ci-automation: Ensure to use latest container image

The container image was only created if it didn't exist locally. This
would result in fixes not being in a downstream job that is scheduled
to a different worker node on Jenkins that has a stale copy.
For the build automation we will now always download the latest
container tar ball based on comparing the image ID from a new artifact,
and for registry images we pull the container image to make sure that
we don't use a stale copy when we rebuild.

ci-automation/ci_automation_common.sh

@@ -185,11 +185,14 @@ function docker_image_to_buildcache() {
 
     # strip potential container registry prefix
     local tarball="$(basename "$image")-${version}.tar.gz"
+    local id_file="$(basename "$image")-${version}.id"
 
     $docker save "${image}":"${version}" | $PIGZ -c > "${tarball}"
-    create_digests "${SIGNER:-}" "${tarball}"
-    sign_artifacts "${SIGNER:-}" "${tarball}"*
-    copy_to_buildcache "containers/${version}" "${tarball}"*
+    # Cut the "sha256:" prefix that is present in Docker but not in Podman
+    $docker image inspect "${image}":"${version}" | jq -r '.[].Id' | sed 's/^sha256://' > "${id_file}"
+    create_digests "${SIGNER:-}" "${tarball}" "${id_file}"
+    sign_artifacts "${SIGNER:-}" "${tarball}"* "${id_file}"*
+    copy_to_buildcache "containers/${version}" "${tarball}"* "${id_file}"*
 }
 # --
 
@@ -207,9 +210,26 @@ function docker_image_from_buildcache() {
     local name="$1"
     local version="$2"
     local tgz="${name}-${version}.tar.gz"
+    local id_file="${name}-${version}.id"
+    local id_file_url="https://${BUILDCACHE_SERVER}/containers/${version}/${id_file}"
+    local id_file_url_release="https://mirror.release.flatcar-linux.net/containers/${version}/${id_file}"
 
     if image_exists_locally "${name}" "${version}" ; then
-        return
+        local image_id=""
+        image_id=$($docker image inspect "${name}:${version}" | jq -r '.[].Id' | sed 's/^sha256://')
+        local remote_id=""
+        remote_id=$(curl --fail --silent --show-error --location --retry-delay 1 \
+                    --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 \
+                    "${id_file_url}" \
+                    || curl --fail --silent --show-error --location --retry-delay 1 \
+                    --retry 60 --retry-connrefused --retry-max-time 60 --connect-timeout 20 \
+                    "${id_file_url_release}" \
+                    || echo "not found")
+        if [ "${image_id}" = "${remote_id}" ]; then
+          echo "Local image is up-to-date" >&2
+          return
+        fi
+        echo "Local image outdated, downloading..." >&2
     fi
 
     # First try bincache then release to allow a bincache overwrite
@@ -233,10 +253,6 @@ function docker_image_from_registry_or_buildcache() {
     local image="$1"
     local version="$2"
 
-    if image_exists_locally "${CONTAINER_REGISTRY}/${image}" "${version}" ; then
-        return
-    fi
-
     if $docker pull "${CONTAINER_REGISTRY}/${image}:${version}" ; then
         return
     fi

run_sdk_container

@@ -113,6 +113,12 @@ if [ -z "$stat" ] ; then
             source ci-automation/ci_automation_common.sh
             docker_image_from_registry_or_buildcache "flatcar-sdk-${arch}" "${docker_sdk_vernum}"
 	)
+    else
+        # We could split the container_image_name in parts to call docker_image_from_registry_or_buildcache
+        # bur for now just try to ensure that we use the latest image if using a container registry,
+        # for the tar-ball-imported images we rely on the ci-automation scripts to call
+        # docker_image_from_registry_or_buildcache explicitly.
+        $docker pull "${container_image_name}" || true
     fi
 
     $docker create $tty -i \