImageCatalog-bullseye.yaml
+          yq -i '.metadata.name = "postgresql"' postgres-containers/Debian/ClusterImageCatalog-bookworm.yaml
+
       - name: Diff
         working-directory: artifacts
         run: |
@@ -56,3 +65,40 @@ jobs:
           author_name: CloudNativePG Automated Updates
           author_email: noreply@cnpg.com
           message: 'chore: update imageCatalogs'
+
+      # TODO: remove this step once system images are EOL
+      - name: Temporarily disable "include administrators" branch protection
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        id: disable_include_admins
+        uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: false
+
+      # TODO: remove this step once system images are EOL
+      - name: Legacy diff
+        working-directory: postgres-containers
+        run: |
+          git add -A .
+          git status
+          git diff --staged
+
+      # TODO: remove this step once system images are EOL
+      - uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9
+        if: ${{ github.ref == 'refs/heads/main' }}
+        with:
+          cwd: 'postgres-containers'
+          add: 'Debian/*.yaml'
+          author_name: CloudNativePG Automated Updates
+          author_email: noreply@cnpg.com
+          message: 'chore: update imageCatalogs'
+
+      # TODO: remove this step once system images are EOL
+      - name: Enable "include administrators" branch protection
+        uses: benjefferies/branch-protection-bot@af281f37de86139d1c7a27b91176b5dc1c2c827c # v1.1.2
+        if: ${{ always() && github.ref == 'refs/heads/main' }}
+        with:
+          access_token: ${{ secrets.REPO_GHA_PAT }}
+          branch: main
+          enforce_admins: ${{ steps.disable_include_admins.outputs.initial_status }}

README.md

@@ -6,7 +6,7 @@
 > In response, the CloudNativePG project has completed the transition to the
 > new `bake`-based build process for all `system` images. We now build directly
 > on top of the official Debian slim images, fully detaching from the official
-> Postgres image. Additional changes are planned as part of epic #287.
+> Postgres image.
 
 ---
 
@@ -169,6 +169,19 @@ tags:
 tag formats that explicitly include both the **image type** and the
 **distribution version** (e.g. `16.10-minimal-trixie`).
 
+## Image Catalogs
+
+CloudNativePG publishes `ClusterImageCatalog` manifests for CloudNativePG in
+the [`artifacts` repository](https://github.com/cloudnative-pg/artifacts/tree/main/image-catalogs),
+with one catalog available for each supported combination of image type and
+operating system version.
+
+**IMPORTANT:** If you are still relying on the legacy
+[`ClusterImageCatalog-bullseye.yaml`](Debian/ClusterImageCatalog-bullseye.yaml)
+and [`ClusterImageCatalog-bookworm.yaml`](Debian/ClusterImageCatalog-bookworm.yaml)
+manifests, please migrate to the new catalogs as soon as possible. These legacy
+manifests are deprecated and will be removed along with the `system` image.
+
 ## Build Attestations
 
 CNPG PostgreSQL Container Images are built with the following attestations to