ci updates

.github/workflows/ngwpc-cicd.yml

@@ -79,8 +79,10 @@ jobs:
       test_image_tag: ${{ steps.vars.outputs.test_image_tag }}
       alias_tag: ${{ steps.vars.outputs.alias_tag }}
       clean_ref: ${{ steps.vars.outputs.clean_ref }}
+      default_ref: ${{ steps.vars.outputs.default_ref }}
       ngen_forcing_digest: ${{ steps.vars.outputs.ngen_forcing_digest }}
       ngen_forcing_revision: ${{ steps.vars.outputs.ngen_forcing_revision }}
+      ewts_revision: ${{ steps.vars.outputs.ewts_revision }}
     steps:
       - name: Compute image vars
         id: vars
@@ -112,6 +114,18 @@ jobs:
           CLEAN_REF=$(echo "$REAL_REF" | tr '[:upper:]' '[:lower:]' | sed 's/\//-/g')
           SHORT_SHA="${REAL_SHA:0:7}"
 
+          # default source-repo ref: follow the release-line branch we're building from
+          # (development / ngwpc-candidate / ngwpc-release); tags and other branches fall
+          # back to development. Override per source repo via the *_REF dispatch inputs.
+          case "${GITHUB_REF_TYPE}:${GITHUB_REF_NAME}" in
+            branch:development|branch:ngwpc-candidate|branch:ngwpc-release)
+              DEFAULT_REF="$GITHUB_REF_NAME" ;;
+            *)
+              DEFAULT_REF="development" ;;
+          esac
+          # use an explicit *_REF input if provided, else DEFAULT_REF
+          ref_or_default() { [ -n "$1" ] && echo "$1" || echo "$DEFAULT_REF"; }
+
           # logic for the tags:
           # test_image_tag (commit short sha): used for the initial build and test
           # alias_tag: used for final tagging on successful tests
@@ -139,20 +153,38 @@ jobs:
           # base image (ngen-forcing) metadata for ngen Dockerfile labels
           NGEN_FORCING_IMAGE_TAG="${{ inputs.NGEN_FORCING_IMAGE_TAG || 'latest' }}"
           NGEN_FORCING_IMAGE="ghcr.io/${ORG}/ngen-bmi-forcing:${NGEN_FORCING_IMAGE_TAG}"
-          NGEN_FORCING_INSPECT=$(skopeo inspect "docker://${NGEN_FORCING_IMAGE}" 2>/dev/null || echo '{}')
+          NGEN_FORCING_INSPECT=$(skopeo inspect --override-os linux --override-arch amd64 "docker://${NGEN_FORCING_IMAGE}" 2>/dev/null || echo '{}')
           NGEN_FORCING_DIGEST=$(echo "$NGEN_FORCING_INSPECT" | jq -r '.Digest // "unknown"')
           NGEN_FORCING_REVISION=$(echo "$NGEN_FORCING_INSPECT" | jq -r '.Labels["org.opencontainers.image.revision"] // "unknown"')
 
+          # resolve each source repo's ref (branch/tag/SHA) to its commit SHA for revision labels
+          resolve_sha() {
+            local url="$1" ref="$2" out sha
+            # a full 40-char SHA can't be looked up via ls-remote; use it directly
+            if [[ "$ref" =~ ^[0-9a-f]{40}$ ]]; then echo "$ref"; return; fi
+            out=$(git ls-remote "$url" "$ref" "refs/tags/${ref}^{}" 2>/dev/null)
+            # prefer the dereferenced commit (^{}) for annotated tags; else first match
+            sha=$(echo "$out" | grep '\^{}$' | head -n1 | cut -f1)
+            [ -z "$sha" ] && sha=$(echo "$out" | head -n1 | cut -f1)
+            echo "${sha:-unknown}"
+          }
+
+          EWTS_REVISION=$(resolve_sha "https://github.com/${{ inputs.EWTS_ORG || github.repository_owner }}/nwm-ewts.git" "$(ref_or_default "${{ inputs.EWTS_REF }}")")
+
           # save outputs
-          echo "org=${ORG}" >> "$GITHUB_OUTPUT"
-          echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT"
-          echo "test_image_tag=${TEST_TAG}" >> "$GITHUB_OUTPUT"
-          echo "alias_tag=${ALIAS}" >> "$GITHUB_OUTPUT"
-          echo "commit_sha=${REAL_SHA}" >> "$GITHUB_OUTPUT"
-          echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
-          echo "clean_ref=${CLEAN_REF}" >> "$GITHUB_OUTPUT"
-          echo "ngen_forcing_digest=${NGEN_FORCING_DIGEST}" >> "$GITHUB_OUTPUT"
-          echo "ngen_forcing_revision=${NGEN_FORCING_REVISION}" >> "$GITHUB_OUTPUT"
+          cat >> "$GITHUB_OUTPUT" <<EOF
+          org=${ORG}
+          image_base=${IMAGE_BASE}
+          test_image_tag=${TEST_TAG}
+          alias_tag=${ALIAS}
+          commit_sha=${REAL_SHA}
+          commit_sha_short=${SHORT_SHA}
+          clean_ref=${CLEAN_REF}
+          default_ref=${DEFAULT_REF}
+          ngen_forcing_digest=${NGEN_FORCING_DIGEST}
+          ngen_forcing_revision=${NGEN_FORCING_REVISION}
+          ewts_revision=${EWTS_REVISION}
+          EOF
 
