script: sanitize git branch names for OCI tag compliance

Git branch names commonly use forward slashes for hierarchy
(e.g., feature/my-branch), but OCI container image tags cannot
contain slashes. This causes build-with-container.py to fail when
building images from branches with slashes in their names.

Add _sanitize_for_oci_tag() function to convert branch names into
OCI-compliant tags by:
- Replacing '/' with '-'
- Replacing other invalid characters with '_'
- Stripping leading invalid characters
- Truncating to 128 characters (OCI tag max length)

Apply sanitization consistently to both auto-detected branches
and manually specified --current-branch arguments.

Fixes branch name handling for pull request branches and other
hierarchical naming schemes.

References:
- OCI Image Spec: tags must match [a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}
  https://github.com/opencontainers/image-spec/blob/main/descriptor.md
- Git allows '/' in branch names for hierarchical organization
  https://git-scm.com/docs/git-check-ref-format
  https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names

Signed-off-by: Kefu Chai <k.chai@proxmox.com>

diff --git a/src/script/build-with-container.py b/src/script/build-with-container.py
index fda8b341a1e84475e9c5440ae7a983cf7b0e6a9d..115f43b402f7cd45d97eb29cee9ed8487eb9f5c5 100755 (executable)
--- a/src/script/build-with-container.py
+++ b/src/script/build-with-container.py
@@ -317,6 +317,26 @@ def _git_current_sha(ctx, short=True):
     return res.stdout.decode("utf8").strip()
 
 
+def _sanitize_for_oci_tag(branch_name):
+    """Sanitize a git branch name to be OCI tag compliant.
+
+    OCI tags must match: [a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}
+    """
+    sanitized = branch_name.replace("/", "-")
+    sanitized = re.sub(r"[^a-zA-Z0-9._-]", "_", sanitized)
+    sanitized = re.sub(r"^[^a-zA-Z0-9_]+", "", sanitized)
+    result = sanitized[:128] if sanitized else "UNKNOWN"
+
+    if result != branch_name:
+        log.warning(
+            "Branch name '%s' was sanitized to '%s' for OCI tag compliance",
+            branch_name,
+            result
+        )
+
+    return result
+
+
 @ftcache
 def _hash_sources(bsize=4096):
     hh = hashlib.sha256()
@@ -504,9 +524,11 @@ class Context:
         branch = self.cli.current_branch
         if not branch:
             try:
-                branch = _git_current_branch(self).replace("/", "-")
+                branch = _git_current_branch(self)
             except subprocess.CalledProcessError:
                 branch = "UNKNOWN"
+        # Sanitize branch name to be OCI tag compliant
+        branch = _sanitize_for_oci_tag(branch)
         variant = self.variant()
         if variant is not ImageVariant.DEFAULT:
             suffix = f".{variant}{suffix}"