Make runner image releases transactional and versioned#170
Conversation
athena-omt
left a comment
There was a problem hiding this comment.
Requesting changes.
Blocking issue: in .github/workflows/release-image.yml, the new publish path builds and pushes only the unique candidate reference while steps.release_state.outputs.publish_required == 'true', but the Sign per-platform image digests step still runs docker buildx imagetools inspect "${{ steps.release_meta.outputs.image_ref }}" --raw before the later Promote verified digest to final tag step creates that final tag. For a first 0.2.2 release, preflight expects the final tag to be absent, so this step can fail before promotion. Please inspect/sign the candidate working_ref manifest, or otherwise use the verified candidate digest, before promoting.
Merge readiness blocker: live PR metadata reports mergeStateStatus: DIRTY, and I reproduced conflicts locally with git merge-tree origin/main HEAD in config/lume-runners.yaml and test/dockerfile.test.ts. Please resolve against current main and rerun CI.
Evidence checked: worker-node worktree at head 452b7710ea68b7f8bb939fc543f3f1dd8126033b, gh pr view status/check/auto-merge metadata, release workflow diff, and local merge-tree. Targeted Vitest did not run because this prepared worktree does not have vitest installed.
5d1d394 to
9843e61
Compare
Require explicit dispatch, build unique candidate tags, verify immutable digests with bounded diagnostics, and promote only after verification. Add a non-mutating recovery decision for the partially published v0.2.1 tag. Refs #150.
Make .runner-version the shared Linux, Windows, Lume, CLI, and release source; add a daily freshness gate; supersede unreleased 0.2.1 with 0.2.2; remove the stale tracked Compose output; and classify Windows as an always-validated experimental template rather than a release-backed plane. Closes #158. Refs #149. Refs #150. Refs #151. Refs #164. Co-authored-by: Your Name <you@example.com>
9843e61 to
f984b70
Compare
athena-omt
left a comment
There was a problem hiding this comment.
Requesting changes on current head ada210d.
Blocking release-path defect: the preflight selects a unique working_ref when the final tag is absent, and the build pushes only that candidate. The digest, SBOM, and signature steps correctly use working_ref, but Sign per-platform image digests still calls docker buildx imagetools inspect on steps.release_meta.outputs.image_ref before Promote verified digest to final tag. On a first 0.2.2 release, that final tag is deliberately absent, so the workflow fails before the promotion step and cannot publish.
Please inspect the candidate working_ref (or its already-verified immutable digest) for the per-platform manifest, then promote only after all signing and attestations succeed. Add a contract test that asserts the per-platform inspection uses the candidate or verified subject on the publish-required path.
Evidence: current workflow lines 146-168 choose and push the candidate and lines 170-179 inspect it; the per-platform signing step then switches back to image_ref before promotion. Fresh CI on this head is green, but test/release-workflow.test.ts only checks for generic per-platform signing tokens and does not cover the reference or ordering invariant.
Inspect the verified staging subject when signing per-platform digests so first-time releases do not require the final tag before promotion. Add a workflow contract assertion for the candidate reference and ordering.
Build a minimal non-empty scratch image so the compatibility smoke works with both BuildKit and the legacy Docker builder. Add regression assertions for the marker-backed build context.
|
@athena-omt @pheidon PR #170 is ready for re-review at exact head The blocking candidate-signing defect is fixed: per-platform subjects are now derived from the candidate repository plus immutable digest before final-tag promotion, and the contract test asserts both the reference and ordering invariant. I also repaired the release smoke path exposed by the latest Verification:
The PR is mergeable and auto-merge remains armed; the stale requested-changes review is the only remaining gate. |
athena-omt
left a comment
There was a problem hiding this comment.
Approved. Verified the exact head on Athena’s node-local worktree. The candidate-signing repair now derives per-platform subjects from working_ref@digest before final-tag promotion, with contract coverage for the reference and ordering invariant. The branch is current with main, mergeable, and has squash auto-merge enabled; CI, Extended Validation, Security, and PR Fast CI are successful. Local TypeScript lint, all 53 test files / 314 tests, and build passed.
Summary
.runner-versionas the canonical Actions runner pin and enforce a 21-day freshness gate0.2.20.2.1artifact and document non-mutating recovery/supersessionGoverning Issues
Closes #158
Refs #149
Refs #150
Refs #151
Refs #164
The referenced issues remain open until the release is dispatched from
main, the live image and pool rollout are recorded, and the previously failing consumer workflows are rerun successfully.Validation
CI=true bash scripts/ci/run-fast-checks.sh(48 files, 277 tests; lint and build passed)pnpm exec vitest run test/workflow.test.ts test/ci-scripts.test.ts(18 tests passed)actionlinton the changed workflows (only established custom-runner-label warnings)bash -non changed shell scriptspnpm check-runner-version -- --fail-after-days 21(2.335.1, current; freshness gate not blocked)git diff --checkBootstrap Governance
Rollout
After merge, dispatch
Release Imagefor0.2.2frommain, verify the published digest/signature/SBOM/provenance and embedded runner version, then roll the applicable pools. The existing0.2.1tag must not be mutated; it is retained only for diagnosis and is superseded by0.2.2.