   # CodeQL scan
   codeql-scan:
@@ -220,7 +252,7 @@ jobs:
         run: |
           set -euo pipefail
           EWTS_ORG="${{ inputs.EWTS_ORG || github.repository_owner }}"
-          EWTS_REF="${{ inputs.EWTS_REF || 'development' }}"
+          EWTS_REF="${{ inputs.EWTS_REF || needs.setup.outputs.default_ref }}"
           EWTS_PREFIX=/opt/ewts
 
           git clone --depth 1 -b "${EWTS_REF}" \
@@ -301,7 +333,6 @@ jobs:
         uses: docker/build-push-action@v7
         with:
           context: .
-          # file: Dockerfile.test # comment out when done testing
           push: true
           tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
           build-args: |
@@ -310,7 +341,8 @@ jobs:
             BASE_IMAGE_DIGEST=${{ needs.setup.outputs.ngen_forcing_digest }}
             BASE_IMAGE_REVISION=${{ needs.setup.outputs.ngen_forcing_revision }}
             EWTS_ORG=${{ inputs.EWTS_ORG || github.repository_owner }}
-            EWTS_REF=${{ inputs.EWTS_REF || 'development' }}
+            EWTS_REF=${{ inputs.EWTS_REF || needs.setup.outputs.default_ref }}
+            EWTS_REVISION=${{ needs.setup.outputs.ewts_revision }}
             IMAGE_SOURCE=https://github.com/${{ github.repository }}
             IMAGE_VENDOR=${{ github.repository_owner }}
             IMAGE_VERSION=${{ needs.setup.outputs.clean_ref }}
@@ -427,7 +459,7 @@ jobs:
     name: trigger-downstream (${{ matrix.repo }})
     if: |
       success() && (
-        (github.event_name == 'push' && github.ref_name == 'development') ||
+        (github.event_name == 'push' && (github.ref_name == 'development' || github.ref_name == 'ngwpc-candidate' || github.ref_name == 'ngwpc-release')) ||
         (github.event_name == 'workflow_dispatch' && inputs.TRIGGER_DOWNSTREAM)
       )
     runs-on: ubuntu-latest
@@ -439,9 +471,9 @@ jobs:
       matrix:
         include:
           - repo: nwm-cal-mgr
-            ref: ${{ inputs.NWM_CAL_MGR_REF || 'development' }}
+            ref: ${{ inputs.NWM_CAL_MGR_REF || needs.setup.outputs.default_ref }}
           - repo: nwm-fcst-mgr
-            ref: ${{ inputs.NWM_FCST_MGR_REF || 'development' }}
+            ref: ${{ inputs.NWM_FCST_MGR_REF || needs.setup.outputs.default_ref }}
     steps:
       - name: Generate GitHub App token
         id: app-token
@@ -454,9 +486,9 @@ jobs:
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
           EWTS_ORG: ${{ inputs.EWTS_ORG || github.repository_owner }}
-          EWTS_REF: ${{ inputs.EWTS_REF || 'development' }}
+          EWTS_REF: ${{ inputs.EWTS_REF || needs.setup.outputs.default_ref }}
           MSW_MGR_ORG: ${{ inputs.MSW_MGR_ORG || github.repository_owner }}
-          MSW_MGR_REF: ${{ inputs.MSW_MGR_REF || 'development' }}
+          MSW_MGR_REF: ${{ inputs.MSW_MGR_REF || needs.setup.outputs.default_ref }}
           GHCR_ORG: ${{ inputs.GHCR_ORG || needs.setup.outputs.org }}
           NGEN_IMAGE_TAG: ${{ needs.setup.outputs.alias_tag }}
         run: |

Dockerfile

@@ -41,17 +41,21 @@ ARG IMAGE_SOURCE="unknown"
 ARG IMAGE_VENDOR="unknown"
 ARG IMAGE_VERSION="unknown"
 ARG IMAGE_REVISION="unknown"
+ARG EWTS_REVISION="unknown"
 
-# OCI Standard Labels
+# Image Labels: OCI-spec annotations followed by custom source-repo metadata.
 LABEL org.opencontainers.image.base.name="${NGEN_FORCING_IMAGE}" \
     org.opencontainers.image.base.digest="${BASE_IMAGE_DIGEST}" \
-    io.${IMAGE_NAMESPACE}.image.base.revision="${BASE_IMAGE_REVISION}" \
     org.opencontainers.image.source="${IMAGE_SOURCE}" \
     org.opencontainers.image.vendor="${IMAGE_VENDOR}" \
     org.opencontainers.image.version="${IMAGE_VERSION}" \
     org.opencontainers.image.revision="${IMAGE_REVISION}" \
     org.opencontainers.image.title="Next Generation Water Modeling Engine and Framework Prototype" \
-    org.opencontainers.image.description="Docker image for the NGEN application"
+    org.opencontainers.image.description="Docker image for the NGEN application" \
+    io.${IMAGE_NAMESPACE}.image.base.revision="${BASE_IMAGE_REVISION}" \
+    io.${IMAGE_NAMESPACE}.ewts.org="${EWTS_ORG}" \
+    io.${IMAGE_NAMESPACE}.ewts.ref="${EWTS_REF}" \
+    io.${IMAGE_NAMESPACE}.ewts.revision="${EWTS_REVISION}"
 
 # cannot remove LANG even though https://bugs.python.org/issue19846 is fixed
 # last attempted removal of LANG broke many users: