From 18759b533f7f4c9017483ad0e99b66100fd5b853 Mon Sep 17 00:00:00 2001
From: Miguel Pena <miguelp1986@gmail.com>
Date: Tue, 19 May 2026 20:40:21 -0700
Subject: [PATCH 1/2] ci updates

---
 .github/workflows/ngwpc-cicd.yml | 45 +++++++++++++++++++++++---------
 Dockerfile                       | 10 ++++---
 2 files changed, 39 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/ngwpc-cicd.yml b/.github/workflows/ngwpc-cicd.yml
index cd2094962a..fcb8be7b4c 100644
--- a/.github/workflows/ngwpc-cicd.yml
+++ b/.github/workflows/ngwpc-cicd.yml
@@ -81,6 +81,7 @@ jobs:
       clean_ref: ${{ steps.vars.outputs.clean_ref }}
       ngen_forcing_digest: ${{ steps.vars.outputs.ngen_forcing_digest }}
       ngen_forcing_revision: ${{ steps.vars.outputs.ngen_forcing_revision }}
+      ewts_revision: ${{ steps.vars.outputs.ewts_revision }}
     steps:
       - name: Compute image vars
         id: vars
@@ -139,20 +140,37 @@ jobs:
           # base image (ngen-forcing) metadata for ngen Dockerfile labels
           NGEN_FORCING_IMAGE_TAG="${{ inputs.NGEN_FORCING_IMAGE_TAG || 'latest' }}"
           NGEN_FORCING_IMAGE="ghcr.io/${ORG}/ngen-bmi-forcing:${NGEN_FORCING_IMAGE_TAG}"
-          NGEN_FORCING_INSPECT=$(skopeo inspect "docker://${NGEN_FORCING_IMAGE}" 2>/dev/null || echo '{}')
+          NGEN_FORCING_INSPECT=$(skopeo inspect --override-os linux --override-arch amd64 "docker://${NGEN_FORCING_IMAGE}" 2>/dev/null || echo '{}')
           NGEN_FORCING_DIGEST=$(echo "$NGEN_FORCING_INSPECT" | jq -r '.Digest // "unknown"')
           NGEN_FORCING_REVISION=$(echo "$NGEN_FORCING_INSPECT" | jq -r '.Labels["org.opencontainers.image.revision"] // "unknown"')
 
+          # resolve each source repo's ref (branch/tag/SHA) to its commit SHA for revision labels
+          resolve_sha() {
+            local url="$1" ref="$2" out sha
+            # a full 40-char SHA can't be looked up via ls-remote; use it directly
+            if [[ "$ref" =~ ^[0-9a-f]{40}$ ]]; then echo "$ref"; return; fi
+            out=$(git ls-remote "$url" "$ref" "refs/tags/${ref}^{}" 2>/dev/null)
+            # prefer the dereferenced commit (^{}) for annotated tags; else first match
+            sha=$(echo "$out" | grep '\^{}$' | head -n1 | cut -f1)
+            [ -z "$sha" ] && sha=$(echo "$out" | head -n1 | cut -f1)
+            echo "${sha:-unknown}"
+          }
+
+          EWTS_REVISION=$(resolve_sha "https://github.com/${{ inputs.EWTS_ORG || github.repository_owner }}/nwm-ewts.git" "${{ inputs.EWTS_REF || 'development' }}")
+
           # save outputs
-          echo "org=${ORG}" >> "$GITHUB_OUTPUT"
-          echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT"
-          echo "test_image_tag=${TEST_TAG}" >> "$GITHUB_OUTPUT"
-          echo "alias_tag=${ALIAS}" >> "$GITHUB_OUTPUT"
-          echo "commit_sha=${REAL_SHA}" >> "$GITHUB_OUTPUT"
-          echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
-          echo "clean_ref=${CLEAN_REF}" >> "$GITHUB_OUTPUT"
-          echo "ngen_forcing_digest=${NGEN_FORCING_DIGEST}" >> "$GITHUB_OUTPUT"
-          echo "ngen_forcing_revision=${NGEN_FORCING_REVISION}" >> "$GITHUB_OUTPUT"
+          cat >> "$GITHUB_OUTPUT" <<EOF
+          org=${ORG}
+          image_base=${IMAGE_BASE}
+          test_image_tag=${TEST_TAG}
+          alias_tag=${ALIAS}
+          commit_sha=${REAL_SHA}
+          commit_sha_short=${SHORT_SHA}
+          clean_ref=${CLEAN_REF}
+          ngen_forcing_digest=${NGEN_FORCING_DIGEST}
+          ngen_forcing_revision=${NGEN_FORCING_REVISION}
+          ewts_revision=${EWTS_REVISION}
+          EOF
 
   # CodeQL scan
   codeql-scan:
@@ -311,6 +329,7 @@ jobs:
             BASE_IMAGE_REVISION=${{ needs.setup.outputs.ngen_forcing_revision }}
             EWTS_ORG=${{ inputs.EWTS_ORG || github.repository_owner }}
             EWTS_REF=${{ inputs.EWTS_REF || 'development' }}
+            EWTS_REVISION=${{ needs.setup.outputs.ewts_revision }}
             IMAGE_SOURCE=https://github.com/${{ github.repository }}
             IMAGE_VENDOR=${{ github.repository_owner }}
             IMAGE_VERSION=${{ needs.setup.outputs.clean_ref }}
@@ -427,7 +446,7 @@ jobs:
     name: trigger-downstream (${{ matrix.repo }})
     if: |
       success() && (
-        (github.event_name == 'push' && github.ref_name == 'development') ||
+        (github.event_name == 'push' && (github.ref_name == 'development' || github.ref_name == 'ngwpc-candidate' || github.ref_name == 'ngwpc-release')) ||
         (github.event_name == 'workflow_dispatch' && inputs.TRIGGER_DOWNSTREAM)
       )
     runs-on: ubuntu-latest
@@ -439,9 +458,9 @@ jobs:
       matrix:
         include:
           - repo: nwm-cal-mgr
-            ref: ${{ inputs.NWM_CAL_MGR_REF || 'development' }}
+            ref: ${{ inputs.NWM_CAL_MGR_REF || github.ref_name }}
           - repo: nwm-fcst-mgr
-            ref: ${{ inputs.NWM_FCST_MGR_REF || 'development' }}
+            ref: ${{ inputs.NWM_FCST_MGR_REF || github.ref_name }}
     steps:
       - name: Generate GitHub App token
         id: app-token
diff --git a/Dockerfile b/Dockerfile
index 137657542b..1003d8d639 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -41,17 +41,21 @@ ARG IMAGE_SOURCE="unknown"
 ARG IMAGE_VENDOR="unknown"
 ARG IMAGE_VERSION="unknown"
 ARG IMAGE_REVISION="unknown"
+ARG EWTS_REVISION="unknown"
 
-# OCI Standard Labels
+# Image Labels: OCI-spec annotations followed by custom source-repo metadata.
 LABEL org.opencontainers.image.base.name="${NGEN_FORCING_IMAGE}" \
     org.opencontainers.image.base.digest="${BASE_IMAGE_DIGEST}" \
-    io.${IMAGE_NAMESPACE}.image.base.revision="${BASE_IMAGE_REVISION}" \
     org.opencontainers.image.source="${IMAGE_SOURCE}" \
     org.opencontainers.image.vendor="${IMAGE_VENDOR}" \
     org.opencontainers.image.version="${IMAGE_VERSION}" \
     org.opencontainers.image.revision="${IMAGE_REVISION}" \
     org.opencontainers.image.title="Next Generation Water Modeling Engine and Framework Prototype" \
-    org.opencontainers.image.description="Docker image for the NGEN application"
+    org.opencontainers.image.description="Docker image for the NGEN application" \
+    io.${IMAGE_NAMESPACE}.image.base.revision="${BASE_IMAGE_REVISION}" \
+    io.${IMAGE_NAMESPACE}.ewts.org="${EWTS_ORG}" \
+    io.${IMAGE_NAMESPACE}.ewts.ref="${EWTS_REF}" \
+    io.${IMAGE_NAMESPACE}.ewts.revision="${EWTS_REVISION}"
 
 # cannot remove LANG even though https://bugs.python.org/issue19846 is fixed
 # last attempted removal of LANG broke many users:

From 62fc6b53b10456774d37ca1512400f40a36ed688 Mon Sep 17 00:00:00 2001
From: Miguel Pena <miguelp1986@gmail.com>
Date: Tue, 19 May 2026 21:32:07 -0700
Subject: [PATCH 2/2] ci updates

---
 .github/workflows/ngwpc-cicd.yml | 29 ++++++++++++++++++--------
 Dockerfile.test                  | 35 --------------------------------
 2 files changed, 21 insertions(+), 43 deletions(-)
 delete mode 100644 Dockerfile.test

diff --git a/.github/workflows/ngwpc-cicd.yml b/.github/workflows/ngwpc-cicd.yml
index fcb8be7b4c..07f7f8c80f 100644
--- a/.github/workflows/ngwpc-cicd.yml
+++ b/.github/workflows/ngwpc-cicd.yml
@@ -79,6 +79,7 @@ jobs:
       test_image_tag: ${{ steps.vars.outputs.test_image_tag }}
       alias_tag: ${{ steps.vars.outputs.alias_tag }}
       clean_ref: ${{ steps.vars.outputs.clean_ref }}
+      default_ref: ${{ steps.vars.outputs.default_ref }}
       ngen_forcing_digest: ${{ steps.vars.outputs.ngen_forcing_digest }}
       ngen_forcing_revision: ${{ steps.vars.outputs.ngen_forcing_revision }}
       ewts_revision: ${{ steps.vars.outputs.ewts_revision }}
@@ -113,6 +114,18 @@ jobs:
           CLEAN_REF=$(echo "$REAL_REF" | tr '[:upper:]' '[:lower:]' | sed 's/\//-/g')
           SHORT_SHA="${REAL_SHA:0:7}"
 
+          # default source-repo ref: follow the release-line branch we're building from
+          # (development / ngwpc-candidate / ngwpc-release); tags and other branches fall
+          # back to development. Override per source repo via the *_REF dispatch inputs.
+          case "${GITHUB_REF_TYPE}:${GITHUB_REF_NAME}" in
+            branch:development|branch:ngwpc-candidate|branch:ngwpc-release)
+              DEFAULT_REF="$GITHUB_REF_NAME" ;;
+            *)
+              DEFAULT_REF="development" ;;
+          esac
+          # use an explicit *_REF input if provided, else DEFAULT_REF
+          ref_or_default() { [ -n "$1" ] && echo "$1" || echo "$DEFAULT_REF"; }
+
           # logic for the tags:
           # test_image_tag (commit short sha): used for the initial build and test
           # alias_tag: used for final tagging on successful tests
@@ -156,7 +169,7 @@ jobs:
             echo "${sha:-unknown}"
           }
 
-          EWTS_REVISION=$(resolve_sha "https://github.com/${{ inputs.EWTS_ORG || github.repository_owner }}/nwm-ewts.git" "${{ inputs.EWTS_REF || 'development' }}")
+          EWTS_REVISION=$(resolve_sha "https://github.com/${{ inputs.EWTS_ORG || github.repository_owner }}/nwm-ewts.git" "$(ref_or_default "${{ inputs.EWTS_REF }}")")
 
           # save outputs
           cat >> "$GITHUB_OUTPUT" <<EOF
@@ -167,6 +180,7 @@ jobs:
           commit_sha=${REAL_SHA}
           commit_sha_short=${SHORT_SHA}
           clean_ref=${CLEAN_REF}
+          default_ref=${DEFAULT_REF}
           ngen_forcing_digest=${NGEN_FORCING_DIGEST}
           ngen_forcing_revision=${NGEN_FORCING_REVISION}
           ewts_revision=${EWTS_REVISION}
@@ -238,7 +252,7 @@ jobs:
         run: |
           set -euo pipefail
           EWTS_ORG="${{ inputs.EWTS_ORG || github.repository_owner }}"
-          EWTS_REF="${{ inputs.EWTS_REF || 'development' }}"
+          EWTS_REF="${{ inputs.EWTS_REF || needs.setup.outputs.default_ref }}"
           EWTS_PREFIX=/opt/ewts
 
           git clone --depth 1 -b "${EWTS_REF}" \
@@ -319,7 +333,6 @@ jobs:
         uses: docker/build-push-action@v7
         with:
           context: .
-          # file: Dockerfile.test # comment out when done testing
           push: true
           tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
           build-args: |
@@ -328,7 +341,7 @@ jobs:
             BASE_IMAGE_DIGEST=${{ needs.setup.outputs.ngen_forcing_digest }}
             BASE_IMAGE_REVISION=${{ needs.setup.outputs.ngen_forcing_revision }}
             EWTS_ORG=${{ inputs.EWTS_ORG || github.repository_owner }}
-            EWTS_REF=${{ inputs.EWTS_REF || 'development' }}
+            EWTS_REF=${{ inputs.EWTS_REF || needs.setup.outputs.default_ref }}
             EWTS_REVISION=${{ needs.setup.outputs.ewts_revision }}
             IMAGE_SOURCE=https://github.com/${{ github.repository }}
             IMAGE_VENDOR=${{ github.repository_owner }}
@@ -458,9 +471,9 @@ jobs:
       matrix:
         include:
           - repo: nwm-cal-mgr
-            ref: ${{ inputs.NWM_CAL_MGR_REF || github.ref_name }}
+            ref: ${{ inputs.NWM_CAL_MGR_REF || needs.setup.outputs.default_ref }}
           - repo: nwm-fcst-mgr
-            ref: ${{ inputs.NWM_FCST_MGR_REF || github.ref_name }}
+            ref: ${{ inputs.NWM_FCST_MGR_REF || needs.setup.outputs.default_ref }}
     steps:
       - name: Generate GitHub App token
         id: app-token
@@ -473,9 +486,9 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
           EWTS_ORG: ${{ inputs.EWTS_ORG || github.repository_owner }}
-          EWTS_REF: ${{ inputs.EWTS_REF || 'development' }}
+          EWTS_REF: ${{ inputs.EWTS_REF || needs.setup.outputs.default_ref }}
           MSW_MGR_ORG: ${{ inputs.MSW_MGR_ORG || github.repository_owner }}
-          MSW_MGR_REF: ${{ inputs.MSW_MGR_REF || 'development' }}
+          MSW_MGR_REF: ${{ inputs.MSW_MGR_REF || needs.setup.outputs.default_ref }}
           GHCR_ORG: ${{ inputs.GHCR_ORG || needs.setup.outputs.org }}
           NGEN_IMAGE_TAG: ${{ needs.setup.outputs.alias_tag }}
         run: |
diff --git a/Dockerfile.test b/Dockerfile.test
deleted file mode 100644
index d636fa8adb..0000000000
--- a/Dockerfile.test
+++ /dev/null
@@ -1,35 +0,0 @@
-# Dockerfile.test
-ARG ORG=ngwpc
-ARG NGEN_FORCING_IMAGE_TAG=latest
-ARG BASE_IMAGE_NAME="alpine:latest"
-
-FROM ${BASE_IMAGE_NAME}
-
-# OCI Metadata Arguments
-ARG BASE_IMAGE_NAME
-ARG BASE_IMAGE_DIGEST="unknown"
-ARG BASE_IMAGE_REVISION="unknown"
-ARG IMAGE_SOURCE="unknown"
-ARG IMAGE_VENDOR="unknown"
-ARG IMAGE_VERSION="unknown"
-ARG IMAGE_REVISION="unknown"
-ARG IMAGE_CREATED="unknown"
-
-# OCI Standard Labels
-LABEL org.opencontainers.image.base.name="${BASE_IMAGE_NAME}" \
-    org.opencontainers.image.base.digest="${BASE_IMAGE_DIGEST}" \
-    io.ngwpc.image.base.revision="${BASE_IMAGE_REVISION}" \
-    org.opencontainers.image.source="${IMAGE_SOURCE}" \
-    org.opencontainers.image.vendor="${IMAGE_VENDOR}" \
-    org.opencontainers.image.version="${IMAGE_VERSION}" \
-    org.opencontainers.image.revision="${IMAGE_REVISION}" \
-    org.opencontainers.image.created="${IMAGE_CREATED}"
-
-# Create a dummy file just to prove we did something
-RUN echo "This is a lightweight test build for pipeline verification." > /build_info.txt
-
-# Add a timestamp so every build layer looks slightly different (optional, forces fresh hash)
-ARG BUILD_DATE
-RUN echo "Built on $BUILD_DATE" >> /build_info.txt
-
-CMD ["cat", "/build_info.txt"]